Which of the following statements is true about network traffic event logging in Cisco FireSIGHT Management
Center? (Select the best answer.)
A.
Beginningofconnection events contain less information than endofconnection events.
B.
Performance is optimized by logging both beginningofconnection events and end ofconnection events.
C.
You can log only beginningofconnection events for encrypted connections handled by an SSL policy.
D.
You can log only endofconnection events for blocked traffic.
Explanation:
In Cisco FireSIGHT Management Center, beginningofconnection events contain less information than
endofconnection events. Cisco FireSIGHT Management Center, which was formerly called Sourcefire Defense
Center, can log beginningofconnection and endofconnection events for various types of network traffic.
Although most network traffic will generate both kinds of events, blocked or blacklisted traffic is typically denied
without further processing and therefore only generates beginningofconnection events. Beginningofconnection
events contain a limited amount of information because they are generated based on the information contained
in the first few packets of a connection.
By contrast, endofconnection events are generated when a connection closes, times out, or can no longer be
tracked because of memory constraints. Endofconnection events contain significantly more information than
beginningofconnection events because they can draw upon data collected throughout the course of a
connection. This additional information can be used to create traffic profiles, generate connection summaries,
or graphically represent connection data. In addition, the data can be used for detailed analysis or to trigger
correlation rules based on session data. Endofconnection events are also required to log encrypted
connections that are handled by a Secure Sockets Layer (SSL) policy because there is not enough information
in the first few packets to indicate that a connection is encrypted.Cisco: Logging Connections in Network Traffic: Logging the Beginning or End of Connections