One of our customers' questions on the IPS alarm

Unanswered Question
Mar 19th, 2007


I am not getting the right answer. I am not asking about the signature but I am asking how to include the action taken by the IPS into the alarm email sent to us, so we know what action was taken by the IPS regarding this signature. Currently, the IPS sends the following email:

Date= 2007/02/16

Time= 22:44:13 Arab Standard Time

SIGID= 5081:0

SIGNAME= WWW WinNT cmd.exe Access

Root.exe access

Victime= 193.188.x.x

AttackerAddress= 211.136.x.x

Which does not contain the ACTION.
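For anyone triaging a stream of these alert emails, the practical problem is spotting which ones arrived without a disposition. The following is an added example, not code from the original post or from Cisco: it parses the "Key= value" layout quoted above (treating an unprefixed line such as "Root.exe access" as a continuation of the previous field) and flags alerts that lack an action field. The sample alerts are constructed, the addresses are RFC 5737 documentation addresses in place of the masked x.x ones, and the "Action" field name and its value are hypothetical, since the post shows no such field.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: the alert format quoted in the question, with the
# masked addresses replaced by RFC 5737 documentation addresses.
ALERT_WITHOUT_ACTION = """\
Date= 2007/02/16
Time= 22:44:13 Arab Standard Time
SIGID= 5081:0
SIGNAME= WWW WinNT cmd.exe Access
Root.exe access
Victime= 192.0.2.10
AttackerAddress= 203.0.113.20
"""

# Constructed sample of what the asker wants: the same alert carrying an
# action line. "Action" and its value are hypothetical, not a Cisco field.
ALERT_WITH_ACTION = ALERT_WITHOUT_ACTION + "Action= HYPOTHETICAL-ACTION-VALUE\n"


def parse_alert(text: str) -> Dict[str, str]:
    """Parse 'Key= value' lines into a dict keyed by lower-cased field name.

    A line without '=' (e.g. 'Root.exe access' under SIGNAME) is treated as a
    continuation of the previous field's value, which is how the quoted email
    wraps the signature name across two lines.
    """
    fields: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            last_key = key.strip().lower()
            fields[last_key] = value.strip()
        elif last_key is not None:
            fields[last_key] = (fields[last_key] + " " + line).strip()
    return fields


def missing_fields(fields: Dict[str, str],
                   required: Tuple[str, ...] = ("action",)) -> List[str]:
    """Return the required field names that are absent or empty."""
    return [name for name in required if not fields.get(name.lower())]


def triage(text: str) -> Tuple[str, List[str]]:
    """Classify one alert email.

    Returns ('complete', []) when every required field is present, otherwise
    ('needs-followup', [missing names]) so an analyst knows the IPS action
    must be looked up elsewhere before the alert can be closed.
    """
    fields = parse_alert(text)
    missing = missing_fields(fields)
    return ("complete" if not missing else "needs-followup"), missing


if __name__ == "__main__":
    for label, alert in (("as received", ALERT_WITHOUT_ACTION),
                         ("with action", ALERT_WITH_ACTION)):
        status, missing = triage(alert)
        print(f"{label}: {status} missing={missing}")
```

Run against the constructed samples, the alert as quoted in the post is reported as needing follow-up because no action field is present, while the hypothetical variant with an action line is reported complete.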

qmccallum Mon, 03/19/2007 - 16:51

I just got off a conference call with several Cisco technical/managerial folks about this very issue. I, too, want to know what the IPS did with the traffic and if it passed it, I want to know why.

I was told a couple of folks I spoke with monitor this forum closely and should respond to you.

Here is what I understood:

1) One of the attendees is checking/confirming that this information is still being output by the IPS device. The client (VMS, IEV, MARS).

2) There is a bug that prevents this information from being included in SNMP traps.
