AIP-SSM log to a SIM

Unanswered Question
Apr 16th, 2008

We currently have a third-party SIM and Snort/TippingPoint IDS in the network. We are testing the Cisco module to replace these IDS systems; the question is how to configure the Cisco module to forward events to the SIM. Thanks.

rhermes Wed, 04/16/2008 - 07:52

You didn't mention what SIM you're using. The AIP-SSM, IDSM and 4200 series sensors report events using SDEE. The sensor runs as the host and the SIM as a client. If your SIM supports Cisco's implementation, put your SIM's IP address in the allowed hosts on the AIP-SSM and give your SIM the sensor's readonly account credentials.

wfleenor Thu, 04/17/2008 - 10:22

The SIM is QRadar and it supports Cisco devices. Is there a way to send a test log or traffic to the SIM after configuring?

rhermes Thu, 04/17/2008 - 12:11

Enable signature 2004 (ICMP Echo Request) and ping past the sensor. That should generate an alert. You can confirm on the sensor CLI with "show event alert past 01:00" to see the alerts from the past hour.
