Cisco IPS 4200 Log Fields

pratik.jadav
Level 1

Hi,

Could anyone please tell me where I can find the information regarding the fields of the log for IPS 4200? In what sequence do they appear in log files, and what does each field signify?

Basically, I need the layout of the log file for the IPS logs. E.g., a sample layout would be something like this:

[timestamp] , [signatureID] , [vendor] [signature desc], [attacker IP] , [victim IP] , [attack type] , [action ID] , [action desc]

Thanks.

Regards,

Pratik

3 Replies

rhermes
Level 7

Pratik -

There are two ways of getting event messages out of a sensor. The standard is SDEE, which is just XML that you can look inside to see the tags on each field. They like to call it "self-documenting". The second (and more difficult, because it requires you to tune each active signature) is syslog.

Which log format are you looking for?

Thanks, rhermes.

I am more interested in the fields that are there in the logs and not the actual format of the log.

I am trying to find out what information is available in the logs, e.g. attacker IP, victim IP, signature ID, etc.

The format of the logs (SDEE/syslog) doesn't matter.

In total, how many fields are there for each log, and what does each field mean?

I am really sorry if this sounds silly, but I am new to the IPS stuff and couldn't get the info I wanted on the Cisco site.

Please let me know if anyone could please share this info with me. It would be really helpful to me.

Thanks.

Regards,

Pratik

Here's an example of an SDEE message. I believe this is from a version 5.x sensor (it could be version 4; I don't see Risk Rating). Each time a new major version of software is released, new features are added and (if reportable) they show up as new fields in the SDEE messages.

(SDEE message as rendered; only the element values survived extraction, in this order)

testsensor4250XL
sensorApp
440
Sdee
10.1.1.119
10.1.1.119
0
1
R0VUIC9vc3Mvc3VydmV5LmFzcD7pdW1kYXlzPTUrMyBIVFRQ0=
11.1.1.2
60556
61.1.1.76
80
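Because SDEE is XML, the field names travel inside each message, so a collector can pull out exactly the items asked for in this thread (sensor, signature ID and description, attacker and victim address/port) without knowing any column order. The following is an added example, not code from the thread or from Cisco: a small Python parser over a constructed evIdsAlert whose element names are an assumption modelled on the SDEE/CIDEE layout (the tags did not survive in the message quoted above); the sensor name, addresses and ports are the ones quoted, and the signature, eventId and namespace URIs are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample alert. Element names follow the SDEE/CIDEE
# layout (sd:/cid: namespaces) as an assumption; sensor name,
# addresses and ports are those from the post above; signature id,
# description, eventId and the namespace URIs are made up.
SAMPLE_ALERT = """<sd:evIdsAlert eventId="1000000000000000001" severity="medium"
  vendor="Cisco" xmlns:sd="urn:example:sdee" xmlns:cid="urn:example:cidee">
  <sd:originator><sd:hostId>testsensor4250XL</sd:hostId>
    <cid:appName>sensorApp</cid:appName></sd:originator>
  <sd:signature description="EXAMPLE HTTP request" id="5000" version="S250"/>
  <sd:participants>
    <sd:attacker><sd:addr locality="OUT">11.1.1.2</sd:addr>
      <sd:port>60556</sd:port></sd:attacker>
    <sd:target><sd:addr locality="IN">61.1.1.76</sd:addr>
      <sd:port>80</sd:port></sd:target>
  </sd:participants>
</sd:evIdsAlert>"""

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def _child(elem, *path):
    """Walk children by local name, so whether a field is sd: or cid: never matters."""
    for name in path:
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return None
    return elem

def _text(elem, *path):
    """Text of a nested child, or None when the element is absent or empty."""
    node = _child(elem, *path) if elem is not None else None
    return node.text.strip() if node is not None and node.text else None

def parse_alert(xml_text):
    """Pull the fields asked about in the thread out of one evIdsAlert; absent ones are None."""
    ev = ET.fromstring(xml_text)
    sig = _child(ev, "signature")
    attacker = _child(ev, "participants", "attacker")
    target = _child(ev, "participants", "target")
    return {
        "eventId": ev.get("eventId"), "severity": ev.get("severity"),
        "vendor": ev.get("vendor"), "sensor": _text(ev, "originator", "hostId"),
        "signatureId": sig.get("id") if sig is not None else None,
        "signatureDesc": sig.get("description") if sig is not None else None,
        "attackerIP": _text(attacker, "addr"), "attackerPort": _text(attacker, "port"),
        "victimIP": _text(target, "addr"), "victimPort": _text(target, "port"),
    }
```

Fields that a given sensor version does not report simply come back as None, which is the behaviour you want when older and newer sensors feed the same collector.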
