IPS SNMP alarms

Hi,

My question concerns the way to send SNMP traps as an alert format.

I am totally aware that the AIP-SSM/IPS 4200 does not support syslog as an alert format.

The default method is through SDEE, but I really don't want to use MARS to get my security events (I have more than 10 devices, so don't think about IME).

I've read that I have to configure individual signatures in order to generate an SNMP trap as an action to take when they are triggered.

So is this correct?:

snmp-1.png

Is it possible to enable it "globally"? For example for all signatures with a level higher than informational? Is it done with this option? :

snmp-2.png

What is the first action, "deny packet inline"? Is it really done, given that I am using the AIP-SSM in promiscuous mode?

Thanks a lot!

2 Replies

jan.odzgan (Level 1)

Hello,

I also miss syslog in Cisco IPS. But your problem is solvable. You can use Event Action Overrides to add an action (SNMP trap) to all alarms that reach a specific risk rating (high risk, medium risk, low risk, or a user-defined risk rating, as you need). The value "Informational" is not a risk value; it is a severity (only one component of the risk rating).

Deny packet inline is usable only in inline mode. This action drops the packet that triggered the specific signature. In promiscuous mode you can only use the TCP reset action to stop some kinds of attack.

Hello,

You can use Event Action Overrides to add an action (SNMP trap) to all alarms that reach a specific risk rating (high risk, medium risk, low risk, or a user-defined risk rating, as you need).

When you're talking about the "Event Action Overrides", are you referring to the second screenshot I've posted? In this configuration, all enabled signatures should trigger an SNMP trap, right? (Even if I didn't set the "request SNMP trap" option in all signatures?)

Deny packet inline is usable only in inline mode. This action drops the packet that triggered the specific signature. In promiscuous mode you can only use the TCP reset action to stop some kinds of attack.

Yes, that's what I thought. But this action (Deny packet inline) is not removable from the HIGHRISK override. So is it simply not taken into account when using the IPS in promiscuous mode?

Thanks,

Regards.
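To make the first reply's suggestion concrete, here is the equivalent sensor CLI configuration. This is an added example, not something posted in the thread: it assumes Cisco IPS 6.x/7.x CLI syntax, the default event-action-rules instance name "rules0", and a made-up trap receiver (192.0.2.10) and community string ("ipstraps"). The 70-100 risk-rating range is an arbitrary threshold chosen for illustration; the override adds "request SNMP trap" to every event whose risk rating falls in that range, whether or not the individual signature has that action configured. Actions that only make sense inline (such as deny-packet-inline) are not performed when the sensor runs in promiscuous mode, because it is not in the forwarding path.

```text
! Added example, not from the original thread. Cisco IPS 6.x/7.x CLI.
! Assumed values: rules instance "rules0" (the default), trap receiver
! 192.0.2.10, SNMP community "ipstraps", risk-rating threshold 70-100.

! 1. Tell the sensor where to send SNMP traps.
sensor# configure terminal
sensor(config)# service notification
sensor(config-not)# enable-notifications true
sensor(config-not)# trap-destinations 192.0.2.10
sensor(config-not-tra)# trap-community-name ipstraps
sensor(config-not-tra)# trap-port 162
sensor(config-not-tra)# exit
! Without detail traps the receiver only gets a generic "alert fired" trap;
! enable them to carry the signature ID, addresses and risk rating.
sensor(config-not)# enable-detail-traps true
sensor(config-not)# exit
Apply Changes?:[yes]: yes

! 2. Add the "request SNMP trap" action globally with an event action
!    override keyed on risk rating (not on severity such as "informational").
sensor(config)# service event-action-rules rules0
sensor(config-eve)# overrides request-snmp-trap
sensor(config-eve-ove)# override-item-status enabled
sensor(config-eve-ove)# risk-rating-range 70-100
sensor(config-eve-ove)# exit
! Confirm the override is listed before leaving the submode.
sensor(config-eve)# show settings
sensor(config-eve)# exit
Apply Changes?:[yes]: yes

! 3. Verify on the sensor side that events are still being produced
!    (the trap itself is checked on the receiver, e.g. with snmptrapd).
sensor# show events alert high
```

Traps are UDP and unauthenticated with SNMPv1/v2c, so treat them as a notification channel rather than an audit record: keep SDEE (or the sensor's own event store) as the source of truth, and restrict the community string and the receiver's listening interface to the management network.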
