GLBA Reporting - Attacks shunned by IDS

Unanswered Question
Apr 27th, 2010
User Badges:

I have one more issue with reporting.  I notice under GLBA reports there is a 'attacks prevented by cisco IPS - all events" report.  We actually run IDS and are using a router to actively shun packets, and that is not included within the scope.  I tried adjusting the query in this report, but have been unable to get the results I expect.


The portion of the Raw Event Message that I am trying to search is  'shunRequested:  true'  from the below event.  When I do a query and put that in the 'keyword field' and search within the timeframe this event happened (searching for raw event) it returns 0 results.  Does anyone know a good way to search for events shunned within a GLBA report?  And it really doesn't have to come back with raw events or anything, any other suggestions for this are welcome.


Thanks,


Michael


SAMPLE EVENT BELOW********


evIdsAlert:  eventId="1268318206324079819"  severity="high"  vendor="Cisco" 
    originator: 
        hostId:  OMITTED

        appName:  sensorApp 
        appInstanceId:  31165 
    time:  Apr 27 2010 05:00:59 CDT (1272362459865550000)  offset="-300"  timeZone="UTC" 
    signature:  created="20010202"  type="anomaly"  version="S2"  description="TCP SYN/FIN Packet"  id="3041" 
        subsigId:  0 
        marsCategory:  Probe/Host/Stealth 
    interfaceGroup:  vs0 
    vlan:  0 
    participants: 
        attacker: 
            addr:  81.45.216.133  locality="any" 
            port:  24394 
        target: 
            addr:  OMITTED  locality="INSIDE" 
            port:  25 
            os:  idSource="learned"  relevance="relevant"  type="linux" 
    actions: 
        tcpResetSent:  true 
        shunRequested:  true 
        denyPacketRequestedNotPerformed:  true 
        denyFlowRequestedNotPerformed:  true 
        denyAttackerRequestedNotPerformed:  true 
    riskRatingValue:  100  attackRelevanceRating="relevant"  targetValueRating="mission-critical" 
    threatRatingValue:  80 
    interface:  ge0_1 
    protocol:  tcp 
    globalCorrelation: 
        globalCorrelationScore:  -3.3 
        globalCorrelationRiskDelta:  1 
        globalCorrelationModifiedRiskRating:  false 
        globalCorrelationDenyPacket:  true 
        globalCorrelationDenyAttacker:  true 
        globalCorrelationOtherOverrides:  false 
        globalCorrelationAuditMode:  false 

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
atomike10 Wed, 04/28/2010 - 11:44
User Badges:

I found a way to get the information needed.  Instead of searching shunReques

ted:  true, we just searched for keyword 'shunRequested'.  If a shun is not requeste

d, obviously that action is not attempted, therefore is not in the raw packet.  Thanks,

Actions

This Discussion