×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Severity levels in Security Monitor

Unanswered Question
Feb 12th, 2003
User Badges:


I'm quite confused about the different severity levels associated with signatures.


- In NSDB, each signature is assigned a numerical level, from 0 to 5.

- In former director products, you had 3 severity levels: low (1,2), medium (3) and high (4,5).

- Now when you edit a signature with MC, you can adjust its severity to one of Info, Low, Medium or High.

- The Monitoring Center for Security user's manual states that the severity can be Info (blue), Low (green), Medium (yellow) or High (red).


I've enabled signature 2000 (ICMP Echo Reply) with severity Info. I expected to see it in the Event Viewer in blue, but I don't get it at all.

How can I get events colored in blue?

What is the difference between a disabled signature and an enabled signature with severity info?Is it related to the minimum level configured at the sensor to fire an event? How can I configure it (it was possible with CSPM)?

Thanks in advance


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
marcabal Tue, 02/18/2003 - 12:07
User Badges:
  • Cisco Employee,

CSPM had a 3 level/color designation for severity.

IDS MC/ SecMon now uses 4 levels/colors for severity.


CSPM

Low = 1,2 = Green

Medium = 3 = Yellow

High = 4,5 = Red


IDS MC/ SecMon

Informational = 1 = Blue

Low = 2 = Green

Medium = 3 = Yellow

High = 4,5 = Red


As for your question: "What is the difference between a disabled signature and an enabled signature with severity info?Is it related to the minimum level configured at the sensor to fire an event? "

A disabled signature has a severity of "0" so it is not analyzed by the sensor.


So if a signature is disabled then the severity config in IDSMC/CSPM is ignored, and the severity number in packetd.conf is set to 0.

If the signature is enabled then the severity number in packetd.conf is set to 1,2,3,or4 depending on the severity level in IDSMC/CSPM for that signature.

NOTE: Both CSPM and IDS MC operate this way.


As for your 2000 signature.

The default is the signature to be disabled/informational. Since it is disabled the severity number in packetd.conf is set to 0 regardless of whether the IDSMC/CSPM severity was Informational, Low, Medium or High.

So you need to "enable" the signature for the signature to have severity of 1 or higher in packetd.conf.


SIDE NOTE: In version 4.0 (recently announced) there is no longer a severity number. Instead in 4.0 there is a severity field that can be set to Information/Low/Medium/High and a Enabled field that can be set to True/False. If a signature is Enabled (Enabled=True) then it is analyzed and if it fires then the proper Severity is assigned to the alarm. If a signature is Disabled (Enabled=False) then the signature won't be analyzed at all so it doesn't matter what the severity setting is.

The 4.0 configuration corresponds better to the IDS MC configuration, and helps alleviate the confusion that the 3.x style severity numbers in packetd.conf have caused our users.



javierlopez Wed, 02/19/2003 - 07:13
User Badges:


Thank you very much for your reply.


I know that a disabled signature implies that the sensor does not search for it. I guess I didn't explain it clearly. I have set the 2000 signature to "enabled" with severity level Info, but I don't get any event in SecMon (not blue nor any other color).

So, the behaviour seems to be the same if you have a signature disabled or a signature enabled with severity Info : no event in the console.

Let me put it in this way: If I configure a signature to enabled and severity Info, will I receive a blue event in SecMon? Is it necessary any other configuration?

BTW, I am currently receiving all sort of events colored in green, yellow and red. And if I configure the 2000 signature to enabled with severity Low I do receive the corresponding green event.

The problem is related with the Info level/blue color.




marcabal Wed, 02/19/2003 - 11:23
User Badges:
  • Cisco Employee,

I have only used Security Monitor a few times.

I will ask some of the Security Monitor engineers to see what they have to say.


There is one thing that does come to mind:

The Sensor has to be configured for what severity alarm gets sent to Security Monitor. I am not sure what the default is, but it may be that the sensor is configured to only send Low level or higher alarms to Security Monitor.

In which case you would need to configure the sensor to send Informational and higher alarms to Security Monitor.

Things to check on the sensor itself:

1) Look in the destinations file:

There should be a line for the Security Monitor. Verify that the level of alarms

being sent to smid on the Security Monitor is set 1 instead of 2.

1) Look in packetd.conf for the line:

SigOfGeneral 2000 0 1 1 1 1 #

Be sure the last numbers are 1 and not 0.


Marco

Actions

This Discussion