IDSMC and RDEP

Unanswered Question
Feb 12th, 2004

Does the Ciscoworks VMS function as an RDEP server for external RDEP client queries (in the case of an external reporting solution utilizing RDEP to query for log files)?



mhoda Sat, 02/14/2004 - 23:51
User Badges:
  • Silver, 250 points or more

Hello,


IDS MC doesn't act as a server that can listen on the RDEP protocol; that is to say, no other application can make an RDEP connection to the IDS MC. Rather, it acts kind of like a client when making an RDEP connection to the sensor.


I hope this answers your question. Thanks,


Mynul

akah0mer Tue, 02/17/2004 - 04:54

Mynul,


So how is an organization supposed to get a data feed from the VMS?


I can't see Cisco believing that Enterprise customers will not have in place reporting systems (i.e. netForensics, e-Security, Intellitactics) and want to get the log data retrieved from the sensors for use by their own systems.


Does Cisco publish any information as to how to accomplish data retrieval from the IDSMC?



fields.james Tue, 02/17/2004 - 11:07

In the case of NetForensics 3.x, there is a specific agent for CSIDS4 which works just like the VMS server itself - that is, you tell NF how to contact each sensor (appliance, blade, whatever) and it contacts them directly to poll for the data. This of course requires an NF license for each sensor. This stands in contrast to how NF handles the CSA data, where they have an agent that lives on the VMS server and takes the aggregated logs from there and pipes them to NF, only using one host license in the process.


If you need assistance configuring NF to get to your sensors, I can help - you may wish to do this out-of-band...


--James

akah0mer Tue, 02/17/2004 - 12:06

James,


Thanks for your response. Unfortunately we are not using NF.


We need a solution to the VMS's chaste towards other SIMS.


Again thanks

a.arndt Thu, 02/19/2004 - 09:48
User Badges:
  • Bronze, 100 points or more

Contact the customer support group for the vendor of your product.


FYI, I know Intellitactics has an RDEP client for NSM, just in case you're wondering.


I'd say it's safe to assume any other vendor that claims Cisco IDS compatibility will have developed one as well...

akah0mer Thu, 02/19/2004 - 11:43

That is the rub. Our reporting solution is not on the public internet (and we'd like to keep it that way).


Yet IDSMC also acts as a client and runs no RDEP server, so even Intellitactics could not get data from it because it runs as a client.

a.arndt Thu, 02/19/2004 - 11:51
User Badges:
  • Bronze, 100 points or more

True enough, the NSM RDEP Listener and other "RDEP Clients" aren't going to help you.


Why have your VMS/IDSMC system act as an RDEP Server though when your sensor(s) are already doing this? Why not instead build your own in-house RDEP Client?


After all, Cisco has made the RDEP specs available to anyone with a CCO login (which we're using right now to access the NetPro Forum...)


You'll find the RDEP specifications here:

http://www.cisco.com/cgi-bin/dev_support/access_level/product_support?pcgi=1&product=IDS_INT_API

ctsorrell Thu, 02/19/2004 - 12:39

OK, I'm working with akahomer. Here is the deal. With the current (for 9 more days) Director platform, the "director forward" utility is used to send the centralized event data elsewhere. If you wrote a system around this way of life, you have a rude awakening with the new version, as there is no way to get it out of the centralized data store (outside of NF or Info Center). The real issue here is not being able to retrieve event data from a central point such as VMS. We do not want to have dual feeds to our sensors (one VMS feed for mgmt. and one feed to get the events). If we can focus on that, it would be great.

marcabal Thu, 02/19/2004 - 13:44
User Badges:
  • Cisco Employee,

The older Unix Director platform could act as both a client for receiving alarms as well as a server for passing alarms up to a higher level management station.


The current version of Security Monitoring Center (monitoring portion of VMS) lacks this functionality. It can receive alarms but is not able to forward them on to another management station.


So what are the options if you are moving to Security Monitoring Center from Unix Director and you used to use the forwarding functionality?


1) The current version of Security Monitoring Center does have the ability to extract alarms from the database into a text file. This text file can then be imported into another management station. You would schedule this export to happen as often as you wanted, and then run a separate command to upload the data into another management station somehow:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon12/ug/ch07.htm#130939


2) Use a monitoring tool other than Security Monitoring Center. The IDS Management Center and the Security Monitoring Center do not have to be run together. You can continue to use IDS Management Center for configuring the sensors, and use NetForensics or even your own company built RDEP Client to pull the events.


SIDE NOTE: Security Monitoring Center uses RDEP for pulling events from the sensor, but the current version of IDS Management Center does not use RDEP for configuring the sensor. IDS MC configuration is currently done through a SSH connection. So Security Monitor makes HTTP(s) connections to the sensor while IDS MC makes SSH connections to the sensor.


------


In my statements above I specifically use the word "current" versions. This is because the VMS development teams have heard the requests from users like yourselves. They are making modifications to the software for the next version currently in development.


If you need to find out the new features being added and scheduled release dates then please contact your Cisco Sales Representative for more information.
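Both a.arndt and marcabal suggest building an in-house RDEP client that polls each sensor directly over HTTPS rather than waiting on VMS to forward events. The skeleton below is an added example, not Cisco's code or anything from this thread: the `/cgi-bin/event-server` path, the query parameter names, HTTP Basic auth and the `evAlert` XML element names are assumptions from memory of the RDEP spec linked above and must be checked against that document; the sample reply is constructed.

```python
"""Minimal RDEP-style event poller: pull alerts straight from a sensor.
Assumed (verify against the RDEP spec): sensor serves /cgi-bin/event-server,
accepts HTTP Basic auth, takes the parameters below, replies with <evAlert> XML."""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass
class Alert:
    time: int        # timestamp as carried in the event (units per the spec)
    severity: str
    sig_id: str
    attacker: str
    victim: str


def build_event_url(sensor, start_time, severities=("high", "medium"), max_events=100):
    """URL for one pull; parameter names are assumed from the RDEP spec."""
    params = {"events": "evAlert", "alertSeverities": ",".join(severities),
              "startTime": str(start_time), "maxNrOfEvents": str(max_events)}
    return f"https://{sensor}/cgi-bin/event-server?{urlencode(params)}"


def parse_alerts(xml_bytes):
    """Turn an event-server reply into Alert records (element names assumed)."""
    return [Alert(time=int(ev.findtext("time")), severity=ev.get("severity", ""),
                  sig_id=ev.find("signature").get("sigId", ""),
                  attacker=ev.findtext("participants/attacker/addr", ""),
                  victim=ev.findtext("participants/target/addr", ""))
            for ev in ET.fromstring(xml_bytes).iter("evAlert")]


def next_start(alerts, start_time):
    """High-water mark so the next poll resumes after the newest event seen."""
    return max(a.time for a in alerts) + 1 if alerts else start_time


def fetch_alerts(sensor, user, password, start_time):
    """One HTTPS GET against the sensor; returns (alerts, next start_time)."""
    req = urllib.request.Request(build_event_url(sensor, start_time))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        alerts = parse_alerts(resp.read())
    return alerts, next_start(alerts, start_time)


SAMPLE_XML = b"""<events><evAlert severity="high"><time>1077000000001</time>
<signature sigId="3030"/><participants><attacker><addr>10.0.0.5</addr></attacker>
<target><addr>10.0.1.7</addr></target></participants></evAlert>
<evAlert severity="medium"><time>1077000000002</time><signature sigId="2004"/>
<participants><attacker><addr>10.0.0.9</addr></attacker>
<target><addr>10.0.1.7</addr></target></participants></evAlert></events>"""  # constructed
```

Running `fetch_alerts` in a loop per sensor, feeding `next_start` back in, gives the direct pull model the thread describes without routing through VMS.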

