Cisco Support Community
New Member

CSA (Host IDS) and Source IP

I am monitoring CSA Agents on the CiscoWorks Security Monitor. I notice that most alerts, specifically the alerts triggered by web server exploit attempts, don't record the Source IP address and Port of the attacker. I understand the difference between NIDS and HIDS, but having past experience with Sygate, I don't understand why the CSA Agents aren't capable of also recording this additional network information to help with alert analysis?

Could I have something configured improperly? Or is Cisco's HIDS just that specific?

3 REPLIES
Blue

Re: CSA (Host IDS) and Source IP

I don't have any experience using the CiscoWorks Security Monitor, but CSA hosts reporting to the CSAMC on VMS report source IP and port information. It is based on rules whether it allows, denies and logs the information. Does the CiscoWorks Security Monitor allow you to modify the rules that apply to the CSA hosts?

Silver

Re: CSA (Host IDS) and Source IP

Only Network Access Control List (NACL) rules show IP information in the logs. The other rules log different stuff. It cannot be turned on either.

New Member

Re: CSA (Host IDS) and Source IP

Can the other rules be modified into NACL rules?
