Cisco Support Community
New Member

IPS SNMP alarms

Hi,

My question concerns the way to send SNMP traps as an alert format.

I am totally aware that the AIP-SSM/IPS 4200 does not support syslog as an alert format.

The default method is through SDEE, but I really don't want to use MARS to get my security events (I have more than 10 devices, so don't think about IME).

I've read that I have to configure individual signatures in order to generate an SNMP trap as an action to take when they are triggered.

So is this correct?:

snmp-1.png

Is it possible to enable it "globally"? For example, for all signatures with a level higher than informational? Is it done with this option?:

snmp-2.png

What is the first action, "deny packet inline"? Is it really done because I am using the AIP-SSM in promiscuous mode...

Thanks a lot!

2 REPLIES
New Member

Re: IPS SNMP alarms

Hello


I also miss syslog in Cisco IPS. But your problem is solvable. You can use Event Action Overrides to set an added action (SNMP trap) for all alarms which reach a specific risk (maybe high risk, or medium risk, or low risk, or user-defined risk, as you need). The value "Informational" is not a risk value; it is a severity (only one part of the risk value).

Deny packet inline is usable only in inline mode. This action drops the packet which is triggered by a specific signature. You can use only the TCP reset action to stop some kinds of attack in promiscuous mode.

New Member

Re: IPS SNMP alarms

Hello,

You can use Event Action Overrides to set an added action (SNMP trap) for all alarms which reach a specific risk (maybe high risk, or medium risk, or low risk, or user-defined risk, as you need).

When you're talking about the "Event Action Overrides", are you referring to the second screenshot I've posted? In this configuration, all enabled signatures should trigger an SNMP trap, right? (Even if I didn't set the "request SNMP trap" option in all signatures?)

Deny packet inline is usable only in inline mode. This action drops the packet which is triggered by a specific signature. You can use only the TCP reset action to stop some kinds of attack in promiscuous mode.

Yes, that's what I thought. But this action (Deny packet inline) is not removable from the HIGHRISK. So it is not taken into account when using the IPS in promiscuous mode?

Thanks,

Regards.
