i do mostly network management & monitoring using various NMS platforms. i'm not the security person.
my question is this, we recently implemented an IDS. Can it benifit us any to capture it's SYSLOG messages, SNMP TRAPS, SNMP polling, etc for network management?
When you say IDS. Do you mean network or host based.
Both can help the network management and monitoring team by giving them a heads up.
E.G One of your servers is getting a SYN flood attack. This would be a denial of service warning.
If you have the money get an IPS. IDS let's you know something is happening and you have to react. If you have IPS, it will stop the bulk of attacks.
An IPS can also interrupt business traffic due to excessive blocking, introduce latency, or take down the network if it fails. It is NOT a magic cure-all solution despite the marketing literature.
Larry asked about syslog & SNMP monitoring. The Cisco sensors have limited SNMP capability and is really only good for up/down and they do not support syslog leaving the box (a pity).
I would ping poll the sensors for up/down and have your security platform monitor for a continuous stream of security events (create a heartbeat signature which triggers every 5 minutes for example). If you are receiving security events regularly then you know the sensor is sniffing traffic properly and has a working analysis-engine. If those events stop, then trap on that and investigate. If you truly wanted more, you can create a service account and run commands remotely from your network monitoring platform (like df or ps etc).
Just an FYI, The sensor can be configured to send SNMP Traps for Error events, or Alerts, or Both.
The configuration for Alerts requires you to set an event action of "request-snmp-traps" on the specific signatures for which you want snmp traps generated, or to create an Event Action Override for "request-snmp-traps" to force the action for all alerts above/within a certain Risk Rating level.
There are some users that do All of their alert monitoring through these SNMP Traps, while more commonly users will make use of a combination of SNMP Traps as well as purpose built Event viewer (like IME, IEV, or MARS).
Understand though that SNMP Traps for alerts do not contain the same level of information available thorugh the purpose built Event Viewers. But the SNMP Traps do still have value. Some customers will setup SNMP Traps for those specific signatures that a network management team may specifically be interested in. Signatures that detect network floods or scans which can affect network performance are often good candidates for creation of SNMP Traps in order to alert the network management team of possible network outages that might ocurr.
In addition other users may already have a highly designed notification system (emails, pagers, etc..) built around SNMP Traps. So generating SNMP Traps for critial alerts can allow them to make use of that existing system especially over the evening or weekends.
as usual, very good points marco. I had forgotten that you CAN set individual sig actions to send snmp traps. It would be nice to have a global config option though (while I'm dreaming, don't limit it to that action either, let me globally set a default set of actions).
Are you familiar with Event Action Overrides for adding any actions to any alert within a configurable range of Risk Ratings?
All actions can be added through Event Action Overrides except modify-packet-inline because it is such a specialized action in the Normalizer engine only.
Or alternatively being able to bring up the Signature Configuration window in IME or IDM and being able to hit the Select All button.
Then hit the Actions button and add an action to all of the selected signatures.
NOTE: You can both and add and remove actions from a large set of signatures with this method.
(Though I would recommend fitlering by Severity or Base RR, and then adding the Request SNMP Trap action to only the Medium or higher severity signatures, or only those signatures with Risk Rating 50 or higher. You would not want Traps being created for Informational or Low severity alerts)
The Event Action Override method does not edit the individual signatures but instead adds the actions after the signature has been triggered and a Risk Rating determined for the specific triggering. If the Risk Rating for that triggering fits the range then that action is added for that specific triggering.
The Select ALL and Action editing method in IME/IDM does edit the actual signatures to add the action, and happens for all triggering of the selected signatures.
Are you looking for something other than these 2 features/methods?
If so, then can you describe what you are looking for in a "global config option" so I can pass it on to the IPS marketing team for consideration as a future usability enhancement request?
> Or alternatively being able to bring up the Signature Configuration window in IME or IDM and being able to hit the Select All button.
How does this behave for new signatures provided through updates. Do I have to do this every time again to enable SNMP for the new signatures as well?
Yes, if you choose to modify the actions of each sig, you will. However, you can set a RR of 0-100 so that all alarms generate a trap. Then, you won't have to modify the signatures every time.
it is network based.
the IDS will soon point to a MARS box.
do you know if MARS does any SYSLOG and SNMP TRAP?
attmidsteam already answered this question. If you're asking about alarm events (i.e. a signature that fired an alert), then unfortunately, the answer is no.
sure, if nothing else you'll have a log of the alarm. If you want to do anything proactive, you're NMS will need to be able to parse and "understand" the alarms it receives.
I am using IPS-4255 (1.1 - 5.1(8)E2) & for monitoring I am using SolarWinds Server. I config my IPS to send Traps & also the snmp. But I am not able to get any CPU & Memory Informatio n of the Sensor.
Can anybody tell me what are the Exact SNMP Information & Trap Information send by the IPS to the Monitoring Server. (I am talking about the Sending Trap for Firing Signatures).