Cisco Support Community

New Member

question about SYSLOG and SNMP with IPS/IDS sensors

I do mostly network management & monitoring using various NMS platforms. I'm not the security person.

My question is this: we recently implemented an IDS. Can it benefit us any to capture its SYSLOG messages, SNMP traps, SNMP polling, etc. for network management?

thanks,

larry

12 REPLIES
New Member

Re: question about SYSLOG and SNMP with IPS/IDS sensors

Hi Larry,

When you say IDS, do you mean network or host based?

Both can help the network management and monitoring team by giving them a heads up.

E.g. one of your servers is getting a SYN flood attack. This would be a denial of service warning.

If you have the money, get an IPS. IDS lets you know something is happening and you have to react. If you have IPS, it will stop the bulk of attacks.

Silver

Re: question about SYSLOG and SNMP with IPS/IDS sensors

An IPS can also interrupt business traffic due to excessive blocking, introduce latency, or take down the network if it fails. It is NOT a magic cure-all solution despite the marketing literature.

Larry asked about syslog & SNMP monitoring. The Cisco sensors have limited SNMP capability, which is really only good for up/down, and they do not support syslog leaving the box (a pity).

I would ping poll the sensors for up/down and have your security platform monitor for a continuous stream of security events (create a heartbeat signature which triggers every 5 minutes for example). If you are receiving security events regularly then you know the sensor is sniffing traffic properly and has a working analysis-engine. If those events stop, then trap on that and investigate. If you truly wanted more, you can create a service account and run commands remotely from your network monitoring platform (like df or ps etc).

Gold

Re: question about SYSLOG and SNMP with IPS/IDS sensors

Doh! I forgot that the SNMP traps are not on alarm events, just error events.

Cisco Employee

Re: question about SYSLOG and SNMP with IPS/IDS sensors

Just an FYI, the sensor can be configured to send SNMP Traps for Error events, or Alerts, or both.

The configuration for Alerts requires you to set an event action of "request-snmp-traps" on the specific signatures for which you want snmp traps generated, or to create an Event Action Override for "request-snmp-traps" to force the action for all alerts above/within a certain Risk Rating level.

There are some users that do all of their alert monitoring through these SNMP Traps, while more commonly users will make use of a combination of SNMP Traps as well as a purpose-built event viewer (like IME, IEV, or MARS).

Understand though that SNMP Traps for alerts do not contain the same level of information available through the purpose-built Event Viewers. But the SNMP Traps do still have value. Some customers will set up SNMP Traps for those specific signatures that a network management team may specifically be interested in. Signatures that detect network floods or scans which can affect network performance are often good candidates for creation of SNMP Traps in order to alert the network management team of possible network outages that might occur.

In addition, other users may already have a highly designed notification system (emails, pagers, etc.) built around SNMP Traps. So generating SNMP Traps for critical alerts can allow them to make use of that existing system, especially over the evenings or weekends.

Gold

Re: question about SYSLOG and SNMP with IPS/IDS sensors

As usual, very good points Marco. I had forgotten that you CAN set individual sig actions to send SNMP traps. It would be nice to have a global config option though (while I'm dreaming, don't limit it to that action either, let me globally set a default set of actions).

Cisco Employee

Re: question about SYSLOG and SNMP with IPS/IDS sensors

Are you familiar with Event Action Overrides for adding any actions to any alert within a configurable range of Risk Ratings?

All actions can be added through Event Action Overrides except modify-packet-inline because it is such a specialized action in the Normalizer engine only.

Or alternatively being able to bring up the Signature Configuration window in IME or IDM and being able to hit the Select All button.

Then hit the Actions button and add an action to all of the selected signatures.

NOTE: You can both add and remove actions from a large set of signatures with this method.

(Though I would recommend filtering by Severity or Base RR, and then adding the Request SNMP Trap action to only the Medium or higher severity signatures, or only those signatures with Risk Rating 50 or higher. You would not want Traps being created for Informational or Low severity alerts.)

The Event Action Override method does not edit the individual signatures but instead adds the actions after the signature has been triggered and a Risk Rating determined for the specific triggering. If the Risk Rating for that triggering fits the range then that action is added for that specific triggering.

The Select ALL and Action editing method in IME/IDM does edit the actual signatures to add the action, and happens for all triggering of the selected signatures.

Are you looking for something other than these 2 features/methods?

If so, then can you describe what you are looking for in a "global config option" so I can pass it on to the IPS marketing team for consideration as a future usability enhancement request?

New Member

Re: question about SYSLOG and SNMP with IPS/IDS sensors

> Or alternatively being able to bring up the Signature Configuration window in IME or IDM and being able to hit the Select All button.

How does this behave for new signatures provided through updates? Do I have to do this every time again to enable SNMP for the new signatures as well?

Gold

Re: question about SYSLOG and SNMP with IPS/IDS sensors

Yes, if you choose to modify the actions of each sig, you will. However, you can set an RR of 0-100 so that all alarms generate a trap. Then, you won't have to modify the signatures every time.
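The two monitoring ideas raised in this thread, a heartbeat signature whose silence signals a dead analysis engine and a Risk Rating range that decides which alerts earn a trap, expressed as an added Python check that is not part of the original thread or of any Cisco tool. The signature ids, the sample alert stream and the 60000 heartbeat id are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

HEARTBEAT_SIG = 60000                 # constructed custom signature id for the 5-minute heartbeat
HEARTBEAT_INTERVAL = timedelta(minutes=5)
TRAP_RR_RANGE = (50, 100)             # trap only for Risk Rating 50-100, as advised in the thread


@dataclass
class Alert:
    ts: datetime
    sig_id: int
    risk_rating: int                  # 0-100, computed by the sensor per triggering


def trap_wanted(alert, rr_range=TRAP_RR_RANGE):
    """Mirror an Event Action Override: the trap action is added only when the
    per-triggering Risk Rating falls inside the configured range."""
    lo, hi = rr_range
    return lo <= alert.risk_rating <= hi


def heartbeat_ok(alerts, now, interval=HEARTBEAT_INTERVAL, grace=2):
    """Healthy if the heartbeat signature fired within `grace` intervals of `now`.
    No heartbeat means the sensor is not sniffing or its analysis engine is down."""
    beats = [a.ts for a in alerts if a.sig_id == HEARTBEAT_SIG]
    if not beats:
        return False
    return now - max(beats) <= interval * grace


def evaluate(alerts, now):
    """Return the alerts that should raise a trap plus the sensor health verdict."""
    traps = [a for a in alerts if a.sig_id != HEARTBEAT_SIG and trap_wanted(a)]
    return {"traps": traps, "heartbeat_ok": heartbeat_ok(alerts, now)}


# Constructed sample event stream (not real sensor output).
NOW = datetime(2009, 3, 1, 12, 0)
SAMPLE = [
    Alert(NOW - timedelta(minutes=14), HEARTBEAT_SIG, 0),
    Alert(NOW - timedelta(minutes=9), HEARTBEAT_SIG, 0),
    Alert(NOW - timedelta(minutes=8), 50001, 75),   # flood-style alert, high RR: trap
    Alert(NOW - timedelta(minutes=3), 50002, 25),   # informational, low RR: no trap
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, NOW))
```

Feeding the NMS the same rule keeps trap volume aligned with what the override on the sensor would produce, while the heartbeat verdict is the up/down signal SNMP polling alone cannot give.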

New Member

Re: question about SYSLOG and SNMP with IPS/IDS sensors

It is network based.

The IDS will soon point to a MARS box.

Do you know if MARS does any SYSLOG and SNMP TRAP?

Thanks

Gold

Re: question about SYSLOG and SNMP with IPS/IDS sensors

attmidsteam already answered this question. If you're asking about alarm events (i.e. a signature that fired an alert), then unfortunately, the answer is no.

Gold

Re: question about SYSLOG and SNMP with IPS/IDS sensors

Sure, if nothing else you'll have a log of the alarm. If you want to do anything proactive, your NMS will need to be able to parse and "understand" the alarms it receives.

New Member

Re: question about SYSLOG and SNMP with IPS/IDS sensors

Hi All,

I am using IPS-4255 (1.1 - 5.1(8)E2) & for monitoring I am using SolarWinds Server. I configured my IPS to send Traps & also the SNMP. But I am not able to get any CPU & Memory Information of the Sensor.

Can anybody tell me what are the exact SNMP Information & Trap Information sent by the IPS to the Monitoring Server? (I am talking about the Sending Trap for Firing Signatures.)

Regards

Adnan
