VMS secmon and Trigger Packet

Right, in the network there is a VMS Server 2.3sp2 and several 5.1.5E1s283.0 sensors. We have enabled the following commands on the sensors:

    overrides produce-verbose-alert
    override-item-status Enabled
    risk-rating-range 50

SDEE events are received in the VMS SecMon console. In the past with this enabled, when the Risk Rating was above 50 on any event received in the console, this would produce a (verbose) trigger packet that would be viewable on the console by right-clicking the event and then selecting tools/trigger packet. However, it seems that this is not the case anymore.

Could someone tell me if this function still works or has something changed that makes it not possible anymore?

2 REPLIES

Re: VMS secmon and Trigger Packet

Check to see if you are still reporting Risk Ratings on your events in SecMon. We have had some sensor updates break Risk Ratings. Re-importing the sensor in VMS fixes that problem.


Re: VMS secmon and Trigger Packet

If I run show events on a sensor where I have enabled the commands:

    overrides produce-verbose-alert
    override-item-status Enabled
    risk-rating-range 50

The event that is captured on the screen is as follows.

    sensor# sh events
    evIdsAlert: eventId=removed severity=high vendor=Cisco
      originator:
        hosted sensor
        appName: sensorApp
        appInstanceId: 5037
      time: 2007/05/30 08:05:57 2007/05/30 10:05:57 CET
      signature: description=Cursor/Icon File Format Buffer Overflow id=5442 version=S137
        subsigId: 0
        sigDetails: Malicious ANI File
      interfaceGroup:
      vlan: 0
      participants:
        attacker:
          addr: locality=OUT removed
          port: 8080
        target:
          addr: locality=OUT removed
          port: 46531
      context:
        fromTarget:
          text removed
        fromAttacker:
          text removed
      riskRatingValue: 60
      interface: ge2_0
      protocol: tcp

The event includes the risk rating value. Is that what you mean?

In the past the events collected were IDIOM events, but now they are SDEE. Is there a difference as far as the triggered packets are concerned? In the past the event included a section called triggerPacket, but I don't see that anymore.
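Added example (not code from the thread or from Cisco): a small Python parser for sensor `show events` output that does by script what the poster is doing by eye, listing alerts whose riskRatingValue meets the risk-rating-range threshold but which carry no triggerPacket section. The sample output is constructed, and the two-space indentation of nested fields is an assumption about the sensor's formatting.

```python
"""Flag IPS alerts at or above a risk-rating threshold that lack a triggerPacket."""
import re

# Constructed sample: three evIdsAlert records in the 'show events' layout.
# Only event 2 carries a triggerPacket field.
SAMPLE_OUTPUT = """\
evIdsAlert: eventId=1 severity=high vendor=Cisco
  originator:
    hostId: sensor
  signature: description=Cursor/Icon File Format Buffer Overflow id=5442 version=S137
    subsigId: 0
  riskRatingValue: 60
  interface: ge2_0
  protocol: tcp
evIdsAlert: eventId=2 severity=medium vendor=Cisco
  signature: description=constructed id=9999 version=S1
  riskRatingValue: 70
  triggerPacket: <captured bytes would appear here>
  interface: ge2_0
evIdsAlert: eventId=3 severity=low vendor=Cisco
  riskRatingValue: 30
  interface: ge2_0
"""


def parse_alerts(text):
    """Split output on 'evIdsAlert:' headers; collect each alert's 'key: value'
    lines into one flat dict (nesting is ignored, which is enough for this check)."""
    alerts = []
    for line in text.splitlines():
        if line.startswith("evIdsAlert:"):
            alerts.append({"header": line, "fields": {}})
        elif alerts and ":" in line:
            key, _, value = line.strip().partition(":")
            alerts[-1]["fields"][key] = value.strip()
    return alerts


def missing_trigger_packets(text, threshold=50):
    """Return eventIds of alerts whose risk rating is >= threshold but that
    have no triggerPacket section, i.e. where the verbose-alert override
    did not take effect."""
    flagged = []
    for alert in parse_alerts(text):
        risk = int(alert["fields"].get("riskRatingValue", "0"))
        if risk >= threshold and "triggerPacket" not in alert["fields"]:
            match = re.search(r"eventId=(\S+)", alert["header"])
            flagged.append(match.group(1) if match else "unknown")
    return flagged


if __name__ == "__main__":
    print(missing_trigger_packets(SAMPLE_OUTPUT))  # ['1']
```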
