GLBA Reporting - Attacks shunned by IDS

atomike10
Level 1

I have one more issue with reporting. I notice under GLBA reports there is an "attacks prevented by cisco IPS - all events" report. We actually run IDS and are using a router to actively shun packets, and that is not included within the scope. I tried adjusting the query in this report, but have been unable to get the results I expect.

The portion of the Raw Event Message that I am trying to search is  'shunRequested:  true'  from the below event.  When I do a query and put that in the 'keyword field' and search within the timeframe this event happened (searching for raw event) it returns 0 results.  Does anyone know a good way to search for events shunned within a GLBA report?  And it really doesn't have to come back with raw events or anything, any other suggestions for this are welcome.

Thanks,

Michael

SAMPLE EVENT BELOW:

evIdsAlert:  eventId="1268318206324079819"  severity="high"  vendor="Cisco" 
    originator: 
        hostId:  OMITTED
        appName:  sensorApp
        appInstanceId:  31165 
    time:  Apr 27 2010 05:00:59 CDT (1272362459865550000)  offset="-300"  timeZone="UTC" 
    signature:  created="20010202"  type="anomaly"  version="S2"  description="TCP SYN/FIN Packet"  id="3041" 
        subsigId:  0 
        marsCategory:  Probe/Host/Stealth 
    interfaceGroup:  vs0 
    vlan:  0 
    participants: 
        attacker: 
            addr:  81.45.216.133  locality="any" 
            port:  24394 
        target: 
            addr:  OMITTED  locality="INSIDE" 
            port:  25 
            os:  idSource="learned"  relevance="relevant"  type="linux" 
    actions: 
        tcpResetSent:  true 
        shunRequested:  true 
        denyPacketRequestedNotPerformed:  true 
        denyFlowRequestedNotPerformed:  true 
        denyAttackerRequestedNotPerformed:  true 
    riskRatingValue:  100  attackRelevanceRating="relevant"  targetValueRating="mission-critical" 
    threatRatingValue:  80 
    interface:  ge0_1 
    protocol:  tcp 
    globalCorrelation: 
        globalCorrelationScore:  -3.3 
        globalCorrelationRiskDelta:  1 
        globalCorrelationModifiedRiskRating:  false 
        globalCorrelationDenyPacket:  true 
        globalCorrelationDenyAttacker:  true 
        globalCorrelationOtherOverrides:  false 
        globalCorrelationAuditMode:  false 

1 Reply

atomike10
Level 1

I found a way to get the information needed. Instead of searching for 'shunRequested:  true', we just searched for the keyword 'shunRequested'. If a shun is not requested, obviously that action is not attempted, therefore it is not in the raw packet. Thanks,
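To make the reply's approach concrete, here is an added Python example (not from the thread and not Cisco MARS code) that parses the indented evIdsAlert text shown above into nested dicts and filters a batch of raw alerts down to those whose actions block carries shunRequested; the two sample alerts and the function names are constructed for illustration.

```python
import re

# Constructed samples, trimmed to the alert format posted above (not live events).
SHUNNED = """\
evIdsAlert:  eventId="1268318206324079819"  severity="high"  vendor="Cisco"
    signature:  created="20010202"  type="anomaly"  description="TCP SYN/FIN Packet"  id="3041"
        marsCategory:  Probe/Host/Stealth
    actions:
        tcpResetSent:  true
        shunRequested:  true
        denyPacketRequestedNotPerformed:  true
    riskRatingValue:  100  attackRelevanceRating="relevant"
"""
NOT_SHUNNED = """\
evIdsAlert:  eventId="1268318206324079820"  severity="medium"  vendor="Cisco"
    signature:  created="20010202"  type="anomaly"  description="TCP SYN/FIN Packet"  id="3041"
    actions:
        tcpResetSent:  true
    riskRatingValue:  60  attackRelevanceRating="relevant"
"""

def parse_alert(text):
    """Build nested dicts from the indented 'key:  value' lines; each node keeps
    its own value under '_value' and its more-indented children as further keys."""
    root = {}
    stack = [(-1, root)]                  # (indent, node) path from root to current parent
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, rest = line.strip().partition(":")
        node = {"_value": rest.strip()} if rest.strip() else {}
        while stack[-1][0] >= indent:     # climb back out to this line's parent
            stack.pop()
        stack[-1][1][key] = node
        stack.append((indent, node))
    return root

def shun_requested(alert):
    """True only when the actions block carries shunRequested: true."""
    actions = alert.get("evIdsAlert", {}).get("actions", {})
    return actions.get("shunRequested", {}).get("_value") == "true"

def shunned_event_ids(raw_events):
    """Return the eventId of every raw alert whose actions requested a shun."""
    ids = []
    for raw in raw_events:
        alert = parse_alert(raw)
        if shun_requested(alert):
            m = re.search(r'eventId="(\d+)"', alert["evIdsAlert"].get("_value", ""))
            ids.append(m.group(1) if m else None)
    return ids
```

An exact substring match such as "shunRequested: true" is sensitive to the spacing in the raw message, whereas testing the parsed field, or the bare keyword as the reply does, is not.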