Cisco VMS - IDS MC questions

msmitha
Level 1

I need to setup the VMS - IDS MC and have some questions. Can anybody help, please?

1. Would the VMS solution be an all-inclusive one-box setup or would that require us to build another or use an existing DBMS? If it uses an external DBMS what does it work with?

2. Assuming an external DBMS is required (based on your answer to the 1st question), If we use only the IDS MC for managing Cisco IDS sensors and DO NOT use the Security Monitor component, would we still need the external DBMS?

3. The latest version of Cisco VMS (2.2?) runs on Solaris 2.8. Could you please confirm? If yes, what are the specifications for a recommendation system?

Thanks for your time and help.

10 Replies

ywadhavk
Cisco Employee

Hi Smitha,

1. VMS 'can' easily be a single-box solution. Common Services, PIX MC, IDS MC and Security Monitor, along with a few other components, can co-exist on the same box. The DB used is Sybase and it comes along with this install. No external DB is required.

2. Security Monitor will be required to get all the sensor's alarms, for reporting, email notifications, etc.

3. Starting with VMS 2.2, support for Solaris was also incorporated. The VMS bundle is supported on both Solaris 2.6 and 2.7.

• Sun UltraSPARC 60 MP with 440 MHz or faster processor

• Sun UltraSPARCIII (Sun Blade 2000 Workstation or Sun Fire 280R Workgroup Server)

• CD-ROM drive

• 100BASE-T or faster connection

• 1 GB RAM

• 9 GB available disk drive space

• 2 GB virtual memory

Hope this helps,

Yatin

Thanks, Yatin. Could anybody help me with these too?

1. Can I get VMS-IDS MC to monitor the daemons/processes/services which are required to run on the 4.x sensors and generate a high event when a particular daemon/service stops and/or fails to restart? Is it also possible to send an email or paging notification based on such an event? I understand that there is no postofficed daemon on the ver 4.x sensors anymore. Can VMS-IDS MC do this? If yes, how does it work?

2. Can VMS-IDS MC download the latest service pack and signature updates directly from a Cisco site and alert/email an admin to apply them?

3. Is it possible to export raw data (packet payload) collected due to events generated on a CSIDS ver 4.x sensor to a central FTP or SCP server? If yes, can we use VMS-IDS MC to configure it on the CSIDS ver 4.x sensor?

4. It may be a good idea to monitor available disk space/disk usage and NTP/time settings on the CSIDS ver 4.x sensors. Would it be possible to do it using VMS-IDS MC?

5. Finally, how can I setup a highly redundant VMS-IDS MC system based on Solaris 8? Does Cisco recommend any solutions?

Thanks a ton.

Yatin, can you please help.

Thanks

1. This is interesting. I don't know of an automatic method in existence right now, and neither can VMS report/alert if some daemons go down. You are right, the 4.x sensor is not using the postoffice protocol anymore. It uses RDEP (Remote Data Exchange Protocol).

2. No, not from the VMS server. You have to get the files into a specific directory on the VMS server, i.e. /MDC/etc/ids/updates.

On the sensor itself, through the CLI (conf t ---> Service Host ---> optionalautoupgrade ---> autoupgradeparams ...), you could do the signature auto-upgrades.

3. You could ftp the eventstore log / iplog files.

4. It should not matter, as the assigned 4GB memory-mapped disk space is a circular memory repository for the events; once it reaches the 4GB mark it gets overwritten by the new events.

5. High Availability / clustering is not yet incorporated.

Thanks,

yatin

5. High Availability / clustering is not yet implemented

Does VMS support a "Secondary Server" (similar to the function of Secondary Directors, whereby a sensor may forward alarms to another server if the first is not available)?

Unfortunately, there is no concept of a backup/secondary Security monitor.

You could have it as an "additional" destination, but not "if" the primary goes down, send it to secondary...nothing like this so far.

Thanks,

yatin

1. This is interesting. I don't know of an automatic method in existence right now, and neither can VMS report/alert if some daemons go down. You are right, the 4.x sensor is not using the postoffice protocol anymore. It uses RDEP (Remote Data Exchange Protocol).

---> What about the Watchdog service? Is that a component of the postoffice protocol only?

One other related question - I noticed that a CLI "show version" would display all the different cids apps which are "running". Is it possible to get a similar result (show ver) through the service account (unix shell). I'm thinking of using a unix shell script which would run it and let me know if all cids apps are running. Thanks,

Hi Smitha,

To the earlier question, the sensor does not automatically alert/notify if any of the processes stop or start. But any management application can use the getVersion control transactions and use the information from that output for any further action.

We do not recommend at all getting into the shell and doing any scripting. Though it is a Linux box, it is customized for its optimum IDS operation, and that could basically create problems that only a reflash of the sensor will fix.

Thanks,

yatin
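The pattern Yatin describes, a management application polling the sensor's status and acting on it rather than scripting on the sensor itself, can be sketched on the management side as follows. This is an added example, not code from the thread or from Cisco; it assumes a hypothetical status listing of the form "AppName State" (one entry per line, constructed here) that a poller obtains from the sensor, and it does not reproduce the real RDEP/getVersion transaction format. The expected application names other than AnalysisEngine (mentioned later in the thread) are placeholders.

```python
"""
Management-side process-health watcher for a sensor that raises no alert of
its own when a daemon stops. Each poll hands in a status snapshot; an expected
application that is missing produces a high-severity "stopped" event, and one
that stays missing beyond a grace period produces a "failed to restart" event
(both can be routed to an email/paging notifier). The snapshot format is
constructed for this example and is NOT the real getVersion output.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Applications the operator expects to see running. AnalysisEngine is named
# in the thread; the other two names are placeholders for this example.
EXPECTED_APPS = {"MainApp", "AnalysisEngine", "cidwebserver"}


@dataclass
class Event:
    severity: str   # "high" for an outage, "low" for a recovery notice
    app: str
    message: str


@dataclass
class Watcher:
    expected: Set[str]
    # Number of polls a missing app is allowed to take to come back before
    # the outage is escalated from "stopped" to "failed to restart".
    restart_grace_polls: int = 1
    # app name -> number of consecutive polls in which it was not running
    missing_since: Dict[str, int] = field(default_factory=dict)
    # Optional hook for email/paging; receives every generated event.
    notify: Optional[Callable[[Event], None]] = None

    def parse_snapshot(self, text: str) -> Set[str]:
        """Return the app names reported as running in a constructed
        'name state' listing, ignoring blank or malformed lines."""
        running: Set[str] = set()
        for line in text.splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[1].lower() == "running":
                running.add(parts[0])
        return running

    def check(self, snapshot: str) -> List[Event]:
        """Compare one poll against the expected set and emit events for
        apps that stopped, stayed down past the grace period, or recovered."""
        running = self.parse_snapshot(snapshot)
        events: List[Event] = []
        for app in sorted(self.expected):
            if app in running:
                if app in self.missing_since:
                    events.append(Event("low", app, "recovered"))
                    del self.missing_since[app]
                continue
            n = self.missing_since.get(app, 0) + 1
            self.missing_since[app] = n
            if n == 1:
                events.append(Event("high", app, "stopped"))
            elif n > self.restart_grace_polls:
                events.append(Event("high", app,
                                    f"failed to restart after {n} polls"))
        if self.notify is not None:
            for event in events:
                self.notify(event)
        return events


def demo() -> List[Event]:
    """Run three constructed polls (healthy, AnalysisEngine down twice,
    healthy again) and return every event that was sent to the notifier."""
    sent: List[Event] = []
    watcher = Watcher(expected=set(EXPECTED_APPS), notify=sent.append)
    healthy = "MainApp Running\nAnalysisEngine Running\ncidwebserver Running\n"
    degraded = "MainApp Running\nAnalysisEngine Stopped\ncidwebserver Running\n"
    for snapshot in (healthy, degraded, degraded, healthy):
        watcher.check(snapshot)
    return sent


if __name__ == "__main__":
    for event in demo():
        print(f"[{event.severity}] {event.app}: {event.message}")
```

The watcher keeps state across polls so that a single missed poll is reported once as "stopped" and a persistent outage is reported separately as "failed to restart", which is the distinction the original question asks for; the notifier hook is where an email or pager integration would attach.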

I will say that I am also interested in strategies for being alerted when daemons stop running. I have a current TAC case open because one of our sensors keeps having AnalysisEngine stop running mysteriously.

Folks,

I totally agree with this and have taken it up with the product team to see if and how we can incorporate this in an easier way.

Will let you know.

Thanks,

yatin
