Cisco Support Community

New Member

Cisco VMS - IDS MC questions

I need to setup the VMS - IDS MC and have some questions. Can anybody help, please?

1. Would the VMS solution be an all-inclusive one-box setup or would that require us to build another or use an existing DBMS? If it uses an external DBMS what does it work with?

2. Assuming an external DBMS is required (based on your answer to the 1st question), If we use only the IDS MC for managing Cisco IDS sensors and DO NOT use the Security Monitor component, would we still need the external DBMS?

3. The latest version of Cisco VMS (2.2?) runs on Solaris 2.8. Could you please confirm? If yes, what are the specifications for a recommendation system?

Thanks for your time and help.

10 REPLIES
Cisco Employee

Re: Cisco VMS - IDS MC questions

Hi Smitha,

1. VMS can easily be a single-box solution. Common Services, PIX MC, IDS MC and Security Monitor, along with a few other components, can co-exist on the same box. The DB used is Sybase and it comes along with this install. No external DB is required.

2. Security Monitor will be required to get all the sensor's alarms, for reporting, email notifications, etc.

3. Starting with VMS 2.2, support for Solaris was also incorporated. The VMS bundle is supported on both Solaris 2.6 and 2.7.

• Sun UltraSPARC 60 MP with 440 MHz or faster processor

• Sun UltraSPARC III (Sun Blade 2000 Workstation or Sun Fire 280R Workgroup Server)

• CD-ROM drive

• 100BASE-T or faster connection

• 1 GB RAM

• 9 GB available disk drive space

• 2 GB virtual memory

Hope this helps,

Yatin

New Member

Re: Cisco VMS - IDS MC questions

Thanks, Yatin. Could anybody help me with these too?

1. Can I get VMS-IDS MC to monitor the daemons/processes/services which are required to run on the 4.x sensors and generate a high event when a particular daemon/service stops and/or fails to restart? Is it also possible to send an email or paging notification based on such an event? I understand that there is no postofficed daemon on the ver 4.x sensors anymore. Can VMS-IDS MC do this? If yes, how does it work?

2. Can VMS-IDS MC download the latest service pack and signature updates directly from a Cisco site and alert/email an admin to apply them?

3. Is it possible to export raw data (packet payload) collected due to events generated on a CSIDS ver 4.x sensor to a central FTP or SCP server? If yes, can we use VMS-IDS MC to configure it on the CSIDS ver 4.x sensor?

4. It may be a good idea to monitor available disk space/disk usage and NTP/time settings on the CSIDS ver 4.x sensors. Would it be possible to do it using VMS-IDS MC?

5. Finally, how can I setup a highly redundant VMS-IDS MC system based on Solaris 8? Does Cisco recommend any solutions?

Thanks a ton.

New Member

Re: Cisco VMS - IDS MC questions

Yatin, can you pls help.

Thanks

Cisco Employee

Re: Cisco VMS - IDS MC questions

1. This is interesting. I don't know of an automatic method in existence right now, and neither can VMS report/alert if some daemons go down. You are right, the 4.x sensor is not using the postoffice protocol anymore. It uses RDEP (Remote Data Exchange Protocol).

2. No, not from the VMS server. You have to get the files into a specific directory on the VMS server, i.e. /MDC/etc/ids/updates.

On the sensor itself, through the CLI (conf t ---> Service Host ---> optionalautoupgrade ---> autoupgradeparams ...), you could do the signature auto-upgrades.

3. You could ftp the eventstore log / iplog files.

4. It should not matter, as the assigned 4 GB memory-mapped disk space is a circular memory repository for the events; it gets overwritten by the new events once it reaches the 4 GB mark.

5. High Availability / clustering is not yet incorporated.

Thanks,

yatin

New Member

Re: Cisco VMS - IDS MC questions

5. High Availability / clustering is not yet implemented

Does VMS support a "Secondary Server" (similar to the function of Secondary Directors, whereby a sensor may forward alarms to another server if the first is not available)?

Cisco Employee

Re: Cisco VMS - IDS MC questions

Unfortunately, there is no concept of a backup/secondary Security Monitor.

You could have it as an "additional" destination, but not "if the primary goes down, send it to the secondary"... nothing like this so far.

Thanks,

yatin

New Member

Re: Cisco VMS - IDS MC questions

1. This is interesting. I don't know of an automatic method in existence right now, and neither can VMS report/alert if some daemons go down. You are right, the 4.x sensor is not using the postoffice protocol anymore. It uses RDEP (Remote Data Exchange Protocol).

---> What about the Watchdog service? Is that a component of the postoffice protocol only?

One other related question: I noticed that a CLI "show version" would display all the different cids apps which are "running". Is it possible to get a similar result (show ver) through the service account (Unix shell)? I'm thinking of using a Unix shell script which would run it and let me know if all cids apps are running. Thanks,

Cisco Employee

Re: Cisco VMS - IDS MC questions

Hi Smitha,

To the earlier question, the sensor does not automatically alert/notify if any of the processes stop or start. But any management application can use the getVersion control transactions and use the information from that output for any further action.

We do not recommend at all getting into the shell and doing any scripting. Though it is a Linux box, it is customized for its optimum IDS operation, and this could basically create problems that only a reflash of the sensor will fix.

Thanks,

yatin
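The following is an added example, not code from the thread or from Cisco. It shows the management-side approach the question and answer above circle around: take the text of the sensor's "show version" (collected from a management host, for example over SSH, rather than by scripting inside the sensor's service-account shell), parse the per-application status lines, and raise an alert for any expected application that is absent or not "Running". The column layout, the application names in EXPECTED_APPS and the sample output are assumptions reconstructed from the 4.x CLI, and the sample is constructed, not captured from a real sensor; adjust the regex and the expected list to match what your sensors actually print.

```python
"""Flag Cisco IDS 4.x applications that 'show version' does not report as Running.

Added example, not part of the forum thread. Intended to run on a management
host that already holds the text of 'show version' (e.g. retrieved over SSH),
never from the sensor's own service-account shell. The line format below is an
assumption based on the 4.x CLI; verify it against a real sensor first.
"""
import re
from typing import Dict, List, Tuple

# Applications a healthy 4.x sensor is assumed to list with a Running status.
# (The CLI process itself prints no status column, so it is not listed here.)
EXPECTED_APPS: Tuple[str, ...] = (
    "MainApp",
    "AnalysisEngine",
    "Authentication",
    "Logger",
    "NetworkAccess",
    "TransactionSource",
    "WebServer",
)

# Assumed layout of one application line:
#   <app>  <build>  (<type>)  <build timestamp>  Running | Not Running
_APP_LINE = re.compile(
    r"^(?P<app>[A-Za-z]+)\s+\S+\s+\([A-Za-z]+\)\s+\S+\s+"
    r"(?P<status>Running|Not Running)\s*$"
)


def parse_app_status(show_version_text: str) -> Dict[str, str]:
    """Return {application: status} for every application line found."""
    status: Dict[str, str] = {}
    for line in show_version_text.splitlines():
        match = _APP_LINE.match(line.strip())
        if match:
            status[match.group("app")] = match.group("status")
    return status


def find_problems(show_version_text: str,
                  expected: Tuple[str, ...] = EXPECTED_APPS) -> List[str]:
    """Return one alert string per expected application that is missing or stopped."""
    seen = parse_app_status(show_version_text)
    problems: List[str] = []
    for app in expected:
        if app not in seen:
            problems.append(f"{app}: not listed in 'show version' output")
        elif seen[app] != "Running":
            problems.append(f"{app}: status is '{seen[app]}'")
    return problems


# Constructed sample (not a real capture): AnalysisEngine has stopped, the
# failure mode mentioned later in the thread.
SAMPLE_SHOW_VERSION = """\
Application Partition:

Cisco Systems Intrusion Detection Sensor, Version 4.1(1)S47

MainApp            2003_Apr_02_21.00   (Release)   2003-04-02T21:06:16-0600   Running
AnalysisEngine     2003_Apr_02_21.00   (Release)   2003-04-02T21:06:16-0600   Not Running
Authentication     2003_Apr_02_21.00   (Release)   2003-04-02T21:06:16-0600   Running
Logger             2003_Apr_02_21.00   (Release)   2003-04-02T21:06:16-0600   Running
NetworkAccess      2003_Apr_02_21.00   (Release)   2003-04-02T21:06:16-0600   Running
TransactionSource  2003_Apr_02_21.00   (Release)   2003-04-02T21:06:16-0600   Running
WebServer          2003_Apr_02_21.00   (Release)   2003-04-02T21:06:16-0600   Running
CLI                2003_Apr_02_21.00   (Release)   2003-04-02T21:06:16-0600
"""

if __name__ == "__main__":
    # Hand the returned strings to whatever mail or paging tool you already use.
    for alert in find_problems(SAMPLE_SHOW_VERSION):
        print("ALERT", alert)
```

Because the check runs from the management host, a sensor that stops answering at all (no output to parse) shows up as every expected application being "not listed", which is the right thing to page on as well.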

New Member

Re: Cisco VMS - IDS MC questions

I will say that I am also interested in strategies for being alerted when daemons stop running. I have a current TAC case open because one of our sensors keeps having AnalysisEngine stop running mysteriously.

Cisco Employee

Re: Cisco VMS - IDS MC questions

Folks,

I totally agree with this and have taken it up with the product team to see if and how we can incorporate this in an easier way.

Will let you know.

Thanks,

yatin
