IDS 4.x appliance questions - help needed

msmitha
Level 1

I'm running a couple of IDS-4210s (ver 4.0) without VMS. Due to certain issues in our network, I cannot use IDS DM or EV (web-gui-tools). Could anybody tell me where the following are located (/usr/cids/idsRoot/ ???):

1. Events as they are generated by the CIDS

2. Raw-data (packet payload) associated with the events that are generated

3. Where is the signature library (NSDB) stored - library used by the CIDS engine?

Thanks for your help.

1 Reply

marcabal
Cisco Employee

Most of the data you seek is under the /usr/cids/idsRoot/var directory.

However, the data you are asking for is no longer simple log files as they were in version 3.1 sensors.

In version 3.1 the alarms were stored in comma-delimited log files. In 4.0 the alarms are stored in an XML file in a circular event storage.

There are no longer multiple files; instead there is a single large (4Gig) memory-mapped file that is more like a database than a log file.

This large single file is known as the EventStore.

You should not try to copy or edit this file, or even try to make much sense of its contents.

Instead of trying to look at the EventStore file itself, you will want to use the new CLI. There is a command "show events" which will pull the events out of the eventStore and display them in a human readable format.

If, however, you want to be able to pull them out yourself, there is a published specification that details the commands that you could use over an HTTPS session to query for these same events from the EventStore. The eventserver would return an XML document containing the XML events.

---------

In 3.1 the binary packet data was stored in IP Logs. A new IP Log file was created for each address being monitored and named according to the address being monitored.

In 4.0 this is no longer the case. The IP Logs are no longer simple log files as they were in 3.1. Instead there is a list of preset files that are simply numbered. SensorApp places the binary packets into these files and keeps an internal table of which file contains the packets for which IP Log.

So users really can't just go to the operating system and copy out an IP Log file like they could in version 3.1.

Instead, in version 4.0 there is an iplog-status command. You execute this command to get a list of the current iplog files and their unique identifiers. With this unique identifier you can use the copy command to copy the IP Log file to your ftp or scp server. When the copy command is executed with the IP Log ID, sensorApp returns the binary packets that make up the IP Log file. The CLI places the packets into a file and copies them to your server.

NOTE: To even get to the /usr/cids/idsRoot/var directory you will need to be logged in with the service account. This account should only be used under the direction of the TAC. In 4.0, as I have stated above, there are no longer log files that can be copied off or read on the system by a typical user. The CLI has the built-in commands to pull that data out and put it into readable formats (or transferable copies).

Making changes through the service account is not supported and could cause problems on the sensor.
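As an added example (not code from this thread, and not Cisco's), here is a small Python parser for an XML event document of the kind the reply above says the eventserver returns over HTTPS: it pulls the evAlert records out, skips non-alert and malformed records, filters by severity, and prints one readable line per alert, roughly what "show events" gives you at the CLI. The element and attribute names (evAlert, severity, signature, participants, and so on) and the sample document are assumptions constructed for this example; the real layout is whatever the published specification defines, so adjust the tag names to match it before pointing this at a real event pull.

```python
"""Parse an XML event document (as returned by an IDS 4.x event server) and
render each alert as one human-readable line, in the spirit of "show events".

ASSUMPTION: the element/attribute names below are a constructed stand-in for
the layout in Cisco's published specification, which this example does not
reproduce. The sample document is CONSTRUCTED for the example.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: two alerts and one status event, as an event server
# might return inside a single XML document (assumed layout).
SAMPLE_XML = """<?xml version="1.0"?>
<events>
  <evAlert eventId="1001" severity="high">
    <time>1060000000</time>
    <signature sigId="2004" subSigId="0" sigName="ICMP Echo Request"/>
    <participants>
      <attacker><addr>192.0.2.10</addr><port>0</port></attacker>
      <victim><addr>198.51.100.5</addr><port>0</port></victim>
    </participants>
  </evAlert>
  <evStatus eventId="1002">
    <time>1060000001</time>
    <message>sensorApp started</message>
  </evStatus>
  <evAlert eventId="1003" severity="low">
    <time>1060000002</time>
    <signature sigId="3030" subSigId="0" sigName="TCP SYN Host Sweep"/>
    <participants>
      <attacker><addr>192.0.2.11</addr><port>40000</port></attacker>
      <victim><addr>198.51.100.6</addr><port>80</port></victim>
    </participants>
  </evAlert>
</events>
"""

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


def parse_alerts(xml_text, min_severity="informational"):
    """Return a list of dicts, one per evAlert at or above min_severity.

    Non-alert events (evStatus, evError, ...) are skipped. An alert with a
    missing or unparsable field is dropped rather than aborting the run, so
    one bad record does not block the rest of the pull.
    """
    root = ET.fromstring(xml_text)
    threshold = SEVERITY_RANK.get(min_severity, 0)
    alerts = []
    for ev in root.findall("evAlert"):
        sev = ev.get("severity", "informational")
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        try:
            sig = ev.find("signature")
            attacker = ev.find("participants/attacker")
            victim = ev.find("participants/victim")
            alerts.append({
                "id": int(ev.get("eventId")),
                # time is assumed to be seconds since the epoch, UTC
                "time": datetime.fromtimestamp(int(ev.findtext("time")),
                                               tz=timezone.utc),
                "severity": sev,
                "sig_id": int(sig.get("sigId")),
                "sig_name": sig.get("sigName", ""),
                "src": attacker.findtext("addr"),
                "src_port": int(attacker.findtext("port")),
                "dst": victim.findtext("addr"),
                "dst_port": int(victim.findtext("port")),
            })
        except (AttributeError, TypeError, ValueError):
            continue  # malformed alert record: skip it
    return alerts


def format_alert(a):
    """One readable line per alert, roughly what 'show events' shows."""
    return (f"{a['time']:%Y-%m-%d %H:%M:%S} UTC  evAlert {a['id']}  "
            f"sev={a['severity']}  sig={a['sig_id']} {a['sig_name']}  "
            f"{a['src']}:{a['src_port']} -> {a['dst']}:{a['dst_port']}")


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_XML, min_severity="low"):
        print(format_alert(alert))
```

Feed it the document you saved from an HTTPS query instead of SAMPLE_XML; because it only reads the XML the eventserver hands back, it never needs the service account or any access to the EventStore file itself.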