Cisco Support Community

New Member

ids connection events

Hi,

I'm working with an IDS 4230 (3.0(5)S17) and a CSPM 2.3.3 i.

I've properly configured the sensor to detect events related to standard IP attacks or connection events.

I've seen that the configured replies for those events (IP blocking, logging and TCP reset) work well, but in the event viewer tool I don't see the connection events I configured; instead the classic IP attacks are shown.

Could anyone give me some explanation? Do I have to change some parameters of the event viewer?

Thanks.

Graz.

4 REPLIES
Cisco Employee

Re: ids connection events

Graz,

Currently the Event Viewer does not display an alarm to notify you that an action has been taken. You can use the Event Viewer's View > Block option to view the hosts or networks being blocked in CSPM.

New Member

Re: ids connection events

Hi,

Thank you for the answer.

My English is very bad, so probably the explanation was not very clear.

The problem is:

I don't want to see the action in the event viewer, but the event that originated this action.

For example: if I configure the sensor (from CSPM) to detect a TCP telnet or web connection and the actions to take are "Block" and "IPLog", when I generate this event the sensor properly shuns my IP address on the managed router and logs the IP session in its nr/usr/var/iplog directory; but the event viewer doesn't show the TCP connection event (on port 23 or 80).

I hope it is clear,

Thanks in advance.

Graz.

Cisco Employee

Re: ids connection events

TCP connections are part of the 3000 TCP Connection signature.

The specific port is the subsignature.

So a telnet to port 23 would create a 3000 signature with a 23 subsignature.

UDP connections are similar, with the 4000 UDP signature.

These subsignatures can each be assigned a severity level.

The typical severity that people set is low (or 1).

The sensor can both log events and send events to the CSPM box.

By default the sensor will log low severity events and higher, but by default only medium severity events and higher are sent to CSPM.

So if you are not seeing the 3000 signature with subsignature 23 for the telnet connection in your CSPM, then check to see what severity the subsignature has been set to, and check what severity is being sent to CSPM (look in the filters tab).

You may need to raise the severity for the telnet connection to Medium, or you may need to lower the severity of alarms you send to CSPM to Low.
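A small model of the two-tier severity filtering described in the reply above, added here as an illustration and not code from Cisco or from this thread. Only the signature numbers 3000/4000, the port-as-subsignature rule and "low = 1" come from the reply; the numeric values for Medium and High, the sample events and the placeholder signature 9999 are constructed assumptions.

```python
# Model of sensor-side logging vs. forwarding to CSPM (constructed illustration,
# not Cisco code). Per the reply: the sensor logs Low and higher locally, but
# by default only Medium and higher is sent to CSPM, so a connection
# subsignature left at Low never reaches the Event Viewer.
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 2, 3   # assumed scale; only "low = 1" is stated in the thread


@dataclass(frozen=True)
class Event:
    sig: int       # 3000 = TCP connection, 4000 = UDP connection (from the reply)
    subsig: int    # destination port for the 3000/4000 signatures
    severity: int


def route_events(events, log_threshold=LOW, cspm_threshold=MEDIUM):
    """Split events into those logged on the sensor and those forwarded to CSPM."""
    logged = [e for e in events if e.severity >= log_threshold]
    forwarded = [e for e in events if e.severity >= cspm_threshold]
    return logged, forwarded


def reaches_cspm(sig, subsig, subsig_severity, cspm_threshold=MEDIUM):
    """True if this signature/subsignature, at its configured severity, is forwarded."""
    return subsig_severity.get((sig, subsig), LOW) >= cspm_threshold


# Constructed sample: telnet, web and DNS connections at the default Low severity,
# plus one higher-severity alarm with a placeholder signature id (9999).
SAMPLE = [Event(3000, 23, LOW), Event(3000, 80, LOW),
          Event(4000, 53, LOW), Event(9999, 0, HIGH)]


def demo():
    """Return forwarded counts for: defaults, fix 1 (raise subsig), fix 2 (lower filter)."""
    _, forwarded_default = route_events(SAMPLE)
    # Fix 1: raise the telnet subsignature (3000/23) to Medium.
    raised = [Event(e.sig, e.subsig, MEDIUM) if (e.sig, e.subsig) == (3000, 23) else e
              for e in SAMPLE]
    _, forwarded_fix1 = route_events(raised)
    # Fix 2: lower the CSPM filter to Low so every logged event is also sent.
    _, forwarded_fix2 = route_events(SAMPLE, cspm_threshold=LOW)
    return len(forwarded_default), len(forwarded_fix1), len(forwarded_fix2)


if __name__ == "__main__":
    print(demo())  # (1, 2, 4)
```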

New Member

Re: ids connection events

Thanks, I'll try it!

Graz
