Cisco Support Community
Community Member

NIDS Action when VMS/CSPM is not available

Hi All,

I would like to know what happens when the NIDS (4235) detects an attack and the VMS, which is supposed to receive an alert and take an action (e-mail, closing the port etc.) against the attack, is down. In this event can the NIDS be configured to take an alternate action by itself? Thank you for your response.

Regards,

Murali

5 REPLIES
Cisco Employee

Re: NIDS Action when VMS/CSPM is not available

Hi Murali,

The defined action against the detection of a certain signature is taken by the sensor itself. The VMS server does not come into the picture in processing this action. So even if the VMS server is down, the action is taken by the sensor.

As for receiving the event into the VMS event log and the subsequent email, that is something that the Security Monitor does, and it needs to be up.

There are 2 aspects to this. If the sensor is on a 3.x version, then the alarm / event might be lost depending on how long the SecMon server was down, because the sensor can hold only a finite amount of event logs in its hold.

This "pull" process has been dropped in the 4.0 version.

If the sensor is on the 4.0 version, then the process is a bit different. It can hold up to 4GB worth of alarms and holds them until it detects that the VMS server has come online, and then "pushes" the events to the server.

Hope this helps.

Thanks,

Yatin

Cisco Employee (Accepted Solution)

Re: NIDS Action when VMS/CSPM is not available

A little clarification on my earlier post;

The push mechanism is from the IDS's perspective. Normally it is the perspective from the Security Monitor. In that case, the mechanism is a "pull" method starting with the 4.0 version. This prevents a loss of events since, when the Security Monitor server comes up or has "time" to get in new events from the sensors, it goes into the "pull" mechanism.

Thanks,

yatin

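An added example (not from this thread and not Cisco code) that models the behaviour Yatin describes in the two replies above: the configured response action (shun, iplog, TCP reset) runs on the sensor whether or not the director is reachable, alarms wait in a bounded hold until the Security Monitor pulls them, and e-mail notification only happens on the monitor side once a pull succeeds. The class and function names, the hold sizes and the sample detections are all constructed for the illustration; a small hold stands in for the finite 3.x hold and a large one for the 4.x store.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List

# Response actions the sensor performs on its own (the thread names shun, iplog, tcp reset).
SENSOR_ACTIONS = {"shun", "iplog", "tcp_reset"}


@dataclass(frozen=True)
class Event:
    event_id: int
    signature: str
    src: str
    action: str  # response configured for the signature


@dataclass
class Sensor:
    """Sensor with a bounded alarm hold; capacity models the small 3.x hold
    versus the much larger 4.x store (sizes here are constructed, not real)."""
    capacity: int
    hold: Deque[Event] = field(default_factory=deque)
    responses: List[str] = field(default_factory=list)  # actions executed locally
    local_log: List[int] = field(default_factory=list)  # ids written to the sensor's own log
    dropped: int = 0
    next_id: int = 1

    def detect(self, signature: str, src: str, action: str) -> Event:
        ev = Event(self.next_id, signature, src, action)
        self.next_id += 1
        # The configured action runs on the sensor regardless of director reachability.
        if action in SENSOR_ACTIONS:
            self.responses.append(f"{action}:{src}")
        self.local_log.append(ev.event_id)
        # Queue the alarm for the monitor; a full hold evicts the oldest alarm (lost).
        if len(self.hold) >= self.capacity:
            self.hold.popleft()
            self.dropped += 1
        self.hold.append(ev)
        return ev

    def drain(self) -> List[Event]:
        """Hand every held alarm to the monitor that pulled them and clear the hold."""
        out = list(self.hold)
        self.hold.clear()
        return out


@dataclass
class SecurityMonitor:
    """Director side: pulls alarms and performs director-only actions such as e-mail."""
    received: List[Event] = field(default_factory=list)
    emails: List[str] = field(default_factory=list)

    def pull(self, sensor: Sensor) -> int:
        events = sensor.drain()
        for ev in events:
            self.received.append(ev)
            # E-mail is a director function, so it only happens after a successful pull.
            self.emails.append(f"alert {ev.event_id}: {ev.signature} from {ev.src}")
        return len(events)


def simulate(hold_capacity: int, ticks: int, outage: range) -> Dict[str, int]:
    """One detection per tick; the monitor pulls every tick except during the outage."""
    sensor = Sensor(capacity=hold_capacity)
    monitor = SecurityMonitor()
    for t in range(ticks):
        # Constructed sample detections, not real sensor output.
        sensor.detect("TCP SYN flood", f"10.0.0.{t + 1}", "tcp_reset")
        if t not in outage:
            monitor.pull(sensor)
    return {
        "responses": len(sensor.responses),
        "logged": len(sensor.local_log),
        "delivered": len(monitor.received),
        "emails": len(monitor.emails),
        "lost": sensor.dropped,
    }


if __name__ == "__main__":
    # Monitor down for the first 7 of 10 ticks: every response still fires and every
    # event is logged locally, but a hold of 3 loses 5 alarms while a large store loses none.
    print("small hold :", simulate(hold_capacity=3, ticks=10, outage=range(0, 7)))
    print("large store:", simulate(hold_capacity=4096, ticks=10, outage=range(0, 7)))
```

The point to take from the two runs is that the "responses" and "logged" counters are identical whatever the hold size; only "delivered", "emails" and "lost" depend on how long the monitor was away and how much the sensor can hold in the meantime.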
Community Member

Re: NIDS Action when VMS/CSPM is not available

Hi Yatin,

Thanks for your insight into the issue. I stand clarified.

Best regards

Murali

Cisco Employee

Re: NIDS Action when VMS/CSPM is not available

Hi Murali,

Basically, the sensor would still function the way it should; the only issue would be that it will not be able to report the alarms to a VMS/CSPM director. But if it is supposed to take some action like shun, iplog or tcp reset, it will take those actions. Furthermore it will still populate the log files on the sensor too. However, email notification, which is a function of a "director", be it Security Monitor, CSPM or Unix Director, will not function. For that the "director" has to be up.

The issue of buffering alarms: not possible in 3.x, but it will work in IDS 4.x. So in 4.x

Hope this helps.

Obaid.

Community Member

Re: NIDS Action when VMS/CSPM is not available

Hi Obaid,

Thanks for your reply.

Regards,

Murali

99 Views, 0 Helpful, 5 Replies