New Member

Severity different in IDS MC and IDM - Critical!

Our IDS MC has several signature severities set to high. When I log into the IDM (the web interface on the sensor) those severities are set to medium.

I have changed severities to low on the IDS MC and they appear as Info in the IDM.

The other attributes of the signature appear to be working properly (blocking, enabling the sig, etc). But the severities are not working as they should.

Any thoughts or recommendations?

9 REPLIES
New Member

Re: Severity different in IDS MC and IDM - Critical!

Also,

When I view the history for that config (config-history-specific device config) I can look at that signature and see that it's set to high.

When I look in the IDM for the sensor there are no high severity signatures.

New Member

Re: Severity different in IDS MC and IDM - Critical!

Hi,

You need to go to the Administration->IDM Properties->Severity Mapping menu and adjust the severity mapping to match those of the MC. By default IDM will map alert levels as follows:

1: informational

2: informational

3: low

4: medium

5: high

New Member

Re: Severity different in IDS MC and IDM - Critical!

That is how the IDM is set.

Here is a brief look at our packetd.conf on the sensor.

SigOfGeneral 5349 0 4 # Polycom ViewStation Admin Password

SigOfGeneral 5350 0 0 # PHPnuke email attachment access

SigOfGeneral 6064 0 3 # BIND Large OPT Record DoS

SigOfGeneral 4701 0 2 # SQL Server Slammer WORM packet

Sig 5349 is set to High in the MC

Sig 5350 is set to Info in the MC

Sig 6064 is set to Med in the MC

Sig 4701 is set to Low in the MC

New Member

Re: Severity different in IDS MC and IDM - Critical!

So based off of this I would set the IDM mapping as follows:

1: informational

2: low

3: medium

4: high

5: high

New Member

Re: Severity different in IDS MC and IDM - Critical!

But when I set the severity to high in the MC it's not turning into a severity 5 in the packetd.conf file (as it should). That's what I'd like to get fixed, not how the IDM shows the messages. We have established procedures (automated and procedural) on the severity of the messages.

I NEED to get the high severity signatures in the MC to be a 5 in the packetd.conf file.

Cisco Employee

Re: Severity different in IDS MC and IDM - Critical!

The IDS MC went to a 4 level severity setting:

1 - Informational

2 - Low

3 - Medium

4 - High

If they receive a 5 it becomes a High (4).

All of the Cisco IDS products are going to a 4 level severity mapping with Informational, Low, Medium, and High. (Future versions will use just the names and not numbers for representing severity).

Unfortunately you've found that the numerical mapping isn't consistent between the management products.

I assume you are upgrading from the Unix Director with a 5 level mapping where you had control of the severity number itself to IDS MC with a 4 level mapping where the word and not the number itself are configured.

In fact the old Unix Director could even allow you up to 255 different severities, and had a mapping of Low=1,2 Medium=3, High=4,5.

The end result is that I don't think that there is a way to force the MC to write the Highs as 5s instead of 4s. "4" is the new High for IDS MC users.
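To make the three mappings in this thread concrete (the IDM default mapping quoted above, the adjusted IDM mapping proposed a few replies up, and the 4-level IDS MC mapping in this reply), here is an added example script that reads the SigOfGeneral lines from a packetd.conf and shows how each side would label the same numeric severity. This is not Cisco code and not part of the original thread. It assumes the fourth field of a SigOfGeneral line is the numeric severity (that is how the four lines posted earlier line up with the MC names), that the third field is a sub-signature id, that a severity of 0 (seen in the posted config for an Info signature) is treated as informational by both products, and that anything 5 or above collapses to High on the MC as this reply describes. The sample input is the four lines from the thread plus one constructed severity-5 line with a made-up signature id.

```python
"""Compare how the IDM default severity mapping and the 4-level IDS MC
mapping label the numeric severities found in packetd.conf.

Added example, not Cisco code.  Assumptions: the fourth field of a
SigOfGeneral line is the numeric severity, the third field is a
sub-signature id, 0 means informational, and 5 collapses to High on the MC.
"""
import re
from typing import Dict, List, NamedTuple

# IDM default alert-level mapping as quoted in the thread
# (Administration -> IDM Properties -> Severity Mapping).
IDM_DEFAULT: Dict[int, str] = {
    1: "informational", 2: "informational", 3: "low", 4: "medium", 5: "high",
}

# The IDM mapping proposed in the thread to line up with the IDS MC.
IDM_ADJUSTED: Dict[int, str] = {
    1: "informational", 2: "low", 3: "medium", 4: "high", 5: "high",
}

# IDS MC 4-level mapping from the Cisco reply; a 5 becomes High (4).
IDS_MC: Dict[int, str] = {1: "informational", 2: "low", 3: "medium", 4: "high"}

SIG_RE = re.compile(r"^SigOfGeneral\s+(\d+)\s+(\d+)\s+(\d+)\s*(?:#\s*(.*))?$")


class Sig(NamedTuple):
    sig_id: int
    sub_sig: int      # assumed meaning of the third field
    severity: int     # assumed meaning of the fourth field
    name: str         # text after '#'


def parse_packetd(text: str) -> List[Sig]:
    """Pull SigOfGeneral entries out of packetd.conf text; other directives are skipped."""
    sigs: List[Sig] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SIG_RE.match(line)
        if m is None:
            continue
        sigs.append(Sig(int(m.group(1)), int(m.group(2)), int(m.group(3)),
                        (m.group(4) or "").strip()))
    return sigs


def idm_label(severity: int, mapping: Dict[int, str] = IDM_DEFAULT) -> str:
    """Label IDM displays; 0 is absent from the quoted table and treated as informational (assumption)."""
    return mapping.get(severity, "informational")


def mc_label(severity: int) -> str:
    """Label the IDS MC uses; 4 and above is High, 0 is informational (assumption)."""
    if severity >= 4:
        return "high"
    return IDS_MC.get(severity, "informational")


def compare(sigs: List[Sig], idm_mapping: Dict[int, str] = IDM_DEFAULT) -> List[dict]:
    """One row per signature with both labels and whether they disagree."""
    rows = []
    for s in sigs:
        idm = idm_label(s.severity, idm_mapping)
        mc = mc_label(s.severity)
        rows.append({"sig_id": s.sig_id, "severity": s.severity,
                     "idm": idm, "mc": mc, "mismatch": idm != mc})
    return rows


def collapsed_to_high(sigs: List[Sig]) -> List[int]:
    """Ids whose numeric severity is 5: the MC writes them back as 4, so the 5-vs-4 distinction is lost."""
    return [s.sig_id for s in sigs if s.severity == 5]


# Constructed sample: the four lines quoted in the thread plus one made-up
# severity-5 entry (id 99999 is not a real signature id).
SAMPLE_PACKETD = """\
SigOfGeneral 5349 0 4 # Polycom ViewStation Admin Password
SigOfGeneral 5350 0 0 # PHPnuke email attachment access
SigOfGeneral 6064 0 3 # BIND Large OPT Record DoS
SigOfGeneral 4701 0 2 # SQL Server Slammer WORM packet
SigOfGeneral 99999 0 5 # constructed: released with severity 5
"""

if __name__ == "__main__":
    sigs = parse_packetd(SAMPLE_PACKETD)
    for row in compare(sigs):
        flag = "MISMATCH" if row["mismatch"] else "ok"
        print(f"{row['sig_id']:>6} sev={row['severity']} "
              f"idm={row['idm']:<13} mc={row['mc']:<13} {flag}")
    print("mismatches with adjusted IDM mapping:",
          sum(r["mismatch"] for r in compare(sigs, IDM_ADJUSTED)))
    print("severity-5 signatures the MC will rewrite as 4:", collapsed_to_high(sigs))
```

Run against the posted lines, the default IDM mapping disagrees with the MC on three of the four signatures (4 reads as medium on IDM but High on the MC, 3 as low versus Medium, 2 as informational versus Low), while the adjusted mapping agrees on all of them. The remaining gap the thread ends on, a signature released as 5 that the MC can only write back as 4, shows up in `collapsed_to_high`; no IDM mapping change recovers that distinction.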

New Member

Re: Severity different in IDS MC and IDM - Critical!

Well...

Now it all makes sense at least. I couldn't figure out why it was doing that. And yes I've been messing with the IDS's since the Unix Director days.

Looks like I have a lot of procedural things to change around here then. We were actually using the 5 different levels to perform different things (there actually was a difference between a 5 and a 4 within our environment).

If the signature releases (like S39) come out with the signatures as 5's (like sig 4701) and the MC can't read 5's that's not going to create any problems will it?... Wait a sec! that explains it. The 4701 started as a default of low priority in the MC, and I couldn't figure out why when the readme stated it was a 5. Now that makes sense. If I could make a recommendation, that you put out your future sigs with a priority of 4 instead of 5's so the MC won't set them to a low priority.

Thank you for your assistance.

Ron Russell

New Member

Re: Severity different in IDS MC and IDM - Critical!

Marcoa,

When you look in Event Viewer, alarms with severity 1 & 2 receive an identical color (Green). Is there a way to change it (Blue for Severity 1 and Green for Severity Low)?

regards

Cedric

New Member

Re: Severity different in IDS MC and IDM - Critical!

The NSDB also has 0-5 levels of severity. When will there be an updated NSDB with levels 1-4? Is there a consensus that 4's and 5's are going to be high and 0's and 1's informational?
