Our IDS MC has several signature severities set to high. When I log into the IDM (the web interface on the sensor) those severities are set to medium.
I have changed severities to low on the IDS MC and they appear as Info in the IDM.
The other attributes of the signature appear to be working properly (blocking, enabling the sig, etc). But the severities are not working as they should.
Any thoughts or recommendations?
When I view the history for that config (config-history-specific device config) I can look at that signature and see that it's set to high.
When I look in the IDM for the sensor there are no high severity signatures.
You need to go to the Administration->IDM Properties->Severity Mapping menu and adjust the severity mapping to match those of the MC. By default IDM will map alert levels as follows:
That is how the IDM is set.
Here is a brief look at our packetd.conf on the sensor.
SigOfGeneral 5349 0 4 # Polycom ViewStation Admin Password
SigOfGeneral 5350 0 0 # PHPnuke email attachment access
SigOfGeneral 6064 0 3 # BIND Large OPT Record DoS
SigOfGeneral 4701 0 2 # SQL Server Slammer WORM packet
Sig 5349 is set to High in the MC
Sig 5350 is set to Info in the MC
Sig 6064 is set to Med in the MC
Sig 4701 is set to Low in the MC
But when I set the severity to high in the MC it's not turning into a severity 5 in the packetd.conf file (as it should). That's what I'd like to get fixed, not how the IDM shows the messages. We have established procedures (automated and procedural) on the severity of the messages.
I NEED to get the high severity signatures in the MC to be a 5 in the packetd.conf file.
The IDS MC went to a 4 level severity setting:
1 - Informational
2 - Low
3 - Medium
4 - High
If they receive a 5 it becomes a High (4).
All of the Cisco IDS products are going to a 4 level severity mapping with Informational, Low, Medium, and High. (Future versions will use just the names and not numbers for representing severity).
Unfortunately you've found that the numerical mapping isn't consistent between the management products.
I assume you are upgrading from the Unix Director with a 5 level mapping, where you had control of the severity number itself, to IDS MC with a 4 level mapping, where the word and not the number itself is configured.
In fact the old Unix Director could even allow you up to 255 different severities, and had a mapping of Low=1,2, Medium=3, High=4,5.
The end result is that I don't think that there is a way to force the MC to write the Highs as 5s instead of 4s. "4" is the new High for IDS MC users.
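To see the mismatch in practice, here is an added example (not from the thread or from Cisco) that parses the SigOfGeneral lines quoted above and shows what the 4-level MC would write back for each one. It assumes the field order is name, signature id, subsignature, severity, uses the 1-4 mapping from this reply with 0 and 5 folded into Informational and High as observed above, and adds one constructed signature at severity 5.

```python
import re

# Sensor numeric severity -> IDS MC name, as described in the thread:
# MC uses 1=Informational, 2=Low, 3=Medium, 4=High; a 5 is folded into High,
# and the poster's sig 5350 shows that a 0 is displayed as Informational.
NUMERIC_TO_MC = {0: "Informational", 1: "Informational", 2: "Low",
                 3: "Medium", 4: "High", 5: "High"}

# What the MC writes back for each name (assumption: it only knows 1-4, never 0 or 5).
MC_TO_NUMERIC = {"Informational": 1, "Low": 2, "Medium": 3, "High": 4}

# Assumed field layout: SigOfGeneral <sig id> <subsig> <severity> # <description>
SIG_LINE = re.compile(r"^\s*SigOfGeneral\s+(\d+)\s+(\d+)\s+(\d+)\s*#\s*(.*)$")

def parse_packetd(text):
    """Return [(sig_id, subsig, severity, description)] for SigOfGeneral lines."""
    sigs = []
    for line in text.splitlines():
        m = SIG_LINE.match(line)
        if m:
            sig_id, subsig, sev, desc = m.groups()
            sigs.append((int(sig_id), int(subsig), int(sev), desc.strip()))
    return sigs

def audit(text):
    """Map each signature to its MC name and flag those whose number is lossy (e.g. 5 -> High -> 4)."""
    findings = []
    for sig_id, subsig, sev, desc in parse_packetd(text):
        name = NUMERIC_TO_MC.get(sev, "Unknown")
        written_back = MC_TO_NUMERIC.get(name)
        findings.append({"sig": sig_id, "sub": subsig, "sensor_sev": sev,
                         "mc_name": name, "mc_writes": written_back,
                         "lossy": written_back != sev, "desc": desc})
    return findings

# Constructed sample: the four lines quoted in the thread plus a placeholder sig at severity 5.
SAMPLE = """\
SigOfGeneral 5349 0 4 # Polycom ViewStation Admin Password
SigOfGeneral 5350 0 0 # PHPnuke email attachment access
SigOfGeneral 6064 0 3 # BIND Large OPT Record DoS
SigOfGeneral 4701 0 2 # SQL Server Slammer WORM packet
SigOfGeneral 99999 0 5 # constructed placeholder shipped as a 5
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        flag = "LOSSY" if f["lossy"] else "ok"
        print(f"{f['sig']:>6} sev={f['sensor_sev']} -> {f['mc_name']:<13} "
              f"MC writes {f['mc_writes']} [{flag}] {f['desc']}")
```

Running it against a real packetd.conf lists every signature whose numeric severity will not survive a round trip through the MC, which is the set of signatures any procedure keyed on a "5" needs to be re-examined for.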
Now it all makes sense at least. I couldn't figure out why it was doing that. And yes, I've been messing with the IDSs since the Unix Director days.
Looks like I have a lot of procedural things to change around here then. We were actually using the 5 different levels to perform different things (there actually was a difference between a 5 and a 4 within our environment).
If the signature releases (like S39) come out with the signatures as 5's (like sig 4701) and the MC can't read 5's, that's not going to create any problems, will it?... Wait a sec! That explains it. The 4701 started as a default of low priority in the MC, and I couldn't figure out why when the readme stated it was a 5. Now that makes sense. If I could make a recommendation, it would be that you put out your future sigs with a priority of 4 instead of 5's so the MC won't set them to a low priority.
Thank you for your assistance.
When you look in Event Viewer, alarms with severity 1 & 2 receive an identical color (Green). Is there a way to change it (Blue for Severity 1 and Green for Severity Low)?
The NSDB also has 0-5 levels of severity. When will there be an updated NSDB with levels 1-4? Is there a consensus that 4's and 5's are going to be high and 0's and 1's informational?