I'm quite confused about the different severity levels associated with signatures.
- In NSDB, each signature is assigned a numerical level, from 0 to 5.
- In former director products, you had 3 severity levels: low (1,2), medium (3) and high (4,5).
- Now when you edit a signature with MC, you can adjust its severity to one of Info, Low, Medium or High.
- The Monitoring Center for Security user's manual states that the severity can be Info (blue), Low (green), Medium (yellow) or High (red).
I've enabled signature 2000 (ICMP Echo Reply) with severity Info. I expected to see it in the Event Viewer in blue, but I don't get it at all.
How can I get events colored in blue?
What is the difference between a disabled signature and an enabled signature with severity info?Is it related to the minimum level configured at the sensor to fire an event? How can I configure it (it was possible with CSPM)?
CSPM had a 3 level/color designation for severity.
IDS MC/ SecMon now uses 4 levels/colors for severity.
Low = 1,2 = Green
Medium = 3 = Yellow
High = 4,5 = Red
IDS MC/ SecMon
Informational = 1 = Blue
Low = 2 = Green
Medium = 3 = Yellow
High = 4,5 = Red
As for your question: "What is the difference between a disabled signature and an enabled signature with severity info?Is it related to the minimum level configured at the sensor to fire an event? "
A disabled signature has a severity of "0" so it is not analyzed by the sensor.
So if a signature is disabled then the severity config in IDSMC/CSPM is ignored, and the severity number in packetd.conf is set to 0.
If the signature is enabled then the severity number in packetd.conf is set to 1,2,3,or4 depending on the severity level in IDSMC/CSPM for that signature.
NOTE: Both CSPM and IDS MC operate this way.
As for your 2000 signature.
The default is the signature to be disabled/informational. Since it is disabled the severity number in packetd.conf is set to 0 regardless of whether the IDSMC/CSPM severity was Informational, Low, Medium or High.
So you need to "enable" the signature for the signature to have severity of 1 or higher in packetd.conf.
SIDE NOTE: In version 4.0 (recently announced) there is no longer a severity number. Instead in 4.0 there is a severity field that can be set to Information/Low/Medium/High and a Enabled field that can be set to True/False. If a signature is Enabled (Enabled=True) then it is analyzed and if it fires then the proper Severity is assigned to the alarm. If a signature is Disabled (Enabled=False) then the signature won't be analyzed at all so it doesn't matter what the severity setting is.
The 4.0 configuration corresponds better to the IDS MC configuration, and helps alleviate the confusion that the 3.x style severity numbers in packetd.conf have caused our users.
I know that a disabled signature implies that the sensor does not search for it. I guess I didn't explain it clearly. I have set the 2000 signature to "enabled" with severity level Info, but I don't get any event in SecMon (not blue nor any other color).
So, the behaviour seems to be the same if you have a signature disabled or a signature enabled with severity Info : no event in the console.
Let me put it in this way: If I configure a signature to enabled and severity Info, will I receive a blue event in SecMon? Is it necessary any other configuration?
BTW, I am currently receiving all sort of events colored in green, yellow and red. And if I configure the 2000 signature to enabled with severity Low I do receive the corresponding green event.
The problem is related with the Info level/blue color.
I will ask some of the Security Monitor engineers to see what they have to say.
There is one thing that does come to mind:
The Sensor has to be configured for what severity alarm gets sent to Security Monitor. I am not sure what the default is, but it may be that the sensor is configured to only send Low level or higher alarms to Security Monitor.
In which case you would need to configure the sensor to send Informational and higher alarms to Security Monitor.
Things to check on the sensor itself:
1) Look in the destinations file:
There should be a line for the Security Monitor. Verify that the level of alarms
being sent to smid on the Security Monitor is set 1 instead of 2.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :