I know this has come up numerous times but has anyone actually written a SNORT -> CSIDS sig proggie? I don't want to start a debate over whether or not this is the thing to do -- I want early-access to deal with threats as they arise and the sigs are available (whether it comes from Cisco or not is of no consequence to me if they don't have one already).
We are tossing around ideas about the best way to implement something like this. The current idea is to implement an engine that would allow you enter a Snort configuration line that the sensor will interpret . This would be done with the understanding that not all Snort parameters may be supported, and that Cisco is not responsible for supporting any customer generated signatures. The positive of this is that it allows you to add custom Snort rules with an interface consistent with the sensor and all of its mgmt. applications. The down side is that all custom signatures must be entered individually, and we may only support a hard limit of say five rules for performance reasons. The question to the forum is, could you live with this? Any other suggestions are welcome.
We are currently running over 80 IDS-4230s and IDS-4235s with 3.1(3)S45. We have over 100 custom signatures running on these platforms. My question being is the limit for 4.0 going to be 5 custom signatures or 5 rule-sets with multiple sinatures per set?
We don't have a 4.0 sensor on-line (we are running UNIX 2.2.3 directors) and most of our sensors sit at remote sites where physical access is a problem--the upgrade to 4.0 is going to cause us multiple issues (just converting from the 6 UNIX directors to the multiple Windows 2000 MCs is a major problem). Limiting custom signatures is only going to cause more of a problem.
Also, can the custom signatures be added through the MC or do we have to add them manually to each sensor? Please tell me that that this upgrade (3.1 to 4.0) isn't that much of a pain.
There is no limit to the number of custom signatures that you can use with 4.0. The limit in question was strictly limited to a proposed 4.0 SNORT rules compatibility engine. You can add as many custom signatures to 4.0 using the existing engines as you like (practical limitations assumed). And yes, the custom signatures can be added via the MC. This is one of the major advantages of MC over the Unix Director. BTW, there is a Solaris version of MC coming out this summer.
I'm bringing up an old but nevertheless an important requirement, especially at times when we have new worms running wild and we are to detect them using a custom signature.
I'd like to know if there is a plan to support or to convert Snort signatures into Cisco IDS v4.x sigs? One example I have noticed recently is the way ISS RealSecure 7.0 does it - they call it the "TRONS", which supports Snort sigs on a RealSecure engine.
If Cisco could support atleast 5-10 snort sigs at a time (due to performance reasons), I guess that's fine. We need to support a snort sig on a Cisco IDS platform only till such time that the issue (example-worm) is under control or Cisco comes out with it's own version of the signature. The moment Cisco releases a new version, we can delete the Snort sig and update our CSIDS sensors. This way, we always run our systems with Cisco sigs but have the ability to support Snort sigs during critical times. Any comments are welcome.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :