Re: where to begin?

dking · ‎12-22-2003

We recently got a 4215 with the 4FE card in it. I need to monitor several networks for alarms, DoS attacks,...

The problem is I am having a very hard time finding any documentation that explains the basics of the device and configuration. I have read the "Basic CLI setup" document, and run through the initial setup wizard thing, but am still very confused. Does it work out of the box, or do I have to activate alarms on it?

I want to be notified via email when there is an alarm, but I don't see anywhere in the IDS setup to place this type of info. Or even how to setup the interfaces to monitor network traffic.

I have seen references to many other applications like IEV, which took me 3 hours to figure out what it was and download. Nothing in the manuals I've read say anything about this. And it did not come with my IDS unit. I got a trial version of Threat Response, but am not sure how this ties in with the IDS unit.

Documents that would be handy:

Document explaining how the IEV, Threat Response and any other software ties in with the IDS unit. I was under the impression the IDS unit would work out of the box, but it appears that I need these other applications to actually get the unit to do anything. Am I wrong?

Document explaining how to set the system up:

Does it work right out of the box, or do I have to activate alarms on it? I have set the interfaces to be active, but have yet to see any alarm type activity. (this just may be a good thing) Yes I have the ports connected to a SPAN port on the VLANS on my 2924 switch.

If anyone has good links to these types of docs, that would be great. Or if you know how it all works, a quick explanation would be great.

Thanks

Dan

sguerrero · ‎12-22-2003

Besides the IDS you should have a software to monitor your events and manage your device. If you have only this device in your network, like the Cisco Works management Center for IDS, check this info:http://www.cisco.com/en/US/products/sw/cscowork/ps3990/index.html

Now, if you already have a management software, you have to perform an initial configuration on your IDS and then register it on the management center. In order to send e-mail messages you need to configure your server and then your monitoring options. All these on your management software.The initial bootstraping depend upon the version on your sendor.

klwiley · ‎12-23-2003

Out of the box you can manaeg your sensor via either the CLI or through the web interface commonly reffered to as IDM. You can also download off of CCO (assuming you have a smartnet contract) a free monitoring SW called IEV. This will allow you access to the basics to configure and monitor your sensor.

For advanced services like report generation and e-mail notification of events you will need to purchase the VMS package.

I reccomend before purchasing more SW though that you familiarize yourself with the sensor and how it works with the free management and monitoring tools that are available. They are designed specifically for small deployments of 1-5 sensors.

The sesnor does come configured to begin detecting intrusions right out of the box once you have configured the interfaces through the cli.

dking · ‎12-29-2003

Thanks for the info. The boss seems to believe he read that out of the box it will generate reports and send email alerts. I showed him the reports it generates, but those are not anything useful to a client that wants to know how many times they have been attacked. They all want big colorful bar graphs... I guess those make more sense ;)

david.d · ‎12-30-2003

Your boss may have been told about the next release of Cisco Threat Response. It should be out soon. This is a limited version of VMS that will provide some of those capabilities (am also waiting for an alerting tool). As to reports and graphs etc, I am exporting from the Event Viewer and bringing them into a spreadsheet.

Your initial question may have even been more basic. My experience with many Cisco products is a lack of concise guides and "how to" literature. There is some basic documentation but not of significant help to those unfamiliar with intrusion detection systems. I'd recommend you query books for the subject in general, then correlate that information to Cisco specific issues.

dking · ‎12-30-2003

Thanks David, I'll look out for the new version of CTR.

Glad to know I am not the only one to have difficulty in figuring this thing out.

milan.kulik · ‎12-31-2003

You really are not the only one to have difficulty in figuring this thing out.

I'm in the same trouble.

The only book available on Cisco Press (Cisco Secure IDS by Earl Carter) was released in 2001 so it's obsolete.

There is also a Syngress book

http://www.syngress.com/catalog/sg_main.cfm?pid=2670

which seems to be a little more up-to-date.

Regards,

Milan

kozinyy · ‎02-19-2004

After one week of frustration I feel now more comfortable that I am not alone.!!!!

I am going to order the new book

CCSP Self-Study: Cisco Secure Intrusion Detection System (CSIDS) , ISBN: 1587051443

Published:

FEB 09, 2004

and hope it will help to understand what are the signitures, and what to do with them, etc, etc,etc.