IDS mailing list archives
RE: Reports from Cisco IDS
From: "Alan Shimel" <alan () latis com>
Date: Sun, 8 Dec 2002 22:33:44 -0700
Many of the potential customers we talk to have the same comments on the Cisco IDS reporting features. This, along with upgrades, rule updates, etc., is a prime reason they are looking elsewhere for IDS/IPS. If you like the flexibility of SNORT but want it in an easy to use and powerful package with great custom reporting, have a look at Border Guard at http://www.stillsecure.com. I don't think you should have to run 2 extra programs to get decent reporting from your IDS or pay extra. Reporting is such an integral part of the IDS system that if it is not built in you have to question what is important to the designers.

Alan Shimel
VP of Sales & Business Development
Latis Networks, Inc.
303-642-4515 Direct
516-857-7409 Mobile
303-642-4501 Fax
www.stillsecure.com
Reducing your risk has never been this easy. . . .

The information transmitted is intended only for the person to which it is addressed and may contain confidential material. Review or other use of this information by persons other than the intended recipient is prohibited. If you've received this in error, please contact the sender and delete from any computer.

-----Original Message-----
From: Mark L. Evans [mailto:MEvans () CO SLC UT US]
Sent: Sunday, December 08, 2002 9:19 PM
To: focus-ids () securityfocus com
Subject: RE: Reports from Cisco IDS

I use a combination of KIWI and Ciscoworks VMS to produce IDS activity reports for the management. The KIWI software is excellent, and very affordable. I believe it cost $39 per license. I feed SNMP traps and SYSLOG messages from all of our network equipment (especially ACL violations) to a central KIWI server. KIWI will allow me to filter the syslog/trap messages into 10 separate screen displays. KIWI can also record the filtered events into 10 separate text files. KIWI allows for the usual notification facilities. Excellent product at a great price!

The Ciscoworks VMS plugin is very new. We were actually one of the first customers to use it. It's a HUGE improvement over the older CSPM based product. VMS produces HTML and text based reports that can be sent to your managers as web links. VMS has a very good "live" IDS event viewer built in as well. The last VMS component worth mentioning is the web based IDS management interface. This interface allows you to group your IDS sensors. You can then manage the sensors as a group from one central interface. The common configuration can be pushed out to the sensors in the group. VMS also reports on the HIDS (Entercept) product that Cisco sells.

I don't believe the IDS sensor can write to SYSLOG. The sensor does build a log of IP activity (a little like tcpdump format) but I don't think the data in its raw format will be very useful. The VMS product is not cheap but I feel it has been a good tool in our environment. It's not as customizable as SNORT but it's much easier to get up and running.

Mark

> On the network at work, we use a Cisco PIX (which comes with IDS), which allows me to send a log to another server. On that server I use something called Kiwi Syslog Daemon (http://www.kiwisyslog.com/info_syslog.htm). From there, I use ReportGen (http://www.reportgen.com/downloads.htm) which turns it into stuff my boss can read. Not sure if this solution will work with the Cisco IDS, but it should. I have seen this run on several platforms. They have trial versions, to see if it fits your bill. Also, their prices are reasonable, if you like it.
>
> Pete.

> > Hi,
> >
> > I have a Cisco IDS (switch module) with the HPOV plug-in. I would like to know how I can get reports from it. Any kind of report, like by source IP, top signatures... is this possible? If not, how can I get reports from Cisco IDS?
> >
> > Thank you,
> > Peter
> > sr. security analyst
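The per-source-IP and top-signature report Peter asks for can be built directly from forwarded syslog text of the kind Pete and Mark describe feeding into Kiwi. This is an added example, not code from anyone in the thread; the sample lines are constructed, and the PIX IDS (`%PIX-4-4000xx: IDS:<sig>`) and ACL-deny (`%PIX-4-106023`) message layouts are assumed.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread). The IDS lines assume the
# PIX "%PIX-4-4000xx: IDS:<sig> <msg> from <src> to <dst> on interface <if>" layout,
# the ACL lines the "%PIX-4-106023: Deny ..." layout; the 302013 line is noise.
SAMPLE_SYSLOG = """\
Dec 08 21:05:11 fw1 %PIX-4-400013: IDS:2003 ICMP redirect from 192.0.2.10 to 10.0.0.5 on interface outside
Dec 08 21:05:12 fw1 %PIX-4-400013: IDS:2003 ICMP redirect from 192.0.2.10 to 10.0.0.6 on interface outside
Dec 08 21:05:13 fw1 %PIX-4-400014: IDS:2004 ICMP echo request from 198.51.100.7 to 10.0.0.5 on interface outside
Dec 08 21:05:14 fw1 %PIX-4-106023: Deny tcp src outside:192.0.2.10/4312 dst inside:10.0.0.5/23 by access-group "outside_in"
Dec 08 21:05:15 fw1 %PIX-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.9/1025 (203.0.113.9/1025) to inside:10.0.0.5/80 (10.0.0.5/80)
Dec 08 21:05:16 fw1 %PIX-4-400013: IDS:2003 ICMP redirect from 192.0.2.10 to 10.0.0.7 on interface outside
"""

IDS_RE = re.compile(r"%PIX-\d-4000\d\d: IDS:(?P<sig>\d+) (?P<msg>.+?) from (?P<src>\S+) to (?P<dst>\S+) on interface")
ACL_RE = re.compile(r"%PIX-\d-106023: Deny (?P<proto>\w+) src \S+?:(?P<src>[\d.]+)/\d+ dst \S+?:(?P<dst>[\d.]+)/\d+")

def summarize(text):
    """Tally IDS events by source IP and by (signature, message), and ACL denies by source."""
    by_src, by_sig, acl = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = IDS_RE.search(line)
        if m:
            by_src[m["src"]] += 1
            by_sig[(m["sig"], m["msg"])] += 1
            continue
        m = ACL_RE.search(line)
        if m:
            acl[m["src"]] += 1
        # anything else (connection built/teardown etc.) is not report material
    return by_src, by_sig, acl

def report(text, top=5):
    """Render the three tallies as the plain-text report a manager would be sent."""
    src, sig, acl = summarize(text)
    lines = ["Top IDS source addresses:"]
    lines += [f"  {ip:<16} {n}" for ip, n in src.most_common(top)]
    lines.append("Top IDS signatures:")
    lines += [f"  {s} {msg:<24} {n}" for (s, msg), n in sig.most_common(top)]
    lines.append("ACL denies by source:")
    lines += [f"  {ip:<16} {n}" for ip, n in acl.most_common(top)]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_SYSLOG))
```

Pointing the script at the text files Kiwi writes per filter gives the same report over real traffic; the two regexes are the only part tied to the PIX message layout.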
Current thread:
- Reports from Cisco IDS ids-lists (Dec 04)
- <Possible follow-ups>
- RE: Reports from Cisco IDS Dante Mercurio (Dec 05)
- RE: Reports from Cisco IDS Seamus Hartmann (Dec 05)
- Reports from Cisco IDS Pete S. (Dec 08)
- RE: Reports from Cisco IDS Mark L. Evans (Dec 08)
- RE: Reports from Cisco IDS Alan Shimel (Dec 09)