IDS mailing list archives

CiscoWorks - VMS - IDS Monitoring and Alerting


From: Terry S <dts15 () yahoo com>
Date: 2 Dec 2004 17:10:45 -0000



I was wondering if Cisco has any “Best Practices” on the best ways to use IDS Event Manager, and/or do you know what 
other companies are doing to best use it? I feel that we are not getting 100% out of it. I am still having issues with 
monitoring and making sure we are getting the right alerts. I feel like unless I have someone sitting right in front of 
it watching every minute, we are missing things. 

I have downloaded a Perl script from Cisco’s website but you are still limited on what you can assign the script to. 

For example: When I go to assign the script to a filter the only choices I have are: 

Originating Device 
Originating Device Address 
Attacker Address 
Victim Address 
Signature Name 
Signature ID 
Severity 

From these choices not one is good, because you have to know info like the Originating Device IP. If I pick Severity = 
High, then all High alerts trigger the script. When I tested this one I was getting e-mail after e-mail. I did set the 
thresholds. 

What would be nice is if there were a way to do “Grouping” of Signatures, meaning that I could make a group and add all the 
Virus/Worm related signatures to that group and then create a filter that would alert when a signature from that group 
was matched. Grouping would allow us to focus our alerts a little better. 

Any help or suggestions would be nice on the best way to get the Event Manager to alert us to an issue. 
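As an added illustration of the "grouping" idea the post asks for (not code from the post, from Cisco, or from the IDS Event Manager product): a small post-processing script that takes exported events in the field layout the filter dialog exposes, keeps only those whose signature ID belongs to a named group, and suppresses repeats of the same signature/attacker/victim tuple inside a time window so one outbreak does not produce "e-mail after e-mail". All field names, signature IDs, addresses and timestamps are constructed placeholders for this example; how events are exported from the product is assumed, not shown.

```python
"""Group-based alert filtering with repeat suppression (added worked example).

Hypothetical post-processing for exported IDS events. Events whose signature
ID is in a named group are kept; repeats of the same (signature, attacker,
victim) tuple within a window are suppressed. Everything below is constructed.
"""
from collections import Counter

# Constructed sample events. "ts" is seconds from an arbitrary start and the
# signature IDs (9001, 9002, 7001) are placeholders, not real Cisco IDs.
SAMPLE_EVENTS = [
    {"ts": 0, "device": "sensor-a", "device_addr": "10.0.0.5",
     "attacker": "192.0.2.10", "victim": "10.1.1.20",
     "sig_id": 9001, "sig_name": "WORM-SAMPLE-A", "severity": "High"},
    {"ts": 30, "device": "sensor-a", "device_addr": "10.0.0.5",
     "attacker": "192.0.2.10", "victim": "10.1.1.20",
     "sig_id": 9001, "sig_name": "WORM-SAMPLE-A", "severity": "High"},  # repeat
    {"ts": 60, "device": "sensor-a", "device_addr": "10.0.0.5",
     "attacker": "192.0.2.10", "victim": "10.1.1.21",
     "sig_id": 9002, "sig_name": "VIRUS-SAMPLE-B", "severity": "High"},
    {"ts": 90, "device": "sensor-b", "device_addr": "10.0.0.6",
     "attacker": "198.51.100.7", "victim": "10.1.1.20",
     "sig_id": 7001, "sig_name": "PORTSCAN-SAMPLE", "severity": "High"},  # not in group
    {"ts": 400, "device": "sensor-a", "device_addr": "10.0.0.5",
     "attacker": "192.0.2.10", "victim": "10.1.1.20",
     "sig_id": 9001, "sig_name": "WORM-SAMPLE-A", "severity": "High"},  # after window
]

# Named signature groups: the "grouping" the post wishes the product had.
SIGNATURE_GROUPS = {
    "virus_worm": {9001, 9002, 9003},
}


def in_group(event, group_name, groups=SIGNATURE_GROUPS):
    """True if the event's signature ID belongs to the named group."""
    return event["sig_id"] in groups.get(group_name, set())


def filter_group(events, group_name, window=300, groups=SIGNATURE_GROUPS):
    """Return the events that should produce a notification.

    Keeps only events in the group, and drops a repeat of the same
    (sig_id, attacker, victim) tuple seen less than `window` seconds earlier.
    Severity alone is deliberately not used as a criterion, since that is what
    floods the mailbox.
    """
    last_seen = {}
    notify = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not in_group(ev, group_name, groups):
            continue
        key = (ev["sig_id"], ev["attacker"], ev["victim"])
        prev = last_seen.get(key)
        if prev is not None and ev["ts"] - prev < window:
            continue  # suppressed repeat
        last_seen[key] = ev["ts"]
        notify.append(ev)
    return notify


def summarize(events):
    """Count notifications per signature name, for a digest-style e-mail body."""
    return dict(Counter(ev["sig_name"] for ev in events))


def render_digest(events):
    """One line per notification; this is what a mailer would send."""
    lines = [f"{ev['ts']:>5}s {ev['device']} sig={ev['sig_id']} "
             f"{ev['sig_name']} {ev['attacker']} -> {ev['victim']}"
             for ev in events]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = filter_group(SAMPLE_EVENTS, "virus_worm")
    print(render_digest(hits))
    print(summarize(hits))
```

With the constructed sample, the severity-only filter would have sent five e-mails; the group filter sends three (the two distinct worm/virus hits and the repeat that falls outside the 300-second window) and ignores the portscan signature even though it is High. Tuning `window` and the group membership is where the focus the post asks for comes from.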
