IDS mailing list archives
Re: CiscoWorks - VMS - IDS Monitoring and Alerting
From: Alexis Caurette <alexis.caurette () gmail com>
Date: Tue, 7 Dec 2004 11:18:50 +0100
CiscoWorks VMS is using a Sybase database which you can query using the password set during the install process. Furthermore, Cisco provides binaries (the one you need is called IdsAlarms.exe on the Windows version of CiscoWorks) which allow you to query the event databases the way you want. These binaries are used by the Perl script you downloaded from Cisco. You should read this script and try to write your own depending on your needs.

You can find documentation about these tools in the Cisco documentation called "Using Monitoring Center for Security 2.0: Using Command-Line Utilities", found here: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/ug/cmdlnutl.pdf

Best regards
Alexis CAURETTE
XP Conseil

On Thu, 02 Dec 2004 23:54:28 +0100, Torben Grisell <torben () grisell com> wrote:
Hi,

I know that many are using IBM's Tivoli Risk Manager. You can read more about it here: http://www-306.ibm.com/software/tivoli/products/risk-mgr/detail.html

You can read more about the Cisco IDS adapter here: http://www.redbooks.ibm.com/abstracts/REDP0202.html

Cheers,
Torben Grisell

Terry S wrote:

I was wondering if Cisco has any "Best Practices" on the best ways to use IDS Event Manager, and/or do you know what other companies are doing to best use it? I feel that we are not getting 100% out of it. I am still having issues with monitoring and making sure we are getting the right alerts. I feel like unless I have someone sitting right in front of it watching every minute that we are missing things.

I have downloaded a Perl script from Cisco's website but you are still limited on what you can assign the script to. For example: when I go to assign the script to a filter the only choices I have are:

- Originating Device
- Originating Device Address
- Attacker Address
- Victim Address
- Signature Name
- Signature ID
- Severity

From these choices not one is good because you have to know info, like Originating Device IP. If I pick Severity = High then all High alerts trigger the script. When I tested this one I was getting e-mail after e-mail. I did set the thresholds.

What would be nice is if there was a way to do "Grouping" of Signatures, meaning that I could make a group and add all the Virus/Worm related signatures to that group and then create a filter that would alert when a signature from that group was matched. Grouping would allow us to focus our alerts a little better.

Any help or suggestions would be nice on the best way to get the Event Manager to alert us to an issue.

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
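The "grouping" Terry asks for above, and the approach Alexis suggests (export the events with the command-line utilities, then post-process them in your own script), can be combined outside the Event Manager filter UI. The following is an added example written for this archive page; it is not Cisco's Perl script and not code posted by anyone in the thread, and it is in Python rather than Perl. The pipe-delimited record layout, the signature IDs (9001 and up) and the signature names are all constructed for the example; a reader would map the real IdsAlarms.exe export onto the same seven fields. The logic alerts once per (signature group, attacker) when a configurable number of matching events arrive inside a short window, and suppresses repeat alerts for a cooldown period, which addresses the "e-mail after e-mail" problem of a plain Severity = High filter:

```python
"""Signature-group alerting over exported IDS events.

Added example for the list archive, not Cisco's script. The record format,
signature IDs and names below are CONSTRUCTED for illustration; map the
real IdsAlarms.exe export onto the same fields before using this.
"""
from collections import defaultdict, deque
from datetime import datetime

# Groups of signature IDs (constructed IDs, not Cisco's). A filter on group
# membership replaces a filter on a single Signature ID or on Severity.
SIGNATURE_GROUPS = {
    "worm": {"9001", "9002", "9003"},
    "recon": {"9101", "9102"},
}

# Constructed sample export: timestamp|sensor|attacker|victim|sig_id|sig_name|severity
SAMPLE_EVENTS = """\
2004-12-02 10:00:05|sensor-a|10.0.0.5|10.0.1.20|9001|EXAMPLE Worm Propagation A|high
2004-12-02 10:00:09|sensor-a|10.0.0.5|10.0.1.21|9001|EXAMPLE Worm Propagation A|high
2004-12-02 10:00:12|sensor-b|10.0.0.5|10.0.1.22|9002|EXAMPLE Worm Propagation B|high
2004-12-02 10:00:30|sensor-a|10.0.0.5|10.0.1.23|9001|EXAMPLE Worm Propagation A|high
2004-12-02 10:00:40|sensor-a|10.0.0.9|10.0.1.20|9101|EXAMPLE Host Sweep|low
2004-12-02 10:00:50|sensor-a|10.0.0.9|10.0.1.21|9101|EXAMPLE Host Sweep|low
2004-12-02 10:01:00|sensor-a|10.0.0.7|10.0.1.30|9003|EXAMPLE Worm Propagation C|high
2004-12-02 10:02:00|sensor-b|10.0.0.8|10.0.1.31|9500|EXAMPLE Unrelated High Severity|high
"""


def parse_events(text):
    """Parse the constructed pipe-delimited export into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sensor, attacker, victim, sig_id, sig_name, severity = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "sensor": sensor,
            "attacker": attacker,
            "victim": victim,
            "sig_id": sig_id,
            "sig_name": sig_name,
            "severity": severity.lower(),
        })
    return events


def sig_to_group(groups):
    """Invert {group: {sig_id, ...}} into {sig_id: group} for O(1) lookup."""
    return {sid: group for group, ids in groups.items() for sid in ids}


def group_alerts(events, groups, threshold=3, window_s=60, cooldown_s=600):
    """Return one alert per (group, attacker) once `threshold` matching events
    from that attacker fall within `window_s` seconds; further alerts for the
    same key are suppressed for `cooldown_s` seconds to avoid mail storms."""
    lookup = sig_to_group(groups)
    recent = defaultdict(deque)   # (group, attacker) -> events inside the window
    last_alert = {}               # (group, attacker) -> time of last alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        group = lookup.get(ev["sig_id"])
        if group is None:
            continue              # not in any group: ignored regardless of severity
        key = (group, ev["attacker"])
        window = recent[key]
        window.append(ev)
        while (ev["time"] - window[0]["time"]).total_seconds() > window_s:
            window.popleft()      # drop events that aged out of the window
        if len(window) < threshold:
            continue
        prev = last_alert.get(key)
        if prev is not None and (ev["time"] - prev).total_seconds() < cooldown_s:
            continue              # still in cooldown for this group/attacker
        last_alert[key] = ev["time"]
        alerts.append({
            "group": group,
            "attacker": ev["attacker"],
            "count": len(window),
            "first_seen": window[0]["time"],
            "last_seen": ev["time"],
            "victims": sorted({e["victim"] for e in window}),
            "signatures": sorted({e["sig_id"] for e in window}),
        })
    return alerts


def run_sample():
    """Run the sample export through the default rule and return the alerts."""
    return group_alerts(parse_events(SAMPLE_EVENTS), SIGNATURE_GROUPS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['group']}] {alert['attacker']} hit {alert['count']} events "
              f"({', '.join(alert['signatures'])}) against {', '.join(alert['victims'])} "
              f"between {alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
```

On the sample data only one alert is produced: the three "worm" group events from 10.0.0.5 inside 60 seconds. The fourth event from the same attacker falls in the cooldown, the two "recon" events stay under the threshold, and the high-severity event with signature 9500 is ignored because it belongs to no group, which is exactly the behaviour a Severity = High filter cannot give you.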
Current thread:
- CiscoWorks - VMS - IDS Monitoring and Alerting Terry S (Dec 02)
- Re: CiscoWorks - VMS - IDS Monitoring and Alerting Torben Grisell (Dec 06)
- Re: CiscoWorks - VMS - IDS Monitoring and Alerting Alexis Caurette (Dec 07)
- Re: CiscoWorks - VMS - IDS Monitoring and Alerting Torben Grisell (Dec 06)