IDS mailing list archives
RE: IDS CISCO alarm
From: Arndt.WA () forces gc ca
Date: Fri, 7 Jan 2005 08:53:44 -0500
Response in-line below...
-----Original Message-----
From: Julio Crespo [mailto:jcrespo () sigfe cl]
Sent: January 5, 2005 21:41
To: focus-ids () securityfocus com
Subject: IDS CISCO alarm

> Hi, does anyone know whether the Cisco IDS can be configured to send alarms?
Cisco IDS appliances store all IDS alarms locally in what is referred to by Cisco as the "EventStore." It is a 4 GB rolling file that stores the alarms and system messages in IDIOM XML (a Cisco XML format). This data can then be viewed locally on the sensor either via Command Line Interface (CLI) or using a browser to connect to the sensor's IDS Device Management (IDM) interface. Data sitting in the EventStore can also be picked up by RDEP-compatible clients, such as IDS Event Viewer (IEV), Cisco IDS RDEP Info Mediator or Security Monitor (SecMon, part of VMS and VMS Basic). If you would like help accessing the EventStore via IDM, contact me off-list.
> I have looked all over the Cisco site without finding any reference.
Here's a link for the Security Device Event Exchange (SDEE) format, which sprang from Cisco's development of RDEP:
http://www.icsalabs.com/html/communities/ids/membership/index.shtml
Cisco also host some documentation, but it is not available for public viewing. If you have a CCO login, check out this link (NOTE: beware of possible line wrap):
http://www.cisco.com/cgi-bin/dev_support/access_level/product_support?pcgi=1&product=IDS_INT_API
> How is it possible that an IDS has no way to send alarms? Is it necessary
Cisco uses EventStore to store the alarms and RDEP to move them to a client from a sensor (see above).
> to patch it so that it logs what the IDS Event Viewer product provides?
Again, you don't need IEV to view the alarms, though it is much more user-friendly and intuitive to read than the raw data you'll find in the EventStore via IDM. In any case, to use any of the Cisco-supported RDEP clients, you'll need a current SmartNet support contract. Otherwise, you can use the specifications provided by Cisco to build your own.

I hope this helps,

Alex Arndt
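The reply above describes a pull model: the sensor never sends anything, alarms and system messages accumulate in a rolling 4 GB EventStore, and an RDEP client fetches them. Two consequences matter for anyone building their own client from Cisco's specifications: a collector that falls behind loses alarms once the store rolls over, and a collector whose poll windows overlap sees the same alarm twice. The Python below is an added example, not Cisco's code and not an implementation of RDEP or SDEE; the XML, its element names and attributes, and the startEventId parameter are constructed placeholders standing in for whatever the real sensor returns. It shows the part any such client needs regardless of wire format: parsing one batch, keeping a cursor so repeated polls neither drop nor duplicate alarms, and picking out the records worth forwarding.

```python
"""Pull-style collector for alarms held in a sensor's rolling event store.

Added example, not Cisco code and not an RDEP/SDEE client: the XML below, its
element names and attributes, and the startEventId parameter are constructed
placeholders for whatever the real sensor returns.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of one pull from the sensor. It deliberately contains a
# non-alarm status record and a re-delivered alarm (poll windows overlap).
SAMPLE_EVENTS = """<?xml version="1.0"?>
<events>
  <alert eventId="1001" severity="low">
    <signature sigId="EX-1" sigName="EXAMPLE ICMP echo"/>
    <attacker addr="192.0.2.10"/><victim addr="198.51.100.5" port="0"/>
  </alert>
  <alert eventId="1002" severity="high">
    <signature sigId="EX-2" sigName="EXAMPLE web server probe"/>
    <attacker addr="192.0.2.77"/><victim addr="198.51.100.8" port="80"/>
  </alert>
  <status eventId="1003">example sensor status message</status>
  <alert eventId="1002" severity="high">
    <signature sigId="EX-2" sigName="EXAMPLE web server probe"/>
    <attacker addr="192.0.2.77"/><victim addr="198.51.100.8" port="80"/>
  </alert>
</events>
"""


@dataclass(frozen=True)
class Alert:
    event_id: int
    severity: str
    sig_id: str
    sig_name: str
    attacker: str
    victim: str
    victim_port: int


def parse_events(xml_text: str) -> tuple[int, list[Alert]]:
    """Return (highest eventId in the batch, alarm records in eventId order).

    Status records are not alarms but still advance the cursor, otherwise the
    collector would re-request them forever. ElementTree's expat parser does
    not fetch external entities, which is what you want for XML from a device.
    """
    root = ET.fromstring(xml_text)
    highest = 0
    alerts: list[Alert] = []
    for ev in root:
        event_id = int(ev.get("eventId", "0"))
        highest = max(highest, event_id)
        if ev.tag != "alert":
            continue
        sig, attacker, victim = ev.find("signature"), ev.find("attacker"), ev.find("victim")
        if sig is None or attacker is None or victim is None:
            continue  # malformed record: skip it rather than crash the collector
        alerts.append(Alert(
            event_id=event_id,
            severity=ev.get("severity", "unknown"),
            sig_id=sig.get("sigId", ""),
            sig_name=sig.get("sigName", ""),
            attacker=attacker.get("addr", ""),
            victim=victim.get("addr", ""),
            victim_port=int(victim.get("port", "0")),
        ))
    alerts.sort(key=lambda a: a.event_id)
    return highest, alerts


class PullCollector:
    """Cursor into the sensor's store: repeated polls neither drop alarms
    (the store rolls over) nor emit the same alarm twice (windows overlap)."""

    def __init__(self) -> None:
        self.last_event_id = 0

    def ingest(self, xml_text: str) -> list[Alert]:
        highest, alerts = parse_events(xml_text)
        fresh: list[Alert] = []
        for alert in alerts:
            if alert.event_id <= self.last_event_id:
                continue  # already delivered by an earlier or overlapping poll
            fresh.append(alert)
            self.last_event_id = alert.event_id
        self.last_event_id = max(self.last_event_id, highest)
        return fresh

    def next_request(self) -> dict[str, int]:
        # Hypothetical query parameter; the real request syntax is in Cisco's RDEP/SDEE docs.
        return {"startEventId": self.last_event_id + 1}


def high_severity(alerts: list[Alert]) -> list[Alert]:
    """The subset worth forwarding to an on-call channel."""
    return [a for a in alerts if a.severity == "high"]


if __name__ == "__main__":
    collector = PullCollector()
    for a in collector.ingest(SAMPLE_EVENTS):
        print(f"{a.event_id} {a.severity:<5} {a.sig_name} {a.attacker} -> {a.victim}:{a.victim_port}")
    print("next poll:", collector.next_request())
```

The cursor is the whole point: persist `last_event_id` between runs, and size the poll interval against the sensor's alarm rate so the store cannot roll past the cursor before the next pull.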