IDS mailing list archives

RE: IDS CISCO alarm


From: Arndt.WA () forces gc ca
Date: Fri, 7 Jan 2005 08:53:44 -0500

Response in-line below...

-----Original Message-----
From: Julio Crespo [mailto:jcrespo () sigfe cl]
Sent: January 5, 2005 21:41
To: focus-ids () securityfocus com
Subject: IDS CISCO alarm


Hi, does anyone know whether the Cisco IDS can be configured to send alarms?

Cisco IDS appliances store all IDS alarms locally in what is
referred to by Cisco as the "EventStore." It is a 4 GB rolling
file that stores the alarms and system messages in IDIOM XML
(a Cisco XML format). This data can then be viewed locally on
the sensor either via Command Line Interface (CLI) or using a
browser to connect to the sensor's IDS Device Management (IDM)
interface. Data sitting in the EventStore can also be picked
up by RDEP-compatible clients, such as IDS Event Viewer (IEV),
Cisco IDS RDEP Info Mediator or Security Monitor (SecMon, part
of VMS and VMS Basic).

If you would like help accessing the EventStore via IDM,
contact me off-list.

I have looked all over the Cisco site without finding any reference.

Here's a link for the Security Device Event Exchange (SDEE)
format, which sprang from Cisco's development of RDEP:
http://www.icsalabs.com/html/communities/ids/membership/index.shtml

Cisco also hosts some documentation, but it is not available for
public viewing. If you have a CCO login, check out this link:
http://www.cisco.com/cgi-bin/dev_support/access_level/product_support?pcgi=1&product=IDS_INT_API

How is it possible that an IDS has no way to send alarms? Is it
necessary

Cisco uses EventStore to store the alarms and RDEP to move them
to a client from a sensor (see above).

to patch it to log what the IDS Event Viewer product provides?


Again, you don't need IEV to view the alarms, though it is
much more user-friendly and intuitive to read than the raw
data you'll find in the EventStore via IDM. In any case, to
use any of the Cisco-supported RDEP clients, you'll need a
current SmartNet support contract. Otherwise, you can use
the specifications provided by Cisco to build your own.

I hope this helps,
Alex Arndt
