topic Re: CSA (Host IDS) and Source IP in Network Security

CSA (Host IDS) and Source IP

RichardSW — Sun, 10 Mar 2019 09:58:04 GMT

I am monitoring CSA Agents on the CiscoWorks Security Monitor. I notice that most alerts, specifically the alerts triggered by web server exploit attempts, don't record the Source IP address and Port of the attacker. I understand the difference between NIDS and HIDS, but having past experience with Sygate, I don't understand why the CSA Agents aren't capable of also recording this additional network information to help with alert analysis?

Could I have something configured improperly? Or is Cisco's HIDS just that specific?

Re: CSA (Host IDS) and Source IP

tsteger1 — Thu, 06 Apr 2006 18:37:36 GMT

I don't have any experience using the CiscoWorks Security Monitor but CSA hosts reporting to the CSAMC on VMS report source IP and port information. It is based on rules whether it allows, denies and logs the information. Does the CiscoWorks Security Monitor allow you to modify the rules that apply to the CSA hosts?

Re: CSA (Host IDS) and Source IP

jwalker — Thu, 06 Apr 2006 20:35:45 GMT

Only Network Access Control List (NACL) rules show IP information in the logs. The other rules log different stuff. It cannot be turned on either.

Re: CSA (Host IDS) and Source IP

RichardSW — Fri, 07 Apr 2006 13:55:44 GMT

Can the other rules be modified into NACL rules?