04-16-2008 06:46 AM - edited 03-10-2019 04:04 AM
We currently have a third-party SIM and Snort/TippingPoint IDS in the network. We are testing the Cisco module to replace these IDS systems; the question is how to configure the Cisco module to forward events to the SIM. thx
04-16-2008 07:52 AM
You didn't mention what SIM you're using. The AIP-SSM, IDSM and 4200 series sensors report events using SDEE. The sensor runs as the host and the SIM as a client. If your SIM supports Cisco's implementation, put your SIM's IP address in the allowed hosts on the AIP-SSM and give your SIM the sensor's read-only account credentials.
04-17-2008 10:22 AM
The SIM is QRadar and it supports Cisco devices. Is there a way to send a test log or traffic to the SIM after configuring it?
04-17-2008 12:11 PM
Enable signature 2004 (ICMP Echo Request) and ping past the sensor. That should generate an alert. You can confirm on the sensor CLI with the "show event alert past 01:00" to see the alerts in the past hour.
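To illustrate the SDEE exchange described in these replies (the SIM acting as an HTTPS client of the sensor with the read-only account, then checking that the signature 2004 test alert arrived), here is an added example that is not part of this thread or of any Cisco or QRadar code. The sensor hostname, credentials, namespace URIs, query parameter names and the sample response are assumptions written from the SDEE/CIDEE format and are not taken from a real sensor.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Namespace prefixes seen in SDEE/CIDEE responses (assumed; verify against your sensor's output)
NS = {"sd": "http://example.com/2003/08/sdee",
      "cid": "http://www.cisco.com/cids/2004/04/cidee"}

def sdee_open_url(sensor, events="evIdsAlert"):
    """URL the SIM requests to open an alert subscription (assumed SDEE query form)."""
    return f"https://{sensor}/cgi-bin/sdee-server?" + urlencode(
        {"action": "open", "events": events, "force": "yes"})

def sdee_get_url(sensor, subscription_id, max_events=100, timeout=5):
    """URL the SIM polls to pull the next batch of alerts from its subscription."""
    return f"https://{sensor}/cgi-bin/sdee-server?" + urlencode(
        {"action": "get", "subscriptionId": subscription_id,
         "maxNbrOfEvents": max_events, "timeout": timeout})

def auth_header(user, password):
    """HTTP Basic header built from the sensor's read-only (viewer) account."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def parse_alerts(xml_text):
    """Extract signature id, description, severity and endpoints from an evIdsAlert batch."""
    root = ET.fromstring(xml_text)
    alerts = []
    for ev in root.findall("sd:evIdsAlert", NS):
        sig = ev.find("sd:signature", NS)
        attacker = ev.find("sd:participants/sd:attacker/sd:addr", NS)
        target = ev.find("sd:participants/sd:target/sd:addr", NS)
        alerts.append({"sig_id": sig.get("id"), "desc": sig.get("description"),
                       "severity": ev.get("severity"),
                       "attacker": attacker.text if attacker is not None else None,
                       "target": target.text if target is not None else None})
    return alerts

def saw_test_alert(alerts, sig_id="2004"):
    """True when the ICMP Echo Request test alert (signature 2004) is in the batch."""
    return any(a["sig_id"] == sig_id for a in alerts)

# Constructed sample response, shaped like one alert batch after the ping test above
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<sd:events xmlns:sd="http://example.com/2003/08/sdee"
           xmlns:cid="http://www.cisco.com/cids/2004/04/cidee">
  <sd:evIdsAlert eventId="1208366412000000001" severity="informational" vendor="Cisco">
    <sd:originator><sd:hostId>aip-ssm-1</sd:hostId></sd:originator>
    <sd:signature description="ICMP Echo Request" id="2004"><cid:subsigId>0</cid:subsigId></sd:signature>
    <sd:participants>
      <sd:attacker><sd:addr locality="OUT">192.0.2.10</sd:addr></sd:attacker>
      <sd:target><sd:addr locality="IN">198.51.100.20</sd:addr></sd:target>
    </sd:participants>
  </sd:evIdsAlert>
</sd:events>"""
```

In practice the SIM fetches `sdee_open_url(...)` once with `auth_header(...)`, reads the subscription id from the reply, then loops over `sdee_get_url(...)` and feeds each body to `parse_alerts`.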