04-06-2006 06:17 AM - edited 03-10-2019 01:58 AM
I am monitoring CSA Agents on the CiscoWorks Security Monitor. I notice that most alerts, specifically the alerts triggered by web server exploit attempts, don't record the Source IP address and Port of the attacker. I understand the difference between NIDS and HIDS, but having past experience with Sygate, I don't understand why the CSA Agents aren't capable of also recording this additional network information to help with alert analysis?
Could I have something configured improperly? Or is Cisco's HIDS just that specific?
04-06-2006 11:37 AM
I don't have any experience using the CiscoWorks Security Monitor, but CSA hosts reporting to the CSAMC on VMS report source IP and port information. It is based on rules whether it allows, denies and logs the information. Does the CiscoWorks Security Monitor allow you to modify the rules that apply to the CSA hosts?
04-06-2006 01:35 PM
Only Network Access Control List (NACL) rules show IP information in the logs. The other rules log different stuff. It cannot be turned on either.
04-07-2006 06:55 AM
Can the other rules be modified into NACL rules?