
CSA (Host IDS) and Source IP

RichardSW
Level 1

I am monitoring CSA Agents on the CiscoWorks Security Monitor. I notice that most alerts, specifically the alerts triggered by web server exploit attempts, don't record the Source IP address and Port of the attacker. I understand the difference between NIDS and HIDS, but having past experience with Sygate, I don't understand why the CSA Agents aren't capable of also recording this additional network information to help with alert analysis?

Could I have something configured improperly? Or is Cisco's HIDS just that specific?

3 Replies

tsteger1
Level 8

I don't have any experience using the CiscoWorks Security Monitor, but CSA hosts reporting to the CSAMC on VMS report source IP and port information. It is based on rules whether it allows, denies and logs the information. Does the CiscoWorks Security Monitor allow you to modify the rules that apply to the CSA hosts?

jwalker
Level 3

Only Network Access Control List (NACL) rules show IP information in the logs. The other rules log different stuff. It cannot be turned on either.

Can the other rules be modified into NACL rules?
