Format Problem with IPS Event Viewer v5.1

DFiore
Level 1

Has anyone seen this?

Since upgrading to IPS Event Viewer v5.1 my export files no longer have a "date & time" column like they did in the older v4.1 Event Viewer. Because of this, I cannot export the IPS data to create reports (no time and date, just a code string). It looks like (to me) that v5.1 no longer supplies the date & time, whereas v4.1 did. Again, as a person who is not using MARS or VMS or CSM, the export function in IEV was the only way I could slice and dice the sensor data for reporting.

I have a TAC service request #603911523.

Any help or direction is appreciated.

Sincerely,

David

PS --- I'm attaching a PDF showing the old (v4.1) and the new (v5.1) export output from IEV. Please note that even though I used Excel instead of Notepad to view the files, I did not parse or manipulate the data in Excel. This is truly how it looks exported from IEV. Notice the date and time in v4.1 and the number string in v5.1 ---

7 Replies

mhellman
Level 7

Chop off the last 3 digits and convert from Unix time.

1152177842593 = 1152177842 = Thu, 06 Jul 2006 09:24:02 GMT

Here is one example of how you would convert in Excel:

LEFT(,10) / 86400 + 25569

Thanks for the reply Matt..... But is this the solution? Is there a difference in formatting between v4.1 and v5.1 with IEV? Are there any other fields added or missing in IEV 5.1? Is there any "new" IEV documentation? I've only found v3 and v4 docs on the Cisco site....

Thanks again for the help. - David

Yes, more fields have been added in IEV5.1 to support the 5.x and coming 6.0 IPS features. Four unneeded columns have been deleted. I summarized the basic changes as below. The help document for IEV will be updated in future release. Sorry for the delay.

The following columns are new in IEV 5.1:

* Victim OS - Stores the target OS information. This field applies only to IPS 6.x sensors. For IPS 5.x sensors, this field is empty. IPS 5.x sensors do not have the POSFP feature.

* Interface - Stores the network interface on which the suspicious or malicious traffic was detected.

* Actions - Stores any actions that have been reported in the alert.

* Risk Rating - Stores the RR value of the alert. For IPS 6.x sensors it not only contains the RR value but also contains the TVR, ARR, and WL information.

* Threat Rating - Stores the threat rating value of the alert. This field applies only to IPS 6.x sensors. This field is empty for IPS 5.x sensors.

* Protocol - Stores the risk protocol type of the alert.

The Receive Date and Receive Time columns have been combined into one column to store the IEV host UTC time when the alert is received.

The Trigger String column is renamed to Alert Details. The Interface Group column is renamed to Virtual Sensor, which stores the virtual sensor name from which the alert was fired. IPS 5.x sensors do not support virtual sensors, so this field is empty.

The Total Attacks, IPlog Activated, TCP Reset Sent, and Shun Requested columns have been deleted because they no longer apply to IEV 5.1.

Regards,

Jie

I don't use the IEV. I just recognized the format of the time and gave you an example of how to deal with it. Sorry, I can answer any of your questions;-(

jlin1
Level 1

IEV5.1 combined the original 4.x received date and time fields into one field in its database and stored it as milliseconds since 1/1/1970. So when it does export, it dumps that raw number instead of the old human readable format (see that first column after "sensorApp" in your IPS v5-1-1 export.txt).

The exported files have never been meant for end-user consumption since they contain a bunch of raw fields that need special decoding to make them human readable (e.g. the sensor utc time, local time, summary_attack_detail, context etc.)

Cisco doesn't support the end use of those exported files. Those files are meant to be imported back into IEV when needed for combining two tables, troubleshooting, saving database storage etc.

Your script might need to be modified slightly to decode that milliseconds field. But if this is really inconvenient, you can ask TAC to open an enhancement request against IEV5.1.

Regards,

Jie
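One way to decode the millisecond field Jie describes (the same conversion Matt gives above for Excel), as an added example that is not code from this thread or from Cisco; the column order of the sample export rows is constructed and assumed, only the "sensorApp" marker and the 13-digit field after it follow the thread:

```python
"""Decode the millisecond 'receive time' field in an IEV 5.1 export."""
import csv
import io
from datetime import datetime, timezone

EXCEL_EPOCH_OFFSET = 25569  # Excel serial day number of 1970-01-01

# Constructed sample rows: the field layout is an assumption, not IEV's documented format.
SAMPLE_EXPORT = (
    "sensorApp,1152177842593,10.0.0.5,1234,10.0.0.9,80,2004,TCP SYN Port Sweep\n"
    "sensorApp,1152178000000,10.0.0.7,4444,10.0.0.9,22,3030,TCP SYN Host Sweep\n"
)

def ms_to_utc(ms_field: str) -> datetime:
    """Milliseconds since 1970-01-01 UTC -> aware datetime (the ms part is dropped)."""
    seconds, _millis = divmod(int(ms_field), 1000)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def ms_to_excel_serial(ms_field: str) -> float:
    """Same arithmetic as the LEFT(...,10)/86400+25569 spreadsheet formula."""
    return int(ms_field) // 1000 / 86400 + EXCEL_EPOCH_OFFSET

def split_receive_time(row: list[str]) -> list[str]:
    """Replace the raw ms field that follows 'sensorApp' with date and time columns."""
    out = list(row)
    for i, field in enumerate(out):
        if i > 0 and out[i - 1] == "sensorApp" and field.isdigit() and len(field) == 13:
            when = ms_to_utc(field)
            out[i:i + 1] = [when.strftime("%Y-%m-%d"), when.strftime("%H:%M:%S")]
            break  # only the first such field is the receive time
    return out

def convert_export(text: str) -> list[list[str]]:
    """Parse a comma-separated export and return rows with the time split out."""
    return [split_receive_time(r) for r in csv.reader(io.StringIO(text)) if r]

if __name__ == "__main__":
    for row in convert_export(SAMPLE_EXPORT):
        print(",".join(row))
```

The resulting rows sort correctly on the date and time columns in Excel, which is what the reporting workflow in this thread needs.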

Thanks for the reply Jie.

This change from 4.x to 5.x really is a shame.

The exports from 4.x really had everything you needed to build an "intrusion report" that you could send off to an ISP or NOC. As long as I had a "human readable" date and time in the export file, all the other information (Attacker IP & Port#, Victim IP & Port#, Attack Description, Attack ID, etc.) made perfect sense, and you could afterward sort by any of those fields to fine-tune the information in Excel. Of course this is what happens when silly users start using IEV export files that should "only" be used for importing back to IEV and not for researching events?

Does this mean I need to start using CiscoWorks Management Center for IPS or Cisco Security Manager for my basic reporting needs? I have yet to find any information on converting the Unix date/time field to separate date and time fields in Excel.

Any advice is appreciated...

Sincerely, David

Hello Jie,

I was typing my reply to your first post while you were sending your second one... Sorry if I sounded rude.

I greatly appreciate your reply and effort.

Sincerely, David
