01-10-2013 08:06 AM - edited 03-10-2019 05:52 AM
Hi All,
We have IPS modules (ASA-SSM-10) which are installed in a Cisco ASA firewall (5520), and I want to integrate the module with the RSA enVision log management server. Please confirm if these can be integrated in enVision and how? I am able to receive Cisco ASA logs by enabling logging on the box. I need to send logs from this sensor.
Below are the module details--
Platform: ASA-SSM-10
Build Version: 7.0(4)E4
Os Version: 2.4.30-IDS-smp-bigphys
Can anybody advise me on this?
Regards,
Saurabh Srivastava
01-10-2013 08:21 AM
You can send the log messages to your SIEM using SNMP traps.
See the DOC: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cliguide7.html
01-10-2013 10:17 AM
RSA enVision can be configured to pull these logs using the Cisco's SDEE protocol.
You need to allow the enVision server to connect to the IPS through an access-list entry in "service host\network-settings" on the CLI.
From enVision you need to configure the SDEE Collection Service from "Overview\System Configuration\Services\Device Services\Manage SDEE Collection Service". When adding a device just give the IP address of the IPS, a user name for enVision to use to connect, password, and port of 443.
One thing to note: this will give you basic alert information but won't include the TriggerPacket details, which are oftentimes helpful in alert investigation. You can check if this is the case by opening the "Cisco Secure Ids.txt" file from the "\nic\csd\config\sdees\templates" directory and seeing if it contains "cid:triggerPacket". If the file doesn't contain that, you can just rename the file to something like "Cisco Secure Ids.old" and then copy the "Cisco Secure Ids.txt" file from "%_envision%\etc\devices\ciscoidsxml\sdee" to "\nic\csd\config\sdees\templates". Restart the Collector service and you should be good to go.
One final note, the trigger packet data comes over in base64 format so you will need to run that output through a base64 program or script of some sort.
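As an added illustration of the last two points (the cid:triggerPacket element and its base64 encoding), here is a small Python script that pulls every triggerPacket out of an SDEE-style event document, base64-decodes it, and summarises the Ethernet/IPv4 headers with a hex dump for investigation. This is example code written for this thread, not part of enVision or the Cisco IPS; the surrounding XML structure, the namespace URIs and the sample ICMP frame are all constructed assumptions, and only the cid:triggerPacket element name comes from the post above.

```python
import base64
import binascii
import struct
import xml.etree.ElementTree as ET


def _ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); 0 means 'valid' when
    the checksum field is included."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_packet() -> bytes:
    """Constructed Ethernet/IPv4/ICMP echo-request frame used as sample trigger data
    (documentation address ranges; nothing captured from a real sensor)."""
    eth = bytes.fromhex("00005e000101") + bytes.fromhex("00005e000102") + b"\x08\x00"
    src = bytes([192, 0, 2, 10])
    dst = bytes([198, 51, 100, 20])
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)
    icmp = struct.pack("!BBHHH", 8, 0, _ipv4_checksum(icmp), 0x1234, 1)
    fields = [0x45, 0, 20 + len(icmp), 0xABCD, 0, 64, 1, 0, src, dst]
    fields[7] = _ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return eth + struct.pack("!BBHHHBBH4s4s", *fields) + icmp


# Constructed sample event. The sd:/cid: namespaces and evIdsAlert attributes are
# assumptions for this illustration; only the cid:triggerPacket element name is
# taken from the thread.
SAMPLE_EVENT = """<?xml version="1.0" encoding="UTF-8"?>
<sd:events xmlns:sd="urn:example:sdee" xmlns:cid="urn:example:cidee">
  <sd:evIdsAlert eventId="1" severity="medium" vendor="Cisco">
    <cid:triggerPacket>{b64}</cid:triggerPacket>
  </sd:evIdsAlert>
</sd:events>
""".format(b64=base64.b64encode(build_sample_packet()).decode("ascii"))


def extract_trigger_packets(xml_text: str) -> list:
    """Return the decoded bytes of every triggerPacket element in the document.
    Elements are matched by local name so the exact namespace URI does not matter."""
    root = ET.fromstring(xml_text)
    packets = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "triggerPacket":
            continue
        text = "".join((el.text or "").split())  # tolerate line-wrapped base64
        try:
            packets.append(base64.b64decode(text, validate=True))
        except binascii.Error:
            continue  # malformed payload: skip it rather than abort the whole batch
    return packets


def summarize_packet(pkt: bytes) -> dict:
    """Decode just enough of the Ethernet and IPv4 headers to see who talked to whom."""
    info = {"length": len(pkt)}
    if len(pkt) < 14:
        info["error"] = "truncated ethernet header"
        return info
    ethertype = struct.unpack("!H", pkt[12:14])[0]
    info["ethertype"] = "0x%04x" % ethertype
    if ethertype != 0x0800 or len(pkt) < 34:
        return info  # not IPv4 (or too short); caller still gets the hex dump
    ip = pkt[14:34]
    ihl = (ip[0] & 0x0F) * 4
    info["src"] = ".".join(str(b) for b in ip[12:16])
    info["dst"] = ".".join(str(b) for b in ip[16:20])
    info["proto"] = {1: "ICMP", 6: "TCP", 17: "UDP"}.get(ip[9], str(ip[9]))
    if len(pkt) >= 14 + ihl:
        info["ip_checksum_ok"] = _ipv4_checksum(pkt[14:14 + ihl]) == 0
    return info


def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hx = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x  %-*s  %s" % (off, width * 3 - 1, hx, asc))
    return "\n".join(lines)


if __name__ == "__main__":
    for pkt in extract_trigger_packets(SAMPLE_EVENT):
        print(summarize_packet(pkt))
        print(hexdump(pkt))
```

Feed it the raw XML that the SDEE collector stores and it prints a header summary plus hex dump per alert; a triggerPacket that is not valid base64 is skipped rather than crashing the run, which matters when you are post-processing a large batch of events.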
01-10-2013 07:36 PM
Hi Jon,
Thanks for the reply. This procedure is for Cisco IPS appliances, viz. 4240 etc.; however, I want to integrate the ASA IPS module (SSM module) with RSA enVision. I had contacted RSA in this regard, and as per them, logs will come under ASA logs via syslog, but I fail to see the IPS logs.
Please suggest..
Regards,
Saurabh
01-10-2013 08:38 PM
Does the RSA tool support SDEE events?
If yes, then it should be pretty straightforward to pull the events.
https://supportforums.cisco.com/docs/DOC-12515
Regards,
Sawan Gupta
01-11-2013 05:38 AM
Thanks Sawan. I will try it out.
Regards,
Saurabh
01-11-2013 07:10 AM
Hi Saurabh,
The enVision appliances we manage all pull the events from IPS modules in ASAs, so the process will work for that as well, as long as you have given the IPS an IP address and have the management port cabled. We have enVision pulling logs via the process I explained from ASA-SSM-10 & ASA5515-IPS devices.
Jon.