Re: IDS MC Security Monitor not getting alarms

allen.external · ‎03-11-2005

Has anybody ran into the trouble of the Cisco Works Security monitor for IDSs not getting an alarm. We have a virus in our network, sig 3030 tcp host sweep, and the IDS version Sig149, Sees the signature but it is not sending it to the Cisco Works Server. I see the alarm on the IDS box but not Cisco Works. I see other alarms on Cicso works though. Just not all of them. I checked to make sure that signature was turned on on the MC and it is. Anybody have any ideas what is wrong with my IDS box or my MC? Any help would be great. Thanks Justin

mcvosi · ‎03-11-2005

The first thing that comes to mind is checking to see that the CiscoWorks server is in trusted hosts on the sensor. If so, verify the credentials are correct in SecMon.

allen.external · ‎03-11-2005

Done and Done. Everything looks good. I am recieving alarms, just not all of them. It is like the IDS sees it as a problem and the SC does not.

mcvosi · ‎03-11-2005

Well, sig 3030 is by default an informational alert. What's the minimum logging level for the sensor in SecMon?

allen.external · ‎03-11-2005

I dont even see an option for that. Where would that be found?

mcvosi · ‎03-11-2005

Go to the devices tab in SecMon and edit the sensor entry. There you should see the setting.

allen.external · ‎03-11-2005

mcvosi, you totally rock. That fixed the problem. I found it. I have been beating my head on the table for weeks trying to figure this out. I saw that before but it was greyed out so I figured it was not active. What I learned is you have to edit the device inoreder to change that. Again, thanks a ton.

Justin