IPS 7.1 Event Analysis

dadaramola
Level 1

Hi Folks,

Happy new year!

I'm trying to interface my IPS events with an external log analyzer.

This exercise (log management) has become vital, as my SLA requires IPS events (particularly those with a risk rating above 85) to be documented and reported within 90 minutes on a day-to-day basis.

Anyone with ideas?

Regards,

Daniel

4 Replies

rhermes
Level 7

Daniel -

Your two most common options for getting event data off your sensors are:

1. Get/build/buy a SIEM that will pull the events via the SDEE protocol.

2. Edit the action of the signatures in question (>85% RR) to generate an SNMP trap for the event.

For real analysis you will also want to grab a PCAP of both sides of the attack (so you can tell if it was successful or a false positive).

- Bob
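Bob's first option, pulling alerts over SDEE and keeping only those above the risk-rating threshold Daniel's SLA names, as an added example that is not part of this thread or of any Cisco tool: it parses a constructed SDEE response (the namespace URIs and the nanosecond `sd:time` encoding are assumptions to verify against a real sensor capture) and flags alerts whose 90-minute reporting window has already closed.

```python
"""Pick out high-risk-rating alerts from a Cisco SDEE response and flag SLA deadlines."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace URIs as used by Cisco IPS SDEE/CIDEE responses (assumed; verify against a capture).
NS = {"sd": "http://example.com/2003/08/sdee",
      "cid": "http://www.cisco.com/cids/2004/04/cidee"}

# Constructed sample response: two alerts, only the first is above the RR threshold.
# sd:time is assumed to be nanoseconds since the Unix epoch, as Cisco's SDEE emits it.
SAMPLE_SDEE = """<sd:events xmlns:sd="http://example.com/2003/08/sdee"
    xmlns:cid="http://www.cisco.com/cids/2004/04/cidee">
  <sd:evIdsAlert eventId="1000000001" severity="high" vendor="Cisco">
    <sd:originator><sd:hostId>sensor-a</sd:hostId></sd:originator>
    <sd:time offset="0" timeZone="UTC">1262304000000000000</sd:time>
    <sd:signature description="constructed-sig" id="2004" version="S1"/>
    <cid:riskRatingValue targetValueRating="medium">92</cid:riskRatingValue>
  </sd:evIdsAlert>
  <sd:evIdsAlert eventId="1000000002" severity="medium" vendor="Cisco">
    <sd:originator><sd:hostId>sensor-a</sd:hostId></sd:originator>
    <sd:time offset="0" timeZone="UTC">1262305800000000000</sd:time>
    <sd:signature description="constructed-sig" id="2005" version="S1"/>
    <cid:riskRatingValue targetValueRating="medium">60</cid:riskRatingValue>
  </sd:evIdsAlert>
</sd:events>"""

def parse_alerts(xml_text):
    """Return one dict per evIdsAlert with event id, sensor, UTC timestamp and risk rating."""
    root = ET.fromstring(xml_text)
    alerts = []
    for ev in root.findall("sd:evIdsAlert", NS):
        rr = ev.find("cid:riskRatingValue", NS)
        t_ns = int(ev.find("sd:time", NS).text)
        alerts.append({
            "id": ev.get("eventId"),
            "sensor": ev.findtext("sd:originator/sd:hostId", namespaces=NS),
            "time": datetime.fromtimestamp(t_ns // 10**9, tz=timezone.utc),
            "rr": int(rr.text) if rr is not None else 0,  # missing RR counts as low risk
        })
    return alerts

def high_risk(alerts, threshold=85):
    """Alerts whose risk rating exceeds the SLA threshold (RR > 85 in the thread)."""
    return [a for a in alerts if a["rr"] > threshold]

def report_deadline(alert, window=timedelta(minutes=90)):
    """Latest time by which the alert must be documented under a 90-minute SLA."""
    return alert["time"] + window

def overdue(alerts, now, window=timedelta(minutes=90)):
    """High-risk alerts whose reporting window has already closed at 'now'."""
    return [a for a in alerts if now > report_deadline(a, window)]
```

Feed the text returned by an SDEE `action=get` poll into `parse_alerts` and run `overdue` on each polling cycle to catch SLA breaches before the report is due.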

Thanks Rhermes, nice one.

On your response, I have tried pulling events using Splunk; I seem to be getting errors integrating Splunk with the sensor. Is there a way around this, or are there other SIEMs (preferably open source) one can use to pull events via SDEE?

Regards.

I don't have any experience with Splunk and Cisco IPS, but there is a wiki page for it, so I assume other people have it working: http://wiki.splunk.com/Set_up_Splunk_for_Cisco_IPS

I would imagine all commercial SEM vendors should support Cisco's implementation of SDEE; I have experience with Trustwave (formerly Intelitactics) and ArcSight.

How many sensors are you attempting to monitor? The free Cisco IME can pull events from up to 5 sensors.

- Bob

Hi rhermes,

I have since gotten Cisco IME 7.2.1. It's pretty great working with this interface. Thanks!

Daniel.
