Verifying the Correct Signature Updates, Management Software, and Version

Kevin Melton
Level 2

I am working today at a Client Site where I installed several months ago a Cisco IPS 4240 Sensor. The Sensor is currently running Version 6.0(3)E1.

I am not certain how to proceed with respect to signature updates on this box.

Under signature definition, it lists the following:

Signature Update S291.0 2007-06-18

I have noticed on the Security Software Page for IPS that the latest Signature File is S336. Should I install this on the IPS? In order to perform this, will it take down the IPS unit?

Also, there are several Management applications listed under the "Network IPS/IDS Management/Monitoring Software" heading, including: IME, IPC MC, and ICS. I am already using IDM as well as IEV respectively to Configure/Monitor and then IEV to Alarm on certain Events. What are IME, IPC MC, and ICS and how are they different from IDM and IEV?

27 Replies

Thanks for the explanation. It did help. Much clearer now.

Farrukh and Marcabal

Can either of you answer the following? This was in my original post in the last paragraph and I think it may have been overlooked :) thx...

"Also, there are several Management applications listed under the "Network IPS/IDS Management/Monitoring Software" heading, including: IME, IPC MC, and ICS. I am already using IDM as well as IEV respectively to Configure/Monitor and then IEV to Alarm on certain Events. What are IME, IPC MC, and ICS and how are they different from IDM and IEV?"

IME = Intrusion Prevention Manager Express

- IME is fairly new (released only a month or 2 ago). IME is the next generation of IEV. It does the event monitoring of IEV, but is also able to do configuration similar to IDM. So it is IEV and IDM in one tool. The configuration screens of IME will only work with IPS 6.1, but the event monitoring screens will work with 5.1, 6.0, and 6.1.

IPS MC = Intrusion Prevention System Management Center

IPS MC was a part of VMS (VPN and Security Management System). IPS MC was for configuration of a large number of sensors.

IPS MC and VMS have both reached End of Sale and were replaced with CSM.

CSM = Cisco Security Manager

CSM is a multi-security device configuration management system. It is targeted at Enterprise customers with more than 5 sensors.

ICS = Intrusion Containment System

ICS was a product produced by Trend Micro Systems. Trend could create signatures for Viruses and Worms and then send an update to ICS and ICS would then create the signatures on the sensors. These signatures were known as the V signatures.

ICS has reached End of Sale.

So from your perspective you need not be concerned with IPS MC (VMS) or ICS.

IME should be of interest to you as an upgrade from IEV (IME like IEV is available as part of your existing sensor support contracts and is not an additional charge).

As you upgrade sensors to IPS v6.1 you might consider upgrading IEV to IME.

CSM (and also MARS) would be of interest if you are going to manage more than 5 sensors. (IME and IEV are limited to 5 sensors).

IME is the replacement for IEV for newer IPS versions; it has more features of course. ICS was a collaboration between Cisco and Trend Micro to come up with quick signature/policy updates for upcoming threats. It's EOS now; have a look at:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps6542/prod_end-of-life_notice0900aecd806d9cdb.html

marcabal did a nice comparison between IEV and IME here:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&topicID=.ee6e1fc&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc0bca0/5#selected_message

Regards

Farrukh

I want to ask you guys a question about IEV which I am currently using...

When the Views tab is selected, I can see Alarms that have crossed the Sensor. When I right click a selected View "Type" in the Views pane on the left, I then can proceed to Properties and click Next. It then will give me the option to select columns I can choose to show in the alarm detail table. One of the column names is "Actions". I have this selected for some of my Views.

The issue is this. When I right click on a specific alarm which is in one of the views and proceed to "Expand Whole Details", and then right click and select "View Alarms", it gives me all the detail. I then can reference the "Action" column. A lot of the Alarms I am getting in IEV show an action of "Present"... what does this mean??

I tried to find this in the help files for the IEV but it is not there...

Thanks

Perhaps "Present" means an action was taken and therefore can be viewed by right clicking the Alert? This 'action' I guess would be something besides 'Produce Alert', because if 'Produce Alert' was not there, the alert would never have reached IEV in the first place.

Regards

Farrukh

Farrukh

I need to be able to generate reports out of IEV. It has canned reports for Top Alerts, Top Attackers, and Top Victims. But these cannot be broken down by the date that they occurred.

I need to be able to report on the Alarm Type and Volume per day. Is there a way to do that within IEV? Outside of IEV?

thanks mucho!
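One way to get the per-day breakdown the poster asks for outside IEV is to export the events and aggregate them yourself. The script below is an added example written for this thread, not IEV, IME or any Cisco code. It assumes the events have been exported to a CSV with at least the columns `receive_time`, `sig_id` and `sig_name` (assumed column names); the rows in `SAMPLE_EXPORT` are constructed, reusing signature IDs mentioned later in this thread.

```python
"""Per-day alert volume by signature type, computed outside IEV.

Added example written for this thread; it is not IEV, IME or any Cisco
code.  It assumes the events have been exported from the event viewer
into a CSV file with at least the columns 'receive_time', 'sig_id' and
'sig_name' (assumed column names); the rows in SAMPLE_EXPORT are
constructed.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of an exported event table (assumed format).
SAMPLE_EXPORT = """\
receive_time,sig_id,sig_name,attacker,victim
2007-11-12 08:15:02,4703,MSSQL Resolution Service Stack Overflow,10.1.1.5,10.2.2.20
2007-11-12 08:15:09,4703,MSSQL Resolution Service Stack Overflow,10.1.1.5,10.2.2.21
2007-11-12 09:40:33,3102,Sendmail Invalid Sender,10.1.1.9,10.2.2.25
2007-11-12 23:59:59,2152,ICMP Flood,10.1.1.7,10.2.2.20
2007-11-13 00:00:01,2152,ICMP Flood,10.1.1.7,10.2.2.20
2007-11-13 10:02:14,1300,TCP Segment Overwrite,10.1.1.3,10.2.2.30
2007-11-13 10:02:15,4703,MSSQL Resolution Service Stack Overflow,10.1.1.5,10.2.2.20
"""


def daily_volume(csv_text):
    """Return {'YYYY-MM-DD': Counter({(sig_id, sig_name): count})}.

    The receive time is parsed (not string-sliced) so a malformed
    timestamp raises instead of silently landing in a wrong bucket.
    """
    per_day = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        stamp = datetime.strptime(row["receive_time"], "%Y-%m-%d %H:%M:%S")
        day = stamp.date().isoformat()
        per_day[day][(int(row["sig_id"]), row["sig_name"])] += 1
    return dict(per_day)


def top_signatures(per_day, day, n=3):
    """Top-n (sig_id, sig_name, count) for one day, busiest first."""
    return [(sid, name, cnt) for (sid, name), cnt in per_day[day].most_common(n)]


def render(per_day):
    """Plain-text report: one section per day, signatures by volume."""
    lines = []
    for day in sorted(per_day):
        lines.append(f"{day}  ({sum(per_day[day].values())} alerts)")
        for (sig_id, name), cnt in per_day[day].most_common():
            lines.append(f"  {cnt:5d}  {sig_id:<5}  {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(daily_volume(SAMPLE_EXPORT)))
```

The two ICMP Flood rows straddle midnight on purpose: bucketing by the parsed date keeps them in separate days, which is exactly the split the canned Top Alerts report cannot give you.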

I'm sorry, I don't have access to an IEV at the moment; I will try to look it up somewhere. Most probably this is supported on the new IEV replacement called IME (IPS Manager Express), but that only works with 6.x and 6.1.x, I think.

Regards

farrukh

Actually I was going to download the IME, but it is only available for IPS version 6.1.1.

We are not upgrading to that until next week.

You can gather events even for 6.x. But for most of the 'real' new features, like health monitoring, configuration etc. you need 6.1.x.

But I should say it looks really cool :)

Regards

Farrukh

I need some help in tuning signatures. I have a high volume of about 5 different signature types that are coming through the sensor. Right now they are set to "Produce Alert" only. Should these be adjusted to "Deny Attacker Inline" or some other more restrictive setting?

Thanks

Which signatures?

Regards

Farrukh

Farrukh

They are as follows:

Sig ID=4703 Signature Name=MSSQL Resolution Service Stack Overflow

Sig ID=3102 Signature Name=Sendmail Invalid Sender

Sig ID=1300 Signature Name=TCP Segment Overwrite

Sig ID=2152 Signature Name=ICMP Flood

I am getting Alarms from these Signatures as they are tripped on the IPS. The "Signature Actions" indicates Produce Alert, but what I have noticed is that the Sensor will start IP logging when each one of these is seen. I also think that he is taking the following actions:

Deny Connection inline

Deny Packet Inline

Log Attacker Packets

Deny Attacker Inline

The reason I am thinking this is these are what are listed in my Signature 0 "Actions to Add" in Event Action Rules.

Is it correct that these actions Override what is configured directly on the Signature, and that is why these additional actions are occurring? I am not sure how the Signatures interact with the Event Action Rules?

Any data you could provide would be helpful...

Thanks

Kevin
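The question above is about how a signature's own actions combine with the "actions to add" in the event action rules. The model below is an added example written for this thread, not Cisco code, and every number in it is constructed. It assumes the order the author of this example understands to be the product's documented behaviour: the signature's configured actions form the base set; event action overrides add their action when the alert's risk rating falls inside the override's range (they add to, rather than replace, the signature's actions); and event action filters then subtract actions for matching alerts. The risk rating is taken as an input rather than derived, and the rating ranges, the filter, and the attacker addresses are assumed values.

```python
"""Model of how a sensor combines a signature's own actions with the
event action rules before an alert reaches IEV.

Added example written for this thread; it is a simplified model, not
Cisco code, and every number in it is constructed.  Assumed order:
  1. the signature's configured actions are the base set;
  2. event action overrides ADD their action when the alert's risk
     rating is inside the override's range (they do not replace
     the signature's actions);
  3. event action filters SUBTRACT actions for matching alerts.
The risk rating is an input here, not derived from its components.
"""

PRODUCE_ALERT = "produce-alert"

# Constructed: the four signatures named in the thread, each set only to
# produce an alert, as the poster describes.
SIGNATURES = {
    4703: {"name": "MSSQL Resolution Service Stack Overflow", "actions": {PRODUCE_ALERT}},
    3102: {"name": "Sendmail Invalid Sender", "actions": {PRODUCE_ALERT}},
    1300: {"name": "TCP Segment Overwrite", "actions": {PRODUCE_ALERT}},
    2152: {"name": "ICMP Flood", "actions": {PRODUCE_ALERT}},
}

# Constructed: overrides like the "actions to add" the poster found in the
# event action rules.  The risk-rating ranges are assumed values.
OVERRIDES = [
    {"action": "deny-attacker-inline",   "rr_min": 90, "rr_max": 100},
    {"action": "deny-connection-inline", "rr_min": 90, "rr_max": 100},
    {"action": "deny-packet-inline",     "rr_min": 90, "rr_max": 100},
    {"action": "log-attacker-packets",   "rr_min": 85, "rr_max": 100},
]

# Constructed: one filter that keeps a known noisy host from being
# blocked on ICMP Flood while still letting its alerts through.
FILTERS = [
    {"sig_ids": {2152}, "attacker": "10.1.1.7",
     "subtract": {"deny-attacker-inline", "deny-connection-inline"}},
]


def resolve_actions(sig_id, risk_rating, attacker,
                    signatures=SIGNATURES, overrides=OVERRIDES, filters=FILTERS):
    """Return the final action set for one alert.  An empty set means
    the alert would never be seen (filters stripped produce-alert)."""
    actions = set(signatures[sig_id]["actions"])          # 1. signature's own
    for ov in overrides:                                  # 2. overrides add
        if ov["rr_min"] <= risk_rating <= ov["rr_max"]:
            actions.add(ov["action"])
    for flt in filters:                                   # 3. filters subtract
        if sig_id in flt["sig_ids"] and flt["attacker"] == attacker:
            actions -= flt["subtract"]
    return actions


def explain(sig_id, risk_rating, attacker):
    """One-line summary of what the sensor would do for this alert."""
    acts = resolve_actions(sig_id, risk_rating, attacker)
    name = SIGNATURES[sig_id]["name"]
    return f"{sig_id} {name}: RR={risk_rating} -> {', '.join(sorted(acts)) or '(no alert)'}"


if __name__ == "__main__":
    print(explain(4703, 95, "10.1.1.5"))   # high RR: overrides add deny/log actions
    print(explain(3102, 60, "10.1.1.9"))   # low RR: produce-alert only
    print(explain(2152, 92, "10.1.1.7"))   # filter strips the deny actions
```

Under this model the signature still shows "Produce Alert" as its only configured action, yet a high-risk-rating alert ends up with the deny and log-attacker-packets actions attached, which is the pattern the poster reports seeing; the override list adds to the signature's actions rather than replacing them. Before switching a signature itself to "Deny Attacker Inline", it is worth checking the override ranges first, since that is where the blocking may already be coming from.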
