does CSPM console need to be always up and running

jjpeyrache
Level 1

Hello

Customer claims that when the CSPM console is down (shut down or OFF), the IDS sensor doesn't log any attacks. Moreover, when CSPM is restarted and he tries to connect to the sensor, the sensor has lost parameters: Sensor Organization Name and IDS Manager Host ID.

Is it a known problem, or a restriction? The customer's concern is that during maintenance or a problem on the CSPM console, attacks can't be treated as needed.

thanks

JYP

marcabal
Cisco Employee

The CSPM machine should stay running.

There is a background process in CSPM that should always be running collecting the alarms and placing them in the database.

The front GUI only needs to be run when the user wants to access the database.

If the CSPM background services are not running (like when the machine is shut off), then the sensor will store up to 1000 events in memory waiting to send to CSPM.

When CSPM background processes come back up, it will send those 1000 events.

The sensor is by default not set up to log its own alarms. That is configurable through CSPM. The logging of the alarms is separate from the 1000 alarms stored in memory for sending to CSPM when it is down.

As for the loss of parameters, I have never seen nor heard of this. You would need to find out more info as to what is causing it and contact the TAC if it possibly turns out to be a software problem.

Many thanks for this info. Is it documented somewhere? I didn't find that in the documentation.

JYP

I don't know if that is documented anywhere.

Truth be told, CSPM and IDS (in general) product documentation is poor outside of well-formed, pre-sales, executive level stuff. Even the TAC will tell you they realize technical documentation about the nuances of IDS is lacking. I need to compose my own 'little document' about all the things I've discovered on my own or been hinted to, unofficially, by the TAC - that can't be found written down anywhere.

scotthef
Level 1

As I understand the IDS system, the sensors and the Director communicate through a few daemons or services that need to be running on both boxes. These services do not directly depend on CSPM being loaded in memory and functioning. Different services run on the Director and the sensor; however, they both run the "nr.postofficed" service that uses the Cisco Postoffice protocol. This is how they communicate with each other. The parameters that are used by this service, and all of the other services, are kept in config files. On the sensor these files are found in the /usr/nr/etc directory. All of these parameters are loaded from the config files on both the sensors and the Director on power up, or when the service is started.

From the sensor a check of the services running can be done with the "nrstatus" command. The communication between the sensor and the Director can be checked with the "nrconns" and the "snoop" commands.

As for documentation on IDS, I found a book by Cisco Press "Cisco Secure Intrusion Detection System". You can find it in the popular on-line book stores. However, as with all network and computer equipment CIDS has undocumented features that we will all have to learn about and share.

There is more to the story of why a database would not get alarm updates from sensors on the network. I do not believe it has to do with CSPM being loaded. I am at home and my 2 and 4 year old keep calling, so I had to make this as short as I could and still say something useful. I hope this helps.

Thanks all for your explanation. I'm still looking for how to ask the sensor to log alarms in its own memory; I didn't find a command or examples. Also, I traced between the sensor and the CSPM server when CSPM is down: I saw data coming from the sensor, but definitely nothing is logged on the CSPM server when restarted.

Any help welcomed.

JYP