04-27-2010 07:43 AM
I have one more issue with reporting. I notice under GLBA reports there is an 'Attacks prevented by Cisco IPS - all events' report. We actually run IDS and are using a router to actively shun packets, and that is not included within the scope. I tried adjusting the query in this report, but have been unable to get the results I expect.
The portion of the Raw Event Message that I am trying to search is 'shunRequested: true' from the below event. When I do a query and put that in the 'keyword field' and search within the timeframe this event happened (searching for raw event) it returns 0 results. Does anyone know a good way to search for events shunned within a GLBA report? And it really doesn't have to come back with raw events or anything, any other suggestions for this are welcome.
Thanks,
Michael
SAMPLE EVENT BELOW********
evIdsAlert: eventId="1268318206324079819" severity="high" vendor="Cisco"
originator:
hostId: OMITTED
appName: sensorApp
appInstanceId: 31165
time: Apr 27 2010 05:00:59 CDT (1272362459865550000) offset="-300" timeZone="UTC"
signature: created="20010202" type="anomaly" version="S2" description="TCP SYN/FIN Packet" id="3041"
subsigId: 0
marsCategory: Probe/Host/Stealth
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 81.45.216.133 locality="any"
port: 24394
target:
addr: OMITTED locality="INSIDE"
port: 25
os: idSource="learned" relevance="relevant" type="linux"
actions:
tcpResetSent: true
shunRequested: true
denyPacketRequestedNotPerformed: true
denyFlowRequestedNotPerformed: true
denyAttackerRequestedNotPerformed: true
riskRatingValue: 100 attackRelevanceRating="relevant" targetValueRating="mission-critical"
threatRatingValue: 80
interface: ge0_1
protocol: tcp
globalCorrelation:
globalCorrelationScore: -3.3
globalCorrelationRiskDelta: 1
globalCorrelationModifiedRiskRating: false
globalCorrelationDenyPacket: true
globalCorrelationDenyAttacker: true
globalCorrelationOtherOverrides: false
globalCorrelationAuditMode: false
04-28-2010 11:44 AM
I found a way to get the information needed. Instead of searching 'shunRequested: true', we just searched for the keyword 'shunRequested'. If a shun is not requested, obviously that action is not attempted, therefore it is not in the raw packet. Thanks,
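As an added illustration that is not part of this thread and not MARS's own query logic (I cannot speak to how its keyword field tokenises the raw message): a small Python parser for the evIdsAlert block shown above that flattens the nested fields and lists the events in which a shun was requested, which is the filter the report needed. The two sample events are constructed; the addresses and the second eventId are made up.

```python
import re
LINE_RE = re.compile(r'^(?P<indent>\s*)(?P<key>\w+):\s*(?P<rest>.*)$')  # key: value attr="x"
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(text: str) -> dict:
    """Flatten an evIdsAlert block into dotted keys, e.g. 'actions.shunRequested'.
    Nesting comes from indentation; a line with no value and no attributes opens a section."""
    fields, stack = {}, []            # stack: (indent, section) of the open sections
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        indent, key, rest = len(m.group('indent')), m.group('key'), m.group('rest')
        while stack and stack[-1][0] >= indent:   # close sections we have outdented from
            stack.pop()
        path = '.'.join([s for _, s in stack] + [key])
        attrs = ATTR_RE.findall(rest)
        value = ATTR_RE.sub('', rest).strip()
        if value:
            fields[path] = value
        for name, val in attrs:
            fields[f'{path}.{name}'] = val
        if not value and not attrs:
            stack.append((indent, key))
    return fields

def shun_requested(fields: dict) -> bool:
    """True when the sensor asked for a shun, whichever section the flag sits in."""
    return any(k.rsplit('.', 1)[-1] == 'shunRequested' and v.lower() == 'true'
               for k, v in fields.items())

def shunned_event_ids(events: list) -> list:
    """Event IDs of those raw events in which a shun was requested."""
    return [f['evIdsAlert.eventId'] for f in map(parse_event, events) if shun_requested(f)]

# Constructed sample events: the first mirrors the thread's event, the second is made up.
SHUNNED = """\
evIdsAlert: eventId="1268318206324079819" severity="high" vendor="Cisco"
  signature: created="20010202" type="anomaly" description="TCP SYN/FIN Packet" id="3041"
  participants:
    attacker:
      addr: 192.0.2.10 locality="any"
  actions:
    tcpResetSent: true
    shunRequested: true
"""
NOT_SHUNNED = """\
evIdsAlert: eventId="1268318206324079820" severity="low" vendor="Cisco"
  signature: type="other" description="Constructed alert" id="9999"
  actions:
    tcpResetSent: true
"""
```

Feeding the unindented copy of the event as pasted in this thread still works, since the shun flag is matched by its leaf name rather than its section path.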