Hardening intrusion detection on IDS and real-time reporting

Hello,

I am new to Cisco IDS and not very familiar with it.

I have installed a Cisco IDS-4215 and I want to get the best out of it.

I have IDS-4215 and IDS event viewer.

My basic question is how I can define a rule base for intrusion detection (can I really define any rule base?), and what the options are for real-time reporting of threats using these two.

The IDS is generating logs with its default configuration and I am getting them in the IDS Event Viewer, but it is difficult to find any vulnerability or any attack by looking at the Event Viewer.

What modifications can I make so that I can harden the detection, and how do I get a real-time response: alerts by mail or something like advanced reporting?

I am mainly concerned about the rule base/hardening the detection and real-time reporting.

1 Reply

flyingmunk
Level 1

If you only have the one sensor, then using IDM/IEV is probably the best way for you to achieve what you are looking for. However, if you want to receive e-mail alerts, then you should use VMS Basic. Your sensor should have come with a copy.

As for reporting capabilities, again, you will need to look at VMS Basic. With this, you will be able to get more detailed reports from IDS MC and Sec Mon.

I'm not sure what you mean by 'rule base hardening', but there does need to be some interaction on your part with the sensor. Out of the box, you will have default signatures set to enabled, and as you are seeing, you will receive alarms with these sigs. In most cases, you will have false positives or alerts that you can either filter out or tune.

As far as 'defining a rule base' for your network, you need to monitor what alerts you are getting, and tune your sensor to your environment. Take a look at the link below as a place to start when tuning and administering your sensor:

http://www.cisco.com/en/US/partner/products/sw/cscowork/ps3990/products_user_guide_book09186a008018d92f.html

Read through some of the past posts on this forum. I think you will find that questions very similar to yours have been answered already.

Regards,

Chris
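The tuning loop described in the reply (watch the default alarms, filter out known false positives, adjust severities, and only page on what matters) is modelled below as an added example; it is not code from the original thread or from Cisco, and the alert records, signature ids, addresses and filter rules are all constructed for illustration rather than taken from the IDS-4215's real event format.

```python
from ipaddress import ip_address, ip_network

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample alerts; field names, signature ids and addresses are invented.
SAMPLE_ALERTS = [
    {"sig_id": 90001, "sig_name": "ICMP Echo Request", "severity": "informational",
     "src": "10.1.1.5", "dst": "10.1.2.10"},
    {"sig_id": 90002, "sig_name": "TCP Host Sweep", "severity": "medium",
     "src": "10.1.1.5", "dst": "10.1.2.0"},
    {"sig_id": 90002, "sig_name": "TCP Host Sweep", "severity": "medium",
     "src": "203.0.113.7", "dst": "10.1.2.0"},
    {"sig_id": 90003, "sig_name": "HTTP Directory Traversal", "severity": "high",
     "src": "203.0.113.7", "dst": "10.1.2.80"},
]

# Tuning decisions taken after watching the default alarms: suppress known-benign
# (signature, source network) pairs such as the monitoring host that pings and
# scans the subnet nightly, and reclassify signatures whose default severity is off.
SUPPRESS = [(90001, ip_network("10.1.1.0/24")), (90002, ip_network("10.1.1.0/24"))]
RECLASSIFY = {90002: "low"}   # an external host sweep is kept, but quietly
NOTIFY_AT = "high"            # severity at which a real-time alert goes out

def is_suppressed(alert):
    # A filter matches on signature id plus source address range.
    src = ip_address(alert["src"])
    return any(alert["sig_id"] == sig and src in net for sig, net in SUPPRESS)

def tune(alerts):
    # Drop filtered alerts and apply severity overrides to the rest.
    kept = []
    for alert in alerts:
        if is_suppressed(alert):
            continue
        tuned = dict(alert)
        tuned["severity"] = RECLASSIFY.get(alert["sig_id"], alert["severity"])
        kept.append(tuned)
    return kept

def needs_notification(alert):
    return SEVERITY_RANK[alert["severity"]] >= SEVERITY_RANK[NOTIFY_AT]

def format_notification(alert):
    # Message body a mail or pager hook would send for a high-severity event.
    return (f"[{alert['severity'].upper()}] sig {alert['sig_id']} "
            f"{alert['sig_name']}: {alert['src']} -> {alert['dst']}")

def run(alerts=SAMPLE_ALERTS):
    # Returns (alerts left after tuning, notifications that would be sent).
    kept = tune(alerts)
    return kept, [format_notification(a) for a in kept if needs_notification(a)]
```

Of the four constructed alerts, the two from the internal monitoring host are filtered, the external host sweep is kept at a lowered severity, and only the high-severity web attack produces a notification.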