Internal Networks and Database Rules in Management Center

javierlopez
Level 1

I've come across two different problems related to Management Center for IDS Sensors version 1.0 (included in CiscoWorks 2000 / VMS version 2.1).

1.- Internal Networks.

I have configured several internal networks (example: 172.16.23.0 / 255.255.255.0) without getting any of the expected effects:

- Events fired by packets whose source or destination address belongs to an internal network continue to appear in Event Viewer as OUT OUT.

- Setting up a filter to exclude a certain signature when originated by any internal address does not prevent the event from appearing in Event Viewer.

I did a search in Bug Toolkit and found bug CSCdx03102, stating only that "Internal Networks should accept ip address in ranges". Does this mean that I must enter individually each and every IP address for any internal network?

2.- Database Rules.

I have customized the Default Pruning rule included with the product. By default, it should trigger when "IDS events > 2,000,000", and then it should execute the script file PruneDefault.pl (which then archives 750,000 events). I changed the trigger to "Free Space < 500 MB or IDS Events > 100,000" and added an e-mail notification and a Console Notification Event generation. I have several GB of free space and fewer than 10,000 events, but I receive a new e-mail message exactly every half hour (?). Fortunately, the script seems not to be executed!

Is there anybody successfully using these features?

2 Replies

m.singer
Level 4

1. According to the bug headline, it looks like the IP addresses have to be entered individually until the feature is incorporated.

2. To execute a script when the specified threshold is met, select the Execute a Script check box. Then, select a script from the Script File list box. You can enter any required arguments in the Arguments field.

http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f09.html#184 should help.

As for the Internal Networks, the Management Center screen in which you enter them allows you to put an IP address and a net mask. There is no place to put any IP address range. So, according to the bug headline, it seems that I need to enter each individual IP address with a net mask of 255.255.255.255 (and I don't even know if this would do the trick). In any real-world scenario this is not practical, if not impossible. My question was whether anybody has used this feature and how they managed to make it work.

The other question in my post referred to Database Rules. Of course I have selected the "Execute a Script" check box. But that was not the point. Adding a Database Rule involves two steps. First, you must "Specify the Trigger Conditions". I chose two conditions: "Free Space < 500 MB" and "IDS Events > 100,000" (the documentation states that these are OR conditions). Second, you select the "Rule Actions". I selected the three check boxes: Notify via Email, Log a Console Notification Event and Execute a Script (PruneDefault.pl with arguments 50000 -wC:\ARCHIV~1\CSCOpx\MDC\Sybase\DB\IDS\AlertPruneData). The unexpected result is that although no trigger condition is met, I DO receive an email and get a console notification event exactly every half hour (!!). I don't know if the script is also executed every half hour, but I guess it is not, because the events are not pruned and remain in the database. This behaviour makes no sense and makes this feature useless. By the way, I have not found any related bug in Bug Toolkit.
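As an added illustration (not from the thread or the product), a Python model of the internal-network classification both posts describe: the IN/OUT locality Event Viewer would assign from address / netmask entries, a signature filter conditioned on an internal source, and how an address range that the screen cannot take directly decomposes into a few address / netmask entries rather than one per host. The networks, addresses and signature ids are constructed.

```python
import ipaddress

# Constructed config: internal networks as the Management Center screen takes
# them, one address plus one netmask per entry. The /32 entry models the
# single-host workaround discussed in the thread.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("172.16.23.0/255.255.255.0"),
    ipaddress.ip_network("10.1.5.7/255.255.255.255"),
]


def range_to_mask_entries(first, last):
    """Express an inclusive address range as address / netmask entries.

    A range the UI cannot take as such decomposes into a handful of
    mask-aligned blocks, far fewer than one entry per host."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [f"{b.network_address} / {b.netmask}" for b in blocks]


def locality(addr, networks=INTERNAL_NETWORKS):
    """IN when addr falls in any configured internal network, else OUT."""
    ip = ipaddress.ip_address(addr)
    return "IN" if any(ip in net for net in networks) else "OUT"


def classify_event(src, dst, networks=INTERNAL_NETWORKS):
    """Locality pair as Event Viewer shows it, e.g. 'IN OUT' or 'OUT OUT'."""
    return f"{locality(src, networks)} {locality(dst, networks)}"


def excluded_by_filter(event, filters, networks=INTERNAL_NETWORKS):
    """Filters are (signature_id, "internal") pairs: suppress that signature
    when the event's source address is internal. Signature ids are constructed."""
    return any(event["sig"] == sig and origin == "internal"
               and locality(event["src"], networks) == "IN"
               for sig, origin in filters)


if __name__ == "__main__":
    for entry in range_to_mask_entries("172.16.23.10", "172.16.23.20"):
        print(entry)
    events = [  # constructed sample events
        {"sig": 2004, "src": "172.16.23.5", "dst": "192.0.2.9"},
        {"sig": 2004, "src": "192.0.2.9", "dst": "172.16.23.5"},
    ]
    for ev in events:
        print(classify_event(ev["src"], ev["dst"]),
              "suppressed" if excluded_by_filter(ev, [(2004, "internal")]) else "shown")
```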