
asaoudi
Community Member

I need some statistics about my IDS activity. I am interested in getting the number of events generated in a week. I would need them sorted by severity as well.

Something like:

Total events: 1 000 000

High severity: 500 000

Medium severity: 200 000

Low & informational: 300 000

I don't think I can create a customized report, so I've gathered the information from different default reports.

I chose 2 reports. The first one, called "Daily Metrics Report", provides the total number of events. Let's say this number is 1 000 000. The second, called "IDS Summary Report", provides statistics about alarms sorted by severity.

As I only log medium and high severity events, the "IDS Summary Report" only shows the number of medium and high severity events. In the "Alarms by Source and Destination Direction" section, let's say the high severity number is 500 000 and the medium severity one is 200 000. It's also written that high severity events represent 25% of the total alarms. This is what I don't understand: I would rather say 50%.

Where does this 25% come from? Are events and alarms not the same thing? For example, do some events generate more than one alarm?

If so, what report can I use to get my information?

Does anyone know where to find some information about the meaning of the fields in the default reports or in the statistics listed in the monitor/statistics section?

One more question, to understand how events are managed: the security monitor doesn't store events in a database but retrieves alarms from each IDS's event store, depending on the query specification, doesn't it?

Thank you

3 Replies

umedryk
Level 11

Please refer to the document http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids9/hwguide/hwchap4.htm#364839; this should answer a couple of your questions.

asaoudi
Community Member

Thank you for your help, even if I didn't find any helpful information to understand how reports are created.... I have been trying to understand for 4 days without success. There are some obscure points about the different values given by statistics and reports...

I can only speculate. It would be nice to have some clear documentation about that..

asaoudi
Community Member

Here is an extract of my IDS Summary Report.

Alarms by Source and Destination Direction

Alarm Level    From   To     Count     % of Total Alarms
High - 3       OUT    OUT    263778    8.65
Medium - 2     OUT    OUT    31231     1.02

I calculate the Total Alarms:

(263 778 * 100) / 8.65 = 3 049 456

(31 231 * 100) / 1.02 = 3 061 862

I can imagine the difference comes from the values being rounded.

Alarms by Category

Alarm    Count     Signature Category             % of Total Alarms
High     144552    UDP Header Signatures          4.74
High     118568    Windows/NetBIOS Signatures     8.51

I made the same calculation:

(144 552 * 100) / 4.74 = 3 049 620

(118 568 * 100) / 8.51 = 1 393 278

I have similar problems with different reports. The results are unmanageable...

Is anyone used to using these reports and could explain them to me? Has anyone ever met the same problem? Please tell me whether I misunderstand or the reports are confusing..
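The back-calculation in the post above can be made systematic. The following script is an added example (not code from the post, nor from the Cisco IDS or Security Monitor product): it takes report rows as (count, "% of Total Alarms") pairs, and instead of a single point estimate computes the whole range of denominators that a percentage printed with two decimals could have been rounded from. If the ranges of all rows in a table overlap, rounding alone explains the spread in the implied totals; if they do not, the rows cannot share one denominator, which is the case for the "Alarms by Category" rows quoted above. The row values are copied from the post; the function names and the two-decimal rounding assumption are mine.

```python
from math import inf

# Rows constructed from the two tables quoted in the post: (label, count, pct).
DIRECTION_ROWS = [
    ("High - 3", 263778, 8.65),
    ("Medium - 2", 31231, 1.02),
]
CATEGORY_ROWS = [
    ("UDP Header Signatures", 144552, 4.74),
    ("Windows/NetBIOS Signatures", 118568, 8.51),
]


def implied_total(count, pct):
    """Point estimate of the report's denominator: `count` is `pct` percent of it."""
    return count * 100.0 / pct


def implied_total_range(count, pct, decimals=2):
    """Range of denominators consistent with a percentage printed with
    `decimals` places, i.e. the true percentage lies in [pct - half, pct + half].
    Assumes the report rounds (rather than truncates) the percentage."""
    half = 0.5 * 10 ** (-decimals)
    lo = count * 100.0 / (pct + half)
    # A printed 0.00 would be consistent with any denominator at all.
    hi = count * 100.0 / (pct - half) if pct - half > 0 else inf
    return lo, hi


def reconcile(rows, decimals=2):
    """Intersect the admissible ranges of every row in one table.

    Returns (lo, hi) when a single denominator explains all rows (the rows are
    consistent up to rounding), or None when no single total can produce the
    printed percentages, i.e. the rows were computed against different bases
    or one of them is wrong."""
    lo, hi = 0.0, inf
    for _label, count, pct in rows:
        r_lo, r_hi = implied_total_range(count, pct, decimals)
        lo, hi = max(lo, r_lo), min(hi, r_hi)
    return (lo, hi) if lo <= hi else None


def describe(title, rows):
    """Human-readable summary for one report table."""
    lines = [title]
    for label, count, pct in rows:
        lo, hi = implied_total_range(count, pct)
        lines.append(f"  {label:<28} count={count:>7} pct={pct:>5} "
                     f"implied total ~ {implied_total(count, pct):,.0f} "
                     f"(range {lo:,.0f} .. {hi:,.0f})")
    common = reconcile(rows)
    if common is None:
        lines.append("  -> no single total fits all rows: not a rounding effect")
    else:
        lines.append(f"  -> consistent with one total in {common[0]:,.0f} .. {common[1]:,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe("Alarms by Source and Destination Direction", DIRECTION_ROWS))
    print(describe("Alarms by Category", CATEGORY_ROWS))
```

Run against the two tables, the direction rows reconcile to a total of roughly 3 047 700 to 3 051 200 alarms, so the 12 000-alarm gap between the two point estimates is rounding. The category rows do not reconcile at all: the Windows/NetBIOS row only fits a base of about 1.39 million, so its 8.51% is not a percentage of the same total as the other row.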