05-10-2017 01:18 PM
Can SNTC look at the configs of devices in an inventory upload to better determine if PSIRT alerts apply to the devices? Based on what I've found, it appears that device model and image name are the primary means by which a PSIRT comparison is made. I can see it taking up a lot of time with thousands of devices to compare workarounds and config options against.
For example, "Cisco IOS and IOS XE Software EnergyWise Denial of Service Vulnerabilities" (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170419-energywise) requires EnergyWise to be configured. My SNTC PSIRT report shows 987 affected devices, but EnergyWise is not enabled on the majority of these.
05-10-2017 01:22 PM
Yes. It uses the running config to provide the Features list you would see in SNTC and that is considered for many PSIRTs.
05-26-2017 07:22 AM
Hi Chris,
This is very interesting. I was not aware that the PSIRT checks against the inventory had the ability to be 'context aware' in respect of enabled features/protocols etc.
Is there any supporting documentation that describes this?
Presumably there are some constraints, as some alerts can be quite niche in their conditions for being applicable to any specific device; I'm thinking of compound logic here, i.e. if/and (within range) or type conditions?
Thanks, Graham
05-26-2017 07:34 AM
I don't own any of the external documentation, so I'll let someone else chime in there. There are always caveats with automation because of niche cases, as you mentioned. If you have some more specifics, I'd be happy to answer them. It is pretty straightforward in that we'll write a regex rule for parsing against the running config to look for those configuration lines that indicate you have the feature enabled. In addition, of course, the software version is matched. For IOS, the image name is matched as well. Optionally, hardware information, such as Product Family and PID, can be matched if needed. For IOS XR, SMU checks are also done. The automation does not currently look at additional show commands beyond the running config.
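To make the matching order described above concrete (version gate, then image/PID gate, then a regex over the running config, with "Potentially Vulnerable" when no config was collected), here is an added example in Python. It is not SNTC's code and not taken from the advisory: the affected version list, image and PID patterns, hostnames and running configs are all constructed for illustration, and the only real reference is the advisory ID. The regex is anchored at the start of a config line so that an interface description that merely mentions the word does not count as the feature being enabled.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Device:
    hostname: str
    pid: str
    version: str
    image: str
    running_config: Optional[str]  # None when no config was uploaded for this device


@dataclass
class Rule:
    advisory: str
    affected_versions: FrozenSet[str]       # software version gate
    feature_regex: re.Pattern               # matched against the running config
    image_regex: Optional[re.Pattern] = None  # optional IOS image-name gate
    pid_regex: Optional[re.Pattern] = None    # optional hardware (PID) gate


# Hypothetical rule for cisco-sa-20170419-energywise. The version set and the
# image/PID patterns are constructed for this example, not the advisory's real lists.
ENERGYWISE_RULE = Rule(
    advisory="cisco-sa-20170419-energywise",
    affected_versions=frozenset({"15.0(2)SE11", "15.2(4)E5"}),
    # Anchored at line start (MULTILINE) so 'description energywise ...' or a
    # '! energywise' comment line does not count as the feature being enabled.
    feature_regex=re.compile(r"^\s*energywise\s", re.MULTILINE),
    image_regex=re.compile(r"universalk9|ipbase", re.IGNORECASE),
    pid_regex=re.compile(r"^WS-C(2960|3750|3850)", re.IGNORECASE),
)


def classify(device: Device, rule: Rule) -> str:
    """Hardware/software gates first, then the running-config regex."""
    if device.version not in rule.affected_versions:
        return "Not Vulnerable"
    if rule.image_regex and not rule.image_regex.search(device.image):
        return "Not Vulnerable"
    if rule.pid_regex and not rule.pid_regex.search(device.pid):
        return "Not Vulnerable"
    if device.running_config is None:
        # Platform and version match, but there is no config to confirm the feature.
        return "Potentially Vulnerable"
    if rule.feature_regex.search(device.running_config):
        return "Vulnerable"
    return "Not Vulnerable"


def report(devices: List[Device], rule: Rule) -> Dict[str, str]:
    """Map each hostname to its PSIRT status for one rule."""
    return {d.hostname: classify(d, rule) for d in devices}


def summary(devices: List[Device], rule: Rule) -> Dict[str, int]:
    """Count devices per status, the way a PSIRT report would roll them up."""
    counts: Dict[str, int] = {}
    for status in report(devices, rule).values():
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample inventory: hostnames, PIDs, versions and configs are made up.
ENERGYWISE_CONFIG = (
    "hostname sw-access-01\n"
    "energywise domain lab security shared-secret 0 s3cret protocol udp port 43440\n"
    "interface GigabitEthernet1/0/1\n"
    " energywise level 10\n"
)
DESCRIPTION_ONLY_CONFIG = (
    "hostname sw-access-02\n"
    "interface GigabitEthernet1/0/1\n"
    " description energywise test port\n"
)
DEVICES = [
    Device("sw-access-01", "WS-C2960X-48FPD-L", "15.2(4)E5",
           "c2960x-universalk9-mz.152-4.E5.bin", ENERGYWISE_CONFIG),
    Device("sw-access-02", "WS-C2960X-48FPD-L", "15.2(4)E5",
           "c2960x-universalk9-mz.152-4.E5.bin", DESCRIPTION_ONLY_CONFIG),
    Device("sw-access-03", "WS-C2960X-48FPD-L", "15.2(4)E5",
           "c2960x-universalk9-mz.152-4.E5.bin", None),
    # EnergyWise configured, but the version is outside the (constructed) affected set.
    Device("rtr-edge-01", "ISR4331/K9", "16.3.5",
           "isr4300-universalk9.16.03.05.SPA.bin", ENERGYWISE_CONFIG),
]

if __name__ == "__main__":
    for host, status in report(DEVICES, ENERGYWISE_RULE).items():
        print(f"{host:14s} {status}")
    print(summary(DEVICES, ENERGYWISE_RULE))
```

The third device shows the effect of withholding configs: it passes every platform gate, so without a running config the best the automation can say is "Potentially Vulnerable". The last device shows why the version gate runs first: a feature line alone never makes a device vulnerable if its software is not in the affected set.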
05-26-2017 07:51 AM
Thanks for the clarification.
At present we aren't uploading configs, partially due to security restrictions but also because we didn't think there was sufficient value in doing so.
So, as of now we are just getting the Alert/Device match on HW type and SW version, but when my next 6 collectors come online there will be over 60K chassis to report on, hence my interest in the alert matching being context aware.
Just to check... this is included within the standard SNTC offering, and not part of the Threat Awareness or other bolt on service correct?
05-26-2017 08:07 AM
Standard. Without configs, many of your PSIRT results will be "Potentially Vulnerable".