cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
795
Views
15
Helpful
5
Replies

SNTC PSIRT Report and Device Configs

bvogle
Beginner
Beginner

Can SNTC look at the configs of devices in an inventory upload to better determine if PSIRT alerts apply to the devices?  Based on what i've found it appears that device model and image name are the primary means by which a PSIRT comparison is made.  I can see it taking up a lot of time with thousands of devices to compare workarounds and config options to.

For example, "Cisco IOS and IOS XE Software EnergyWise Denial of Service Vulnerabilities (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170419-energywise) require energywise to be configured.  My SNTC PSIRT report shows 987 affected devices, but energywise is not enabled on the majority of these.

1 Accepted Solution

Accepted Solutions

Chris Camplejohn
Cisco Employee
Cisco Employee

Yes.  It uses the running config to provide the Features list you would see in SNTC and that is considered for many PSIRTs.

View solution in original post

5 Replies 5

Chris Camplejohn
Cisco Employee
Cisco Employee

Yes.  It uses the running config to provide the Features list you would see in SNTC and that is considered for many PSIRTs.

Hi Chris,

This is very interesting, I was not aware that, the PSIRT checks against the inventory, had the ability to be 'context aware' in respect of enabled features/protocols etc.

Is there any supporting documentation that describes this?

Presumably there are some constraints as some alerts can be quite niche in their cases for being applicable to any specific device, thinking of compound logic here i.e. if, and - within range, or type conditions?

Thanks, Graham

I don't own any of the external documentation, so I'll let someone else chime in there.  There are always caveats with automation because of niche cases, as you mentioned.  If you have some more specifics, I'd be happy to answer them.  It is pretty straight-forward in that we'll write a regex rule for parsing against the running config to look for those configuration lines that indicate you have the feature enabled.  In addition, of course, the software version is matched.  For IOS, the imagename is matched as well.  Optionally, hardware information, such as Product Family and PID can be matched, if needed.  For IOS XR, SMU checks are also done.  The automation does not currently look at additional show commands beyond the running config.

Thanks for the clarification.

At present we aren't uploading configs, partially due to security restrictions but also because we didn't think there was sufficient value in doing so.

So, as of now we are just getting the Alert/Device match on just HW type and SW version, but given that when my next 6 collectors come online there will be over 60K chassis to report on, hence my interest in the alert matching being context aware.

Just to check... this is included within the standard SNTC offering, and not part of the Threat Awareness or other bolt on service correct?

Standard.  Without configs, many of your PSIRT results will be "Potentially Vulnerable"

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: