PSIRTs customization

IsabelPais58245
Level 1

Attached is an example of alerts that we received for our Cisco 9300 switches; Cisco IOS XE Software, Version 16.09.04

We would like to understand how we can customize the alerts that specifically address each hardware, Cisco IOS version AND the specific features/attributes as well. We are interested in understanding if there is a smart way for SNTC to detect and cross-reference each attribute (and all functionality that is disabled) to smartly detect true vulnerabilities.

Those titles not checked in the publications below are examples of "not applicable" to our equipment. It is our understanding that SNTC should be able to understand each functionality that is not used or is disabled, therefore not alerting us on a vulnerability that is not applicable to us. This is just one of many examples.

Thank you.

3 Replies

Jarrett Pomeroy
Cisco Employee
Hello,
PSIRT accuracy can be improved if you are collecting both SNMP and CLI data from your devices. The CLI data will help SNTC to know what configs and features may be related to PSIRTs and report back on those.
If you are not collecting CLI yet, you can add SSH/Telnet profiles to the CSPC and run a DAV/Collection to include these results in the next upload.
Thank you,
Jarrett

Thanks Jarrett... When CLI credentials are provided, what type of commands are executed on those devices? Having this information would help ease any concerns our Security Team may have. 


Thanks,

Kevin

IsabelPais58245
Level 1

Hello Jarrett,

As suggested, we started collecting CLI on only two devices for testing purposes. We noticed that collecting CLI data greatly improved Alert/Bug reporting compared to Non-CLI data collection. Below you can see the information that we have gathered.

C9300-48UXM, IOS-XE 16.12.4

          SNTC w/o CLI    SNTC w/ CLI
Alerts    8               3
Bugs      1064            383

However, we still do not have accurate information on all of our configs. For example, with CLI Data, the above C9300 returned the following high alert security Impact - Cisco IOx Application Framework Arbitrary File Creation Vulnerability. This link provided more information on how to assess the device status and resolve the issue. Upon assessing the device status, we discovered that this did not apply to us. See below example:

For the Catalyst 9x00 Series Switches (Cisco IOS XE-based devices), administrators can use the privileged exec command show iox-service to determine whether the Cisco IOx Application Framework is enabled on the device.
The following output of the show iox-service command shows a device with the Cisco IOx Application Framework enabled:

switch# show iox-service
.
.
.
IOx Infrastructure Summary:
---------------------------
IOx service (CAF)        : Running
IOx service (HA)          : Running
IOx service (IOxman)  : Running
Libvirtd                         : Running
Dockerd                       : Running
When we ran this command for that particular switch, this is what it returned:

IOx Infrastructure Summary:
---------------------------
IOx service (CAF) : Not Running
IOx service (HA) : Not Running

As you can see, this particular vulnerability, which returned a security impact of high, does not apply to us, yet it appears in our alerts. Please advise on how we can further improve PSIRT accuracy.

Also, please see Kevin's inquiry. Any information would be helpful.

Best regards,
Isabel
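The manual check Isabel describes (read the advisory's precondition, run show iox-service, decide whether the alert applies) is the kind of cross-reference she is asking SNTC to do automatically. The following script is an added example, not SNTC or Cisco code: it parses the show iox-service output quoted in the thread and marks the IOx alert not applicable only when the CLI data positively shows the CAF service is not running; if the output contains no IOx data at all, the alert stays unresolved rather than being silently suppressed.

```python
"""Triage a PSIRT alert against collected CLI output (added example).

Assumption: the advisory says the device is affected only when the IOx
Application Framework is enabled, which `show iox-service` reports as
"IOx service (CAF) : Running".
"""
import re

# Constructed sample: a device with IOx enabled, as in the advisory text.
IOX_ENABLED = """\
switch# show iox-service
IOx Infrastructure Summary:
---------------------------
IOx service (CAF)        : Running
IOx service (HA)          : Running
IOx service (IOxman)  : Running
Libvirtd                         : Running
Dockerd                       : Running
"""

# Constructed sample: the C9300 from the thread, where IOx is not running.
IOX_DISABLED = """\
switch# show iox-service
IOx Infrastructure Summary:
---------------------------
IOx service (CAF) : Not Running
IOx service (HA) : Not Running
"""

# One "<service> : <state>" line; column padding on the switch varies, so
# whitespace around the colon is ignored.
_LINE = re.compile(r"^\s*(?P<svc>[^:]+?)\s*:\s*(?P<state>Running|Not Running)\s*$")


def parse_iox_service(output):
    """Map each service named in `show iox-service` output to its state."""
    return {m["svc"]: m["state"] for m in map(_LINE.match, output.splitlines()) if m}


def iox_enabled(output):
    """IOx is enabled when the Cisco Application Framework (CAF) is Running."""
    return parse_iox_service(output).get("IOx service (CAF)") == "Running"


def triage_iox_alert(output):
    """Return whether the IOx alert applies, with the CLI evidence used.

    applicable is None when the collected output holds no IOx data, so the
    alert is left open instead of being downgraded on missing evidence.
    """
    state = parse_iox_service(output).get("IOx service (CAF)")
    if state is None:
        return {"applicable": None, "reason": "no IOx service data in CLI output"}
    return {"applicable": state == "Running", "reason": f"IOx service (CAF) is {state}"}
```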