Beginner

SNTC PSIRT Report and Device Configs

Can SNTC look at the configs of devices in an inventory upload to better determine if PSIRT alerts apply to the devices?  Based on what I've found it appears that device model and image name are the primary means by which a PSIRT comparison is made.  I can see it taking up a lot of time with thousands of devices to compare workarounds and config options to.

For example, "Cisco IOS and IOS XE Software EnergyWise Denial of Service Vulnerabilities" (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170419-energywise) require energywise to be configured.  My SNTC PSIRT report shows 987 affected devices, but energywise is not enabled on the majority of these.

1 ACCEPTED SOLUTION

Cisco Employee

Yes.  It uses the running config to provide the Features list you would see in SNTC and that is considered for many PSIRTs.

Beginner

Hi Chris,

This is very interesting, I was not aware that the PSIRT checks against the inventory had the ability to be 'context aware' in respect of enabled features/protocols etc.

Is there any supporting documentation that describes this?

Presumably there are some constraints as some alerts can be quite niche in their cases for being applicable to any specific device, thinking of compound logic here i.e. if, and - within range, or type conditions?

Thanks, Graham

Cisco Employee

I don't own any of the external documentation, so I'll let someone else chime in there.  There are always caveats with automation because of niche cases, as you mentioned.  If you have some more specifics, I'd be happy to answer them.  It is pretty straightforward in that we'll write a regex rule for parsing against the running config to look for those configuration lines that indicate you have the feature enabled.  In addition, of course, the software version is matched.  For IOS, the image name is matched as well.  Optionally, hardware information, such as Product Family and PID, can be matched, if needed.  For IOS XR, SMU checks are also done.  The automation does not currently look at additional show commands beyond the running config.

Beginner

Thanks for the clarification.

At present we aren't uploading configs, partially due to security restrictions but also because we didn't think there was sufficient value in doing so.

So, as of now we are just getting the Alert/Device match on just HW type and SW version, but given that when my next 6 collectors come online there will be over 60K chassis to report on, hence my interest in the alert matching being context aware.

Just to check... this is included within the standard SNTC offering, and not part of the Threat Awareness or other bolt-on service, correct?

Cisco Employee

Standard.  Without configs, many of your PSIRT results will be "Potentially Vulnerable".
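The matching described in the replies above (software version, IOS image name, then a regex against the running config) and the "Potentially Vulnerable" result when no config is uploaded, as an added Python example that is not part of the thread and not Cisco's rule set. The version list, image pattern, feature regex and the "Vulnerable" / "Not Vulnerable" labels are assumptions, and the sample configs are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    advisory: str
    affected_versions: frozenset     # software versions the advisory covers
    image_pattern: Optional[str]     # regex on the IOS image name, if needed
    feature_pattern: Optional[str]   # regex on running-config lines, if a feature is required

# Hypothetical rule for the EnergyWise advisory named in the question.
# Versions and both regexes are placeholders/assumptions, not Cisco's data.
ENERGYWISE = Rule(
    advisory="cisco-sa-20170419-energywise",
    affected_versions=frozenset({"0.0(1)EXAMPLE", "0.0(2)EXAMPLE"}),
    image_pattern=r"^example-ios-",
    # Anchored at column 0 so "no energywise ..." and indented interface
    # description text mentioning the word do not count as enabled.
    feature_pattern=r"^energywise domain \S+",
)

def classify(rule, version, image, running_config=None):
    """Return the applicability of one advisory rule to one device."""
    if version not in rule.affected_versions:
        return "Not Vulnerable"
    if rule.image_pattern and not re.search(rule.image_pattern, image):
        return "Not Vulnerable"
    if rule.feature_pattern is None:
        return "Vulnerable"              # no feature needed: version match is enough
    if running_config is None:
        return "Potentially Vulnerable"  # config not uploaded: cannot confirm the feature
    if re.search(rule.feature_pattern, running_config, re.MULTILINE):
        return "Vulnerable"
    return "Not Vulnerable"

# Constructed running-config samples.
CONFIG_ENABLED = """hostname sw1
energywise domain EXAMPLE security shared-secret 0 REDACTED
interface GigabitEthernet1/0/1
 description uplink
"""
CONFIG_NOT_ENABLED = """hostname sw2
no energywise domain
interface GigabitEthernet1/0/1
 description energywise domain meter closet
"""

if __name__ == "__main__":
    for cfg in (CONFIG_ENABLED, CONFIG_NOT_ENABLED, None):
        print(classify(ENERGYWISE, "0.0(1)EXAMPLE", "example-ios-image", cfg))
```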
