Hi

We get a lot (approximately 10 / minute) of the following message in the status event log for an IDSM-2:

evStatus: eventId=1245875406575241648 vendor=Cisco originator: hostId: hostX appName: modprobe appInstanceId: time: de...
Hi

I would like to track if an ‘event action filter’ triggers. A filter that removes all actions from an event effectively consumes the event. But can I track if an ‘event action filter’ triggers (CLI command, debug)?

Br Johan Kellerman
Hi

The very first thing I would do is to make an inventory of the network that you are protecting and identify OS, applications, systems etc. When that is in place I would disable/tune all signatures that are written to detect attacks against systems, op...
Hi

You have to use SDEE to collect events (log entries) from the sensor. I believe that SIM supports SDEE; otherwise you are left with SNMP/SNMP traps, which is not a good choice for this since you have to tweak signatures. Syslog is unfortunately no...
Hi

This is pretty straightforward. A file has been created in the ..%windowsroot%\system32 directory. If you turn on verbose logging for this signature you can see what file has been created.

Br Johan Kellerman
Hi

Got an answer from TAC that solved the problem:

1) create a service account on the IDSM. idsm(config)# username service privilege service password (your pwd)
2) exit and login with that user ...