Friday, November 30, 2007

Cisco IDS

First, the link to research signatures:
http://tools.cisco.com/security/center/home.x

Now a tip for using the Cisco IDSM module without purchasing their overpriced control station. The IDSM module will not send syslog alerts, and it also will not send SNMP traps by default. So how do I get the IDSM module to trap when an event is triggered?

The key is the "Event Action Override", which lets you set a default action for all signatures that fall within a specified Risk Rating (RR) range. In my case I set the default action of sending an SNMP trap for signatures with an RR of 18-100. 100 is the maximum RR; 18 is the lowest RR of the signatures that alert by default. This ensures that every signature that is set to "alert" will also produce an SNMP trap.

What about signatures that have an RR of 18 or more but shouldn't alert, such as signatures that are part of meta-events?

That is where the "Event Action Filter" comes into play. It lets us specify signatures that we don't want to send a trap. You can match on signature(s), sub-signature(s), RR range, etc. Then you simply select the SNMP trap action as the action to remove.

You might be thinking that this seems convoluted: why not simply adjust the signatures to trap? Because there are hundreds of signatures, and they would need to be reviewed every time they are updated. By using the "Event Action Override", new signatures will automatically send a trap by default. Event Action Filtering will only be needed for a few noisy signatures, depending on your environment.
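To make the override-then-filter order concrete, here is a small model of how the two rule types combine, written for this post (it is not Cisco's code and does not talk to a sensor). Overrides add an action to every event whose RR falls in the range; filters then subtract actions for the listed signatures. The signature numbers, sub-signature numbers and RR values in the sample events are constructed; the action names are the IPS ones but are treated as plain strings.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

# IPS action names, used here only as labels.
PRODUCE_ALERT = "produce-alert"
SNMP_TRAP = "request-snmp-trap"


@dataclass(frozen=True)
class Event:
    """One triggered signature: id, sub-signature id, computed Risk Rating,
    and the actions configured on the signature itself."""
    sig_id: int
    subsig_id: int
    risk_rating: int
    actions: FrozenSet[str]


@dataclass(frozen=True)
class Override:
    """Event Action Override: add `action` when RR is within [rr_min, rr_max]."""
    action: str
    rr_min: int
    rr_max: int


@dataclass(frozen=True)
class Filter:
    """Event Action Filter: remove `actions_to_remove` from events that match
    the signature ids, optionally the sub-signature ids, and the RR range."""
    sig_ids: FrozenSet[int]
    actions_to_remove: FrozenSet[str]
    subsig_ids: Optional[FrozenSet[int]] = None  # None matches any sub-signature
    rr_min: int = 0
    rr_max: int = 100


def resolve_actions(event: Event, overrides: Sequence[Override],
                    filters: Sequence[Filter]) -> FrozenSet[str]:
    """Return the final action set for one event: overrides first, filters second."""
    actions = set(event.actions)
    # Overrides: any event in range picks up the action, including signatures
    # that arrive with a future update and were never touched by hand.
    for ov in overrides:
        if ov.rr_min <= event.risk_rating <= ov.rr_max:
            actions.add(ov.action)
    # Filters: subtract actions only for the handful of signatures listed.
    for flt in filters:
        if event.sig_id not in flt.sig_ids:
            continue
        if flt.subsig_ids is not None and event.subsig_id not in flt.subsig_ids:
            continue
        if not (flt.rr_min <= event.risk_rating <= flt.rr_max):
            continue
        actions -= flt.actions_to_remove
    return frozenset(actions)


# The post's policy: trap on everything with RR 18-100.
OVERRIDES = [Override(SNMP_TRAP, 18, 100)]

# Constructed filters: signature 3000 (all sub-signatures) and signature 3001
# sub-signature 0 feed a meta-event and should not trap on their own.
FILTERS = [
    Filter(sig_ids=frozenset({3000}), actions_to_remove=frozenset({SNMP_TRAP})),
    Filter(sig_ids=frozenset({3001}), subsig_ids=frozenset({0}),
           actions_to_remove=frozenset({SNMP_TRAP})),
]

# Constructed sample events.
SAMPLE_EVENTS = [
    Event(2004, 0, 25, frozenset({PRODUCE_ALERT})),  # ordinary alerting signature
    Event(1234, 0, 10, frozenset()),                 # informational, RR below 18
    Event(3000, 2, 60, frozenset()),                 # meta-event component, filtered
    Event(3001, 0, 60, frozenset()),                 # filtered sub-signature
    Event(3001, 1, 60, frozenset()),                 # same signature, unfiltered subsig
    Event(9999, 0, 40, frozenset({PRODUCE_ALERT})),  # "new" signature from an update
]


def trap_decisions(events: Sequence[Event] = SAMPLE_EVENTS) -> dict:
    """Map (sig_id, subsig_id) -> whether an SNMP trap would be sent."""
    return {(e.sig_id, e.subsig_id): SNMP_TRAP in resolve_actions(e, OVERRIDES, FILTERS)
            for e in events}


if __name__ == "__main__":
    for key, traps in trap_decisions().items():
        print(key, "trap" if traps else "no trap")
```

The point the model makes is the one in the post: the override is a single rule that covers every present and future signature, and the filter list stays short because it only names the exceptions.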

Friday, November 09, 2007

Cisco VPN and Filters

access-list vpn-crypto-domain permit ip object-group local-hosts object-group remote-hosts

# Note: these are used for both incoming and outgoing connections!
access-list vpn-acl permit tcp object-group remote-hosts object-group local-hosts eq 22
access-list vpn-acl permit icmp object-group remote-hosts object-group local-hosts
access-list vpn-acl permit tcp object-group local-hosts object-group remote-hosts

crypto map VPN_MAP1 230 match address vpn-crypto-domain
crypto map VPN_MAP1 230 set peer xx.xx.xx.xx
crypto map VPN_MAP1 230 set transform-set ESP-AES256-SHA

group-policy vpn-filter internal
group-policy vpn-filter attributes
 vpn-filter value vpn-acl
 pfs disable

tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xx general-attributes
 default-group-policy vpn-filter