IDS: RE: Reports from Cisco IDS
From: Mark L. Evans <MEvans_at_CO.SLC.UT.US>
Date: Sun, 8 Dec 2002 21:19:26 -0700

I use a combination of KIWI, and Ciscoworks VMS to produce IDS activity
reports for the management.

The KIWI software is excellent, and very affordable. I believe it cost $39
per license. I feed SNMP traps and SYSLOG messages from all of our network
equipment (especially ACL violations) to a central KIWI server. KIWI will
allow me to filter the syslog/trap messages into 10 separate screen
displays. KIWI can also record the filtered events into 10 separate text
files. KIWI allows for the usual notification facilities. Excellent product
at a great price!

The Ciscoworks VMS plugin is very new. We were actually one of the first
customers to use it. It's a HUGE improvement over the older CSPM-based
product. VMS produces HTML and text-based reports that can be sent to your
managers as web links. VMS has a very good "live" IDS event viewer built in
as well. The last VMS component worth mentioning is the web-based IDS
management interface. This interface allows you to group your IDS sensors.
You can then manage the sensors as a group from one central interface. The
common configuration can be pushed out to the sensors in the group. VMS also
reports on the HIDS (Entercept) product that Cisco sells.

I don't believe the IDS sensor can write to SYSLOG. The sensor does build a
log of IP activity (a little like tcpdump format) but I don't think the data
in its raw format will be very useful.

The VMS product is not cheap, but I feel it has been a good tool in our
environment. It's not as customizable as SNORT, but it's much easier to get up
and running.

Mark

>
> On the network at work, we use a Cisco PIX (which comes with IDS), which
> allows me to send a log to another server. On that server I use something
> called Kiwi Syslog Daemon (http://www.kiwisyslog.com/info_syslog.htm). From
> there, I use ReportGen (http://www.reportgen.com/downloads.htm) which turns
> into stuff my boss can read. Not sure if this solution will work with the
> Cisco IDS, but should. I have seen this run on several platforms. They
> have trial versions, to see if it fits your bill. Also, their prices are
> reasonable, if you like it.
> Pete.
>
> Hi,
>
> I have a Cisco IDS (switch module) with the HPOV plug-in. I would like to
> know how I can get reports from it. Any kind of report, like by source IP,
> top signatures...is this possible? If not, how can I get reports from Cisco
> IDS?
>
> Thank you,
>
> Peter
> sr. security analyst
>
Received on Dec 09 2002
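As an added example (not part of this thread, and not code from Kiwi, ReportGen or Ciscoworks VMS), here is a small Python script that does what Peter asks for on syslog messages as they would arrive on a central syslog server: it parses Cisco PIX IDS-signature and ACL-deny messages and summarises them by source IP and by top signature, and it pivots the two together so that a source that both tripped a signature and was denied by an ACL stands out. The message layouts are assumptions that approximate the documented PIX formats (%PIX-4-4000xx "IDS:<sig> <desc> from <src> to <dst> on interface <if>" and %PIX-4-106023 "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ..."); the sample lines, hostnames and addresses are constructed for the example.

```python
"""
Added example: per-source and per-signature reporting over PIX-style IDS and
ACL-deny syslog lines. Message formats are approximated from Cisco PIX docs
(assumption, not taken from the mailing-list post); sample lines are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape a Kiwi syslog server would write to a text file.
SAMPLE_LOG = """\
Dec 08 2002 21:01:03 fw01 %PIX-4-400013: IDS:2003 ICMP redirect from 10.1.1.9 to 192.0.2.10 on interface outside
Dec 08 2002 21:01:05 fw01 %PIX-4-400014: IDS:2004 ICMP echo request from 10.1.1.9 to 192.0.2.11 on interface outside
Dec 08 2002 21:01:07 fw01 %PIX-4-400014: IDS:2004 ICMP echo request from 10.1.1.9 to 192.0.2.12 on interface outside
Dec 08 2002 21:02:11 fw01 %PIX-4-400007: IDS:1100 IP fragment attack from 198.51.100.7 to 192.0.2.10 on interface outside
Dec 08 2002 21:02:40 fw01 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4321 dst inside:192.0.2.10/80 by access-group "outside_in"
Dec 08 2002 21:03:02 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.5/1025 dst inside:192.0.2.10/22 by access-group "outside_in"
Dec 08 2002 21:03:30 fw01 %PIX-4-400014: IDS:2004 ICMP echo request from 203.0.113.5 to 192.0.2.10 on interface outside
Dec 08 2002 21:04:00 fw01 %PIX-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/3333 (203.0.113.9/3333) to inside:192.0.2.10/80 (192.0.2.10/80)
"""

# Assumed PIX IDS message layout: "%PIX-4-4000xx: IDS:<sig> <desc> from <src> to <dst> on interface <if>"
IDS_RE = re.compile(
    r'%PIX-\d-4000\d\d: IDS:(?P<sig>\d+) (?P<desc>.+?) from (?P<src>[\d.]+) '
    r'to (?P<dst>[\d.]+) on interface (?P<iface>\S+)'
)
# Assumed PIX ACL-deny layout: "%PIX-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>""
ACL_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) src [^:\s]+:(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst [^:\s]+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_line(line):
    """Return an event dict for an IDS-signature or ACL-deny line, None for anything else."""
    m = IDS_RE.search(line)
    if m:
        return {"kind": "ids", "src": m["src"], "dst": m["dst"],
                "sig": int(m["sig"]), "desc": m["desc"], "iface": m["iface"]}
    m = ACL_RE.search(line)
    if m:
        return {"kind": "acl", "src": m["src"], "dst": m["dst"],
                "proto": m["proto"], "dport": int(m["dport"]), "acl": m["acl"]}
    return None  # connection build/teardown and other chatter is dropped


def parse_log(text):
    """Parse every line of a syslog text file into the events we report on."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def top_sources(events, n=5):
    """Busiest source IPs across IDS hits and ACL denies; ties broken by address."""
    counts = Counter(e["src"] for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_signatures(events, n=5):
    """Most-fired IDS signatures as ((sig, desc), count); ties broken by signature number."""
    counts = Counter((e["sig"], e["desc"]) for e in events if e["kind"] == "ids")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def source_summary(events):
    """Per source IP: IDS hit count, ACL-deny count, distinct signatures and ACLs involved."""
    summary = defaultdict(lambda: {"ids": 0, "acl": 0, "sigs": set(), "acls": set()})
    for e in events:
        s = summary[e["src"]]
        if e["kind"] == "ids":
            s["ids"] += 1
            s["sigs"].add(e["sig"])
        else:
            s["acl"] += 1
            s["acls"].add(e["acl"])
    return dict(summary)


def render_report(events):
    """Plain-text report suitable for mailing to management."""
    lines = ["IDS / ACL activity report", "=" * 26, "", "Top source addresses:"]
    for ip, n in top_sources(events):
        lines.append(f"  {ip:<16} {n:>4}")
    lines += ["", "Top IDS signatures:"]
    for (sig, desc), n in top_signatures(events):
        lines.append(f"  {sig:<6} {desc:<24} {n:>4}")
    lines += ["", "Sources with both IDS hits and ACL denies:"]
    for ip, s in sorted(source_summary(events).items()):
        if s["ids"] and s["acl"]:
            lines.append(f"  {ip:<16} sigs={sorted(s['sigs'])} acls={sorted(s['acls'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(parse_log(SAMPLE_LOG)))
```

Pointed at one of the filtered text files Kiwi writes instead of SAMPLE_LOG, the same functions give the by-source and top-signature tables Peter asked for; the ACL regex is the place to add a second pattern if router ACL logs in a different format are mixed into the same file.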
