Cisco IPS 4200 Series Sensors

IPS 5.x and later: Various Methods of Monitoring Events

Document ID: 111432

Updated: Dec 18, 2009

Introduction

This document provides various methods to monitor the IPS events.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on IPS 5.x and later.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Methods of Monitoring the IPS Events

Currently, there are four options for monitoring the sensors:

  1. IPS Manager Express (IME) is available from the Software Download area on Cisco.com. This application securely subscribes to the IPS sensor with SDEE and retrieves the events/logs that the sensor has generated, including the alerts produced when a signature fires on a match.

    IPS Device Manager (IDM) is launched when you access the sensor directly through HTTPS.

    View the event store directly on the sensor with the IDM Monitoring or IME Event Monitoring tools. IDM and IME are not valid solutions if you need to store the events long term, because the local event store of the sensor is a 30 MB circular buffer that begins to overwrite itself once the 30 MB limit is reached. This limit is non-configurable.

  2. Use a CS-MARS device in order to routinely pull and correlate the events from the sensor. The CS-MARS uses the SDEE protocol in order to establish a secure connection to the sensor to retrieve the events and retrieves new events every few seconds.

    Contact your account team/reseller/SE for more information if you are interested in a demo of the CS-MARS device.

    For Cisco IPS 5.x and 6.x devices, MARS pulls the logs with SDEE over SSL. Therefore, MARS must have HTTPS access to the sensor. In order to prepare the sensor, you must allow HTTPS traffic from the IDM/IME management station, and make sure that the IP address of MARS is defined as an allowed host on the sensor.

    sensor#conf t
    sensor(config)#service host
    sensor(config-hos)#network-settings
    sensor(config-hos-net)#access-list x.x.x.x/subnet_mask
    sensor(config-hos-net)#exit
    sensor(config-hos)#exit
    Apply Changes?[yes]:
    sensor(config)#
  3. Monitor the events with the IEV. IDS Event Viewer (IEV) is a Java-based application that enables you to view and manage alarms for up to five sensors. With IDS Event Viewer you can connect to sensors and view alarms in real time, or view alarms in imported log files. You can configure filters and views to help you manage the alarms. You can also import and export event data for further analysis. Like MARS, IEV establishes a secure connection to the sensor and retrieves events every few seconds. IEV stores these events in a database on the server on which IEV is installed. The database is included with IEV and installed along with the application. Click IEV in order to download.

    Note: The documentation for IEV is found through the help menu after you install it. The readme contains installation information.

  4. Configure the signatures on your sensor to have an action of request-snmp-trap and configure the sensor to send the traps to an SNMP server. You can then use this server to relay the messages as syslogs to another machine.

    SNMP is an application layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.

    SNMP is a simple request/response protocol. The network-management system issues a request, and managed devices return responses. This behavior is implemented with the use of one of four protocol operations:

    1. Get

    2. GetNext

    3. Set

    4. Trap

    You can configure the sensor for monitoring by SNMP. SNMP defines a standard way for network management stations to monitor the health and status of many types of devices, which includes switches, routers, and sensors.
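Options 1 through 3 above all rely on an SDEE subscription over HTTPS to pull alerts off the sensor before its 30 MB circular event store wraps. The following is an added example, not Cisco's code or part of the original document: it builds the SDEE subscription URLs (the action/events/subscriptionId parameter form and the SDEE/CIDEE namespaces are assumptions), parses an evIdsAlert document into flat records, and de-duplicates by eventId into a long-term store. The XML sample is constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

SD = "{http://example.com/2003/08/sdee}"               # SDEE namespace (assumed)
CID = "{http://www.cisco.com/cids/2004/04/cidee}"      # CIDEE extension namespace (assumed)

def sdee_url(sensor, action, subscription_id=None):
    """Build the SDEE request URL (open/get/close) against the sensor's HTTPS interface.
    The management host must be in the sensor's access-list for this to be reachable."""
    params = {"action": action}
    if action == "open":
        params.update({"events": "evIdsAlert", "force": "yes"})   # assumed parameter names
    else:
        params["subscriptionId"] = subscription_id
    return f"https://{sensor}/cgi-bin/sdee-server?{urlencode(params)}"

def parse_alerts(xml_text):
    """Turn an SDEE <sd:events> document into a list of flat alert dicts."""
    alerts = []
    for ev in ET.fromstring(xml_text).iter(f"{SD}evIdsAlert"):
        sig = ev.find(f"{SD}signature")
        alerts.append({
            "eventId": ev.get("eventId"),
            "severity": ev.get("severity"),
            "sigId": sig.get("id") + "/" + sig.findtext(f"{CID}subsigId", "0"),
            "description": sig.get("description"),
            "attacker": ev.findtext(f"{SD}participants/{SD}attacker/{SD}addr"),
            "target": ev.findtext(f"{SD}participants/{SD}target/{SD}addr"),
        })
    return alerts

def archive(alerts, seen, store):
    """Append alerts not yet seen to a long-term store; returns how many were added.
    `store` is a list here; a file or database would replace it in practice."""
    added = 0
    for alert in alerts:
        if alert["eventId"] not in seen:
            seen.add(alert["eventId"])
            store.append(alert)
            added += 1
    return added

# Constructed SDEE response for one alert (not captured from a real sensor).
SAMPLE = """<?xml version="1.0"?>
<sd:events xmlns:sd="http://example.com/2003/08/sdee" xmlns:cid="http://www.cisco.com/cids/2004/04/cidee">
 <sd:evIdsAlert eventId="1260000000000000001" severity="high" vendor="Cisco">
  <sd:originator><sd:hostId>sensor</sd:hostId></sd:originator>
  <sd:signature description="constructed test signature" id="1000" version="S1"><cid:subsigId>0</cid:subsigId></sd:signature>
  <sd:participants><sd:attacker><sd:addr locality="OUT">192.0.2.10</sd:addr></sd:attacker>
   <sd:target><sd:addr locality="IN">198.51.100.5</sd:addr></sd:target></sd:participants>
 </sd:evIdsAlert>
</sd:events>"""
```

Running `archive(parse_alerts(SAMPLE), set(), [])` returns 1 on the first pass and 0 on a repeat, which is the de-duplication a poller needs when it re-reads overlapping event ranges.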

Related Information