Device Configuration Guide for Cisco Security MARS, Release 6.x - Enterasys Dragon Devices [Cisco Security Monitoring, Analysis and Response System]

Table Of Contents

Enterasys Dragon 6.x

DPM/EFP Configuration

Configure the DPM or EFP

Host-side Configuration

Configure the syslog on the UNIX host

MARS-side Configuration

Add Configuration Information for the Enterasys Dragon

Add a Dragon NIDS Device

Enterasys Dragon 6.x

To configure the Enterasys Dragon devices, you must:

•Configure the Dragon Policy Manager (DPM) or Event Flow Processor (EFP).

•Configure the syslog daemon running on the same system as the DPM or EFP.

•Configure the MARS.

This chapter contains the following topics:

•DPM/EFP Configuration

•Host-side Configuration

•MARS-side Configuration

DPM/EFP Configuration

Before you configure the DPM or EFP, you must install and enable the Alarmtool.

This section contains the following topics:

•Configure the DPM or EFP

Configure the DPM or EFP

Step 1 Log into the DPM or EFP.

Step 2 Click Alarmtool.

Step 3 In the left menu, click Notification Rules.

Step 4 In the right window, select syslog if it exists. If not, you need to create it:

a. Click New Notification Rules and select syslog.

b. Facility - Make sure the localn you select is not in use by the syslog daemon

c. Level - Select Debug

d. Message - Make sure its in such format:
%TIME% %DATE% SigName=%NAME% from Sensor=%SENSOR%
ScrIP=%SIP% DstIP=%DIP% SrcPort=%SPORT% DstPort=%DPORT% 
Protocol=%PROTO%
Step 5 Click Save.

Step 6 In the left menu, click Alarm.

Step 7 Set the Type to Real-time and the Notification Rule to syslog.

Step 8 Click Save.

Step 9 In the left menu, click Deployment.

Step 10 In the main screen, click View Configuration. Make sure the localn set in both notify syslog and alarm syslog match.

Step 11 In the main screen, click Deploy and Reset to confirm the configuration change.

Host-side Configuration

This section contains the following topics:

•Configure the syslog on the UNIX host

Configure the syslog on the UNIX host

Step 1 Log into the host as the root user.

Step 2 On the same system running the DPM or EFP, edit the file /etc/syslog.conf .

Step 3 Make sure n in localn matches the syslog entry you used on the DPM or EFP.

Step 4 Add the line:
localn.*           @<mars ip address>
Replacing n with the value used in Step 3 and replacing <mars ip address > with the IP address of the MARS Appliance.

Step 5 Restart the syslog daemon by entering:
/etc/rc.d/rc.syslog restart
MARS-side Configuration

This section contains the following topics:

•Add Configuration Information for the Enterasys Dragon

•Add a Dragon NIDS Device

Add Configuration Information for the Enterasys Dragon

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add.

Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host.

Step 3 Enter the Device Name and IP Addresses if adding a new host.

Step 4 Click Apply

Step 5 Click Reporting Applications tab

Step 6 From the Select Application list, select Enterasys Dragon 6.x.

Step 7 Click Add.

Add a Dragon NIDS Device

Step 1 Click Add Sensor.

Step 2 Select existing device or Add New Device.

Step 3 Enter values for the following fields:

•Device Name—The DNS entry for this device.

•Sensor Name—The name as it appears in the console.

•Reporting IP—The IP address that the agent uses to send logs to the console.

Step 4 Add the interfaces, which important information for attack path calculation.

•For multiple interfaces, click Add Interface, and add the new interfaces's name, IP address and mask.

Step 5 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following:

•To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

•To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list

b. Click Add to move the specified network into the Monitored Networks field.

c. Repeat as needed.

Step 6 To save your changes, click Submit.

Step 7 Click Done when you are done adding the sensor.

Step 8 To enable MARS to start sessionizing events from this module, click Activate.

	Device Configuration Guide for Cisco Security MARS, Release 6.x
	Enterasys Dragon Devices
Device Configuration Guide for Cisco Security MARS, Release 6.x Preface Part 1: Concepts Configuring Reporting and Mitigation Devices in MARS Part 2: Intrusion Detection and Prevention (Network based) Cisco IPS Devices (4.x and 5.x) NetScreen IDP Devices and Servers Cisco IPS 6.x Devices and Virtual Sensors Enterasys Dragon Devices Snort Devices McAfee Intrushield Symantec ManHunt Cisco IPS Modules IBM SiteProtector Devices IBM RealSecure Devices Part 3: Vulnerability Assessment Qualys QualysGuard Devices eEye REM Devices McAfee Foundstone Part 4: Switches Cisco Switches Extreme Switches Part 5: Routers Cisco Routers Routers (Generic) Part 6: Firewalls Cisco Firewall Devices Cisco ASA, Version 8.1.X and 8.2.X and NetFlow Check Point Devices NetScreen ScreenOS Devices Part 7: Network Access Control Cisco NAC Appliance Part 8: Virtual Private Network Gateways Cisco VPN 3000 Concentrator Part 9: WLAN Controller Cisco Wireless LAN Controller Part 10: AAA Servers Cisco Secure ACS Devices Part 11: Intrusion Detection and Prevention (Host based) Cisco Security Agent Entercept Devices Part 12: Virus Protection Symantec AntiVirus McAfee EPO Management Devices Cisco Incident Controller Server Part 13: Content Management Cisco CSC SSM Part 14: Database Applications Oracle Database Applications Part 15: Web Servers Web Server Devices Part 16: Web Proxies Network Appliance NetCache Generic Part 17: Host Nodes Generic, Solaris, Linux, and Windows Application Hosts Index	Download this chapter Enterasys Dragon Devices Download the complete book Device Configuration Guide for Cisco Security MARS Release 6.x (PDF - 5 MB) Table Of Contents Enterasys Dragon 6.x DPM/EFP Configuration Configure the DPM or EFP Host-side Configuration Configure the syslog on the UNIX host MARS-side Configuration Add Configuration Information for the Enterasys Dragon Add a Dragon NIDS Device Enterasys Dragon 6.x To configure the Enterasys Dragon devices, you must: •Configure the Dragon Policy Manager (DPM) or Event Flow Processor (EFP). •Configure the syslog daemon running on the same system as the DPM or EFP. •Configure the MARS. This chapter contains the following topics: •DPM/EFP Configuration •Host-side Configuration •MARS-side Configuration DPM/EFP Configuration Before you configure the DPM or EFP, you must install and enable the Alarmtool. This section contains the following topics: •Configure the DPM or EFP Configure the DPM or EFP Step 1 Log into the DPM or EFP. Step 2 Click Alarmtool. Step 3 In the left menu, click Notification Rules. Step 4 In the right window, select syslog if it exists. If not, you need to create it: a. Click New Notification Rules and select syslog. b. Facility - Make sure the localn you select is not in use by the syslog daemon c. Level - Select Debug d. Message - Make sure its in such format: %TIME% %DATE% SigName=%NAME% from Sensor=%SENSOR% ScrIP=%SIP% DstIP=%DIP% SrcPort=%SPORT% DstPort=%DPORT% Protocol=%PROTO% Step 5 Click Save. Step 6 In the left menu, click Alarm. Step 7 Set the Type to Real-time and the Notification Rule to syslog. Step 8 Click Save. Step 9 In the left menu, click Deployment. Step 10 In the main screen, click View Configuration. Make sure the localn set in both notify syslog and alarm syslog match. Step 11 In the main screen, click Deploy and Reset to confirm the configuration change. Host-side Configuration This section contains the following topics: •Configure the syslog on the UNIX host Configure the syslog on the UNIX host Step 1 Log into the host as the root user. Step 2 On the same system running the DPM or EFP, edit the file /etc/syslog.conf . Step 3 Make sure n in localn matches the syslog entry you used on the DPM or EFP. Step 4 Add the line: localn.* @<mars ip address> Replacing n with the value used in Step 3 and replacing <mars ip address > with the IP address of the MARS Appliance. Step 5 Restart the syslog daemon by entering: /etc/rc.d/rc.syslog restart MARS-side Configuration This section contains the following topics: •Add Configuration Information for the Enterasys Dragon •Add a Dragon NIDS Device Add Configuration Information for the Enterasys Dragon Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name and IP Addresses if adding a new host. Step 4 Click Apply Step 5 Click Reporting Applications tab Step 6 From the Select Application list, select Enterasys Dragon 6.x. Step 7 Click Add. Add a Dragon NIDS Device Step 1 Click Add Sensor. Step 2 Select existing device or Add New Device. Step 3 Enter values for the following fields: •Device Name—The DNS entry for this device. •Sensor Name—The name as it appears in the console. •Reporting IP—The IP address that the agent uses to send logs to the console. Step 4 Add the interfaces, which important information for attack path calculation. •For multiple interfaces, click Add Interface, and add the new interfaces's name, IP address and mask. Step 5 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following: •To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. •To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list b. Click Add to move the specified network into the Monitored Networks field. c. Repeat as needed. Step 6 To save your changes, click Submit. Step 7 Click Done when you are done adding the sensor. Step 8 To enable MARS to start sessionizing events from this module, click Activate.
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.