Device Configuration Guide for Cisco Security MARS, Release 6.x - Entercept Devices [Cisco Security Monitoring, Analysis and Response System]

Table Of Contents

Entercept Entercept 2.5 and 4.0

Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5)

Create a CSV file for Entercept Agents in Version 2.5

Define the MARS Appliance as an SNMP Trap Target

Specific the Events to Generate SNMP Traps for MARS

Add and Configure an Entercept Console and its Agents in MARS

Add the Entercept Console Host to MARS

Add Entercept Agents Manually

Add Entercept Agents Using a Seed File

Entercept Entercept 2.5 and 4.0

To configure Entercept in MARS, you must perform the following tasks:

1. Generate CSV file that identifies each of the Entercept hosts by logging into the host running the Entercept console and copying the data out of the database table.

2. Configure the Entercept console to send SNMP traps to the MARS Appliance

3. Identify the events that should be generated as SNMP traps.

4. Define a host that represents the management console (Entercept console) in MARS web interface.

5. From that host in the MARS web interface, import the CSV seed file to identify the Entercept agents running on other hosts.

Caution Monitoring devices that support dynamic discovery of agents do not discover the agent on the monitoring device server, if applicable. This agent is intentionally not discovered, as it causes issues in event processing from that device. In addition, you must not manually define the agent that runs on the monitoring device server.

This chapter contains the following topics:

•Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5)

•Define the MARS Appliance as an SNMP Trap Target

•Specific the Events to Generate SNMP Traps for MARS

•Add and Configure an Entercept Console and its Agents in MARS

Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5)

Note Entercept agent information is saved in a database file on the Entercept console.

When you configure the MARS box to add Entercept agents, you can extract them from the database file on the Entercept console, instead of typing the mapping for each agent.

Create a CSV file for Entercept Agents in Version 2.5

Step 1 Go to the directory Program Files\Cisco IDS\Console\Database and copy the file CoreShield.mdb to another directory, e.g.: C:\temp.

Step 2 Open the copied CoreShield.mdb with Microsoft Access, and go to the "Agents" table.

Step 3 Export the table to a file named: Agents.txt and choose the exported file format to be CSV.

Step 4 Copy Agents.txt to a specific directory that is ready for the MARS box to load.
   A sample agents.txt file could be:
1,3,"entercept1",6,1,1,1,438,1,"127.0.0.1",0,,1051055867,2086
where the fields are: AgentID, AgentTypeID, ComputerName, ComputerType,
NewFlag, StatusID, OperatingModeID, VersionID, VersionModeID, IP, 
License, Note, NoConnection, and UpTime.
Define the MARS Appliance as an SNMP Trap Target

Step 1 Log in to the Entercept Console.

Step 2 Click Configuration.

Step 3 Click the Address Book tab.

Step 4 In the All Contacts tree, click SNMP Trap.

Step 5 Click the Plus (+) button.

Step 6 In the New SNMP Trap page, specify the following values:

•Alias—Enter an name for the MARS Appliance.

•Privilege Level—Set to Global.

•Status—Set to Enabled.

•Name—Enter the MARS Appliance's name if the DNS server can resolve the name. Otherwise, use its IP address.

•Community—Enter a community string name,

•Port—Enter the SNMP port number used by the MARS Applaince.

•Protocol—Select SNMP.

Specific the Events to Generate SNMP Traps for MARS

Step 1 Click the Notifications tab.

Step 2 Click the Plus (+) button.

Step 3 On the General tab, in the name field, enter a name for the notification.

Step 4 Click the Agent Groups tab and select the All Agents radio button.

Step 5 Click the Security Events tab and select the Events by Severity Levels radio button. Select the events that you want (High, Medium, Low, and Information).

Step 6 Click the System Events tab and select the Events by Severity Levels radio button. Select the events that you want (Error, Warning, and Information).

Step 7 Click the Address Book tab and click a destination in the Available Destinations field. Click the Down arrow to move it into the Selected Destinations field.

Step 8 Click OK and exit the program.

Add and Configure an Entercept Console and its Agents in MARS

Adding an Entercept device has two distinct steps. First, you add configuration information for the for the Entercept Console host. Second, you add the agents managed by that console.

This section contains the following topics:

•Add the Entercept Console Host to MARS

•Add Entercept Agents Manually

•Add Entercept Agents Using a Seed File

Add the Entercept Console Host to MARS

Step 1 Click Admin > Security and Monitor Devices > Add.

Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host.

Step 3 Enter the Device Name and IP addresses if adding a new host.

Step 4 Click Apply.

Step 5 Click on Reporting Applications tab.

Step 6 From the Select Application list, select Entercept 2.5 or 4.0

Step 7 Click Add.

Step 8 Enter the Console Name.

Step 9 Check the Is Sensor check box, which identifies the deivce as a sensor.

Step 10 Enter the sensor's Agent Name, which is the agent name for the console if it is an agent.

Step 11 Click Submit.

You can now add the agents.

Add Entercept Agents Manually

Caution Monitoring devices that support dynamic discovery of agents do not discover the agent on the monitoring device server, if applicable. This agent is intentionally not discovered, as it causes issues in event processing from that device. In addition, you must not manually define the agent that runs on the monitoring device server.

Step 1 Click Add Agent.

Step 2 Select the device that already has agent running or Add New.

Step 3 If you selected Add New, then specificy the following values:

•Device Name

•Agent Name

•Reporting IP

•For the first interface, enter an IP address and mask.

•For multiple interfaces, click Add Interface, and add the new interfaces' IP address and mask.

Step 4 Click Submit .

Add Entercept Agents Using a Seed File

Caution Monitoring devices that support dynamic discovery of agents do not discover the agent on the monitoring device server, if applicable. This agent is intentionally not discovered, as it causes issues in event processing from that device. In addition, you must not manually define the agent that runs on the monitoring device server.

Step 1 Click Load From CSV.

Step 2 Enter the FTP server information and location of the CSV (comma separated values) file.

•If you need to generate the Entercept Agent CSV file, see Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5).

Step 3 Click Submit.

	Device Configuration Guide for Cisco Security MARS, Release 6.x
	Entercept Devices
Device Configuration Guide for Cisco Security MARS, Release 6.x Preface Part 1: Concepts Configuring Reporting and Mitigation Devices in MARS Part 2: Intrusion Detection and Prevention (Network based) Cisco IPS Devices (4.x and 5.x) NetScreen IDP Devices and Servers Cisco IPS 6.x Devices and Virtual Sensors Enterasys Dragon Devices Snort Devices McAfee Intrushield Symantec ManHunt Cisco IPS Modules IBM SiteProtector Devices IBM RealSecure Devices Part 3: Vulnerability Assessment Qualys QualysGuard Devices eEye REM Devices McAfee Foundstone Part 4: Switches Cisco Switches Extreme Switches Part 5: Routers Cisco Routers Routers (Generic) Part 6: Firewalls Cisco Firewall Devices Cisco ASA, Version 8.1.X and 8.2.X and NetFlow Check Point Devices NetScreen ScreenOS Devices Part 7: Network Access Control Cisco NAC Appliance Part 8: Virtual Private Network Gateways Cisco VPN 3000 Concentrator Part 9: WLAN Controller Cisco Wireless LAN Controller Part 10: AAA Servers Cisco Secure ACS Devices Part 11: Intrusion Detection and Prevention (Host based) Cisco Security Agent Entercept Devices Part 12: Virus Protection Symantec AntiVirus McAfee EPO Management Devices Cisco Incident Controller Server Part 13: Content Management Cisco CSC SSM Part 14: Database Applications Oracle Database Applications Part 15: Web Servers Web Server Devices Part 16: Web Proxies Network Appliance NetCache Generic Part 17: Host Nodes Generic, Solaris, Linux, and Windows Application Hosts Index	Download this chapter Entercept Devices Download the complete book Device Configuration Guide for Cisco Security MARS Release 6.x (PDF - 5 MB) Table Of Contents Entercept Entercept 2.5 and 4.0 Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5) Create a CSV file for Entercept Agents in Version 2.5 Define the MARS Appliance as an SNMP Trap Target Specific the Events to Generate SNMP Traps for MARS Add and Configure an Entercept Console and its Agents in MARS Add the Entercept Console Host to MARS Add Entercept Agents Manually Add Entercept Agents Using a Seed File Entercept Entercept 2.5 and 4.0 To configure Entercept in MARS, you must perform the following tasks: 1. Generate CSV file that identifies each of the Entercept hosts by logging into the host running the Entercept console and copying the data out of the database table. 2. Configure the Entercept console to send SNMP traps to the MARS Appliance 3. Identify the events that should be generated as SNMP traps. 4. Define a host that represents the management console (Entercept console) in MARS web interface. 5. From that host in the MARS web interface, import the CSV seed file to identify the Entercept agents running on other hosts. Caution Monitoring devices that support dynamic discovery of agents do not discover the agent on the monitoring device server, if applicable. This agent is intentionally not discovered, as it causes issues in event processing from that device. In addition, you must not manually define the agent that runs on the monitoring device server. This chapter contains the following topics: •Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5) •Define the MARS Appliance as an SNMP Trap Target •Specific the Events to Generate SNMP Traps for MARS •Add and Configure an Entercept Console and its Agents in MARS Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5) Note Entercept agent information is saved in a database file on the Entercept console. When you configure the MARS box to add Entercept agents, you can extract them from the database file on the Entercept console, instead of typing the mapping for each agent. Create a CSV file for Entercept Agents in Version 2.5 Step 1 Go to the directory Program Files\Cisco IDS\Console\Database and copy the file CoreShield.mdb to another directory, e.g.: C:\temp. Step 2 Open the copied CoreShield.mdb with Microsoft Access, and go to the "Agents" table. Step 3 Export the table to a file named: Agents.txt and choose the exported file format to be CSV. Step 4 Copy Agents.txt to a specific directory that is ready for the MARS box to load. A sample agents.txt file could be: 1,3,"entercept1",6,1,1,1,438,1,"127.0.0.1",0,,1051055867,2086 where the fields are: AgentID, AgentTypeID, ComputerName, ComputerType, NewFlag, StatusID, OperatingModeID, VersionID, VersionModeID, IP, License, Note, NoConnection, and UpTime. Define the MARS Appliance as an SNMP Trap Target Step 1 Log in to the Entercept Console. Step 2 Click Configuration. Step 3 Click the Address Book tab. Step 4 In the All Contacts tree, click SNMP Trap. Step 5 Click the Plus (+) button. Step 6 In the New SNMP Trap page, specify the following values: •Alias—Enter an name for the MARS Appliance. •Privilege Level—Set to Global. •Status—Set to Enabled. •Name—Enter the MARS Appliance's name if the DNS server can resolve the name. Otherwise, use its IP address. •Community—Enter a community string name, •Port—Enter the SNMP port number used by the MARS Applaince. •Protocol—Select SNMP. Specific the Events to Generate SNMP Traps for MARS Step 1 Click the Notifications tab. Step 2 Click the Plus (+) button. Step 3 On the General tab, in the name field, enter a name for the notification. Step 4 Click the Agent Groups tab and select the All Agents radio button. Step 5 Click the Security Events tab and select the Events by Severity Levels radio button. Select the events that you want (High, Medium, Low, and Information). Step 6 Click the System Events tab and select the Events by Severity Levels radio button. Select the events that you want (Error, Warning, and Information). Step 7 Click the Address Book tab and click a destination in the Available Destinations field. Click the Down arrow to move it into the Selected Destinations field. Step 8 Click OK and exit the program. Add and Configure an Entercept Console and its Agents in MARS Adding an Entercept device has two distinct steps. First, you add configuration information for the for the Entercept Console host. Second, you add the agents managed by that console. This section contains the following topics: •Add the Entercept Console Host to MARS •Add Entercept Agents Manually •Add Entercept Agents Using a Seed File Add the Entercept Console Host to MARS Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name and IP addresses if adding a new host. Step 4 Click Apply. Step 5 Click on Reporting Applications tab. Step 6 From the Select Application list, select Entercept 2.5 or 4.0 Step 7 Click Add. Step 8 Enter the Console Name. Step 9 Check the Is Sensor check box, which identifies the deivce as a sensor. Step 10 Enter the sensor's Agent Name, which is the agent name for the console if it is an agent. Step 11 Click Submit. You can now add the agents. Add Entercept Agents Manually Caution Monitoring devices that support dynamic discovery of agents do not discover the agent on the monitoring device server, if applicable. This agent is intentionally not discovered, as it causes issues in event processing from that device. In addition, you must not manually define the agent that runs on the monitoring device server. Step 1 Click Add Agent. Step 2 Select the device that already has agent running or Add New. Step 3 If you selected Add New, then specificy the following values: •Device Name •Agent Name •Reporting IP •For the first interface, enter an IP address and mask. •For multiple interfaces, click Add Interface, and add the new interfaces' IP address and mask. Step 4 Click Submit . Add Entercept Agents Using a Seed File Caution Monitoring devices that support dynamic discovery of agents do not discover the agent on the monitoring device server, if applicable. This agent is intentionally not discovered, as it causes issues in event processing from that device. In addition, you must not manually define the agent that runs on the monitoring device server. Step 1 Click Load From CSV. Step 2 Enter the FTP server information and location of the CSV (comma separated values) file. •If you need to generate the Entercept Agent CSV file, see Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5). Step 3 Click Submit.
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.