Device Configuration Guide for Cisco Security MARS, Release 6.x - IBM RealSecure Devices [Cisco Security Monitoring, Analysis and Response System]

Table Of Contents

ISS RealSecure 6.5 and 7.0

Configure ISS RealSecure to Send SNMP Traps to MARS

Add an ISS RealSecure Device as a NIDS

Add an ISS RealSecure Device as a HIDS

ISS RealSecure 6.5 and 7.0

To configure ISS RealSecure, you must perform the following four tasks:

1. Prepare each ISS sensor as follows:

–Edit the common.policy files to point to the MARS Appliance as an SNMP target.

–Modify the current.policy files to configure each signature so that the SNMP notification is a default response when triggered.

–Edit the response.policy files to specify the IP of the SNMP manager (MARS Appliance) and the community string.

–Restart the ISS daemon for the changes to take effect.

For more information, see Configure ISS RealSecure to Send SNMP Traps to MARS.

2. Add the ISS sensor to MARS as a network-based IDS device. For more information, see Add an ISS RealSecure Device as a NIDS.

3. Click Activate to enable proper processing of received events.

This chapter contains the following topics:

•Configure ISS RealSecure to Send SNMP Traps to MARS

•Add an ISS RealSecure Device as a NIDS

•Add an ISS RealSecure Device as a HIDS

Configure ISS RealSecure to Send SNMP Traps to MARS

To configure an ISS RealSecure sensor, follow these steps:

Step 1 Log into the sensor.

Step 2 Locate the common.policy files in these directories:

•Microsoft Windows
Program Files\ISS\issSensors\server_sensor_1
Program Files\ISS\issSensors\network_sensor_1
•Linux
/opt/ISS/issSensors/server_sensor_1
/opt/ISS/issSensors/network_sensor_1
Step 3 Open the common.policy files in a text editor.

Step 4 Change the line that reads:
Manager =S
to:
Manager =S <MARS's IP address>
If MARS Appliance's IP address is NATed, you may need to use the NATed address. If you use the MARS Appliance's IP address as the destination IP address, make sure the SNMP trap can reach MARS Appliance.

Step 5 Save these edited files and exit the editor.

Step 6 Locate the current.policy files in these directories:

•Microsoft Windows
Program Files\ISS\issSensors\server_sensor_1
Program Files\ISS\issSensors\network_sensor_1
•Linux
/opt/ISS/issSensors/server_sensor_1
/opt/ISS/issSensors/network_sensor_1
Step 7 Open the current.policy files in a text editor.

Edit each signature to have SNMP as one of its responses, and set the choice for SNMP trap as default. For example, in this original signature:
[\template\features\AOLIM_File_Xfer\Response\];
[\template\features\AOLIM_File_Xfer\Response\DISPLAY\];
Choice =S Default;
[\template\features\AOLIM_File_Xfer\Response\LOGDB\];
Choice =S LogWithoutRaw;
Insert the following bolded lines to make it look similar to the following:
[\template\features\AOLIM_File_Xfer\Response\];
[\template\features\AOLIM_File_Xfer\Response\DISPLAY\];
Choice =S Default;
[\template\features\AOLIM_File_Xfer\Response\SNMP\];
Choice =S Default;
[\template\features\AOLIM_File_Xfer\Response\LOGDB\];
Choice =S LogWithoutRaw;
Step 8 Save these edited files and exit the editor.

Step 9 Locate the response.policy files in these directories:

•Microsoft Windows
Program Files\ISS\RealSecure SiteProtector\Console
•Linux
/opt/ISS/RealSecure SiteProtector/Console
Step 10 Edit the response.policy files to specify the IP of the SNMP manager (MARS Appliance) and the community string:
SMTP_HOST=S;
addr_1=S;
[\Response\SNMP\];
[\Response\SNMP\Default\];
Manager=S;
Community=Spublic;
to:
Manager =S <MARS's IP address> ;
Community = S <string> public;
If MARS Appliance's IP address is NATed, you may need to use the NATed address. If you use the MARS Appliance's IP address as the destination IP address, make sure the SNMP trap can reach MARS Appliance.

Step 11 Save these edited files and exit the editor.

Step 12 Restart the ISS daemon.

•For sensors installed on Microsoft Windows, restart it in the Services menu.

•For sensors installed on Linux, run:
/etc/init.d/RealSecure stop
/etc/init.d/RealSecure start
Add an ISS RealSecure Device as a NIDS

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add.

Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host.

Step 3 Enter the Device Name.

Step 4 Click Apply.

Step 5 Click the Reporting Applications tab.

Step 6 From the Select Application list, select ISS RealSecure 6.5 or ISS RealSecure 7.0.

Step 7 Click Add.

Step 8 Click the NIDS radio button, if it is not already selected.

Figure 11-1 Configure ISS Real Secure NIDS

Step 9 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following:

•To manually define the networks, select the Define a Network radio button.

a. Enter the network address in the Network IP field.

b. Enter the corresponding network mask value in the Mask field.

c. Click Add to move the specified network into the Monitored Networks field.

d. Repeat as needed.

•To select the networks that are attached to the device, click the Select a Network radio button.

a. Select a network from in the Select a Network list

b. Click Add to move the specified network into the Monitored Networks field.

c. Repeat as needed.

Step 10 To save your changes, click Submit.

Step 11 To enable MARS to start sessionizing events from this module, click Activate.

Add an ISS RealSecure Device as a HIDS

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add.

Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host.

Step 3 Enter the Device Name.

Step 4 Click Apply.

Step 5 Click the Reporting Applications tab.

Step 6 From the Select Application list, select ISS RealSecure 6.5 or ISS RealSecure 7.0.

Step 7 Click Add.

Step 8 Click the HIDS radio button.

Figure 11-2 Configure ISS Real Secure HIDS

Step 9 Click Submit.

Step 10 For multiple interfaces, click the General tab, and add the new interfaces' name, IP address, and network mask.

Figure 11-3 Adding Multiple Interfaces

Step 11 Click Apply.

	Device Configuration Guide for Cisco Security MARS, Release 6.x
	IBM RealSecure Devices
Device Configuration Guide for Cisco Security MARS, Release 6.x Preface Part 1: Concepts Configuring Reporting and Mitigation Devices in MARS Part 2: Intrusion Detection and Prevention (Network based) Cisco IPS Devices (4.x and 5.x) NetScreen IDP Devices and Servers Cisco IPS 6.x Devices and Virtual Sensors Enterasys Dragon Devices Snort Devices McAfee Intrushield Symantec ManHunt Cisco IPS Modules IBM SiteProtector Devices IBM RealSecure Devices Part 3: Vulnerability Assessment Qualys QualysGuard Devices eEye REM Devices McAfee Foundstone Part 4: Switches Cisco Switches Extreme Switches Part 5: Routers Cisco Routers Routers (Generic) Part 6: Firewalls Cisco Firewall Devices Cisco ASA, Version 8.1.X and 8.2.X and NetFlow Check Point Devices NetScreen ScreenOS Devices Part 7: Network Access Control Cisco NAC Appliance Part 8: Virtual Private Network Gateways Cisco VPN 3000 Concentrator Part 9: WLAN Controller Cisco Wireless LAN Controller Part 10: AAA Servers Cisco Secure ACS Devices Part 11: Intrusion Detection and Prevention (Host based) Cisco Security Agent Entercept Devices Part 12: Virus Protection Symantec AntiVirus McAfee EPO Management Devices Cisco Incident Controller Server Part 13: Content Management Cisco CSC SSM Part 14: Database Applications Oracle Database Applications Part 15: Web Servers Web Server Devices Part 16: Web Proxies Network Appliance NetCache Generic Part 17: Host Nodes Generic, Solaris, Linux, and Windows Application Hosts Index	Download this chapter IBM RealSecure Devices Download the complete book Device Configuration Guide for Cisco Security MARS Release 6.x (PDF - 5 MB) Table Of Contents ISS RealSecure 6.5 and 7.0 Configure ISS RealSecure to Send SNMP Traps to MARS Add an ISS RealSecure Device as a NIDS Add an ISS RealSecure Device as a HIDS ISS RealSecure 6.5 and 7.0 To configure ISS RealSecure, you must perform the following four tasks: 1. Prepare each ISS sensor as follows: –Edit the common.policy files to point to the MARS Appliance as an SNMP target. –Modify the current.policy files to configure each signature so that the SNMP notification is a default response when triggered. –Edit the response.policy files to specify the IP of the SNMP manager (MARS Appliance) and the community string. –Restart the ISS daemon for the changes to take effect. For more information, see Configure ISS RealSecure to Send SNMP Traps to MARS. 2. Add the ISS sensor to MARS as a network-based IDS device. For more information, see Add an ISS RealSecure Device as a NIDS. 3. Click Activate to enable proper processing of received events. This chapter contains the following topics: •Configure ISS RealSecure to Send SNMP Traps to MARS •Add an ISS RealSecure Device as a NIDS •Add an ISS RealSecure Device as a HIDS Configure ISS RealSecure to Send SNMP Traps to MARS To configure an ISS RealSecure sensor, follow these steps: Step 1 Log into the sensor. Step 2 Locate the common.policy files in these directories: •Microsoft Windows Program Files\ISS\issSensors\server_sensor_1 Program Files\ISS\issSensors\network_sensor_1 •Linux /opt/ISS/issSensors/server_sensor_1 /opt/ISS/issSensors/network_sensor_1 Step 3 Open the common.policy files in a text editor. Step 4 Change the line that reads: Manager =S to: Manager =S <MARS's IP address> If MARS Appliance's IP address is NATed, you may need to use the NATed address. If you use the MARS Appliance's IP address as the destination IP address, make sure the SNMP trap can reach MARS Appliance. Step 5 Save these edited files and exit the editor. Step 6 Locate the current.policy files in these directories: •Microsoft Windows Program Files\ISS\issSensors\server_sensor_1 Program Files\ISS\issSensors\network_sensor_1 •Linux /opt/ISS/issSensors/server_sensor_1 /opt/ISS/issSensors/network_sensor_1 Step 7 Open the current.policy files in a text editor. Edit each signature to have SNMP as one of its responses, and set the choice for SNMP trap as default. For example, in this original signature: [\template\features\AOLIM_File_Xfer\Response\]; [\template\features\AOLIM_File_Xfer\Response\DISPLAY\]; Choice =S Default; [\template\features\AOLIM_File_Xfer\Response\LOGDB\]; Choice =S LogWithoutRaw; Insert the following bolded lines to make it look similar to the following: [\template\features\AOLIM_File_Xfer\Response\]; [\template\features\AOLIM_File_Xfer\Response\DISPLAY\]; Choice =S Default; [\template\features\AOLIM_File_Xfer\Response\SNMP\]; Choice =S Default; [\template\features\AOLIM_File_Xfer\Response\LOGDB\]; Choice =S LogWithoutRaw; Step 8 Save these edited files and exit the editor. Step 9 Locate the response.policy files in these directories: •Microsoft Windows Program Files\ISS\RealSecure SiteProtector\Console •Linux /opt/ISS/RealSecure SiteProtector/Console Step 10 Edit the response.policy files to specify the IP of the SNMP manager (MARS Appliance) and the community string: SMTP_HOST=S; addr_1=S; [\Response\SNMP\]; [\Response\SNMP\Default\]; Manager=S; Community=Spublic; to: Manager =S <MARS's IP address> ; Community = S <string> public; If MARS Appliance's IP address is NATed, you may need to use the NATed address. If you use the MARS Appliance's IP address as the destination IP address, make sure the SNMP trap can reach MARS Appliance. Step 11 Save these edited files and exit the editor. Step 12 Restart the ISS daemon. •For sensors installed on Microsoft Windows, restart it in the Services menu. •For sensors installed on Linux, run: /etc/init.d/RealSecure stop /etc/init.d/RealSecure start Add an ISS RealSecure Device as a NIDS Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name. Step 4 Click Apply. Step 5 Click the Reporting Applications tab. Step 6 From the Select Application list, select ISS RealSecure 6.5 or ISS RealSecure 7.0. Step 7 Click Add. Step 8 Click the NIDS radio button, if it is not already selected. Figure 11-1 Configure ISS Real Secure NIDS Step 9 For attack path calculation and mitigation, specify the networks being monitored by the sensor. Do one of the following: •To manually define the networks, select the Define a Network radio button. a. Enter the network address in the Network IP field. b. Enter the corresponding network mask value in the Mask field. c. Click Add to move the specified network into the Monitored Networks field. d. Repeat as needed. •To select the networks that are attached to the device, click the Select a Network radio button. a. Select a network from in the Select a Network list b. Click Add to move the specified network into the Monitored Networks field. c. Repeat as needed. Step 10 To save your changes, click Submit. Step 11 To enable MARS to start sessionizing events from this module, click Activate. Add an ISS RealSecure Device as a HIDS Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name. Step 4 Click Apply. Step 5 Click the Reporting Applications tab. Step 6 From the Select Application list, select ISS RealSecure 6.5 or ISS RealSecure 7.0. Step 7 Click Add. Step 8 Click the HIDS radio button. Figure 11-2 Configure ISS Real Secure HIDS Step 9 Click Submit. Step 10 For multiple interfaces, click the General tab, and add the new interfaces' name, IP address, and network mask. Figure 11-3 Adding Multiple Interfaces Step 11 Click Apply.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks