Using Management Center for IDS Sensors 1.2
Administering the IDS MC Server

Table of Contents

Administering the IDS MC Server
Using Database Rules
Updating Sensor Software
Updating Signatures
Defining the E-mail Server Settings
Approving Configuration Files
Reports

Administering the IDS MC Server


Administering the IDS MC server encompasses tasks associated with database rules, system configuration, and reports.


Caution   Connecting to the database directly can degrade performance and cause unexpected system behavior. Do not connect to the database directly; use the database rules and reports described in this chapter instead.

Using Database Rules

You can add, edit, view, and delete database rules. This section contains the following tasks:

  • Adding a Database Rule
  • Editing a Database Rule
  • Viewing Database Rule Details
  • Deleting a Database Rule

Adding a Database Rule

You can use database rules to configure IDS MC to take an action at daily intervals or when a database threshold that you have defined is met. That action can be to send an e-mail notification, to log a console notification event, or to execute a script.

To add a database rule, follow these steps:


Step 1   Select Admin > Database.

The Database Rules page appears.

Step 2   Click Add.

The Specify the Trigger Conditions page appears.

Step 3   Specify the threshold or schedule that triggers IDS MC to take an action. Then, click Next.

a. To trigger an action when the database exceeds a specified size, select the Database used space greater than (megabytes) check box. Then, specify the database size, in megabytes, that will trigger that action.

b. To trigger an action when the database free space is less than a specified size, select the Database freespace less than (megabytes) check box. Then, specify the database free space size, in megabytes, that will trigger that action.

c. To trigger an action when the total number of IDS events in the database exceeds a specified number, select the Total IDS events check box. Then, specify the number of IDS events that will trigger that action.

d. To trigger an action when the total number of SYSLOG events in the database exceeds a specified number, select the Total SYSLOG events check box. Then, specify the number of SYSLOG events that will trigger that action.

e. To trigger an action when the total number of events in the database exceeds a specified number, select the Total events check box. Then, specify the number of events that will trigger that action.

f. To trigger the action to occur daily, select the Daily beginning check box. Then, specify the date and time to start the action. The date is specified in month, day, and year format. The time is specified in hours, minutes, and seconds.

g. To enter a description for the Database Rule, enter a description in the Comment field.

The Choose the Actions page appears.

Step 4   Specify the action for IDS MC to take when the threshold specified in Step 3 is met. You can select more than one action.

a. To send an e-mail notification when the specified threshold is met, select the Notify via Email check box. Then, enter the e-mail address for the recipient(s) in the Recipient(s) field. If you enter more than one e-mail address, separate the addresses with commas. Enter the subject for the message in the Subject field and the message body text in the Message field. You can use the keyword substitutions listed in Table 8-1 in the Subject and Message fields:

Table 8-1   Keyword substitutions

Keyword          Description
${RuleName}      The name of the event rule.
${RuleDescr}     The description of the event rule.
${Filter}        The query filter for the event rule.
${Interval}      The query interval for the event rule.
${Initial}       The initial threshold for the event rule.
${Repeat}        The repeat threshold for the event rule.
${DateStr}       Date stamp for when the event rule was triggered, based on the server-local time, in YYYY/MM/DD format.
${TimeStr}       Time stamp for when the event rule was triggered, based on the server-local time, in HH:MM:SS TZ format, where HH is in 24-hour form.
${GmtDateStr}    Greenwich Mean Time (GMT) date stamp for when the event rule was triggered, in YYYY/MM/DD format.
${GmtTimeStr}    GMT time stamp for when the event rule was triggered, in HH:MM:SS TZ format, where HH is in 24-hour form and TZ is always UTC.
${MsgCount}      The number of matches that occurred in the current interval, causing this rule to be triggered.
${Threshold}     The threshold that was met, causing the event rule to be triggered. This value is the same as either ${Initial} or ${Repeat}.

Note    The keyword matching (inside the braces) is case-insensitive.


b. To log a console notification to the audit log when the specified threshold is met, select the Log a Console Notification Event check box. Then, enter your user name in the User Name field, select an alarm event level from the Severity list box, and enter a message in the Message field. You can use the keyword substitutions listed in Table 8-1 in the Message field.


Tip To view the console notification messages, run the Console Notification Report on the Reports > Generate page.

c. To execute a script when the specified threshold is met, select the Execute a Script check box. Then, select a script from the Script File list box and enter any arguments the script requires in the Arguments field.


Note    The scripts included with IDS MC are for database pruning and are more applicable to database rules than to event rules. However, you can add your own custom scripts to the list. For more information, see Learn More About Executing a Script from a Database or Event Rule.


Tip You can use the keyword substitutions listed in Table 8-1 in the Arguments field. If you use one of these keyword substitutions, surround the keyword with quotation marks. For example, you might use "${RuleDescr}" as an argument.

Step 5   Click Finish.

The Database Rule is added.
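As an added example (written for this page; it is not IDS MC code), the following Python models how the Table 8-1 keyword substitutions and the quoting advice in the Tip above interact when a rule executes a script with substituted arguments. It assumes plain text replacement of each ${Keyword} token followed by shell-style word splitting of the Arguments field, which is the behaviour the Tip implies; the page does not show IDS MC's actual substitution routine. The rule name, description, counts, and trigger time are constructed sample values.

```python
"""Keyword substitution for a database rule's Subject, Message and Arguments fields.

Added example for this page; it is not IDS MC code. It assumes IDS MC replaces each
${Keyword} token textually and then splits the Arguments string into command-line
arguments with shell-style rules, which is the behaviour the quoting Tip implies.
"""
import re
import shlex
from datetime import datetime, timedelta, timezone
from typing import Dict, List

KEYWORD_RE = re.compile(r"\$\{([A-Za-z]+)\}")

# Constructed sample context for one triggered rule (hypothetical values).
SAMPLE_TRIGGERED_AT = datetime(2004, 3, 15, 14, 5, 9,
                               tzinfo=timezone(timedelta(hours=-5), "EST"))
SAMPLE_FIELDS = {
    "RuleName": "prune-low-severity",
    "RuleDescr": "Prune low severity alerts older than 20 days",
    "MsgCount": 12,
    "Threshold": 10,
}


def build_context(triggered_at: datetime, fields: Dict[str, object]) -> Dict[str, str]:
    """Build the Table 8-1 values; keys are lower-cased so lookups are case-insensitive."""
    utc = triggered_at.astimezone(timezone.utc)
    ctx = {
        "datestr": triggered_at.strftime("%Y/%m/%d"),        # server-local date
        "timestr": triggered_at.strftime("%H:%M:%S %Z"),     # server-local time with TZ
        "gmtdatestr": utc.strftime("%Y/%m/%d"),
        "gmttimestr": utc.strftime("%H:%M:%S UTC"),          # TZ is always UTC
    }
    for name, value in fields.items():
        ctx[name.lower()] = str(value)
    return ctx


def substitute(template: str, ctx: Dict[str, str]) -> str:
    """Replace every ${Keyword} token; matching is case-insensitive, unknown tokens are left as-is."""
    return KEYWORD_RE.sub(lambda m: ctx.get(m.group(1).lower(), m.group(0)), template)


def expand_arguments(template: str, ctx: Dict[str, str]) -> List[str]:
    """Substitute, then split into argv the way a shell would (double quotes group words)."""
    return shlex.split(substitute(template, ctx))


def unquoted_keywords(template: str) -> List[str]:
    """Pre-save check: keywords in an Arguments field that are not wrapped in double quotes."""
    found = []
    for m in KEYWORD_RE.finditer(template):
        before = template[m.start() - 1] if m.start() > 0 else ""
        after = template[m.end()] if m.end() < len(template) else ""
        if not (before == '"' and after == '"'):
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    ctx = build_context(SAMPLE_TRIGGERED_AT, SAMPLE_FIELDS)
    print(substitute("Rule ${RuleName} fired at ${GmtTimeStr} (${msgcount} matches)", ctx))
    print(expand_arguments('"${RuleDescr}" ${MsgCount}', ctx))   # two arguments
    print(expand_arguments('${RuleDescr} ${MsgCount}', ctx))     # description split into eight words
    print(unquoted_keywords('"${RuleDescr}" ${MsgCount}'))      # ['MsgCount']
```

Run as a script, it shows the two expansions side by side: the quoted form passes the description to the script as one argument, the unquoted form splits it into eight. unquoted_keywords is a pre-save check for an Arguments field. Under these assumptions a rule description that itself contains a double quote would not be protected by the surrounding quotes, so keep descriptions that you substitute into script arguments free of quotes and other shell metacharacters.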





Learn More About Executing a Script from a Database or Event Rule

One of the actions you can select from the Choose the Actions page is Execute a Script. If you select Execute a Script, you must select a script from the Script File list box.

IDS MC provides the following scripts:

  • PruneByAge.pl—Prunes alarms older than the specified number of days from the specified tables. Use as follows:

PruneByAge.pl age "tablelist"

    • age—Specifies the number of days. The default value is 20.
    • tablelist—Specifies the type of table to be pruned. You can list more than one table in a comma-delimited list. You can choose from the following table types:
        • syslog—SYSLOG event table
        • alert—Alert table
        • auditlog—Audit log table
        • deploy—Deployment jobs table
        • sysconfig—System configuration table

      The default value is all tables ("syslog,alert,auditlog,deploy,sysconfig").

  • PruneByDate.pl—Prunes alarms that were generated on or before the specified date from the specified tables. Use as follows:

PruneByDate.pl "date" "tablelist"

    • date (Required)—Specifies the date; alarms generated on or before this date are deleted. The date format is "MM/DD/YYYY,HH:MM".
    • tablelist—Specifies the type of table to be pruned. You can list more than one table in a comma-delimited list. You can choose from the following table types:
        • syslog—SYSLOG event table
        • alert—Alert table
        • auditlog—Audit log table
        • deploy—Deployment jobs table
        • sysconfig—System configuration table

      The default value is all tables ("syslog,alert,auditlog,deploy,sysconfig").

  • PruneBySeverity.pl—Prunes alarms of the specified severities from the specified tables. The arguments are order-specific: you must specify the severity list before the table list. Use as follows:

PruneBySeverity.pl "severitylist" "tablelist"

    • severitylist—Specifies the severity levels of the alarms to prune. You can list more than one severity in a comma-delimited list. You can choose from the following severity levels:
        • h—High severity
        • m—Medium severity
        • l—Low severity
        • i—Informational severity

      The default value is "i,l,m".

    • tablelist—Specifies the type of table to be pruned. You can list more than one table in a comma-delimited list. You can choose from the following table types:
        • syslog—SYSLOG event table
        • alert—Alert table
        • auditlog—Audit log table

      The default value is all tables ("syslog,alert,auditlog").

  • PruneMarkedForDeletion.pl—Prunes alarms that are already marked for deletion from the specified tables. Use as follows:

PruneMarkedForDeletion.pl "tablelist"

    • tablelist—Specifies the type of table to be pruned. You can list more than one table in a comma-delimited list. You can choose from the following table types:
        • syslog—SYSLOG event table
        • alert—Alert table
        • auditlog—Audit log table

      The default value is all tables ("syslog,alert,auditlog").

  • PruneSpecifyCmdLine.pl—Prunes records from the specified tables according to the options you specify on the command line. Use as follows:

PruneSpecifyCmdLine.pl -r"tablelist" [-p] [-t"date"] [-a#] [-s"severities"] [-w"dirname"]

    • -r"tablelist" (Required)—Specifies the type of table to be pruned. You can list more than one table in a comma-delimited list. You can choose from the following table types:
        • syslog—SYSLOG event table
        • alert—Alert table
        • auditlog—Audit log table
        • deploy—Deployment jobs table
        • sysconfig—System configuration table

      For example, -r"alert,syslog".

    • -p (Optional)—Prunes all records that are already marked for deletion from the specified tables. If you omit -p, records that are marked for deletion are left in the database.
    • -t"date" (Optional)—Prunes all records older than the specified date from the specified tables. The date format is "MM/DD/YYYY,HH:MM".
    • -a# (Optional)—Prunes all records older than the specified number of days from the specified tables, where # is a positive integer representing the number of days.

      Note    You cannot use -t"date" and -a# in the same Arguments string; specify one or the other.

    • -s"severities" (Optional)—Prunes all records with the specified severities from the specified tables. You can list more than one severity in a comma-delimited list:
        • h—High severity
        • m—Medium severity
        • l—Low severity
        • i—Informational severity

      For example, -s"i,l,m".

    • -w"dirname" (Optional)—Outputs comma-delimited files to the specified directory, one file for each table specified.
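
The following added example (not IDS MC code; it never touches the database) turns the PruneSpecifyCmdLine.pl option rules above into a checker you can run against an Arguments string before saving the rule. It encodes only the constraints documented here: -r is required, table and severity names come from the lists above, -t dates use the MM/DD/YYYY,HH:MM format, -t and -a are mutually exclusive, and -a takes a positive integer. The sample option strings are constructed.

```python
"""Build and check the Arguments string for PruneSpecifyCmdLine.pl.

Added example for this page; it is not IDS MC code and does not touch the database.
It only encodes the constraints documented above (valid tables and severities,
MM/DD/YYYY,HH:MM dates, -t and -a being mutually exclusive, -r being required).
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

VALID_TABLES = ("syslog", "alert", "auditlog", "deploy", "sysconfig")
VALID_SEVERITIES = ("h", "m", "l", "i")
DATE_FORMAT = "%m/%d/%Y,%H:%M"            # the page's "MM/DD/YYYY,HH:MM"
# One option per match: -x"quoted value", -x followed by a bare value (e.g. -a30), or -p alone.
TOKEN_RE = re.compile(r'-([a-z])(?:"([^"]*)"|(\S*))')


@dataclass
class PruneOptions:
    tables: List[str] = field(default_factory=list)      # -r
    marked_for_deletion: bool = False                    # -p
    before_date: Optional[str] = None                    # -t
    older_than_days: Optional[int] = None                # -a
    severities: List[str] = field(default_factory=list)  # -s
    export_dir: Optional[str] = None                     # -w


def validate(opts: PruneOptions) -> List[str]:
    """Return every documented constraint the options violate (empty list means OK)."""
    errors = []
    if not opts.tables:
        errors.append("-r is required: specify at least one table")
    errors += [f"unknown table {t!r}" for t in opts.tables if t not in VALID_TABLES]
    if opts.before_date is not None and opts.older_than_days is not None:
        errors.append("-t and -a cannot be used together")
    if opts.before_date is not None:
        try:
            datetime.strptime(opts.before_date, DATE_FORMAT)
        except ValueError:
            errors.append(f"date {opts.before_date!r} is not in MM/DD/YYYY,HH:MM format")
    if opts.older_than_days is not None and opts.older_than_days <= 0:
        errors.append("-a requires a positive integer number of days")
    errors += [f"unknown severity {s!r}" for s in opts.severities if s not in VALID_SEVERITIES]
    return errors


def build_arguments(opts: PruneOptions) -> str:
    """Render validated options in the documented -r"..." [-p] [-t"..."] [-a#] [-s"..."] [-w"..."] form."""
    errors = validate(opts)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ['-r"%s"' % ",".join(opts.tables)]
    if opts.marked_for_deletion:
        parts.append("-p")
    if opts.before_date is not None:
        parts.append('-t"%s"' % opts.before_date)
    if opts.older_than_days is not None:
        parts.append("-a%d" % opts.older_than_days)
    if opts.severities:
        parts.append('-s"%s"' % ",".join(opts.severities))
    if opts.export_dir is not None:
        parts.append('-w"%s"' % opts.export_dir)
    return " ".join(parts)


def parse_arguments(args: str) -> PruneOptions:
    """Parse an Arguments string as typed into the rule (raises ValueError on malformed input)."""
    leftover = TOKEN_RE.sub("", args).strip()
    if leftover:
        raise ValueError(f"unexpected text {leftover!r}")
    opts = PruneOptions()
    for flag, quoted, bare in TOKEN_RE.findall(args):
        value = quoted if quoted else bare
        if flag == "r":
            opts.tables = value.split(",") if value else []
        elif flag == "p" and value == "":
            opts.marked_for_deletion = True
        elif flag == "t":
            opts.before_date = value
        elif flag == "a" and value.isdigit():
            opts.older_than_days = int(value)
        elif flag == "s":
            opts.severities = value.split(",") if value else []
        elif flag == "w":
            opts.export_dir = value
        else:
            raise ValueError(f"unknown or malformed option -{flag}{value}")
    return opts


def check_arguments(args: str) -> List[str]:
    """Pre-save check for the Arguments field: parse errors and constraint violations as messages."""
    try:
        return validate(parse_arguments(args))
    except ValueError as exc:
        return [str(exc)]
```

check_arguments returns an empty list for a well-formed string and one message per violated rule otherwise. build_arguments renders a PruneOptions in the documented form and parse_arguments reads one back; double-quoted values may contain spaces and backslashes, so a Windows directory for -w is handled as typed.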

Additionally, you can add your own custom scripts. To add a custom script, place your script file in the X:/Program Files/CSCOpx/MDC/etc/ids/scripts folder, where X is the drive where IDS MC is installed. Any script in this folder appears in the Script File list box and can be executed by a database or event rule, so restrict write access to the folder to IDS MC administrators.


Caution   IDS MC cannot verify that scripts are valid or that they will execute as expected. A poorly written custom script can cause your system to fail.

Editing a Database Rule

Editing a database rule is similar to creating a database rule. The edit database rule wizard takes you through the same panels that you used to create the database rule.

To edit a database rule, follow these steps:


Step 1   Select Admin > Database.

The Database Rules page appears.

Step 2   Select the radio button corresponding to the database rule that you want to edit, and then click Edit.

The Specify the Trigger Conditions page appears.

Step 3   Make any necessary changes to the fields that you want to revise. Click Next to access the Choose the Actions page to make changes.

Step 4   To save your changes, click Finish.

Step 5   To edit another database rule, repeat Step 2 through Step 4.





Viewing Database Rule Details

This procedure provides the basic steps for viewing detail information for a database rule. You cannot edit database rules from the View Database Rule page.

To view a database rule, follow these steps:


Step 1   Select Admin > Database.

The Database Rules page appears.

Step 2   Click the radio button next to the database rule that you want to view.

Step 3   Click View.

The View Database Rule page appears. Detailed information about the rule appears in the View Database Rule text box.

Step 4   Click OK to return to the Database Rules page.





Deleting a Database Rule

You can delete database rules that you no longer want to use.

To delete a database rule, follow these steps:


Step 1   Select Admin > Database.

The Database Rules page appears.

Step 2   Select the radio button corresponding to the database rule that you want to delete.

Step 3   Click Delete.

The database rule is deleted from IDS MC.





Updating Sensor Software

To query your sensors and update their software if necessary, see Updating IDS Sensor Software Versions and Signature Release Levels.

Updating Signatures

To learn whether Cisco Systems has released one of its periodic signature updates for IDS MC, see Updating IDS Sensor Software Versions and Signature Release Levels.

Defining the E-mail Server Settings

You can specify the e-mail server that IDS MC uses for event notifications.

To define the e-mail server settings, follow these steps:


Step 1   Select Admin > System Configuration.

Step 2   Click E-mail Server in the TOC.

The E-mail Server page appears.

Step 3   Enter your e-mail server name in the Server Name box.

Step 4   To save your changes, click Apply.

The e-mail server you specify will be used to send event notifications.





Approving Configuration Files

You can configure IDS MC to automatically or manually approve configuration files when they are generated. The default value is automatic approval.

You must have a user account with adequate privileges to approve configuration files.

To automatically approve configuration files when they are generated, follow these steps:


Step 1   Select Admin > System Configuration.

Step 2   In the TOC, select Configuration File Management.





Reports

The Reports tab is where you can generate and view audit reports about activity on the IDS MC management server, such as sensor configuration imports and deployments.

When you generate a report, you can run it immediately or you can schedule it to run at a later time. Scheduled reports can be run once or repeatedly.

For step-by-step procedures on performing a specific task, refer to the corresponding section.

About Audit Reports

Audit reports provide information about management server events. If IDS MC and Security Monitor are installed on the same server, the generated audit reports and scheduled audit report templates are shared between the applications.

The following audit reports are available:

  • Subsystem Report—Reports audit records ordered by the IDS subsystem, which includes systems from IDS MC and Security Monitor and systems common to each. Filterable by Event Severity, Date/Time, and Subsystem.
  • Sensor Version Import Report—Reports the audit records that are generated when the version identifier of IDS sensor devices is imported into IDS MC. These records indicate success or failure of the import operation. Filterable by Device, Event Severity, and Date/Time.
  • Sensor Configuration Import Report—Reports the audit records that are generated when you import IDS Sensor configurations into IDS MC. The resulting records can be used to determine success or failure in device configuration import tasks. Filterable by Device, Event Severity, and Date/Time.
  • Sensor Configuration Deployment Report—Reports records related to IDS sensor configurations deployed to devices using IDS MC. These records indicate successful deployment or provide error messages where appropriate for deployment operations. Filterable by Device, Event Severity, and Date/Time.
  • Console Notification Report—Reports the console notification records generated by the notification subsystem. Filterable by Event Severity and Date/Time.
  • Audit Log Report—Reports audit records by the server and application. Unlike the other report templates, this report template provides a broad, non-task-specific view of audit records in the database. Filterable by Task Type, Event Severity, Date/Time, Subsystem, and Applications.

About Scheduled Reports

For each report type that you choose to generate, you can enter a report title, schedule, and notification options. Enter this information in the Schedule Report page when you select Reports > Generate. You can run the report immediately, or you can schedule the report to run at a later time, at regular intervals, or both.

If you choose to run the report at a later time, you must specify the date and time that you want the report to run. Additionally, you can schedule the report to run at regular intervals, such as hourly, daily, or weekly. You can edit the report parameters of a scheduled report on the Edit Scheduled Reports page, which you access by selecting Reports > Scheduled. You can also delete scheduled report templates from this page.

Each time a scheduled report is run, it is added to the Completed Report page.

Scheduling and Generating Reports

On the Select Report page, you can select the type of report to generate and define the parameters for the selected report. Based on the scheduling parameters you select, the report runs immediately, at a later time, or at regular intervals.

To generate a report, follow these steps:


Step 1   Select Reports > Generate.

The Select Report page appears.


Tip In Security Monitor, you can filter which reports appear on the page. From the Report Group list, select All to show both alarm and audit reports, Alarms to show only alarm reports, or Audit to show only audit reports.

Step 2   Select the report type that you want to generate, and then click Select.

The Report Filtering page appears.

Step 3   Enter the report parameters for the report type you selected. Then, click Next.

The Schedule Report page appears.

Step 4   Enter a name for the report in the Report Title field.

Step 5   To export the generated report to an HTML file, select the Export to check box. Then, specify the exact path to the file that is to contain the generated report. The path should include the filename and the desired extension; for example, /<dir>[/<dir>/[...]]/<filename>[.<ext>]. No extension is appended to the filename if you do not specify an extension.

Step 6   Click the Run Now or Schedule for Later radio button under Schedule Options. If you select Run Now, skip to Step 7. If you select Schedule for Later, specify the following options:

a. Specify the date and time that you want the report to run in the Start Time list boxes. The date is specified by month, day, and year. The time is specified in hours and minutes. The time zone used to determine the time is to the right of the Start Time list boxes.

b. To run the report at regular intervals, select an option in the Repeat every list box. You can schedule the report to run every day, week, weekday, weekend day, hour, or minute.

Step 7   To send an e-mail notification to someone when the report runs, select the Email report to check box and enter an e-mail address in the adjacent field. Use commas to separate multiple addresses. Then, click Finish.

If you select Run Now, the report runs and you can view the generated report by selecting Reports > View. If you select Schedule for Later, you can view the scheduled report template by selecting Reports > Scheduled.





About Viewing Reports

When you select Reports > View, the Choose Completed Report page appears. From that page, you can view generated reports. You also can export reports to HTML files and delete unwanted reports. If the report was generated from a scheduled report template, deleting the report does not delete the associated scheduled report template.

This section contains the following procedures:

  • Viewing Reports
  • Saving a Generated Report as an HTML File
  • Deleting Generated Reports

Viewing Reports

After you generate a report, you can view it.


Tip To understand how data is sorted in a report, refer to the numbers that appear in the column headings of the generated report. These numbers represent the sort keys. For example, data is sorted first based on the data in the column with a (1) in it, followed by the data in the column with a (2) in it, and so on.

To view a report, follow these steps:


Step 1   Select Reports > View.

The Choose Completed Report page appears.


Tip In Security Monitor, you can filter which reports appear on the page. From the Report Group list, select All to show both alarm and audit reports, Alarms to show only alarm reports, or Audit to show only audit reports.

Step 2   Select the check box corresponding to the title of the report you want to view.

Step 3   To view the selected report, click View.

The report appears in the Report page.

Step 4   To view the report in a new browser window, click Open in Window.

The report appears in a new browser window.





Saving a Generated Report as an HTML File

After you generate a report, you can save the report as an HTML file.

To save a generated report as an HTML file, follow these steps:


Step 1   Select Reports > View.

The Choose Completed Report page appears.


Tip In Security Monitor, you can filter which reports appear on the page. From the Report Group list, select All to show both alarm and audit reports, Alarms to show only alarm reports, or Audit to show only audit reports.

Step 2   To select the report that you want to export, select the check box corresponding to the report title.

Step 3   Click Open in Window.

If you are using Internet Explorer, the report appears in a new browser window; proceed to Step 4. If you are using Netscape Navigator, the Unknown File Type dialog box appears; skip to Step 5.

Step 4   To save the report, select File > Save As from the Internet Explorer menu bar. Browse to the location where you want to save the file and enter a filename. Then, click Save.

The report is saved using the filename and location you specified.

Skip Step 5.

Step 5   To save the report, click Save File. Browse to the location where you want to save the file and enter a filename. Then, click Save.

The report is saved using the filename and location you specified.





Deleting Generated Reports

You can delete generated reports. If the report was generated from a scheduled report template, deleting the report does not delete the associated scheduled report template.

To delete a report, follow these steps:


Step 1   Select Reports > View.

The Choose Completed Report page appears.


Tip In Security Monitor, you can filter which reports appear on the page. From the Report Group list, select All to show both alarm and audit reports, Alarms to show only alarm reports, or Audit to show only audit reports.

Step 2   Select the check box next to the title of the report you want to delete.


Tip You can delete more than one report at a time. To delete more than one report, select the check boxes next to all reports that you want to delete.

A check mark appears next to each report you selected.

Step 3   To delete the selected report, click Delete.

The report is deleted. The report name is removed from the list of available reports.





Editing Report Parameters

You can edit the report parameters or the schedule for a scheduled report template.

To edit the report parameters, follow these steps:


Step 1   Select Reports > Scheduled.

The Edit Scheduled Reports page appears.


Tip In Security Monitor, you can filter which reports appear on the page. From the Report Group list, select All to show both alarm and audit reports, Alarms to show only alarm reports, or Audit to show only audit reports.

Step 2   Select the check box corresponding to the title of the report template that you want to edit.

A check mark appears next to the report you selected.

Step 3   To open the selected report template, click Edit.

A new page displays the report parameters. Depending on the type of report, the parameters are different.

Step 4   Change any report parameters that you want to. To save your changes, click Finish.

The changes you made are saved to the report template.





Deleting Scheduled Report Templates

You can delete unwanted scheduled report templates. Deleting a scheduled report template also deletes all associated reports that have already been generated.

To delete a scheduled report template, follow these steps:


Step 1   Select Reports > Scheduled.

The Edit Scheduled Reports page appears.


Tip In Security Monitor, you can filter which reports appear on the page. From the Report Group list, select All to show both alarm and audit reports, Alarms to show only alarm reports, or Audit to show only audit reports.

Step 2   Select the check box corresponding to the title of the report you want to delete.


Tip You can delete more than one report template at a time. To do so, select the check boxes corresponding to all the report templates that you want to delete.

A check mark appears next to each report you selected.

Step 3   To delete the report template, click Delete.

The selected report template and all reports generated from it are deleted.