Features and Benefits of IEV
| [ LiB ] |
Features and Benefits of IEV
The IEV is a Java-based application used to view and manage alarms for up to five sensors, with support for alarm monitoring in real time or through imported log files. It offers a more compact version of the functionality included in the Security Monitor for VMS, which is designed for large, enterprise IDS deployments.
|
IEV is intended for small to medium offices and can only support up to five sensors. You use the Security Monitor for enterprise-size corporations. |
| [ LiB ] |
| [ LiB ] |
Installing IEV Software and Configuring It to Monitor IDS Devices
You can install IEV on any Windows NT or Windows 2000 PC that meets these minimum hardware requirements:
-
Pentium III processor, 800MHz or faster
-
256MB RAM
-
512MB free hard drive space
Installing IEV is straightforward. First, download the application from http://www.cisco.com. After going through the setup wizard, reboot the PC and launch the IEV application. You first need to add sensor devices (up to three) before you can start to monitor intrusion events.
To add sensor devices, select New, Devices from the File menu to launch the Device Properties dialog box. Enter values for the settings listed in Table 13.1.
Table 13.1. Adding Devices with the Device Properties Dialog Box in IEV
|
Device Properties Setting |
Description |
|---|---|
|
Sensor IP address |
The IP address of the sensor. |
|
Sensor
|
Sensor hostname. |
|
Username |
Username to log in to the sensor. |
|
Password |
Password for the username. |
|
Web server port |
The Web server port for Remote Data Exchange Protocol (RDEP) communications between IEV and the sensor. |
|
Communications protocol radio
|
Select one of the radio buttons: Use encrypted connection (HTTPS) Use nonencrypted connection (HTTP) |
|
Event start time |
Either select the Latest Alerts check box or enter start time and start date in the specified format. |
|
Exclude events of the following severity levels |
(Optional) Valid options are Informational, Low, Medium, or High. |
Click OK to return to the main IEV window. You see the new sensor you added in the Devices pane on the left side of the interface.
| [ LiB ] |
| [ LiB ] |
Creating Custom IEV Views and Filters
The following list summarizes the key points to bear in mind when thinking about IEV views:
-
The initial view provides an aggregate view of alarm data.
-
Views are grouped by signature
name , source address, destination address, sensor identity, and severity levels. -
Each view can have different data sources.
-
The level of alarm detail is customizable.
-
A graph view displays alarm data in either an area format or a bar graph format.
You can see in Figure 13.1 that the default viewsSignature Name, Security Level, Sensor Name, Destination Address, and Source Addresscorrespond to the tab sheets in the right-side pane.
Figure 13.1. The default views of Cisco IEV
correspond
to the tab sheets in the right side of the interface.
| [ LiB ] |
| [ LiB ] |
Navigating IEV to View Alarm Details
To display a view, click on the view
If you want to change the data source for the viewfor example, if you want to switch from the realtime events table to a previously imported fileright-click the view from the Views folder and choose Data Source from the drop-down menu to display the Change Data Source window. Choose the name of the database table of interest and click OK.
To delete an event from the database, right-click the event in the main view pane and choose Delete Row in Database from the menu.
Expanding Whole Details
If you want to display all the details of an IDS event, right-click the event and select Expand Whole Details from the drop-down menu to display the Expanded Details dialog window. Here you can choose to view the alarm detail according to Class A, B, or C Level addressing or for the whole address. Simply select the View tab which corresponds to the level of detail that you want to see.
Viewing Alarm Information
From the Expanded Details window, you can right-click on an alarm and select View Alarms to see the signature name and source and destination addresses for the corresponding alarm event. You can also see all the information associated with an alarm event by right-clicking on the event and selecting Show All
You can view alarm context data for Transmission Control Protocol (TCP)based signatures, for which the sensor can capture up to 256
To view the context data buffer, right-click the alarm you're interested in and choose Show Context from the drop-down menu to display the Decode Alarm Context with the signature and context information.
Creating Views
When an event is
-
In the first page of the wizard, type the name of your view in the View Name text box. If you want to use a filter (covered later in this chapter, in the section "IEV Filters"), select the Use Filter check box and choose your filter from the Use Filter drop-down menu.
-
In the Select the Grouping Style on Alarm Aggregation Table area, select the radio button that corresponds to the way you want to have the view
group the signatures.
-
In the Select the Columns Initially Shown on Alarm Aggregation Table area, choose the columns that you want to display on the alarm aggregation table by selecting the check box for each of the columns you want to view.
-
Choose a column for a secondary
sort order from the drop-down menu and click Next to continue to the second page of the View wizard, shown in Figure 13.3.
-
On the second page of the View Wizard, choose the event_realtime_table from the Choose a Data Source drop-down menu.
-
In the Select the Columns Initially Shown on Alarm Detail Table area, select the columns that you want to see in your alarm detail table. Then use the up and down arrow
buttons to change the order in which you want them to appear.
When you are finished adding columns and determining the sequence, click Finished to create your view. Your new view appears in the Views folder on the lower-left pane of the IEV interface.
Figure 13.2. The first page of the View Wizard in IEV.
Figure 13.3. The second page of the View Wizard in IEV.
|
|
The up and down arrows in the Step 2 of 2 screen of the View Wizard allow you to adjust the order of the columns in the view. |
Realtime and Statistic Graph Data
You can view both realtime and statistical data in a graph format, using either a bar or area graph format. Both graphs show the average number of aggregate alarms by severity level on the Y axis, per unit time on the X axis.
The Realtime Graph displays the average number of alarms received by IEV. The timestamp on alarms reflects the time that IEV received the alarm, rather than the time the sensor generated the alarm. To view the Realtime Graph, select Realtime Graph from the Tools menu.
The Statistic Graph is based on a data source that you select, which could be the event_realtime_table or any imported or archived table. The events displayed in the Statistic Graph reflect the average number of alarms received by IEV, based on the filter that is applied to the data source. Therefore, depending on the filter, the Statistic Graph might not reflect the true average number of alarms. The timestamps for these events in the Statistic Graph reflect the time that the sensor generated the alarm and not the time that the alarm was received by IEV (as is the case in the Realtime Graph).
To view the Statistic Graph, select the view from the Views folder in the lower-left pane which contains the alarm data that you want to display. Right-click the view from the Views folder and choose Statistic Graph. Figure 13.4 shows a sample Statistic Graph in bar format.
Figure 13.4. A Statistic Graph in bar format in IEV.
Realtime Dashboard
If you want to view a continuous stream of events from the sensor, you can use the Realtime Dashboard , as shown in Figure 13.5.
Figure 13.5. The Realtime Dashboard in IEV shows a continuous stream of events from the sensor.
Select Realtime Dashboard, Launch Dashboard from the Tools menu to launch the Realtime Dashboard. IEV opens a subscription request to the sensor to display the most recent events received by the sensor since the request was issued.
To pause the continuous streamfor example, if you want to study one particular entryclick the Pause button on the bottom left; to resume the stream, click the Resume button. Because they are toggle buttons, only one option is available at a time.
To clear all existing events from the Dashboard and
|
|
The Realtime Dashboard displays the four security level events: Informational, Low, Medium, and High. |
| [ LiB ] |