You've already performed many of the configuration tasks in the Configuration tab sheet; you perform signature tuning, global sensing, blocking, and maintenance from the Configuration tab sheet. We need to cover a few remaining key tasks from the Configuration tab sheet before moving on to the Deployment tab sheet. They are sensor communications and IP logging.
Version 4.x of the Cisco IDS software uses Remote Data Exchange Protocol (RDEP), which replaces the PostOffice protocol of earlier IDS versions. As you've seen, the IDS MC does not use RDEP to communicate with the sensor; it uses either HTTP/HTTPS or SSH. However, you can use the IDS MC to configure RDEP settings and to specify the hosts that are allowed to connect to and configure a sensor or sensor group.
Complete the following steps to configure the RDEP protocol settings:
You might recall from Chapter 7, "Cisco IDS Navigation and General Configuration Using the Command-Line Interface," that you can use the CLI accessList command to define trusted hosts or networks that are allowed to connect to and configure the sensor. You can also use the IDS MC to define the trusted hosts, by following these steps:
We now cover the logging capabilities and configuration tasks using the IDS MC. As you would expect, event logging is enabled by default, whereas automatic IP logging, because of its potential impact on performance, must be enabled for an individual signature.
Automatic IP logging, because of its impact on performance, must be enabled for an individual signature and for a specified duration.
Events are logged locally and can be any of the following types:
evError: Application errors.
evAlert: Intrusion detection alerts.
evStatus: Status changes, such as the creation of a new IP log.
evShunRequest: Shun requests.
evLogTransaction: Record of control transactions processed by the sensor's applications.
All events are stored locally on the sensor's EventStore, as you saw in Chapter 5, "Cisco IDS Architecture and Communications Protocols." IDS Event Viewer (IEV) and Security Monitor can pull events occurring after a time that you specify. Whether or not events are pulled to a management console, they remain in the EventStore until a 4GB limit is reached.
Events remain in the EventStore until the size limit of 4GB is reached.
The IDS IP logging feature is designed to make sure that there is always enough room to write a new IP log file. At startup, the sensor sets up a reusable ring of files for IP logging; after 2GB of logs have been generated, the sensor reuses files by overwriting the file with the oldest closing time. A log file is closed when it reaches its configured expiration or when its full capacity is used. Because files are pre-allocated, you do not have to delete them.
You saw in Chapter 8, "Command-Line Interface Commands," how to use the CLI to configure automatic IP logging, which captures raw IP packets for offline analysis with a third-party tool such as Ethereal, Tcpdump, or any other libpcap-capable reader. You can retrieve IP log files by using the CLI copy command with File Transfer Protocol (FTP) or Secure Copy Protocol (SCP), or you can download them using the IDM.
The IDS MC (as well as the IDM) also allows you to define settings for automatic IP logging. First, you set the sensor's automatic IP logging properties to define how it logs IP sessions when it detects an attack; if you want the sensor to actually perform IP logging, you must explicitly specify this when you configure individual signatures. The following steps describe how to set up automatic IP logging using the IDS MC:
Setting | Description |
---|---|
Number of IP log files | Number of IP log files for which the sensor will log IP session information. The default is 20. |
Maximum number of concurrently open log files | Number of concurrent log files into which the sensor will log IP session information. The default is 20. |
*Maximum log file size | Maximum number of packets that will be logged in an event. The default is 0. |
*Maximum number of packets in a log event (0 implies no limit) | Maximum number of packets that will be logged in an event. The default is 0, which means there is no limit. |
*Duration of log | Duration that the IP session information is logged, in seconds. The default is 30 seconds. |
Cisco doesn't recommend changing the default settings for IP logging; if you do make changes, make it a general principle to decrease the values marked with an asterisk (*) in the table. This recommendation, again, is because of the performance impact that IP logging has on the sensor.
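The pre-allocated ring of IP log files described earlier, together with the settings in the table, can be modelled in a few lines. The following Python is an added example written for this page, not Cisco sensor code; the class and method names are my own, it uses the table's defaults, and it models only file count, the two closing rules (duration and packet limit) and reuse of the closed file with the oldest closing time, not the 2GB byte budget.

```python
"""Model of the sensor's reusable ring of IP log files (constructed example, not Cisco code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IpLog:
    file_id: int
    opened_at: Optional[float] = None  # None = pre-allocated, never used
    closed_at: float = 0.0             # closing time; 0.0 for never-used files
    packets: int = 0
    is_open: bool = False


class IpLogRing:
    """Fixed set of pre-allocated log files; nothing is ever deleted, only reused."""

    def __init__(self, num_files=20, max_open=20, duration=30.0, max_packets=0):
        # Defaults mirror the IDS MC settings: 20 files, 20 concurrently open,
        # 30-second duration, 0 packets = no per-log limit.
        self.files: List[IpLog] = [IpLog(i) for i in range(num_files)]
        self.max_open, self.duration, self.max_packets = max_open, duration, max_packets
        self.overwritten = 0  # how many previously used files have been reused

    def _close(self, f: IpLog, now: float) -> None:
        f.is_open, f.closed_at = False, now

    def expire(self, now: float) -> None:
        """Close every open log that has reached its configured duration."""
        for f in self.files:
            if f.is_open and now - f.opened_at >= self.duration:
                self._close(f, now)

    def start_log(self, now: float) -> Optional[IpLog]:
        """Start a new IP log, or return None if the concurrent-open limit is hit."""
        self.expire(now)
        if sum(f.is_open for f in self.files) >= self.max_open:
            return None
        closed = [f for f in self.files if not f.is_open]
        if not closed:
            return None
        f = min(closed, key=lambda x: x.closed_at)  # oldest closing time wins
        if f.opened_at is not None:
            self.overwritten += 1
        f.is_open, f.opened_at, f.packets = True, now, 0
        return f

    def write(self, f: IpLog, now: float, n_packets: int = 1) -> bool:
        """Append packets; the log closes when it reaches its packet limit or expires."""
        self.expire(now)
        if not f.is_open:
            return False
        f.packets += n_packets
        if self.max_packets and f.packets >= self.max_packets:
            self._close(f, now)
        return True
```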
Finally, when you configure automatic IP logging at the group level, individual sensors are grayed out; if you want to edit the settings for an individual sensor, you have to check the Override check box.
To change the automatic IP logging settings for an individual sensor from the IDS MC, check the Override check box to override the group.