IDS Configuration
| [ LiB ] |
You've already performed many of the configuration tasks in the Configuration tab sheet; you perform signature tuning, global sensing, blocking, and maintenance from the Configuration tab sheet. We need to cover a few remaining key tasks from the Configuration tab sheet before moving on to the Deployment tab sheet. They are sensor communications and IP logging.
Communication Settings
Version 4.x of the Cisco IDS software uses Remote Data Exchange Protocol (RDEP), which replaces the PostOffice protocol of earlier IDS versions. As you've seen, the IDS MC does not use RDEP to communicate with the sensor; it uses either HTTP/HTTPS or SSH. However, you can use the IDS MC to configure RDEP settings and to specify allowed hosts to connect to and configure a sensor or sensor group .
RDEP Protocol Settings
Complete the following steps to configure the RDEP protocol settings:
- Navigate to Configuration, Settings, Communications, RDEP Properties to display the RDEP Properties page. Enter a new port number that the Web server listens and responds on in the Web Server Port field.
- Select or clear the Enable Transaction Layer Security (TLS) check box. TLS provides cipher and secret key negotiation, session privacy and integrity, and server authentication. It allows the secure exchange of data between the RDEP server and the RDEP client.
- Enter the server identification in the Server ID field to identify the Web server on the sensor.
- Click Apply to display the RDEP Properties page, which refreshes to show the changes. Alternatively, click Reset to discard your updates and restore the previous settings.
Allowed Hosts
You might recall from Chapter 7, "Cisco IDS Navigation and General Configuration Using the Command-Line Interface," that you can use the CLI accessList command to define trusted hosts or networks that are allowed to connect to and configure the sensor. You can also use the IDS MC to define the trusted hosts, by following these steps:
- Navigate to Configuration, Settings, Communications, Allowed Hosts to display the Allowed Hosts page. Click the Add action button to display the Enter Allowed Host page.
- Enter the IP address and subnet mask of the allowed host in the IP address and subnet mask fields, respectively. If you are using NAT in your network, use the NAT address for the host or network.
- Click the OK action button to display the Allowed Hosts page, which refreshes to show your new allowed host. You can also use the Delete action button to delete an entry from the allowed hosts list.
Logging
We now cover the logging capabilities and configuration tasks using the IDS MC. As you would expect, event logging is enabled by default, whereas automatic IP logging, because of its potential impact on performance, must be enabled for an individual signature.
 | Automatic IP logging, because of its impact on performance, must be enabled for an individual signature and for a specified duration. |
Event Logging
Events are logged locally and can be any of the following types:
-
evError Application errors.
-
evAlert Intrusion detection alerts.
-
evStatus Status changes, such as the creation of a new IP log.
-
evShunRequest Shun requests .
-
evLogTransaction Record of control transactions processed by the sensor's applications.
All events are stored locally on the sensor's EventStore, as you saw in Chapter 5, "Cisco IDS Architecture and Communications Protocols." IDS Event Viewer (IEV) and Security Monitor can pull events occurring after a time that you specify. Whether or not events are pulled to a management console, they remain in the EventStore until a 4GB limit is reached.
| | Events remain in the EventStore until the size limit of 4GB is reached. |
Automatic IP Logging
The IDS IP logging feature is designed to make sure that there is always enough room to write a new IP log file. At startup, the sensor sets up a reusable ring of files for IP logging; after 2GB of logs have been generated, the sensor reuses files by overwriting the file with the oldest closing time. A log file is closed when it reaches its configured expiration or when its full capacity is used. Because files are pre-allocated, you do not have to delete them.
You saw in Chapter 8, "Command-Line Interface Commands," how to use the CLI to configure automatic IP logging, which captures raw IP packets for offline analysis with a third-party tool such as Ethereal, Tcpdump, or any other reader that is libcap-capable. You can retrieve IP log files by using the CLI copy command with File Transfer Protocol (FTP) or Secure Copy Protocol (SCP), or you can download them using the IDM.
The IDS MC (as well as the IDM) also allows you to define settings for automatic IP logging. First, you set the sensor's automatic IP logging properties to define how it logs IP sessions when it detects an attack; if you want the sensor to actually perform IP logging, you must explicitly specify this when you configure individual signatures. The following steps describe how to set up automatic IP logging using the IDS MC:
- Navigate to Configuration, Settings to display the Settings page. Select Logging, Automatic IP Logging from the TOC to display the Automatic IP Logging page.
- Enter values for the IDS MC Automatic IP Logging settings, as listed and described in Table 14.7.
Table 14.7. IDS MC Automatic IP Logging Settings
Setting
Description
Number of IP log files
Number of IP log files for which the sensor will log IP session information. The default is 20.
Maximum number of concurrently open log files
Number of concurrent log files into which the sensor will log IP session information. The default is 20.
*Maximum log file size
Maximum number of packets that will be logged in an event. The default is 0.
*Maximum number of packets in a log event (0 implies no limit)
Maximum number of packets that will be logged in an event. The default is 0, which means there is no limit.
*Duration of log
Duration that the IP session information is logged, in seconds. The default is 30 seconds.
- Click Apply to save and apply the settings; the Automatic IP Logging page refreshes to show that the IDS MC applied the changes.
Cisco doesn't recommend changing the default settings for IP logging; if you do make changes, make it a general principle to decrease the values marked with an asterisk (*) in the table. This recommendation, again, is because of the performance impact that IP logging has on the sensor.
Finally, when you configure automatic IP logging at the group level, individual sensors are grayed out; if you want to edit the settings for an individual sensor, you have to check the Override check box.
| | To change the automatic IP logging settings for an individual sensor from the IDS MC, check the Override check box to override the group. |
| [ LiB ] |
