Although you will do most of your monitoring tasks through Event Viewer, you need to perform other supporting tasks to facilitate reporting and administration. The next sections cover the final two tab sheets in Security Monitor, Reports and Admin.
Security Monitor allows you to generate reports on demand. Alternatively, you can schedule reports to be generated at a specific time. Creating reports involves generating, scheduling, and viewing reports.
If you are a Security Monitor network security administrator, you can generate audit and alarm reports on demand or schedule them to generate at a specific time or at regular intervals. The steps to generate an IDS alarm report are as follows:
Setting | Description |
---|---|
Event level | The event level that is displayed in the selected report; available options are informational, low, medium, and high. |
Time/date | The time and date selected in the report; valid options are since installation, a specified number of units, or a time range. |
Source direction | The direction of the security violation; valid options are any, in, or out. |
Source address | The source address of the security violation; valid options are any, single, or a range of IP addresses. |
Destination direction | The direction of the security violation; valid options are any, in, or out. |
Destination address | The destination address of the security violation; valid options are any, single, or a range of IP addresses. |
IDS devices | The IDS devices that are viewed in the report; you can choose all devices that have been added to Security Monitor. |
IDS signatures | The IDS signatures that are viewed in the report; you can choose one or multiple signatures. |
IDS signature categories | The IDS signature categories that are viewed in the report; you can choose one or multiple signature categories. |
Top n | The top number of results in the report. |
Setting | Description |
---|---|
Report title | Description field that allows you to give a title to the report. |
Schedule options | Options that allow you to either run the report immediately or schedule it for later. |
Repeat every | Check box with a drop-down menu allowing you to repeat the report at the following intervals: every day, week, weekday, weekend day, minute, and hour. |
Email report to | Entry field that allows you to send the report to an email recipient after it is generated. |
Finally, after generating a report, you can view it by navigating to Reports, View. After you select your report with its radio button, you have the option to view it within the existing window or to open the report in a new window.
The last tab sheet in Security Monitor is the Admin tab sheet, where you perform server administration and maintenance tasks. These tasks fall into the following categories:
Database maintenance: Allows you to back up, restore, or prune the configuration database.
System configuration: Enables you to configure the communication properties such as email server settings, PostOffice settings, and syslog settings and to update network IDS signatures.
Defining Event Viewer preferences: Allows you to set your Event Viewer preferences and to create, edit, delete, activate, and de-activate correlated events. You de-activate correlated events by using event rules to specify what action to take when the correlated event is detected.
The first option in the Admin tab sheet is the Database Rules option. Security Monitor allows you to configure different actions to occur when a database rule is triggered. The database rules can be triggered when the Security Monitor database reaches a specified size, when a specified number of events occur, or on a daily basis.
There are three predefined rules for database maintenance built in to Security Monitor:
Default pruning: For alarm tables when the database reaches 2,000,000 total events
Default syslog pruning: For syslog tables when the database reaches 2,000,000 events
Default audit log pruning: For audit log pruning performed on a daily basis
Follow these steps to create your own custom database rule:
Setting | Description |
---|---|
Rule name | Name that is to be assigned to the rule. |
Database used space greater than (megabytes) | Check box that, if selected, triggers the database rule when the database reaches a size greater than specified. The default value is 500MB. |
Database free space less than (megabytes) | Check box that, if selected, triggers the database rule when the free space on the drive where the database is installed falls below the specified value. The default setting is 1MB. |
Total IDS events | Check box that, if selected, triggers the database rule when the number of events in the database exceeds the value specified. The default is 500,000. |
Total syslog events | Check box that, if selected, triggers the database rule when the total number of syslog events exceeds the value specified. The default is 500,000. |
Total events | Check box that, if selected, triggers the database rule when the total number of IDS and syslog events exceeds the specified value. The default setting is 1,000,000. |
Daily beginning | Check box that, if selected, triggers the database rule daily at a specified time, beginning on a specified date. The default is 24 hours from the time on the Security Monitor server's clock. |
Comment | Optional. |
Setting | Description |
---|---|
Notify via email | Check box that, if selected, enables Security Monitor to send an email when the database rule is triggered. |
Recipients | Addresses to receive an email when the database rule is triggered. Separate multiple addresses with a comma. |
Subject | Subject of the email that will be sent to the recipients. |
Message | Message body of the email that will be sent to the recipients. |
Log a console notification event | Check box that, if selected, enables Security Monitor to log a notification report to the console when the database rule is triggered. |
Subject | Subject of the notification report. |
Message | Message body of the notification report. |
Execute a script | Check box that, if selected, enables Security Monitor to execute a script when the database rule is triggered. |
Script file | Drop-down menu with a list of script options that can be executed if the Execute a Script box is selected. |
Argument | Additional arguments that can accompany a script which executes when the database rule is triggered. |
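The trigger logic described in the two tables above, as an added example that is not Security Monitor's own code: each selected condition is an independent threshold, a rule fires when any one of them is met, and every fired rule runs its configured actions. The rule and stat field names, the action strings, and the sample database snapshots are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model of a Security Monitor database rule (example code, not the
# product's own). Only the size/count conditions are modelled; the time-based
# "Daily beginning" condition is scheduling, not a threshold, and is omitted.

@dataclass
class DatabaseStats:
    used_mb: float        # space the database occupies on disk
    free_mb: float        # free space left on the database drive
    ids_events: int       # IDS (alarm) events stored
    syslog_events: int    # syslog events stored

    @property
    def total_events(self) -> int:
        return self.ids_events + self.syslog_events

@dataclass
class DatabaseRule:
    name: str
    used_mb_greater_than: Optional[float] = None   # UI default when selected: 500
    free_mb_less_than: Optional[float] = None      # UI default when selected: 1
    total_ids_events: Optional[int] = None         # UI default when selected: 500,000
    total_syslog_events: Optional[int] = None      # UI default when selected: 500,000
    total_events: Optional[int] = None             # UI default when selected: 1,000,000
    actions: List[str] = field(default_factory=list)  # email / console / script

    def triggered_conditions(self, s: DatabaseStats) -> List[str]:
        """Names of the selected conditions that this snapshot satisfies (OR semantics)."""
        hits: List[str] = []
        if self.used_mb_greater_than is not None and s.used_mb > self.used_mb_greater_than:
            hits.append("used space")
        if self.free_mb_less_than is not None and s.free_mb < self.free_mb_less_than:
            hits.append("free space")
        if self.total_ids_events is not None and s.ids_events > self.total_ids_events:
            hits.append("IDS events")
        if self.total_syslog_events is not None and s.syslog_events > self.total_syslog_events:
            hits.append("syslog events")
        if self.total_events is not None and s.total_events > self.total_events:
            hits.append("total events")
        return hits

# The two threshold-based predefined rules from the page; the page says both fire
# when "the database reaches 2,000,000 events", read here as total events (assumption).
PREDEFINED = [
    DatabaseRule("Default pruning", total_events=2_000_000, actions=["prune alarm tables"]),
    DatabaseRule("Default syslog pruning", total_events=2_000_000, actions=["prune syslog tables"]),
]

def evaluate(rules: List[DatabaseRule], stats: DatabaseStats) -> Dict[str, List[str]]:
    """Map every rule that fires on this snapshot to the actions it would run."""
    return {r.name: r.actions for r in rules if r.triggered_conditions(stats)}
```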
The next option after Database Rules under the Admin tab sheet is the System Configuration option. It is where you configure the email server, PostOffice settings, and syslog settings, and update IDS signatures. Configuring the email server and PostOffice settings is straightforward. Here we focus on syslog settings and updating the network IDS signatures.
You might recall that IOS IDS devices (those not using PostOffice) and PIX IDS devices use connectionless syslog messages to communicate with Security Monitor. Follow these steps to configure your syslog settings:
You can update sensor signatures through IDS MC, the command-line interface (CLI), or Security Monitor. Follow these steps to update signatures with Security Monitor:
You can use Security Monitor to update network IDS signatures. Download the update from the Cisco Web site, copy the file to the specified directory, and navigate to Admin, System Configuration, Update Network IDS Signatures to complete the update.
Finally, we come to the last option of the last tab sheet, Admin, Event Viewer. Recall that the changes you made to customize your Event Viewer window were not persistent; that is, they are not saved when you shut down Event Viewer and open a new session. It can be cumbersome and repetitive to customize your views each time that you launch Event Viewer. From the Admin, Event Viewer page, you can define your Event Viewer preferences so that they are saved with your user account and reappear each time you log in to Security Monitor and launch Event Viewer.
You can configure the Event Viewer preferences for Your Preferences or for the Default Preferences, which changes the settings for all users. The steps and entry fields are the same whether you are editing your own preferences or the default ones, so we only go through the steps for your preferences here:
Setting | Description |
---|---|
Command timeout | Determines how long, in seconds, the Event Viewer waits for a response from a sensor before concluding that it has lost communications with the sensor. The default value is 10 seconds. |
Time to block | Specifies how long, in minutes, the sensor blocks traffic from the specified source when you issue a block command from the Event Viewer TOC. The default value is 1440 minutes (one day). |
Subnet mask | Subnet mask of the Security Monitor. |
Default expansion boundary | Amount of expansion that takes place when opening security event levels within the Event Viewer. |
Maximum events per grid | Maximum number of events that populate the Event Viewer grid. |
Auto collapse enabled | Check box that, if selected, enables the automatic collapsing of a cell. |
Query interval | Amount of time that the Event Viewer waits between queries to the database for new events. The default interval is 5 minutes. |
Auto query enabled | Check box that, if selected, enables automatic queries to the database for new security events. |
Event security indicator | Radio buttons that change the event severity indicator from a color to an icon or vice versa. |
Cells | Check boxes that, if selected, allow the Event Viewer to display security events blank left, blank right, or both. |
Sort by | Radio buttons that allow you to sort the security events by count or alphabetically by content. The default is content. |