Alarms are generated by the sensors and sent to the Event
Viewer host via the PostOffice protocol. Once received, these alarms are stored
in a database. This database can then be viewed with the Event Viewer. This
section discusses the following topics that deal with alarm management:
Opening the Event Viewer
The Event Viewer can be accessed via CSPM’s tool menu. To
start the Event Viewer, choose Tools | View Sensor Events | Database. When the
View Database Events window appears, you can choose to view all alarms or you
can limit the number of displayed alarms by selecting the start time and/or the
stop time.
- Start Time—The start time is used to view alarms generated after the specified time. Alarms generated before the start time aren’t displayed.
- Stop Time—The stop time is used to limit the number of alarms received. Alarms generated after the stop time aren’t displayed.
- Event Type—This is the IDS alarm type. CIDS Alarms is the only option that can be selected.
To open and view alarms using the Event Viewer, use the following steps:
- Log in to the CSPM host using the administrative account.
- From within CSPM, select Tools | View Sensor Events | Database.
- Either select to view all events or specify the start and stop times to limit the scope of alarms displayed.
You can open multiple instances of the Event Viewer. Once an
Event Viewer window is open, it can be customized and its display
characteristics can be modified independently of all other instances of the
Event Viewer. This enables you to open different Event Viewer windows containing
the same or different alarms, while adjusting the characteristics of each
instance to fulfill a particular need.
Alarm Fields
Each alarm viewed with Event Viewer is displayed as a row in
a table. Each row is made up of fields that contain specific data about the
alarm. The fields and explanations are provided in Table 26-3.
Table 26-3: Event Viewer Alarm Fields

| Field | Description |
| --- | --- |
| Count | Similar alarms are sometimes consolidated into a single row. The count field specifies the number of alarms consolidated into this row. |
| Name | The name of the alarm. |
| Source Address | The source IP address associated with the alarm listed in this row. |
| Destination Address | The destination IP address associated with the alarm listed in this row. |
| Destination Port | The destination UDP or TCP port associated with the alarm. |
| Source Port | The source UDP or TCP port associated with the alarm. |
| Details | Contains information specific to the signature that generated the alarm. If the signature was a string signature, the string that generated the alarm is listed in this field. |
| Source Location | IN indicates the source IP address is on the local or trusted network. OUT indicates the source IP address is located on a remote or untrusted network. |
| Destination Location | IN indicates the destination IP address is on the local or trusted network. OUT indicates the destination IP address is located on a remote or untrusted network. |
| Signature ID | The numeric ID of the signature that generated the alarm. |
| Subsignature ID | If the signature that generated the alarm has an associated subsignature, the subID is listed in this field. Otherwise, this field is blank. |
| Severity | The severity of the signature that generated the alarm. |
| Level | The level, one to five, of the signature that generated the alarm. |
| Organization Name | The organization name of the sensor that generated the alarm. |
| Sensor Name | The name of the sensor that generated the alarm. |
| Application Name | The name of the daemon that generated the alarm. All intrusion alarms are generated by packetd. |
| Local Date | The date, as recorded by the sensor, when the alarm was generated. |
| Local Time | The time, as recorded by the sensor, when the alarm was generated. |
Resolving Host Names
While viewing alarms in the Event Viewer window, you can
easily identify the host names of both the attacking host and the host that was
attacked. To resolve the host names, right-click the alarm in question, and then
choose Resolve Host Names. A Host Name Resolution window appears, showing the
source and destination IP addresses, as well as their associated host name. If
the host name can’t be resolved, the window displays Cannot be
resolved.
Viewing the Context Buffer
For TCP-based, series 3000 signatures, the sensor captures
up to 256 characters of the TCP stream. This information is called the context buffer and you can use the Event Viewer to display
it. By viewing the context buffer, you can determine if this alarm was generated
by an actual intrusion attempt or simply an accident.
To view the context buffer, right-click the alarm in
question, and then choose Context Buffer from the Shortcut menu. A new window
will appear, displaying the information contained in the context buffer. If no
context buffer is available, the Shortcut menu won’t contain the Context Buffer
option.
Network Security Database
Cisco provides a database of network vulnerability
information that can be accessed via an HTML browser. If you need additional
information for any alarm listed in the Event Viewer, you can search the NSDB
for additional information. If the Event Viewer contains an alarm you want to
examine, you can open the NSDB to view information about that specific alarm. To
open the NSDB, you use the following steps:
- From the Event Viewer, right-click the alarm in question.
- Choose Network Security Database.
A second method for opening the NSDB is as follows:
- Select the alarm to examine.
- Choose Tools | NSDB from the Event Viewer menu bar.
The NSDB Exploit Signature Page contains additional information
about the signature that triggered the alarm. Information provided on the NSDB
Exploit Signature page includes the following:
- Signature name
- ID
- SubID
- Recommended alarm level
- Signature type
- Signature structure
- Implementation
- Signature description
- Benign triggers
- Related vulnerability
- User notes

STUDY TIP: Be aware of how to open and view the NSDB.
Once you gain additional information about the matched signature,
you might want or need additional information on the related vulnerability. You
can select the link provided on the Exploit Signature page to research
additional information about the vulnerability. You can learn the following
information via the Vulnerability page:
User Notes
Both the Exploit Signature and Vulnerability pages provide a User Notes section.
This link allows security administrators to record additional information about
the signature or vulnerability. This user-added information is stored permanently
in the NSDB database on the CSPM host.
Suspending New Alarms
If desired, you can prevent the Event Viewer from displaying
any new or additional alarms. You can use this feature when you’re investigating
a previous alarm, and you want to prevent any additional alarms from being
displayed in the specific Event Viewer window. The alarms are still recorded and
stored in the alarm database, and any other instances of the Event Viewer will
continue to display additional alarms. To suspend new alarms in an Event Viewer
window, do one of the following:
- Choose Edit | Suspend New Events on the Event Viewer menu bar.
- Click the Pause Live Feed button on the Event Viewer toolbar.
To resume receiving new alarms, do one of the following:
- Choose Edit | Resume New Events on the Event Viewer menu bar.
- Click the Resume Live Feed button on the Event Viewer toolbar.
Deleting Alarms
Once you deal with an alarm in the Event Viewer, you might
want to remove the alarm record from the view or from the entire alarm database.
You can choose to delete an alarm from the current Event Viewer window, from all
Event Viewer instances, or from the CSPM database. To delete the alarm from the
current Event Viewer window:
- Right-click the alarm and choose Delete Record.
- Select From This Grid.
To delete the alarm from all Event Viewer windows:
- Right-click the alarm and choose Delete Record.
- Select From All Grids.
To delete the alarm from the entire database:
- Right-click the alarm and choose Delete Record.
- Select From Database.
Caution: If the selected row contains multiple alarms (indicated by a count
greater than one) and you choose any of the deletion options, all alarms
represented by that row will be deleted. To delete a single alarm represented in
a row with multiple alarms, first expand the row, then select the appropriate
alarm, and then choose Delete Record.
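The following is an added model (not code from CSPM or this chapter) of how the Count field in Table 26-3, the start/stop time window, and the three Delete Record scopes interact, including the Caution above: deleting a consolidated row removes every alarm behind it unless the row is first expanded and a single alarm picked. The alarm records and the fields that make two alarms "similar" are assumptions.

```python
from datetime import datetime

# Constructed sample alarm database; field names follow Table 26-3, values are hypothetical.
DATABASE = {
    1: {"name": "IIS Unicode", "src": "203.0.113.5", "dst": "192.0.2.10", "sig_id": 5081, "sub_id": 0, "time": "2002-03-01 10:00:05"},
    2: {"name": "IIS Unicode", "src": "203.0.113.5", "dst": "192.0.2.10", "sig_id": 5081, "sub_id": 0, "time": "2002-03-01 10:00:09"},
    3: {"name": "ICMP Echo Req", "src": "198.51.100.7", "dst": "192.0.2.10", "sig_id": 2004, "sub_id": 0, "time": "2002-03-01 10:01:00"},
    4: {"name": "IIS Unicode", "src": "203.0.113.5", "dst": "192.0.2.10", "sig_id": 5081, "sub_id": 0, "time": "2002-03-01 12:30:00"},
}
# Assumed "similar alarm" key used to consolidate alarms into one row.
KEY = ("name", "src", "dst", "sig_id", "sub_id")

def open_grid(db, start=None, stop=None):
    """Open one Event Viewer instance: rows of consolidated alarms within the
    start/stop window. Returns {row key: [alarm ids]}; Count is len() of the list."""
    rows = {}
    for aid, a in db.items():
        t = datetime.strptime(a["time"], "%Y-%m-%d %H:%M:%S")
        if (start and t < start) or (stop and t > stop):
            continue  # outside the selected time window, not displayed
        rows.setdefault(tuple(a[k] for k in KEY), []).append(aid)
    return rows

def delete_record(grids, db, which, key, scope, alarm_id=None):
    """Delete Record on row `key` of grids[which]. scope is "From This Grid",
    "From All Grids" or "From Database". Without alarm_id the whole row goes
    (every consolidated alarm, per the Caution); with alarm_id only that one,
    i.e. the expanded-row path. Returns the ids removed."""
    victims = [alarm_id] if alarm_id is not None else list(grids[which].get(key, []))
    targets = [grids[which]] if scope == "From This Grid" else grids
    for g in targets:
        kept = [i for i in g.get(key, []) if i not in victims]
        if kept:
            g[key] = kept
        elif key in g:
            del g[key]
    if scope == "From Database":  # other grids keep nothing either; the records are gone
        for i in victims:
            db.pop(i, None)
    return victims

if __name__ == "__main__":
    db = dict(DATABASE)
    grids = [open_grid(db), open_grid(db, stop=datetime(2002, 3, 1, 11, 0, 0))]
    for n, g in enumerate(grids):
        print(f"grid {n}:", {k[0]: len(v) for k, v in g.items()})  # Count per row
```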