Header
Home | Set as homepage | Add to favorites
  Search the Site     » Advanced Search
Sections
Syndication


Blogroll:

||||| ALL Cisco-Network ARTICLES |||||  
CCIE Journey,
The CCIE Journey,

Home : Intrusion Detection System : How to Configure the CSID Director

How to Configure the CSID Director

Nov 24,2008 by admin

small font medium font large font
image

How to Configure the CSID Director

In order to configure the Director, use the NetRanger Configuration File Management Utility, better known as nrConfigure. In OpenView, you can launch nrConfigure from the Security drop-down menu. This is used to manage the configuration of the Director and sensors. It is similar to CSPM in that you can update configuration files for the Director and sensors, and add and delete sensors and basically manage all aspects of your IDS infrastructure. Once you get nrConfigure open, you see the local Director and any sensor that the Director has identified. Each item listed displays three categories of information:

  • Organization and Host Name

  • Configuration last modified date

  • A description of the host

Adding a New Sensor

To add a new sensor use, the Add Host Wizard from the nrConfigure menus. Follow these steps:

  1. Start the Add Host Wizard from the nrConfigure menus.

  2. Enter the following Sensor Identification Parameters. Once you have done so, click Next:

    • Organization Name

    • Organization ID

    • Host Name

    • Host ID

    • Host IP Address

  3. Select the Host Type and click Next. You have three options here:

    For a new sensor, select the first option, Initialize a newly installed Sensor. If you are connecting to a sensor that has already been configured, select Connect to a previously configured Sensor.

  4. Since this is a new sensor, select Initialize a newly installed Sensor.

  5. Enter the duration for IP blocking and session logging. The defaults are ten minutes. Click Next.

    • Number of minutes to log on an event: 1–1440 minutes

    • Number of minutes to shun an event: 1–1440 minutes

    • Network Interface Name.

  6. Select the sniffing interface. The different interface types are discussed earlier in Chapter 3.

  7. Define the characteristics for blocking/shunning and click Next. These include:

    • Router's username/password

    • Router's enable password

    • Router's NAT IP address

    • IP address of sensor from router

    • Router's external IP address

  8. At this point, the nrConfigure window displays the sensor under the correct folder. The folder name and the sensor's organization name should be the same. Exit the nrConfigure screen.

If you were to add a sensor that had been previously configured, you would change your selection in step 3 to Connect to a previously configured Sensor. You then finish the install by selecting Finish. The wizard uploads the configuration file from the sensor to the Director.

To delete a sensor from the nrConfigure screen, highlight the sensor to be deleted, right-click, and select Delete Host. Once the sensor is deleted, you remove the icon from nrConfigure by right-clicking the sensor icon to be deleted, and choose Delete Symbol.

Start Sidebar
Configuring & Implementing: Changing a Sensor's IP Address

To change a sensor IP address, you have to update a sensor's IP address, or change its NetRanger communication infrastructure. The following steps show you how.

  1. On the Director toolbar, choose Configure | Security to open nrConfigure.

  2. Double-click the sensor icon you want to reconfigure.

  3. Double-click the System Files folder. This shows you the current configuration version.

  4. Double-click Routes.

  5. Enter the new IP address and click OK.

  6. Highlight the new transient version, save and apply the changes. Close.

  7. At the sensor, log on as root and run sysconfig-sensor.

  8. Select option 1, IP address, and enter the new IP address. Exit and reboot the sensor.

End Sidebar

Event Processing

Events are forwarded to the Director and translated into alarms. Similar to the other event viewers, they are color-coded red, yellow, and green, for high, medium, and low alarms, respectively.

To view alarms, you have to drill down into the icons. Follow these steps.

  1. Double-click the netranger icon. The network topology submap opens. The network topology submap contains icons for all the sensors and Directors.

  2. Double-click a sensor or Director icon and another submap opens with all the daemons running on that particular device.

  3. Select a daemon and double-click. This opens another submap that displays all the events that have been generated by that daemon.

There are several different types of alarms:

  • Intrusion Alarms

  • Context Buffer Alarms

  • Error Alarms

  • OkAlarms

When an alarm is sent to the Director, one of the daemons, nrdirmap, translates the alarm and presents it in the submap. If multiple alarms from the same signature are sent, they are grouped into alarm sets.

Alarms are labeled with the name of the signature that corresponds to the signature ID. If the signature name cannot be located, then the alarm is labeled with the signature ID itself. The Director utilizes the signatures file in the /usr/nr/etc/ directory.


181 times read

Related news
» Cisco IDS Alarms and Signatures
by admin posted on Nov 24,2008
» Configuring the Appliance Sensor
by admin posted on Nov 24,2008
» Using the Master Blocking Sensor
by admin posted on Nov 26,2008
» Centralized Alarm Display and Management
by alperen posted on Feb 24,2010
» Signature and Alarm Management
by alperen posted on Mar 10,2010
Did you enjoy this article?
1 2 3 4 5
Rating: 5.00Rating: 5.00Rating: 5.00Rating: 5.00Rating: 5.00 (total 12 votes)

comment Comments (0 posted) 

More Top News
CCSP-Cisco Certified Security Professional
arrow Cisco SAFE Implementation
arrow Preparation Documents
arrow Exam Topics
arrow Skills Required for the Exam
arrow Cisco SAFE Implementation Questions and Answers
arrow Access Control Lists Cisco
arrow Access List Basics
arrow Standard Access Lists
arrow Verifying ACLs
arrow Extended Access Lists
arrow TCP Access Lists
arrow UDP Access Lists
arrow ICMP Access Lists
arrow Named Access Lists
arrow Signature and Alarm Management Review
arrow Signature and Alarm Management Review Questions and Answers
arrow Event Viewer
arrow Managing Alarms
arrow Event Viewer Customization
arrow Preference Settings
arrow Sensor Installation
arrow Connecting to Your Network Sensor Appliance
arrow Sensor Bootstrap
arrow Sensor Installation and Configuration Review
arrow Sensor Installation and Configuration Questions and Answers
arrow Signature and Alarm Management
arrow CIDS Signatures
arrow Signature Series
arrow Signature Implementations
arrow Signature Classes
arrow Signature Types
arrow Signature Severity
Most Popular
Most Commented
Featured Author

alperen

image
<| Cisco Articles | Maximum Learning | All Cisco-Network Study Notes | Privacy Policy |>
If you think you own the material being used without permission, contact alperenmad[at]hotmail.com. material will be removed from the site.