Cisco Intrusion Prevention System
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
---|---|---|---|
SNMP | Performance and Availability Monitoring | ||
SDEE | Alerts | Security Monitoring |
Event Types
In ADMIN > Device Support > Event, search for "cisco ips" in the Device Type and Description columns to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "cisco ips" in the Name column to see the rules associated with this device.
Reports
In RESOURCE > Reports , search for "cisco ips" in the Name column to see the reports associated with this device.
Configuration
SNMP
- Log in to the device manager for your Cisco IPS.
- Go to Configuration > Allowed Hosts/Networks.
- Click Add.
- Enter the IP address of your FortiSIEM virtual appliance to add it to the access control list, and then click OK.
- Go to Configuration > Sensor Management > SNMP > General Configuration.
- For Read-Only Community String, enter
public
. - For Sensor Contact and Sensor Location, enter Unknown.
- For Sensor Agent Port, enter 161.
- For Sensor Agent Protocol, select udp.
If you must create an SDEE account for FortiSIEM to use, go to Configuration > Users and Add a new administrator.
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Setting | Value |
---|---|
Name | <set name> |
Device Type | Cisco IPS |
Access Protocol | Cisco SDEE |
Pull Interval | 5 minutes |
Port | 443 |
Password config | See Password Configuration |
SNMP Access Credentials for All Devices
Set these Access Method Definition values to allow FortiSIEM to communicate with yourdevice over SNMP. Set the Name and Community String.
Setting | Value |
---|---|
Name | <set name> |
Device Type | Generic |
Access Protocol | SNMP |
Community String | <your own> |
Sample XML-Formatted Alert
<\!-\- CISCO IPS \--><evAlert eventId="1203541079317487802" severity="low"> <originator> <hostId>MainFW-IPS</hostId> <appName>sensorApp</appName> <appInstanceId>376</appInstanceId> </originator> <time offset="0" timeZone="UTC">1204938398491122000</time> <signature sigName="ICMP Network Sweep w/Echo" sigId="2100" subSigId="0" version="S2"></signature> <interfaceGroup>vs1</interfaceGroup><vlan>0</vlan> <participants> <attack> <attacker> <addr locality="OUT">2.2.2.1</addr> </attacker> <victim> <addr locality="OUT">171.64.10.225</addr> <os idSource="unknown" type="unknown" relevance="relevant"></os> </victim> <victim> <addr locality="OUT">171.66.255.87</addr> <os idSource="unknown" type="unknown" relevance="relevant"></os> </victim> <victim> <addr locality="OUT">171.66.255.86</addr> <os idSource="unknown" type="unknown" relevance="relevant"></os> </victim> <victim> <addr locality="OUT">171.66.255.84</addr> <os idSource="unknown" type="unknown" relevance="relevant"></os> </victim> <victim> <addr locality="OUT">171.66.255.85</addr> <os idSource="unknown" type="unknown" relevance="relevant"></os> </victim> <victim> <addr locality="OUT">171.66.255.82</addr> <os idSource="unknown" type="unknown" relevance="relevant"></os> </victim> </attack> </participants> <alertDetails>InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" </alertDetails></evAlert>