128. Cisco Intrusion Prevention Systems (CIDEE)
The Cisco IPS add-on supports collection of alerts from an IPS-enabled device. The Security Device Event Exchange (SDEE) API is used for communication between NXLog and the IPS.
128.1. Setup
-
Install the add-on.
-
Set the correct connection details in the script by editing the
sdee("cisco","cisco","192.168.100.254", "http","cgi-bin/sdee-server/","yes");
line in theread_data()
subroutine. Set the appropriate username, password, hostname or IP address, protocol, path, and force subscription.-
For username and password, a suitable user with the appropriate privilege level must be selected.
-
The protocol can be
http
orhttps
; however, HTTPS requires that the appropriate SSL options are enabled further down in thesdee()
subroutine. -
The default path for the SDEE service can be changed if necessary.
-
We recommend using force subscription, but the default of
yes
can be changed tono
if required.
-
-
Upon start-up, the script will open a connection to the device and request a subscription ID. It will then periodically ask for new alerts. The interval that the device is queried for new alerts can be set by changing the
set_read_timer()
NXLog function in the script.
Once alerts are available on the device the script will parse the XML source, format the alert, and pass it to NXLog.
Note
|
The script only collects alerts, but it can be modified to collect status and error messages too. The primary subroutine that sorts out the information received is
The final format of the alert messages is specified in the
|
128.2. NXLog Configuration
The im_perl module is used to execute the Perl script, which in turn connects to the device, requests a new subscription, and periodically collects any new alerts.
The configuration below collects IPS alerts from the configured Cisco IPS device. For simplicity, the output is saved to a file in this example.
1
2
3
4
5
6
7
8
9
10
11
12
13
<Input perl>
Module im_perl
PerlCode /opt/nxlog/bin/cisco-ips.pl
</Input>
<Output file>
Module om_file
File '/tmp/output.log'
</Output>
<Route perl_to_file>
Path perl => file
</Route>
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<env:Body>
<sd:events
xmlns:cid="http://www.cisco.com/cids/2003/08/cidee"
xmlns:sd="http://example.org/2003/08/sdee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://example.org/2003/08/sdee sdee.xsd http://www.cisco.com/cids/2003/08/cidee cidee.xsd">
<sd:evIdsAlert eventId="15117815226791" vendor="Cisco" severity="medium">
<sd:originator>
<sd:hostId>R1</sd:hostId>
</sd:originator>
<sd:time offset="0" timeZone="UTC">1511781522011779176</sd:time>
<sd:signature description="SYN Flood DOS" id="6009" version="S593">
<cid:subsigId>0</cid:subsigId>
<cid:sigDetails>SYN Flood DOS</cid:sigDetails>
</sd:signature>
<cid:protocol>tcp</cid:protocol>
<cid:riskRatingValue>63</cid:riskRatingValue>
<sd:participants>
<sd:attacker>
<sd:addr>192.168.100.1</sd:addr>
<sd:port>53760</sd:port>
</sd:attacker>
<sd:target>
<sd:addr>192.168.99.10</sd:addr>
<sd:port>2717</sd:port>
</sd:target>
<sd:vrf_name>NONE</sd:vrf_name>
</sd:participants>
<sd:actions></sd:actions>
<cid:interface>Fa0/0</cid:interface>
<cid:vrf_name>NONE</cid:vrf_name>
</sd:evIdsAlert>
<sd:evIdsAlert eventId="15117815236793" vendor="Cisco" severity="informational">
<sd:originator>
<sd:hostId>R1</sd:hostId>
</sd:originator>
<sd:time offset="0" timeZone="UTC">1511781523475744440</sd:time>
<sd:signature description="Back Door Probe (TCP 1234)" id="9007" version="S256">
<cid:subsigId>0</cid:subsigId>
<cid:sigDetails>SYN to TCP 1234</cid:sigDetails>
</sd:signature>
<cid:protocol>tcp</cid:protocol>
<cid:riskRatingValue>18</cid:riskRatingValue>
<sd:participants>
<sd:attacker>
<sd:addr>192.168.100.1</sd:addr>
<sd:port>57422</sd:port>
</sd:attacker>
<sd:target>
<sd:addr>192.168.99.10</sd:addr>
<sd:port>1234</sd:port>
</sd:target>
<sd:vrf_name>NONE</sd:vrf_name>
</sd:participants>
<sd:actions></sd:actions>
<cid:interface>Fa0/0</cid:interface>
<cid:vrf_name>NONE</cid:vrf_name>
</sd:evIdsAlert>
</sd:events>
</env:Body>
</env:Envelope>
2017-11-28 22:29:41 UTC+0; eventid="15119009816528; hostId="R1"; severity="medium"; app_name=""; appInstanceId=""; signature="6009"; subSigid="0"; description="SYN Flood DOS"; attacker="192.168.100.1"; attacker_port="40784""; target="192.168.99.10"; target_port="4003; protocol="tcp"; risk_rating="63"; target_value_rating=""; interface="Fa0/0"; interface_group=""; vlan=""
2017-11-28 22:29:44 UTC+0; eventid="15119009846539; hostId="R1"; severity="informational"; app_name=""; appInstanceId=""; signature="9007"; subSigid="0"; description="SYN to TCP 1234"; attacker="192.168.100.1"; attacker_port="43242""; target="192.168.99.10"; target_port="1234; protocol="tcp"; risk_rating="18"; target_value_rating=""; interface="Fa0/0"; interface_group=""; vlan=""
Note
|
The two samples are from different but similar alerts. |