CSIDS Exam Cram 2 (Exam 642-531)
Although you will do most of your monitoring tasks through Event Viewer, you need to perform other supporting tasks to facilitate reporting and administration. The next sections cover the final two tab sheets in Security Monitor, Reports and Admin.
Security Monitor Reports
Security Monitor allows you to generate reports on demand. Alternatively, you can schedule reports to be generated at a specific time. Creating reports involves generating, scheduling, and viewing reports.
Generating On-Demand and Scheduled Reports
If you are a Security Monitor network security administrator, you can generate audit and alarm reports on demand or schedule them to generate at a specific time or at regular intervals. The steps to generate an IDS alarm report are as follows:
1. Navigate to the Generate option on the Reports tab sheet, where the Select Report page appears. Choose All from the Report Group drop-down menu. The list of Available Reports refreshes to display the full list of reports.
2. Select an IDS report radio button and click the Select action button to display the Report Filtering page. Enter the values as listed and described in Table 15.11.

Table 15.11. Security Monitor Report Filtering Settings on the Reports, Generate Option

| Setting | Description |
| --- | --- |
| Event level | The event level that is displayed in the selected report; available options are informational, low, medium, and high. |
| Time/date | The time and date range covered by the report; valid options are since installation, a specified number of units, or a time range. |
| Source direction | The direction of the security violation; valid options are any, in, or out. |
| Source address | The source address of the security violation; valid options are any, a single IP address, or a range of IP addresses. |
| Destination direction | The direction of the security violation; valid options are any, in, or out. |
| Destination address | The destination address of the security violation; valid options are any, a single IP address, or a range of IP addresses. |
| IDS devices | The IDS devices that are included in the report; you can choose any of the devices that have been added to Security Monitor. |
| IDS signatures | The IDS signatures that are included in the report; you can choose one or multiple signatures. |
| IDS signature categories | The IDS signature categories that are included in the report; you can choose one or multiple signature categories. |
| Top n | The number of top-ranked results to show in the report. |

3. After entering your filter settings, click Next to display the Schedule Report page. Enter values for the settings, as listed and described in Table 15.12.

Table 15.12. Security Monitor Schedule Report Settings in Admin, Reports

| Setting | Description |
| --- | --- |
| Report title | Description field that allows you to give a title to the report. |
| Schedule options | Options that allow you to either run the report immediately or schedule it for later. |
| Repeat every | Check box with a drop-down menu allowing you to repeat the report at the following intervals: every day, week, weekday, weekend day, minute, and hour. |
| Email report to | Entry field that allows you to send the report to an email recipient after it is generated. |

4. Click Finish. If you chose to generate the report immediately, the Report View page appears. Otherwise, the Select Report page appears.
Viewing Reports
Finally, after generating a report, you can view it by navigating to Reports, View. After you select your report with its radio button, you have the option to view it within the existing window or to open the report in a new window.
Security Monitor Administration
The last tab sheet in Security Monitor is the Admin tab sheet, where you perform server administration and maintenance tasks. These tasks fall into the following categories:
- Database maintenance: Allows you to back up, restore, or prune the configuration database.
- System configuration: Enables you to configure communication properties such as email server settings, PostOffice settings, and syslog settings, and to update network IDS signatures.
- Defining Event Viewer preferences: Allows you to set your Event Viewer preferences and to create, edit, delete, activate, and deactivate correlated events. You deactivate correlated events by using event rules to specify what action to take when the correlated event is detected.
Database Rules
The first option in the Admin tab sheet is the Database Rules option. Security Monitor allows you to configure different actions to occur when a database rule is triggered. The database rules can be triggered when the Security Monitor database reaches a specified size, when a specified number of events occur, or on a daily basis.
Security Monitor database rules can be triggered when the Security Monitor database reaches a specified size, when a specified number of events occur, or on a daily basis.
There are three predefined rules for database maintenance built in to Security Monitor:
- Default pruning: For alarm tables, when the database reaches 2,000,000 total events
- Default syslog pruning: For syslog tables, when the database reaches 2,000,000 events
- Default audit log pruning: For audit log tables, performed on a daily basis
Follow these steps to create your own custom database rule:
1. Navigate to Admin, Database Rules, Add to display the Specify the Trigger Condition page. Enter the values for the settings, as listed and described in Table 15.13.

Table 15.13. Security Monitor Database Rules Trigger Conditions

| Setting | Description |
| --- | --- |
| Rule name | Name that is to be assigned to the rule. |
| Database used space greater than (megabytes) | Check box that, if selected, triggers the database rule when the database grows larger than the specified size. The default value is 500MB. |
| Database free space less than (megabytes) | Check box that, if selected, triggers the database rule when the free space on the drive where the database is installed falls below the specified value. The default setting is 1MB. |
| Total IDS events | Check box that, if selected, triggers the database rule when the number of IDS events in the database exceeds the specified value. The default is 500,000. |
| Total syslog events | Check box that, if selected, triggers the database rule when the total number of syslog events exceeds the specified value. The default is 500,000. |
| Total events | Check box that, if selected, triggers the database rule when the combined total of IDS and syslog events exceeds the specified value. The default setting is 1,000,000. |
| Daily beginning | Check box that, if selected, triggers the database rule daily at a specified time, beginning on a specified date. The default is 24 hours from the current time on the Security Monitor server's clock. |
| Comment | Optional. |

2. Now that you have selected your database trigger conditions, click Next to display the Choose the Actions page. This page closely resembles the Admin, Event Rules page. Enter values for the settings as described in Table 15.14.

Table 15.14. Security Monitor Database Rule Action Settings in Admin, Database Rules

| Setting | Description |
| --- | --- |
| Notify via email | Check box that, if selected, enables Security Monitor to send an email when the database rule is triggered. |
| Recipients | Addresses to receive an email when the database rule is triggered. Separate multiple addresses with a comma. |
| Subject | Subject of the email that will be sent to the recipients. |
| Message | Message body of the email that will be sent to the recipients. |
| Log a console notification event | Check box that, if selected, enables Security Monitor to log a notification report to the console when the database rule is triggered. |
| Subject | Subject of the notification report. |
| Message | Message body of the notification report. |
| Execute a script | Check box that, if selected, enables Security Monitor to execute a script when the database rule is triggered. |
| Script file | Drop-down menu listing the scripts that can be executed if the Execute a Script box is selected. |
| Argument | Additional arguments passed to the script when it executes in response to the database rule. |

3. Click Finish to refresh the Database Rules page, which will then show the database rule that you have just created.
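To make the trigger semantics of Table 15.13 and the predefined rules concrete, the following added example (not code from the book or from Cisco Security Monitor) models each threshold check box as an optional field, builds the two threshold-based predefined rules, and evaluates a custom rule that uses the table's default values against constructed database statistics. The field names, the DatabaseState record and the sample figures are assumptions made for the illustration.

```python
# Added example, not Security Monitor code: Table 15.13 trigger conditions and two predefined rules.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class DatabaseState:
    used_mb: float       # space used by the Security Monitor database
    free_mb: float       # free space on the drive where the database is installed
    ids_events: int      # rows in the IDS alarm tables
    syslog_events: int   # rows in the syslog tables

@dataclass
class DatabaseRule:
    """Each threshold mirrors a Table 15.13 check box; None means the box is cleared."""
    name: str
    used_space_gt_mb: Optional[float] = None      # Database used space greater than
    free_space_lt_mb: Optional[float] = None      # Database free space less than
    total_ids_events_gt: Optional[int] = None     # Total IDS events
    total_syslog_events_gt: Optional[int] = None  # Total syslog events
    total_events_gt: Optional[int] = None         # Total events (IDS + syslog)

    def triggered_by(self, db: DatabaseState) -> List[str]:
        """Return the conditions that fire; any one selected condition triggers the rule."""
        reasons = []
        if self.used_space_gt_mb is not None and db.used_mb > self.used_space_gt_mb:
            reasons.append(f"used space {db.used_mb:.0f}MB > {self.used_space_gt_mb:.0f}MB")
        if self.free_space_lt_mb is not None and db.free_mb < self.free_space_lt_mb:
            reasons.append(f"free space {db.free_mb:.0f}MB < {self.free_space_lt_mb:.0f}MB")
        if self.total_ids_events_gt is not None and db.ids_events > self.total_ids_events_gt:
            reasons.append(f"IDS events {db.ids_events} > {self.total_ids_events_gt}")
        if self.total_syslog_events_gt is not None and db.syslog_events > self.total_syslog_events_gt:
            reasons.append(f"syslog events {db.syslog_events} > {self.total_syslog_events_gt}")
        if self.total_events_gt is not None and db.ids_events + db.syslog_events > self.total_events_gt:
            reasons.append(f"total events {db.ids_events + db.syslog_events} > {self.total_events_gt}")
        return reasons

# The daily audit log pruning rule is time-based rather than threshold-based, so it is omitted.
PREDEFINED_RULES = [
    DatabaseRule("Default pruning", total_events_gt=2_000_000),
    DatabaseRule("Default syslog pruning", total_syslog_events_gt=2_000_000),
]

def evaluate_rules(db: DatabaseState, rules: List[DatabaseRule]) -> Dict[str, List[str]]:
    # Map each rule name to the conditions that triggered it (empty list if it did not fire).
    return {rule.name: rule.triggered_by(db) for rule in rules}

if __name__ == "__main__":  # constructed sample: a custom rule built with the Table 15.13 defaults
    custom = DatabaseRule("Custom defaults", 500, 1, 500_000, 500_000, 1_000_000)
    state = DatabaseState(used_mb=620, free_mb=40, ids_events=450_000, syslog_events=700_000)
    print(evaluate_rules(state, PREDEFINED_RULES + [custom]))
```

With the sample statistics, neither predefined rule fires (1,150,000 total events is below 2,000,000), while the custom rule fires on used space, syslog events and total events, showing that Total events counts IDS and syslog rows together.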
System Configuration Settings
The next option after Database Rules under the Admin tab sheet is the System Configuration option. It is where you configure the email server, PostOffice settings, and syslog settings, and update IDS signatures. Configuring the email server and PostOffice settings is straightforward. Here we focus on syslog settings and updating the network IDS signatures.
You might recall that IOS IDS devices (those not using PostOffice) and PIX IDS devices use connectionless syslog messages to communicate with Security Monitor. Follow these steps to configure your syslog settings:
1. Navigate to Admin, System Configuration and click Syslog Settings in the TOC to display the Syslog Settings page.
2. Enter a new syslog port number in the Listen on UDP Port entry field.
3. Enter the port to which UDP syslog information should be forwarded in the Forward to UDP Port entry field.
4. Click Apply to refresh the Syslog Settings page, which should now display the new port settings that you have just entered.
You can update sensor signatures through IDS MC, the command-line interface (CLI), or Security Monitor. Follow these steps to update signatures with Security Monitor:
1. Download the latest IDS updates for Security Monitor from the Cisco Software Center at http://www.cisco.com/cgi-bin/tablebuild.pl/ids4.
2. Copy the files into this directory: ...CSCOpx\MDC\etc\ids\updates.
3. Navigate to Admin, System Configuration and click Update Network IDS Signatures in the TOC to display the Update Network Signatures page.
4. Use the Update File drop-down menu to choose the downloaded IDS signature update for Security Monitor, and click Apply. If Security Monitor itself needs to be updated, the Update Summary page appears and you should go to Step 6. If Security Monitor does not need to be updated but sensors need signature updates, the Select Sensor page appears and you should go to Step 5.
5. Select the check boxes of the sensors that need to be updated and click Next to display the Update Summary page.
6. Click Continue to display the Update Network IDS Signatures page and complete the update.
You can use Security Monitor to update network IDS signatures. Download the update from the Cisco Web site, copy the file to the specified directory, and navigate to Admin, System Configuration, Update Network IDS Signatures to complete the update.
Defining Event Viewer Preferences
Finally, we come to the last option of the last tab sheet, Admin, Event Viewer. Recall that the changes you made to customize your Event Viewer window were not persistent; that is, they are not saved when you shut down Event Viewer and open a new session. It can be cumbersome and repetitive to customize your views each time that you launch Event Viewer. From the Admin, Event Viewer page, you can define your Event Viewer preferences so that they are saved with your user account and reappear each time you log in to Security Monitor and launch Event Viewer.
You can configure the Event Viewer preferences for Your Preferences or for the Default Preferences, which changes the settings for all users. The steps and entry fields are the same whether you are editing your own preferences or the default ones, so we only go through the steps for your preferences here:
1. Navigate to Admin, Event Viewer, Your Preferences to display the Your Preferences page.
2. Enter the values for the settings, as listed and described in Table 15.15.

Table 15.15. Security Monitor Your Preferences Settings on the Admin, Event Viewer, Your Preferences Page

| Setting | Description |
| --- | --- |
| Command timeout | Determines how long, in seconds, the Event Viewer waits for a response from a sensor before concluding that it has lost communication with the sensor. The default value is 10 seconds. |
| Time to block | Specifies how long, in minutes, the sensor blocks traffic from the specified source when you issue a block command from the Event Viewer TOC. The default value is 1440 minutes (one day). |
| Subnet mask | Subnet mask of the Security Monitor. |
| Default expansion boundary | Amount of expansion that takes place when opening security event levels within the Event Viewer. |
| Maximum events per grid | Maximum number of events that populate the Event Viewer grid. |
| Auto collapse enabled | Check box that, if selected, enables the automatic collapsing of a cell. |
| Query interval | Amount of time that the Event Viewer waits between queries to the database for new events. The default interval is 5 minutes. |
| Auto query enabled | Check box that, if selected, enables automatic queries to the database for new security events. |
| Event severity indicator | Radio buttons that change the event severity indicator from a color to an icon or vice versa. |
| Cells | Check boxes that, if selected, allow the Event Viewer to display security events blank left, blank right, or both. |
| Sort by | Radio buttons that allow you to sort the security events by count or alphabetically by content. The default is content. |