Configure SDEE Plugins

Applies to Product: USM Appliance™ AlienVault OSSIM®

Cisco Systems IPS Sensor 5.0 uses the Security Device Event Exchange (SDEE) protocol to specify the format of messages used to collect events generated by certain Cisco security devices. AlienVault supports this type of log collection and USM Appliance captures events specifically from

  • Cisco Network Prevention Systems (IPS)
  • Cisco Network Detection Systems (IDS)
  • Cisco Switch IDS
  • Cisco IOS routers with the Inline Intrusion Prevention System (IPS) functions
  • Cisco IDS modules for routers
  • Cisco PIX Firewalls
  • Cisco Catalyst 6500 Series firewall service modules (FWSMs)
  • Management Center for Cisco Security Agents
  • CiscoWorks Monitoring Center for Security

 

# Plugin cisco-ips id:1597 version: 0.0.2

# Last modification: 2015-05-13 16:11

#

# Plugin Selection Info:

# Cisco:IPS Intrusion Prevention System:-

#

# END-HEADER

# Accepted products:

# cisco - intrusion_prevention_system 6.0

# cisco - intrusion_prevention_system 6.0.2.0

# cisco - intrusion_prevention_system 7.0

# cisco - intrusion_prevention_system 7.0%281%29e3

# cisco - intrusion_prevention_system 7.0%282%29e3

# cisco - intrusion_prevention_system 7.0%282%29e4

# cisco - intrusion_prevention_system 7.0%283%29e4

# cisco - intrusion_prevention_system 7.0%284%29e4

# cisco - intrusion_prevention_system 7.0%285a%29e4

# cisco - intrusion_prevention_system 7.0%286%29e4

# cisco - intrusion_prevention_system 7.0%287%29e4

# cisco - intrusion_prevention_system 7.0%288%29e4

# cisco - intrusion_prevention_system 7.0%289%29e4

# cisco - intrusion_prevention_system 7.1

# Description:

# http://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html

#

#

[DEFAULT]

plugin_id=1597

[config]

type=detector

enable=yes

source=sdee

source_ip=

user=

password=

sleep=5

process=

start=no

stop=no

Working with the SDEE Devices

Each time a new session begins with a SDEE device, USM Appliance provides a subscription ID. (The latest Subscription ID can be found under /etc/ossim/agent/sdee_sid.data.)

To see messages related to the subscription

  1. Connect to the AlienVault Console through SSH and use your credentials to log in.

    The AlienVault Setup menu displays.

  2. On the AlienVault Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. Enter

    grep subs /var/log/ossim/agent.log

Normally, when the session finishes, the AlienVault Agent service closes the session automatically. If it does not, you should do it manually.

To close the last session

  • Enter

    python /usr/share/ossim/scripts/closeSDEEsession.py <SubscriptionID>

    If you still have problems, look for the SDEE-related messages in the agent log.

To find SDEE messages in the agent log

  • Enter

    grep SDEE /var/log/ossim/agent.log

Additional Configuration Required Before You Enable an SDEE Plugin

You must configure USM Appliance to accept events from SDEE-capable devices from your USM Appliance assets before you enable the plugin.

This procedure describes how to configure the AlienVault Agent service to accept events from an SDEE-capable device. You will need command line access to USM Appliance to complete this task.

To configure USM Appliance to collect events from an SDEE device

  1. Create the file /etc/ossim/agent/plugins/cisco-ips.cfg.local.

  2. In the cisco-ips.cfg.local file, add the following lines.

    [config]

     

    source_ip=<source_IP>

    user=<your_user>

    password=<your_password>

    Where

    • source_ip is the IP address of the SDEE device.
    • user is an user account for the SDEE device.
    • password is the password for the user account on the SDEE device.
  1. Save the file.

To configure the AlienVault Agent service to accept events from multiple SDEE-capable devices, you will need command line access to USM Appliance to complete this task.

To configure USM Appliance to collect events from multiple SDEE devices

  1. Create the file /etc/ossim/agent/cisco_sdee.csv.
  2. In the .csv file, specify the IP addresses for the different SDEE devices and their login credentials. You must enter one device per line.

    3. 1.2.3.4,user1,pass1

    1.2.3.5,user2,pass2

    1.2.3.6,user3,pass3

    Important: You must not have any empty lines after the credentials.

  3. Create the file /etc/ossim/agent/plugins/cisco-ips.cfg.local.

  4. In the cisco-ips.cfg.local file add the following lines. The # means to comment out those three lines.

    [config]

     

    #source_ip=

    #user=

    #password=

     

    credentials_file=/etc/ossim/agent/cisco_sdee.csv

  5. Save the file.

You can now enable the SDEE plugin. See Enable Plugins on Assets.

Occasionally you may download or receive new signatures for your Cisco IPS devices. If you want to use those signatures in USM Appliance, you will need to update the USM Appliance database manually. You will need command line access to USM Appliance to complete this task.

To populate the USM Appliance database with new signatures

  1. Go to /usr/share/ossim/scripts/ and execute the following script to generate the plugin sid information.

    python createCiscoIPSSidmap.py <signature_file>.xml > sdee.sql

    where <signature_file>.xml is the file you downloaded or received from Cisco.

    This script generates the sql needed to update the USM Appliance database.

    DELETE FROM plugin WHERE id = "1597";

    DELETE FROM plugin_sid where plugin_id = "1597";

    INSERT INTO plugin (id, type, name, description) VALUES (1597, 1, 'Cisco-IPS',

    'Cisco Intrusion Prevention System');

    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority,

    reliability) VALUES (1597, 5986, NULL, NULL, 'Cisco-IPS: Microsoft GDI GIF Parsing

    Vulnerability', 3, 4);

    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority,

    reliability) VALUES (1597, 5984, NULL, NULL, 'Cisco-IPS: IE COM Object Code

    Execution', 3, 4);

    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority,

    reliability) VALUES (1597, 5985, NULL, NULL, 'Cisco-IPS: Quicktime RTSP Content-

    Type Excessive Length', 3, 4);

    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority,

    reliability) VALUES (1597, 19159, NULL, NULL, 'Cisco-IPS: Green Dam Youth Escort

    Software Update Check', 1, 4);

    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority,

    reliability) VALUES (1597, 19401, NULL, NULL, 'Cisco-IPS: Microsoft Publisher File

    Parsing Vulnerability', 3, 4);

  2. Update the USM Appliance database with the sql output.

    ossim-db < sdee.sql

  3. Generate the cross-correlation information.

    python ciscoIPSOsMap.py <signature_file>.xml > sdee-os.sql

    This script generates the following sql to update the USM Appliance database with cross-correlation information.

    replace into plugin_reference values (1597, 1109, 3001, 3);

    replace into plugin_reference values (1597, 1109, 3001, 3);

    replace into plugin_reference values (1597, 1109, 3001, 3);

    replace into plugin_reference values (1597, 1109, 3001, 3);

    replace into plugin_reference values (1597, 2156, 3001, 1);

    replace into plugin_reference values (1597, 2157, 3001, 3);

    replace into plugin_reference values (1597, 2157, 3001, 3);

    replace into plugin_reference values (1597, 2157, 3001, 3);

    ...

  4. Update the USM Appliance database with the sql output.

    ossim-db < sdee-os.sql

  5. Clear the cache by restarting USM Appliance.