Cisco Systems IPS Sensor 5.0 uses the Security Device Event Exchange (SDEE) protocol to specify the format of the messages used to collect events generated by certain Cisco security devices. AlienVault supports this type of log collection, and USM Appliance captures events from the following devices:
- Cisco Network Prevention Systems (IPS)
- Cisco Network Detection Systems (IDS)
- Cisco Switch IDS
- Cisco IOS routers with the Inline Intrusion Prevention System (IPS) functions
- Cisco IDS modules for routers
- Cisco PIX Firewalls
- Cisco Catalyst 6500 Series firewall service modules (FWSMs)
- Management Center for Cisco Security Agents
- CiscoWorks Monitoring Center for Security

# Plugin cisco-ips id:1597 version: 0.0.2
# Last modification: 2015-05-13 16:11
#
# Plugin Selection Info:
# Cisco:IPS Intrusion Prevention System:-
#
# END-HEADER
# Accepted products:
# cisco - intrusion_prevention_system 6.0
# cisco - intrusion_prevention_system 6.0.2.0
# cisco - intrusion_prevention_system 7.0
# cisco - intrusion_prevention_system 7.0%281%29e3
# cisco - intrusion_prevention_system 7.0%282%29e3
# cisco - intrusion_prevention_system 7.0%282%29e4
# cisco - intrusion_prevention_system 7.0%283%29e4
# cisco - intrusion_prevention_system 7.0%284%29e4
# cisco - intrusion_prevention_system 7.0%285a%29e4
# cisco - intrusion_prevention_system 7.0%286%29e4
# cisco - intrusion_prevention_system 7.0%287%29e4
# cisco - intrusion_prevention_system 7.0%288%29e4
# cisco - intrusion_prevention_system 7.0%289%29e4
# cisco - intrusion_prevention_system 7.1
# Description:
# http://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html
#
#
[DEFAULT]
plugin_id=1597
[config]
type=detector
enable=yes
source=sdee
source_ip=
user=
password=
sleep=5
process=
start=no
stop=no
Working with the SDEE Devices
Each time a new session begins with an SDEE device, USM Appliance provides a subscription ID. (The latest subscription ID can be found in /etc/ossim/agent/sdee_sid.data.)
To see messages related to the subscription
- Connect to the AlienVault Console through SSH and use your credentials to log in. The AlienVault Setup menu displays.
- On the AlienVault Setup main menu, select Jailbreak System to gain command line access. Select Yes when prompted. You will be in the root directory.
- Enter
grep subs /var/log/ossim/agent.log
Normally, when the session finishes, the AlienVault Agent service closes the session automatically. If it does not, you should close it manually.
To close the last session
- Enter
python /usr/share/ossim/scripts/closeSDEEsession.py <SubscriptionID>
If you still have problems, look for the SDEE-related messages in the agent log.
To find SDEE messages in the agent log
- Enter
grep SDEE /var/log/ossim/agent.log
Additional Configuration Required Before You Enable an SDEE Plugin
Before you enable the plugin, you must configure USM Appliance to accept events from the SDEE-capable devices among your USM Appliance assets.

This procedure describes how to configure the AlienVault Agent service to accept events from an SDEE-capable device. You will need command line access to USM Appliance to complete this task.
To configure USM Appliance to collect events from an SDEE device
- Create the file /etc/ossim/agent/plugins/cisco-ips.cfg.local.
- In the cisco-ips.cfg.local file, add the following lines.
[config]
source_ip=<source_IP>
user=<your_user>
password=<your_password>
Where
- source_ip is the IP address of the SDEE device.
- user is a user account on the SDEE device.
- password is the password for that user account on the SDEE device.
- Save the file.

This procedure describes how to configure the AlienVault Agent service to accept events from multiple SDEE-capable devices. You will need command line access to USM Appliance to complete this task.
To configure USM Appliance to collect events from multiple SDEE devices
- Create the file /etc/ossim/agent/cisco_sdee.csv.
- In the .csv file, specify the IP address of each SDEE device and its login credentials, one device per line, for example:
1.2.3.4,user1,pass1
1.2.3.5,user2,pass2
1.2.3.6,user3,pass3
Important: You must not have any empty lines after the credentials.
- Create the file /etc/ossim/agent/plugins/cisco-ips.cfg.local.
- In the cisco-ips.cfg.local file, add the following lines. The # comments out the three single-device settings.
[config]
#source_ip=
#user=
#password=
credentials_file=/etc/ossim/agent/cisco_sdee.csv
- Save the file.
You can now enable the SDEE plugin. See Enable Plugins on Assets.
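Because a malformed credentials file (an empty trailing line, a missing field, a mistyped address) silently breaks collection from every device listed after the error, it is worth validating cisco_sdee.csv before enabling the plugin. The following script is an added example and not AlienVault's own parser; it assumes the ip,user,password layout shown above, treats any empty line other than the file's final newline as an error, and rejects passwords containing commas, since the format gives no way to quote them.

```python
"""Validate a cisco_sdee.csv credentials file (added example, not AlienVault code).

The page specifies one device per line as ``ip,user,password`` with no empty
lines after the credentials. The remaining checks (exactly three fields, a
syntactically valid IP, no duplicate devices) are this example's own
assumptions about a well-formed file.
"""
import ipaddress
import sys

# Constructed sample matching the rows shown on the page.
SAMPLE_CSV = "1.2.3.4,user1,pass1\n1.2.3.5,user2,pass2\n1.2.3.6,user3,pass3\n"


def parse_sdee_credentials(text):
    """Return a list of (ip, user, password) tuples or raise ValueError.

    A single newline terminating the last row is accepted; any other empty
    line is rejected, as is a row with the wrong number of fields, an
    invalid IP address, an empty user or password, or a device listed twice.
    """
    lines = text.split("\n")
    if lines and lines[-1] == "":        # file ends with a newline: fine
        lines.pop()
    devices = []
    seen = set()
    for lineno, line in enumerate(lines, start=1):
        if line.strip() == "":
            raise ValueError("line %d: empty line is not allowed" % lineno)
        fields = line.split(",")
        if len(fields) != 3:
            raise ValueError("line %d: expected ip,user,password" % lineno)
        ip, user, password = (f.strip() for f in fields)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            raise ValueError("line %d: %r is not a valid IP address"
                             % (lineno, ip)) from None
        if not user or not password:
            raise ValueError("line %d: user and password must not be empty"
                             % lineno)
        if ip in seen:
            raise ValueError("line %d: device %s listed more than once"
                             % (lineno, ip))
        seen.add(ip)
        devices.append((ip, user, password))
    if not devices:
        raise ValueError("no credentials found")
    return devices


def credentials_problem(text):
    """Return None if ``text`` is a valid credentials file, else the error message."""
    try:
        parse_sdee_credentials(text)
    except ValueError as exc:
        return str(exc)
    return None


def check_credentials_file(path):
    """Read ``path`` and return the parsed device list; raise ValueError on any problem."""
    with open(path, "r", encoding="utf-8") as fh:
        return parse_sdee_credentials(fh.read())


if __name__ == "__main__":
    # Usage: python check_sdee_csv.py /etc/ossim/agent/cisco_sdee.csv
    source = check_credentials_file(sys.argv[1]) if len(sys.argv) > 1 \
        else parse_sdee_credentials(SAMPLE_CSV)
    for ip, user, _ in source:          # never echo the password
        print("ok: %s as %s" % (ip, user))
```

Run it against the real file as root after creating it; the script prints only the address and user name for each device so that passwords do not end up in a shell history or terminal log.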

Occasionally you may download or receive new signatures for your Cisco IPS devices. If you want to use those signatures in USM Appliance, you will need to update the USM Appliance database manually. You will need command line access to USM Appliance to complete this task.
To populate the USM Appliance database with new signatures
- Go to /usr/share/ossim/scripts/ and execute the following script to generate the plugin sid information.
python createCiscoIPSSidmap.py <signature_file>.xml > sdee.sql
where <signature_file>.xml is the file you downloaded or received from Cisco.
This script generates the SQL needed to update the USM Appliance database, for example:
DELETE FROM plugin WHERE id = "1597";
DELETE FROM plugin_sid where plugin_id = "1597";
INSERT INTO plugin (id, type, name, description) VALUES (1597, 1, 'Cisco-IPS', 'Cisco Intrusion Prevention System');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5986, NULL, NULL, 'Cisco-IPS: Microsoft GDI GIF Parsing Vulnerability', 3, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5984, NULL, NULL, 'Cisco-IPS: IE COM Object Code Execution', 3, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5985, NULL, NULL, 'Cisco-IPS: Quicktime RTSP Content-Type Excessive Length', 3, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19159, NULL, NULL, 'Cisco-IPS: Green Dam Youth Escort Software Update Check', 1, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19401, NULL, NULL, 'Cisco-IPS: Microsoft Publisher File Parsing Vulnerability', 3, 4);
- Update the USM Appliance database with the SQL output.
ossim-db < sdee.sql
- Generate the cross-correlation information.
python ciscoIPSOsMap.py <signature_file>.xml > sdee-os.sql
This script generates SQL like the following to update the USM Appliance database with cross-correlation information.
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 2156, 3001, 1);
replace into plugin_reference values (1597, 2157, 3001, 3);
replace into plugin_reference values (1597, 2157, 3001, 3);
replace into plugin_reference values (1597, 2157, 3001, 3);
...
- Update the USM Appliance database with the SQL output.
ossim-db < sdee-os.sql
- Clear the cache by restarting USM Appliance.
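The signature-to-sid step above turns signature names from a vendor-supplied XML file into SQL literals, so whatever generates that SQL has to escape the names rather than paste them in raw: a name containing a single quote would otherwise break the statement, or change it. The script below is an added example showing the shape of that generation; it is not AlienVault's createCiscoIPSSidmap.py. It assumes a simplified signature XML (<signature id=".." name=".." severity=".."/>) and a severity-to-priority mapping that are this example's own conventions, since the page shows neither the Cisco schema nor the real script's mapping. The plugin id 1597, the fixed reliability 4, and the two real sid/name pairs in the sample come from the page's own output; the third signature is constructed to exercise the quote escaping.

```python
"""Generate plugin_sid SQL from a Cisco IPS signature file (added example).

Not AlienVault's createCiscoIPSSidmap.py. The XML layout and the
SEVERITY_PRIORITY mapping are assumptions of this example.
"""
import sys
import xml.etree.ElementTree as ET

PLUGIN_ID = 1597        # Cisco-IPS plugin id (from the page)
RELIABILITY = 4         # every generated row on the page uses reliability 4

# Assumed mapping from signature severity to USM priority (not from the page).
SEVERITY_PRIORITY = {"informational": 1, "low": 2, "medium": 3, "high": 4}

# Constructed sample in the assumed XML shape. The first two ids and names
# are taken from the page's SQL; the third is invented to test escaping.
SAMPLE_XML = """<signatures>
  <signature id="5986" name="Microsoft GDI GIF Parsing Vulnerability" severity="medium"/>
  <signature id="19159" name="Green Dam Youth Escort Software Update Check" severity="informational"/>
  <signature id="4242" name="Constructed Sig with O'Quote" severity="high"/>
</signatures>"""


def sql_quote(value):
    """Return ``value`` as a single-quoted SQL literal with embedded quotes doubled."""
    return "'" + value.replace("'", "''") + "'"


def parse_signatures(xml_text):
    """Return a list of (sid, name, priority) tuples from the assumed XML shape.

    ``id`` must be an integer; a missing or unknown severity maps to priority 3.
    """
    root = ET.fromstring(xml_text)
    sigs = []
    for el in root.iter("signature"):
        sid = int(el.attrib["id"])              # rejects non-numeric ids
        name = " ".join(el.attrib["name"].split())  # collapse stray whitespace
        severity = el.attrib.get("severity", "medium").lower()
        sigs.append((sid, name, SEVERITY_PRIORITY.get(severity, 3)))
    return sigs


def build_sid_sql(sigs):
    """Return the SQL statements, in the order the page shows them, as a list."""
    stmts = [
        'DELETE FROM plugin WHERE id = "%d";' % PLUGIN_ID,
        'DELETE FROM plugin_sid where plugin_id = "%d";' % PLUGIN_ID,
        "INSERT INTO plugin (id, type, name, description) VALUES "
        "(%d, 1, 'Cisco-IPS', 'Cisco Intrusion Prevention System');" % PLUGIN_ID,
    ]
    for sid, name, priority in sigs:
        stmts.append(
            "INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, "
            "name, priority, reliability) VALUES (%d, %d, NULL, NULL, %s, %d, %d);"
            % (PLUGIN_ID, sid, sql_quote("Cisco-IPS: " + name), priority, RELIABILITY)
        )
    return stmts


def generate_sid_sql(xml_text):
    """Convenience wrapper: XML text in, one SQL script (string) out."""
    return "\n".join(build_sid_sql(parse_signatures(xml_text))) + "\n"


if __name__ == "__main__":
    # Usage: python gen_sdee_sql.py <signature_file>.xml > sdee.sql
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_XML
    sys.stdout.write(generate_sid_sql(text))
```

Review the generated sdee.sql before feeding it to ossim-db, exactly as the page's procedure does for the real script's output; the DELETE statements at the top drop every existing Cisco-IPS sid, so a truncated or partially parsed signature file would leave the plugin with fewer signatures than before.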