IPS 6.0 Security Monitor

Will the 6.0 sensors work with SecMon? And please don't tell me I will be forced to use CS MARS. So will there be an update to SecMon to allow it to work with 6.0?

I will outline several critical needs for any device that will serve as a centralized log analysis vehicle for the IPS/IDSs.
SecMon
1) Real-Time event Alerting - Yes
2) Drill down option - Yes
3) Instant View to Host, Dest, Content - Yes
4) Ability to Handle Custom Sig - Yes
5) Ability to Handle New Sig Release - Yes
CS-MARS
1) Real-Time event Alerting - Nope *Time Interval Incident reporting*
2) Drill down option - Some, but you have to constantly run queries to focus in on your investigation.
3) Instant View to Host, Dest, Content - Nope
4) Ability to Handle Custom Sig - Never!!! You can make rules to alert on the events, but you cannot add new Security Events to MARS. Yeah, that was smart.
5) Ability to Handle New Sig Release - Unless you're happy with seeing the majority of the events on the MARS box as ***Unknown Security Event***, then by all means go spend the money on MARS. PS, they never mention this when they sell it to you. Oh yeah, and netflow: ask them to actually display netflow logs :-) unless this has been fixed already.
As for Netforensics, I'm not interested in spending even more on a box that does pretty much what Event Viewer does, but for more than 5 appliances at once!
Look, I want to use SecMon; I just wish that Cisco extended a hand to the people who use their product for input. I would love to participate in a way that we, the end users, can have a product that does what we need the most. Now, sadly, SecMon, which is part of the horrid VMS setup, is going away. Seriously, I hope Cisco reconsiders their decision about SecMon; if anything, include SecMon functionality in MARS!
So in conclusion, please Cisco, please do not let SecMon disappear.
I hope that fellow users speak up too. Keep SecMon or some form of it!!!

Similar Messages

  • How to display events of only one IPS in Security Monitor?

    Hello,
    I searched the forum with no result. I have CW 2.2 with IDSMC 2.1. I have two IPS and 2 IDSM-2 (4.x is in production / 5.x is in test) which all have their four interfaces sniffing in different network segments. Now I am flooded by the thousands of messages from the internet with no possibility to concentrate my view on the events generated on only one specific interface of a single IPS.
    To temporarily focus on only one interface of a single IPS, how can I filter the events in Security Monitor to only display the events of this device and a single interface?
    This would be extremely helpful to simulate attacks in a test environment with shunning/blocking. I have rare possibilities to set up a second CW IDSMC on another machine. And after all, I would appreciate being able to focus (filter) in that way for later examining my network to tune signatures and events.
    Furthermore, on IEV 4.1 I was able to get a real-time dashboard showing 'real time' events. I did not see this functionality for IPS 5.x and IDSMC. How can I view real-time data there to see my network's reaction to simulated attacks?
    Any ideas how to display only the wanted data in Security Monitor?
    Thanks in advance, Gerhard

    As far as I know, you cannot display the events of only one IPS in Sec Mon.

  • In vms 2.3 with security monitor 2.2 all signature is showing as false

    Hi,
    We have a Cisco IPS 4255 with IPS version 5.1.1 and the latest signature. The IPS is connected in promiscuous mode and we are seeing all the signatures as false in Security Monitor 2.2. Please help me to overcome this problem.
    Regards,
    Ram

    Where are you seeing this? What does it mean by saying that a signature is "false"? Are you referring to false positives that the signatures fire?

  • 7600 w/ G3 use for security monitor

    I have a 7600 with A/V In/Outs, Sonnet G3 card, spare SCSI card and lg HD. I would like to use this system as, or find out how I can convert this to, a security monitor. Thank you in advance

    smart friendly,
    This is an easy one. Take a digital camera with a yellow AV out plug, plug it into the video in port, open up Apple Video Player and click on the camera. Turn the digital camera on and the viewfinder becomes a low-res video camera. The camera is the lens and the hard drive becomes your tape. Fun to play with. Try it.
    As for long term taping as a security monitor? A standard vcr still works best. Just found surveillance cameras for $25 at my favorite electric surplus supply shop. Find someone who is upgrading their system and pick up the outdated stuff cheap.
    Jim

  • Security Monitor Events display incorrect time

    I have a time issue between a 4240 sensor (5.0) and Security Monitor (2.1). The events in the sensor are correct but 7 hours off in Security Monitor, even though the VMS server understands the correct time (knows there are events in the last hour) but will not display them. After doing some research, it looks as though we needed to load CSCOids2.1.0-sol_SecMon_2_1_Service_Pack_1-6.tar, right? Well I did, ran the perl script, everything was successful. CiscoWorks shows the patch as being applied. Reloaded VMS and the sensor, and still I have what seems like a UTC problem (UTC offset always =0 yet time zone=arizona). Any suggestions?
    Thanks!

    Is the correct offset configured on the sensor?
    Execute "show conf" and verify the value for the timezone offset. Remember that this is in minutes and not hours. If the timezone difference is 7 hours then the value on the sensor should be 7hours*60minutes=420minutes.
    Also use "show events" on the sensor to look at a few alerts on the sensor itself. It will report both the UTC/GMT time and the Local time. Verify that the offset between the 2 is correct on the sensor. (be sure to account for summertime/daylight savings time)
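The reply above suggests comparing the UTC and local timestamps the sensor prints with the offset configured in minutes, allowing for daylight saving time. The following script is an added example, not code from the thread or from Cisco: it parses "time:" lines in the format the sensor prints elsewhere on this page (UTC timestamp, local timestamp, zone label) and flags events whose local/UTC gap does not match the configured offset. The sample lines are constructed, and the signed-minutes convention for the configured offset (negative west of UTC) is an assumption.

```python
"""Check sensor event timestamps against the configured timezone offset.

Added example (not from the thread). Reads "time:" lines as printed by the
sensor, e.g. "time: 2009/01/29 15:22:03 2009/01/29 10:22:03 GMT-05:00",
and compares the local-minus-UTC gap with the offset configured in minutes.
"""
import re
from datetime import datetime

# Constructed sample output in the sensor's event format. The second line
# reproduces the symptom from the thread: local time equals UTC although the
# zone label says -07:00 (i.e. the sensor's offset is effectively 0).
SAMPLE_EVENTS = [
    "time: 2009/01/29 15:22:03 2009/01/29 10:22:03 GMT-05:00",
    "time: 2009/01/29 15:22:03 2009/01/29 15:22:03 GMT-07:00",
    "appName: mainApp",  # not a time line, ignored by the parser
]

# UTC timestamp, local timestamp, then the zone label GMT+HH:MM / GMT-HH:MM.
TIME_LINE = re.compile(
    r"time:\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+GMT([+-]\d{2}):(\d{2})"
)
FMT = "%Y/%m/%d %H:%M:%S"


def parse_time_line(line):
    """Return (utc, local, labelled_offset_minutes) or None if not a time line."""
    m = TIME_LINE.search(line)
    if not m:
        return None
    utc = datetime.strptime(m.group(1), FMT)
    local = datetime.strptime(m.group(2), FMT)
    sign = -1 if m.group(3).startswith("-") else 1
    labelled = sign * (abs(int(m.group(3))) * 60 + int(m.group(4)))
    return utc, local, labelled


def offset_minutes(utc, local):
    """Signed gap local - UTC in whole minutes, as observed in the event."""
    return round((local - utc).total_seconds() / 60)


def check_events(lines, configured_offset, dst_active=False):
    """Compare each event's local/UTC gap with the sensor's configured offset.

    configured_offset is the signed timezone offset in minutes (assumed
    convention: the thread's 7 hours = 420 minutes, negative west of UTC).
    When daylight saving time is in effect the local clock is one hour
    ahead of standard time, so the expected gap is shifted by +60 minutes.
    Returns a list of (line, observed_gap, expected_gap) for every event
    whose observed gap or zone label disagrees with the expected gap.
    """
    expected = configured_offset + (60 if dst_active else 0)
    mismatches = []
    for line in lines:
        parsed = parse_time_line(line)
        if parsed is None:
            continue
        utc, local, labelled = parsed
        observed = offset_minutes(utc, local)
        if observed != expected or labelled != expected:
            mismatches.append((line, observed, expected))
    return mismatches


if __name__ == "__main__":
    # Arizona (UTC-7, no DST) is the configuration from the thread.
    for line, observed, expected in check_events(SAMPLE_EVENTS, -420):
        print(f"offset mismatch: observed {observed} min, expected {expected} min: {line}")
```

Feed it the output of "show events" captured from the sensor; every line returned is an event whose local timestamp does not sit the configured number of minutes away from UTC, which is exactly the "UTC offset always =0" condition the original poster describes.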

  • ArchSentrix - remote security monitoring solution

    What ArchSentrix is.
    A free software-based platform for remote security monitoring enabling the integration of video surveillance with networking and telephone technology.
    Built on Arch Linux, a lightweight and flexible i686-optimized Linux distribution.
    Video monitoring, recording, motion detection and remote access is handled by ZoneMinder, an integrated set of applications built on LAMP.
    Telephone capabilities are provided by Asterisk, allowing use of both voip and analog (POTS) technology.
    A livecd / liveusb installer solution that can be customized endlessly to suit the needs of users or their clients.
    Post-installation configuration, maintenance, and user access can preferably be done remotely using a web browser interface. However, a lightweight graphical desktop user environment is provided, making the system self-contained if needed.
    http://www.ctu-web.com/archsentrix/
    http://www.ctu-web.com/archsentrix/iso/ … .1.iso.md5
    http://www.ctu-web.com/archsentrix/iso/ … ix-0.1.iso

    Does ZoneMinder work with IP cameras?
    Yes indeed. Axis cameras are very well supported, including PTZ features.

  • Informational events in security monitor

    I am looking for the configuration method so that the VMS Security Monitor will display informational events in addition to low, med., and high events.
    The documentation I have found explains what the informational event is, but I cannot find out how to enable it in Security Monitor.
    thanks!

    It should display all events unless you have an event viewer filter. An event viewer filter can be configured for example to only show high severity events.
    http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/ug/ch04.htm#wp322119

  • CiscoWorks VMS Security Monitor completed reports fail to email

    Windows Server 2000
    VMS 2.2
    SecMon 2.2
    We periodically have an issue with CiscoWorks VMS Security Monitor Reporting where VMS will stop emailing completed reports. In the past when we reboot the server the email which has been queued up somewhere all gets delivered and the email delivery will work for a few months until it stops again. We rebooted the server this time and the completed reports emails are still not being delivered.
    When I test email functionality from the Windows command prompt with blat I can send email from the system through the mail server to my email address. All of the CiscoWorks processes are running without errors.
    Where else can I look to troubleshoot this issue?
    Thanks in advance

    There might be a problem contacting the mail server configured in SecMon.
    See this URL for Configuring the E-mail Notifications with Scripts for IDS Alerts Using CiscoWorks Monitoring Center for Security:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00801fc770.shtml#maintask1

  • Security monitoring tool for Cisco ASA

    Please suggest a cheap and best security monitoring tool for Cisco ASA devices.

    You can use ossec, open source tool installed on linux:
    http://www.ossec.net/

  • VMS Security Monitor Event Rules - Email Script Question

    Reference: "Configure E-mail Notifications with Scripts for IDS Alerts Using CiscoWorks Monitoring Center for Security"
    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_example09186a00801fc770.shtml#fivesensor
    Good day all -
    I have created the Email Notification process as described in the linked article. The script runs as expected when a High severity alert is triggered but does not fill in the variables within the email body. I have double-checked that I have the right version of the script for the sensors that we are using. Has anyone else been working with this (or some other) scripting solution and maybe has some suggestions on what to try next?

    Try the configuration available at the URL http://cisco.com/en/US/docs/security/security_management/vms/security_monitor/2.2/user/guide/ch05.html.

  • Can I have both IPS and Content security on ASA5510?

    Hi expert
    We want to have an ASA5510 with both the IPS function and the Content Security feature. When I checked on the Cisco website, it looks like the ASA5510 or 5520 only have one SSM slot, so I can only use either the AIP module or the CSC module. Does it mean I cannot get both features at the same time?
    Right now I want to have the IPS function and anti-spam, anti-virus, anti-phishing, content filtering, URL blocking and such features, so what do I need to buy to have all of these functions in one device?
    Thanks

    Dear Echo Chan,
    You can go with the CSC module for your requirement; most of your requirements could be satisfied by the CSC module except IPS functionality.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_qas0900aecd8040397e_ps9774_Products_Q_and_A_Item.html
    The Cisco ASA 5500 Series CSC-SSM is an add-on services module for Cisco ASA 5500 Series appliances. It delivers industry-leading threat protection and content control at the Internet edge, providing comprehensive antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking and filtering, and content filtering services.
    HTH
    Thks
    Santhosh Sarav

  • Use syslog to send alert from Security Monitor to VMS Server

    Hi all,
    I use Catalyst 6513 + IDSM-2, and I also use CiscoWorks VMS 2.3 to manage IDSM-2. Now, I want to configure it so that whenever IDSM-2 sees an attack, it sends SNMP or something like that by syslog to the VMS server.
    If you see unclearly, you can ask me.
    Duy Khang

    Commands required to configure the IDSM module in catalyst 6000 series switches will be given by the following configuration guide.
    http://www.cisco.com/en/US/products/hw/modules/ps2706/prod_configuration_guide09186a00800b474c.html#wp300330

  • IPS Auto Update Error

    I am having an issue with the IPS. I have configured it for auto update and I am trying to download a new signature package. It seems to be working. However, once it comes across the package to download, it gives me this error:
    evError: eventId=1232049941352795438 severity=error vendor=Cisco
    originator:
    hostId: xxxxips11
    appName: mainApp
    appInstanceId: 347
    time: 2009/01/29 15:22:03 2009/01/29 10:22:03 GMT-05:00
    errorMessage: name=errSystemError autoUpdate successfully selected a package () from the cisco.com locator service, however, package download failed: This package file does not have the required .pkg extension
    I know that it is trying to download the correct package because I get this message prior:
    evStatus: eventId=1232049941352795436 vendor=Cisco
    originator:
    hostId: xxxxips11
    appName: mainApp
    appInstanceId: 342
    time: 2009/01/29 15:22:03 2009/01/29 10:22:03 GMT-05:00
    autoUpgradeServerCheck:
    uri: xxxxxx@//
    packageFileName: IPS-sig-S378-req-E3.pkg
    result: status=true
    Does anyone know what this could possibly be?

    Upgrade IPS MC and Security Monitor to 2.2.

  • Adding a 5.1(1)s221 sensor to vms 2.3

    What is the correct way to bring the vms server back in sync with the sensor signature version?
    E.g. if the sensor is already at version 5.1(1)S221.0 because upgrades to the sensor were applied via the CLI and you would now like to add the sensor to a group on the vms server, but you don’t yet have the option to select the version 5.1(1)s221 for the sensor that you are about to import.
    Do you just apply the s221.zip file to the management station?
    When do you have the option to select 5.1.5s221 on the VMS station?

    You must have VMS 2.3 installed to install IPS MC and Security Monitor 2.2.
    IPS MC and Security Monitor are components of the VPN/Security Management Solution (VMS). CiscoWorks Common Services 2.2, another component of VMS, is required for IPS MC and Security Monitor to work. CiscoWorks Common Services 2.2 provides the CiscoWorks Server base components and software developed to support IPS MC and Security Monitor, including the necessary software libraries and packages
    http://www.cisco.com/en/US/products/sw/cscowork/ps3990/prod_release_note09186a00805b1c33.html

  • IPS Sensor - Event Notification via Email?

    Good day all.
    I have been asked to re-create some functionality that was lost after the customer upgraded from VMS to CSM but without CS-MARS or any other event monitor. The user had the system set to generate an email when an event was fired. It apparently was noisy in the beginning but after tuning was not a bad solution. No one knows how it was originally set up but I can only assume it was the method described in the Cisco document at: http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_example09186a00801fc770.shtml#fivesensor
    Now, however, since the CSM does not receive event data, is it possible to recreate this 'notification' process?
    They are using CSM 3.02 and the Sensors are still at 5.14. The Sensors will be updated to 5.17 later today. I will then either be upgrading the customer to the latest revisions and service packs for CSM or rolling them back to VMS depending on whether I can get the notifications to work with CSM.
    NOTE: They are ordering a CS-MARS appliance with the belief that it will resolve the issue but as last word it will be several months at least before they could get it in. I am concerned that CS-MARS will NOT give them back this functionality. Can anyone confirm/deny?
    Lastly - Since CSM does not include a Security Monitor like VMS did, and CS-MARS does not really recreate that sort of view or management of the events - what solution(s) are there to replicate the Security Monitor functionality? Is there? Is CS-MARS the new bully on the block?

    Since the customer is staying at a 5.1(x) version, you have 3 options:
    1) downgrade to VMS and continue using Security Monitor
    2) Stay with CSM and purchase CS-MARS for the event monitoring. CS-MARS should provide email notification capability.
    3) Stay with CSM and install and use IEV 5.2(1).
    IEV 5.2(1) can either be installed on a separate machine from CSM as a standalone utility:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev
    IEV 5.2(1) contains the new feature for email notification for alerts.
    OR IEV 5.2(1) can be installed as part of the CSM installation (I know it is in CSM 3.1, but not sure about earlier CSM versions).
    Here is some documentation on running IEV 5.2(1) within the CSM framework:
    http://www.cisco.com/en/US/partner/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/monidiag.html#wp1203768
    NOTE: IEV 5.2(1) is targeted for use in networks with 5 or fewer sensors. When running with 5 or more sensors then CS-MARS would be the recommended viewer.
    When the user later upgrades to version 6.x, then option 1 (downgrading to VMS) is no longer an option and either option 2 or 3 would be required.
