
RE: Reports from Cisco IDS

From: Mark L. Evans <MEvans(at)CO.SLC.UT.US>
Date: Sun Dec 08 2002 - 23:19:26 EST


I use a combination of KIWI, and Ciscoworks VMS to produce IDS activity reports for the management.

The KIWI software is excellent, and very affordable. I believe it cost $39 per license. I feed SNMP traps, and SYSLOG messages from all of our network equipment (especially ACL violations) to a central KIWI server. KIWI will allow me to filter the syslog/trap messages into 10 separate screen displays. KIWI can also record the filtered events into 10 separate text files. KIWI allows for the usual notification facilities. Excellent product at a great price!

The Ciscoworks VMS plugin is very new. We were actually one of the first customers to use it. It's a HUGE improvement over the older CSPM based product. VMS produces HTML and text based reports that can be sent to your managers as web links. VMS has a very good "live" IDS event viewer built in as well. The last VMS component worth mentioning is the web based IDS management interface. This interface allows you to group your IDS sensors. You can then manage the sensors as a group from one central interface. The common configuration can be pushed out to the sensors in the group. VMS also reports on the HIDS (Entercept) product that Cisco sells.

I don't believe the IDS sensor can write to SYSLOG. The sensor does build a log of IP activity (a little like tcpdump format) but I don't think the data in its raw format will be very useful.

The VMS product is not cheap, but I feel it has been a good tool in our environment. It's not as customizable as SNORT, but it's much easier to get up and running.

Mark

>
> On the network at work, we use a Cisco PIX (which comes with
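As an added illustration of the syslog filtering Mark describes (central collector, ACL violations split out into their own display or file), the following is example code written for this archive, not Kiwi's or Cisco's software. It parses Cisco IOS access-list log messages (the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP format produced by the ACL "log" keyword), routes them into named buckets the way a Kiwi filter rule would, and tallies denied packets per source for a management summary. The sample syslog lines, host names and addresses are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Cisco IOS ACL log message, e.g.
# "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(1234) -> 192.168.1.10(23), 1 packet"
# IPACCESSLOGDP (icmp) carries "(type/code)" instead of ports.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
)

@dataclass
class AclEvent:
    host: str          # relaying device (4th token of a BSD-style syslog line)
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    count: int

def parse_line(line: str) -> Optional[AclEvent]:
    """Return an AclEvent for a syslog line carrying a Cisco ACL log message, else None."""
    m = ACL_RE.search(line)
    if not m:
        return None
    host = line.split()[3]  # "Mon DD HH:MM:SS host ..." -> host
    dport = int(m.group("dport")) if m.group("dport") else None
    return AclEvent(host, m.group("acl"), m.group("action"), m.group("proto"),
                    m.group("src"), m.group("dst"), dport, int(m.group("count")))

def route(lines):
    """Kiwi-style filtering: split lines into buckets plus a denied-packets-per-source tally."""
    buckets = defaultdict(list)
    denied_by_src = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            buckets["other"].append(line)          # everything that is not an ACL event
        elif ev.action == "denied":
            buckets["acl-denied"].append(ev)       # the ACL-violation screen/file
            denied_by_src[ev.src] += ev.count
        else:
            buckets["acl-permitted"].append(ev)
    return buckets, dict(denied_by_src)

# Constructed sample syslog lines (not real devices or traffic).
SAMPLE = [
    "Dec  8 23:10:01 edge-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(1234) -> 192.168.1.10(23), 1 packet",
    "Dec  8 23:10:02 edge-rtr-1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(1235) -> 192.168.1.10(23), 5 packets",
    "Dec  8 23:10:03 edge-rtr-2 %SEC-6-IPACCESSLOGDP: list 102 denied icmp 10.1.1.9 -> 192.168.1.1 (8/0), 3 packets",
    "Dec  8 23:10:04 edge-rtr-1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.2.7(40000) -> 192.168.1.10(80), 1 packet",
    "Dec  8 23:10:05 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]
```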
Received on Mon Dec 9 00:15:58 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:04 EDT
