This presentation was published 10 years ago by user Ирина Торлопова
1 © 2001, Cisco Systems, Inc. CSIDS Chapter 6 Alarm Management
2. Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
- Respond to and manage the alarms displayed on the Event Viewer in CSPM.
- Customize the Event Viewer display options and preferences.
- Determine the Sensors' communication status, service versions, service status, and statistics.
3. Managing Alarms
4. Opening the Event Viewer
Choose Tools>View Sensor Events>Database
5. Alarm Fields
Destination Address, Details, Source Port, Destination Port, Source Address, Name, Count
6. Alarm Fields (cont.)
Local Date, Severity, SubSig ID, Signature ID, Destination Location, Source Location, Org Name, Sensor Name, Application Name, Local Time, Level
7. Resolving Hostnames
Right-click and choose Resolve Hostnames
8. Viewing the Context Buffer
Right-click and choose Context Buffer
9. Opening the NSDB
Right-click and choose Network Security Database
10. Exploit Signature Information
11. Related Vulnerability Information
12. User Notes
13. Suspending and Resuming Alarm Display
Choose Suspend New Events or Resume New Events
14. Deleting Alarms
Right-click and choose Delete Rows>From This Grid, Delete Rows>From All Grids, or Delete Rows>From Database
15. Customizing the Event Viewer
16. Expanding the Row One Column to the Right
Click the Expand This Branch One Column to the Right button
17. Expanding the Row All the Way to the Right
Click the Expand This Branch All the Way to the Right button
18. Collapsing the Row One Column to the Left
Click the Collapse This Branch One Column to the Left button
19. Collapsing the Row to the Currently Selected Column
Click the Collapse This Branch to the Currently Selected Column button
20. Changing the Alarm Expansion Boundary
Right-click and choose Set Event Expansion Boundary
21. Moving Columns
Click and drag the header of the column to be moved
22. Deleting Columns from the Event Viewer
Choose Delete Column
23. Selecting Columns to Be Displayed
Choose Edit>Insert/Modify Column(s)
- Select or deselect
- Choose or Click OK
- Click Up or Down
- Click Recommended
24. Preference Settings
25. Changing the Preference Settings
Choose Edit>Preferences
26. Actions
- Command Timeout: How long CSPM waits for a response from a Sensor
- Time to Block: How long a Sensor blocks a host when a manual block is issued
- Subnet Mask: The subnet mask used when manually blocking a network
27. Cells
- Blank Left: Cells to the left of the default boundary with similar values will be blanked.
- Blank Right: Cells to the right of the default boundary with similar values will be collapsed.
28. Cells (cont.)
- Blank left selected
- Blank right deselected
- Blank left deselected
- Blank right selected
29. Status Events
- Show Status Events in Grid: Status events are reported as an event in the Event Viewer grid
- Display Popup Window: Popup window with the status event description is displayed
30. Status Events (cont.)
- Show the status of events in the grid selected
- Display the popup window selected
31. Event Severity Indicator
Events can be represented by either an icon or a color.
32. Event Severity Indicator (cont.)
- Color selected
- Icon selected
33. Boundaries
- Default Expansion Boundary: Default number of expanded columns
- Maximum Events Per Grid: How many alarms can be displayed in a single Event Viewer
- Event Batching Timeout: How often the Event Viewer is updated during an alarm flood
34. Severity Mapping
- Low
  – Fixed to 1
  – Default range is 1–2
- Medium
  – Must be greater than or equal to Low
  – Default setting is 3
  – Default range is 3–4
- High
  – Must be greater than or equal to Medium
  – Default setting is 5
35. Sensor Status Reporting
36. Connection Status Pane
Choose View>Connection Status Pane
37. Connection Status
Right-click and choose Connection Status
38. Service Status
Right-click and choose Service Status
39. Service Versions
Right-click and choose Service Versions
40. Statistics
Choose View>Statistics
41. Reset Statistics
Choose Actions>Reset Statistics
42. Summary
43. Summary
- Use the Event Viewer in CSPM to respond to and manage the alarms.
- The Event Viewer provides many display options and preferences to customize how alarms are displayed.
- The Sensor status reporting functions are used to view the status of communications between Sensors and CSPM.
44. Lab: Managing Alarms