© 2001, Cisco Systems, Inc. CSIDS Chapter 6 Alarm Management

© 2001, Cisco Systems, Inc. CSIDS Objectives Upon completion of this chapter, you will be able to perform the following tasks: Respond to and manage the alarms displayed on the Event Viewer in CSPM. Customize the Event Viewer display options and preferences. Determine the Sensors communication status, service versions, service status, and statistics.

© 2001, Cisco Systems, Inc. CSIDS Managing Alarms

© 2001, Cisco Systems, Inc. CSIDS Opening the Event Viewer Choose Tools>View Sensor Events >Database

© 2001, Cisco Systems, Inc. CSIDS Alarm Fields Destination Address Details Source Port Destination Port Source Address Name Count

© 2001, Cisco Systems, Inc. CSIDS Alarms Fields (cont.) Local Date Severity SubSig ID Signature ID Destination Location Source Location Org Name Sensor Name Application Name Local Time Level

© 2001, Cisco Systems, Inc. CSIDS Resolving Hostnames Right-click and choose Resolve Hostnames

© 2001, Cisco Systems, Inc. CSIDS Viewing the Context Buffer Right-click and choose Context Buffer

© 2001, Cisco Systems, Inc. CSIDS Opening the NSDB Right-click and choose Network Security Database

© 2001, Cisco Systems, Inc. CSIDS Exploit Signature Information

© 2001, Cisco Systems, Inc. CSIDS Related Vulnerability Information

© 2001, Cisco Systems, Inc. CSIDS User Notes

© 2001, Cisco Systems, Inc. CSIDS Suspending and Resuming Alarm Display Choose Suspend New Events or Resume New Events

© 2001, Cisco Systems, Inc. CSIDS Deleting Alarms Right-click and choose Delete Rows>From This Grid, Delete Rows>From All Grids, or Delete Rows>From Database Right-click and choose Delete Rows>From This Grid, Delete Rows>From All Grids, or Delete Rows>From Database

© 2001, Cisco Systems, Inc. CSIDS Customizing the Event Viewer

© 2001, Cisco Systems, Inc. CSIDS Expanding the Row One Column to the Right Click the Expand This Branch One Column to the Right button

© 2001, Cisco Systems, Inc. CSIDS Expanding the Row All the Way to the Right Click the Expand This Branch all the way to the Right button

© 2001, Cisco Systems, Inc. CSIDS Collapsing the Row One Column to the Left Click the Collapse This Branch One Column to the Left button

© 2001, Cisco Systems, Inc. CSIDS Collapsing the Row to the Currently Selected Column Click the Collapse This Branch to the Currently Selected Column button

© 2001, Cisco Systems, Inc. CSIDS Changing the Alarm Expansion Boundary Right-click and choose Set Event Expansion Boundary

© 2001, Cisco Systems, Inc. CSIDS Moving Columns Click and drag the header of the column to be moved

© 2001, Cisco Systems, Inc. CSIDS Deleting Columns from the Event Viewer Choose Delete Column

© 2001, Cisco Systems, Inc. CSIDS Selecting Columns to Be Displayed Choose Edit>Insert/Modify Column(s) Select or deselect Choose or Click OK Click Up or Down Click Recommended

© 2001, Cisco Systems, Inc. CSIDS Preference Settings

© 2001, Cisco Systems, Inc. CSIDS Changing the Preference Settings Choose Edit>Preferences

© 2001, Cisco Systems, Inc. CSIDS Actions Command Timeout How long CSPM waits for a response from a Sensor Time to Block How long a Sensor blocks a host when a manual block is issued Subnet Mask The subnet mask used when manually blocking a network

© 2001, Cisco Systems, Inc. CSIDS Cells Blank Left Cells to the left of the default boundary with similar values with be blanked. Blank Right Cells to the right of the default boundary with similar values with be collapsed.

© 2001, Cisco Systems, Inc. CSIDS Cells (cont.) Blank left selected Blank left selected Blank right deselected Blank right deselected Blank left deselected Blank left deselected Blank right selected Blank right selected

© 2001, Cisco Systems, Inc. CSIDS Status Events Show Status Events in Grid Status events are reported as an event in the Event Viewer Grid Display Popup Window Popup Window with the status event description is displayed

© 2001, Cisco Systems, Inc. CSIDS Status Events (cont.) Show the status of events in the grid selected Display the popup window Selected Display the popup window Selected

© 2001, Cisco Systems, Inc. CSIDS Event Severity Indicator Event Severity Indicator Events can either be represented by an icon or a color.

© 2001, Cisco Systems, Inc. CSIDS Event Severity Indicator (cont.) Color Selected Color Selected Icon Selected Icon Selected

© 2001, Cisco Systems, Inc. CSIDS Boundaries Default Expansion BoundaryDefault number of expanded columns Maximum Events Per GridHow many alarms can be displayed in a single Event Viewer Event Batching TimeoutHow often the Event Viewer is updated during an alarm flood

© 2001, Cisco Systems, Inc. CSIDS Severity Mapping Low –Fixed to 1 –Default range is 1–2 Medium –Must be greater than or equal to Low –Default setting is 3 –Default range is 3–4 High –Must be greater than or equal to Medium –Default setting is 5

© 2001, Cisco Systems, Inc. CSIDS Sensor Status Reporting

© 2001, Cisco Systems, Inc. CSIDS Connection Status Pane Choose View>Connection Status Pane

© 2001, Cisco Systems, Inc. CSIDS Connection Status Right-click and choose Connection Status

© 2001, Cisco Systems, Inc. CSIDS Service Status Right-click and choose Service Status

© 2001, Cisco Systems, Inc. CSIDS Service Versions Right-click and choose Service Versions

© 2001, Cisco Systems, Inc. CSIDS Statistics Choose View>Statistics

© 2001, Cisco Systems, Inc. CSIDS Reset Statistics Choose Actions>Reset Statistics

© 2001, Cisco Systems, Inc. CSIDS Summary

© 2001, Cisco Systems, Inc. CSIDS Summary Use the Event Viewer in CSPM to respond to and manage the alarms. The Event Viewer provides many display options and preferences to customize how alarms are displayed. The Sensor status reporting functions are used to view the status of communications between Sensors and CSPM.

© 2001, Cisco Systems, Inc. CSIDS Lab Managing Alarms