Cisco Intrusion Prevention Systems (CIDEE)
The Cisco IPS add-on supports collection of alerts from an IPS-enabled device. The Security Device Event Exchange (SDEE) API is used for communication between NXLog and the IPS.
Setup
- Install the add-on.
- Set the correct connection details in the script by editing the line
      sdee("cisco","cisco","192.168.100.254", "http","cgi-bin/sdee-server/","yes");
  in the read_data() subroutine. Set the appropriate username, password, hostname or IP address, protocol, path, and force subscription.
  - For username and password, a suitable user with the appropriate privilege level must be selected.
  - The protocol can be http or https; however, HTTPS requires that the appropriate SSL options are enabled further down in the sdee() subroutine.
  - The default path for the SDEE service can be changed if necessary.
  - We recommend using force subscription, but the default of yes can be changed to no if required.
- Upon start-up, the script will open a connection to the device and request a subscription ID. It will then periodically ask for new alerts. The interval at which the device is queried for new alerts can be set by changing the set_read_timer() NXLog function in the script. Once alerts are available on the device, the script will parse the XML source, format the alert, and pass it to NXLog.
- The script only collects alerts, but it can be modified to collect status and error messages too. The primary subroutine that sorts out the information received is
- The final format of the alert messages is specified in the
NXLog configuration
The im_perl module is used to execute the Perl script, which in turn connects to the device, requests a new subscription, and periodically collects any new alerts.
The configuration below collects IPS alerts from the configured Cisco IPS device. For simplicity, the output is saved to a file in this example.
<Input perl>
    Module      im_perl
    PerlCode    /opt/nxlog/bin/cisco-ips.pl
</Input>

<Output file>
    Module      om_file
    File        '/tmp/output.log'
</Output>

<Route perl_to_file>
    Path        perl => file
</Route>
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Body>
    <sd:events
      xmlns:cid="http://www.cisco.com/cids/2003/08/cidee"
      xmlns:sd="http://example.org/2003/08/sdee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://example.org/2003/08/sdee sdee.xsd http://www.cisco.com/cids/2003/08/cidee cidee.xsd">
      <sd:evIdsAlert eventId="15117815226791" vendor="Cisco" severity="medium">
        <sd:originator>
          <sd:hostId>R1</sd:hostId>
        </sd:originator>
        <sd:time offset="0" timeZone="UTC">1511781522011779176</sd:time>
        <sd:signature description="SYN Flood DOS" id="6009" version="S593">
          <cid:subsigId>0</cid:subsigId>
          <cid:sigDetails>SYN Flood DOS</cid:sigDetails>
        </sd:signature>
        <cid:protocol>tcp</cid:protocol>
        <cid:riskRatingValue>63</cid:riskRatingValue>
        <sd:participants>
          <sd:attacker>
            <sd:addr>192.168.100.1</sd:addr>
            <sd:port>53760</sd:port>
          </sd:attacker>
          <sd:target>
            <sd:addr>192.168.99.10</sd:addr>
            <sd:port>2717</sd:port>
          </sd:target>
          <sd:vrf_name>NONE</sd:vrf_name>
        </sd:participants>
        <sd:actions></sd:actions>
        <cid:interface>Fa0/0</cid:interface>
        <cid:vrf_name>NONE</cid:vrf_name>
      </sd:evIdsAlert>
      <sd:evIdsAlert eventId="15117815236793" vendor="Cisco" severity="informational">
        <sd:originator>
          <sd:hostId>R1</sd:hostId>
        </sd:originator>
        <sd:time offset="0" timeZone="UTC">1511781523475744440</sd:time>
        <sd:signature description="Back Door Probe (TCP 1234)" id="9007" version="S256">
          <cid:subsigId>0</cid:subsigId>
          <cid:sigDetails>SYN to TCP 1234</cid:sigDetails>
        </sd:signature>
        <cid:protocol>tcp</cid:protocol>
        <cid:riskRatingValue>18</cid:riskRatingValue>
        <sd:participants>
          <sd:attacker>
            <sd:addr>192.168.100.1</sd:addr>
            <sd:port>57422</sd:port>
          </sd:attacker>
          <sd:target>
            <sd:addr>192.168.99.10</sd:addr>
            <sd:port>1234</sd:port>
          </sd:target>
          <sd:vrf_name>NONE</sd:vrf_name>
        </sd:participants>
        <sd:actions></sd:actions>
        <cid:interface>Fa0/0</cid:interface>
        <cid:vrf_name>NONE</cid:vrf_name>
      </sd:evIdsAlert>
    </sd:events>
  </env:Body>
</env:Envelope>
2017-11-28 22:29:41 UTC+0; eventid="15119009816528; hostId="R1"; severity="medium"; app_name=""; appInstanceId=""; signature="6009"; subSigid="0"; description="SYN Flood DOS"; attacker="192.168.100.1"; attacker_port="40784""; target="192.168.99.10"; target_port="4003; protocol="tcp"; risk_rating="63"; target_value_rating=""; interface="Fa0/0"; interface_group=""; vlan=""
2017-11-28 22:29:44 UTC+0; eventid="15119009846539; hostId="R1"; severity="informational"; app_name=""; appInstanceId=""; signature="9007"; subSigid="0"; description="SYN to TCP 1234"; attacker="192.168.100.1"; attacker_port="43242""; target="192.168.99.10"; target_port="1234; protocol="tcp"; risk_rating="18"; target_value_rating=""; interface="Fa0/0"; interface_group=""; vlan=""
The two samples are from different but similar alerts.
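The step the script performs between the two samples above, parsing the SDEE/CIDEE XML and rendering each evIdsAlert as one alert line, is shown below as an added Python example. It is not the add-on's Perl script; the SDEE response embedded in it is a constructed copy of the first alert in the input sample, the field order follows the output sample, and the field names and the choice to print the timestamp in UTC are assumptions taken from that sample.

```python
"""Added example (not the add-on's Perl script): parse SDEE/CIDEE evIdsAlert
elements and render them in the semicolon-separated alert line format shown
on this page."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces as declared in the device's SDEE response
NS = {
    "env": "http://www.w3.org/2003/05/soap-envelope",
    "sd": "http://example.org/2003/08/sdee",
    "cid": "http://www.cisco.com/cids/2003/08/cidee",
}

# Constructed sample SDEE response, trimmed to one alert from the page's input sample
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Body>
    <sd:events xmlns:cid="http://www.cisco.com/cids/2003/08/cidee"
               xmlns:sd="http://example.org/2003/08/sdee">
      <sd:evIdsAlert eventId="15117815226791" vendor="Cisco" severity="medium">
        <sd:originator><sd:hostId>R1</sd:hostId></sd:originator>
        <sd:time offset="0" timeZone="UTC">1511781522011779176</sd:time>
        <sd:signature description="SYN Flood DOS" id="6009" version="S593">
          <cid:subsigId>0</cid:subsigId>
          <cid:sigDetails>SYN Flood DOS</cid:sigDetails>
        </sd:signature>
        <cid:protocol>tcp</cid:protocol>
        <cid:riskRatingValue>63</cid:riskRatingValue>
        <sd:participants>
          <sd:attacker><sd:addr>192.168.100.1</sd:addr><sd:port>53760</sd:port></sd:attacker>
          <sd:target><sd:addr>192.168.99.10</sd:addr><sd:port>2717</sd:port></sd:target>
        </sd:participants>
        <cid:interface>Fa0/0</cid:interface>
      </sd:evIdsAlert>
    </sd:events>
  </env:Body>
</env:Envelope>
"""

# Field order of the alert line in the page's output sample; fields the
# sample leaves empty are kept so the layout matches
FIELD_ORDER = [
    "eventid", "hostId", "severity", "app_name", "appInstanceId", "signature",
    "subSigid", "description", "attacker", "attacker_port", "target",
    "target_port", "protocol", "risk_rating", "target_value_rating",
    "interface", "interface_group", "vlan",
]


def _text(elem, path):
    """Text of the first child matching a namespaced path, or '' if absent."""
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def sdee_time_to_str(ns_since_epoch):
    """sd:time carries nanoseconds since the Unix epoch; render it in UTC.
    The device's offset attribute is not applied (assumption: UTC output)."""
    if not ns_since_epoch:
        return ""
    secs = int(ns_since_epoch) // 1_000_000_000
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC+0")


def parse_alerts(xml_data):
    """Return one dict per sd:evIdsAlert in an SDEE response (str or bytes)."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    alerts = []
    for ev in root.iterfind(".//sd:evIdsAlert", NS):
        sig = ev.find("sd:signature", NS)
        alerts.append({
            "time": sdee_time_to_str(_text(ev, "sd:time")),
            "eventid": ev.get("eventId", ""),
            "hostId": _text(ev, "sd:originator/sd:hostId"),
            "severity": ev.get("severity", ""),
            "signature": sig.get("id", "") if sig is not None else "",
            "subSigid": _text(ev, "sd:signature/cid:subsigId"),
            # the output sample takes the description from sigDetails, not the attribute
            "description": _text(ev, "sd:signature/cid:sigDetails"),
            "attacker": _text(ev, "sd:participants/sd:attacker/sd:addr"),
            "attacker_port": _text(ev, "sd:participants/sd:attacker/sd:port"),
            "target": _text(ev, "sd:participants/sd:target/sd:addr"),
            "target_port": _text(ev, "sd:participants/sd:target/sd:port"),
            "protocol": _text(ev, "cid:protocol"),
            "risk_rating": _text(ev, "cid:riskRatingValue"),
            "interface": _text(ev, "cid:interface"),
        })
    return alerts


def format_alert(alert):
    """Render one parsed alert as a 'key="value"; ...' line. Device-supplied
    text is escaped so a quote inside a value cannot break the field
    boundaries of the line."""
    def quote(value):
        return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'
    fields = [f'{key}={quote(alert.get(key, ""))}' for key in FIELD_ORDER]
    return "; ".join([alert["time"]] + fields)


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_XML):
        print(format_alert(alert))
```

Running the block prints the single embedded alert in the same layout as the output sample above. The escaping in format_alert is the one place this differs from a naive join: every value in the line comes from the device, so quoting it consistently keeps a downstream parser from splitting a field at an unexpected quote.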