Tuesday, November 25, 2008

Email Alerts based on the Incident Severity

I got asked the other day whether it was possible to receive an email only when Incidents were of RED Severity.

Now if you think about it, it is an option to get an email when an Incident is created, but you cannot be selective about whether that Incident was RED, YELLOW or GREEN.

There is a crude way to achieve this, if you want to go to the trouble, and it is based on duplicating rules...

Consider this RULE below...

It fires on events received in the Info/UncommonTraffic/Chat and Info/UncommonTraffic/Chat/Proxy event groups, for ANY severity. There is no "Action" defined for this rule.

If we duplicate the rule in question and edit the Severity on the copy to RED only, we can then attach an email Action to that copy.

If you leave the original rule at ANY, a RED event will match both rules, so you will probably get 2 Incidents fired but only 1 email.

So it may be worth changing the original rule, or duplicating it again, to match only GREEN or YELLOW Severity events, so that each severity is covered by exactly one rule. (You may want to create a second offset, combined with an OR operation.)

You need to proceed with caution with this method, as the example chosen has only 1 condition to be met. If you try it on a more complex rule with several offsets, you may get into hot water and render the rule useless!
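To make the double-firing problem and its fix concrete, here is a small model of the rule duplication described above. It is an added illustration written for this post, not MARS code, and the matching semantics are an assumption: a single-offset rule fires when the event's group is in the rule's group list and its severity is in the rule's severity set. It also includes an overlap check, which is the test you would want before duplicating any rule more complex than the one-condition example.

```python
from dataclasses import dataclass

# Constructed model of MARS-style inspection rules (assumption, not MARS internals):
# one offset per rule, matched on event group and severity.

SEVERITIES = ("RED", "YELLOW", "GREEN")
ANY = frozenset(SEVERITIES)


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset             # event groups the rule's single offset matches
    severities: frozenset = ANY   # severities the offset accepts; ANY by default
    actions: tuple = ()           # e.g. ("email",); empty means incident only


@dataclass(frozen=True)
class Event:
    group: str
    severity: str


def matches(rule, event):
    """Assumed matching semantics: group in rule groups AND severity in rule severities."""
    return event.group in rule.groups and event.severity in rule.severities


def evaluate(rules, event):
    """Return (incidents, emails): names of rules that fire, and of those that email."""
    fired = [r.name for r in rules if matches(r, event)]
    emails = [r.name for r in rules if matches(r, event) and "email" in r.actions]
    return fired, emails


def overlaps(rules):
    """Pairs of rules that can both fire on one event, i.e. would double-fire incidents."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.groups & b.groups and a.severities & b.severities:
                found.append((a.name, b.name))
    return found


CHAT_GROUPS = frozenset({"Info/UncommonTraffic/Chat", "Info/UncommonTraffic/Chat/Proxy"})

# First attempt from the post: original rule left at ANY, duplicate restricted to RED with email.
NAIVE_RULES = [
    Rule("chat-any", CHAT_GROUPS),
    Rule("chat-red-email", CHAT_GROUPS, frozenset({"RED"}), ("email",)),
]

# The fix: restrict the original rule to YELLOW/GREEN so the two rules no longer overlap.
FIXED_RULES = [
    Rule("chat-yellow-green", CHAT_GROUPS, frozenset({"YELLOW", "GREEN"})),
    Rule("chat-red-email", CHAT_GROUPS, frozenset({"RED"}), ("email",)),
]

if __name__ == "__main__":
    red = Event("Info/UncommonTraffic/Chat", "RED")   # constructed sample event
    print("naive:", evaluate(NAIVE_RULES, red), "overlaps:", overlaps(NAIVE_RULES))
    print("fixed:", evaluate(FIXED_RULES, red), "overlaps:", overlaps(FIXED_RULES))
```

With the naive rule set a RED chat event fires two incidents and one email, and overlaps() reports the pair; with the fixed set it fires one incident and one email and overlaps() is empty. Run overlaps() over every duplicated rule before you rely on the trick.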

Take care....

Wednesday, November 05, 2008

Cisco MARS 6.01 Patch Available

Cisco have released a patch, CS-MARS 6.0.1 3070, for users on the MARS 6.0.1 release (build 3066).

Who should apply the Patch

1) Users who have the following devices reporting to MARS: Cisco Switch IOS, Cisco IPS
- User has a Cisco Switch-IOS configured to send syslogs to the MARS (CSCsu94548)
- User downloaded and installed MARS IPS packages S333, S351, or S354 from http://www.cisco.com/cgi-bin/tablebuild.pl/mars-ips-sigup, or configured the dynamic autoupdate utility to download these packages (CSCsu96311)

2) Users who attempt to download raw messages from the database in the GMT+ timezone (CSCsv01999)
3) Users who make use of source/destination port ranking queries (CSCsq48971)

This patch is being released to address four issues:

1) CSCsu94548 - None of the Cisco Switch-IOS syslog messages are parsed by MARS
2) CSCsu96311 - Need to fix missing/mis-mapped IPS events in database.
3) CSCsv01999 - Not able to retrieve raw message files using MARS GUI
4) CSCsq48971 - service filter for src/dest port ranking query displays all ports

I suggest you read the readme file before applying it.