# Plugin cisco-ips id:1597 version: 0.0.2
# Last modification: 2015-05-13 16:11
#
# Plugin Selection Info:
# Cisco:IPS Intrusion Prevention System:-
#
# END-HEADER
# Accepted products:
# cisco - intrusion_prevention_system 6.0
# cisco - intrusion_prevention_system 6.0.2.0
# cisco - intrusion_prevention_system 7.0
# cisco - intrusion_prevention_system 7.0%281%29e3
# cisco - intrusion_prevention_system 7.0%282%29e3
# cisco - intrusion_prevention_system 7.0%282%29e4
# cisco - intrusion_prevention_system 7.0%283%29e4
# cisco - intrusion_prevention_system 7.0%284%29e4
# cisco - intrusion_prevention_system 7.0%285a%29e4
# cisco - intrusion_prevention_system 7.0%286%29e4
# cisco - intrusion_prevention_system 7.0%287%29e4
# cisco - intrusion_prevention_system 7.0%288%29e4
# cisco - intrusion_prevention_system 7.0%289%29e4
# cisco - intrusion_prevention_system 7.1
# Description:
# http://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html
#
[DEFAULT]
plugin_id=1597

[config]
type=detector
enable=yes
source=sdee
source_ip=
user=
password=
sleep=5
process=
start=no
stop=no
/etc/vigilante/agent/sdee_sid.data.
To see messages related to the subscription, connect to the Sheriff Console through SSH and log in with your credentials.
The Sheriff Setup menu displays.
On the Sheriff Setup main menu, select Jailbreak System to gain command line access.
Select Yes when prompted. You will be in the root directory.
Enter:
grep subs /var/log/vigilante/agent.log
Enter the following, replacing <SubscriptionID> with the subscription ID shown in the log output:
python /usr/share/vigilante/scripts/closeSDEEsession.py <SubscriptionID>
If you still have problems, look for the SDEE-related messages in the agent log.
Enter:
grep SDEE /var/log/vigilante/agent.log
Create the file /etc/vigilante/agent/plugins/cisco-ips.cfg.local.
In the cisco-ips.cfg.local file, add the following lines.
[config]
source_ip=<source_IP>
user=<your_user>
password=<your_password>
where
source_ip is the IP address of the SDEE device,
user is a user account on the SDEE device, and
password is the password for that user account on the SDEE device.
Save the file.
Create the file /etc/vigilante/agent/cisco_sdee.csv.
In the .csv file, specify the IP addresses of the different SDEE devices and their login credentials. You must enter one device per line.
1.2.3.4,user1,pass1
1.2.3.5,user2,pass2
1.2.3.6,user3,pass3
Important: You must not have any empty lines after the credentials.
Create the file /etc/vigilante/agent/plugins/cisco-ips.cfg.local.
In the cisco-ips.cfg.local file, add the following lines. The # comments out those three lines.
[config]
#source_ip=
#user=
#password=
credentials_file=/etc/vigilante/agent/cisco_sdee.csv
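As an added check that is not one of the product's own scripts, the following Python snippet validates a cisco_sdee.csv file against the rules stated above (one ip,user,password device per line, no empty lines after the credentials) before the plugin reads it; the function and constant names are this example's own, and the sample inputs in the comments are constructed.

```python
"""Check a cisco_sdee.csv credentials file before the cisco-ips plugin reads it.
Added example, not one of the product's own scripts: it applies the rules given
above and reports every problem it finds instead of stopping at the first one."""
import ipaddress
import sys

DEFAULT_PATH = "/etc/vigilante/agent/cisco_sdee.csv"  # location given on the page


def check_credentials_file(text):
    """Return a list of problems (1-based line numbers); an empty list means OK."""
    problems = []
    seen = set()
    # splitlines() keeps interior empty lines but drops the final newline,
    # so "a\n" is one line while "a\n\n" is a line followed by an empty line.
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "":
            # The page warns that empty lines after the credentials break the plugin.
            problems.append("line %d: empty line (not allowed)" % lineno)
            continue
        fields = line.split(",")
        if len(fields) != 3:
            # Also catches a password containing a comma, which this format cannot carry.
            problems.append("line %d: expected ip,user,password but got %d fields"
                            % (lineno, len(fields)))
            continue
        ip, user, password = (f.strip() for f in fields)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append("line %d: '%s' is not a valid IP address" % (lineno, ip))
        if not user or not password:
            problems.append("line %d: user and password must not be empty" % lineno)
        if ip in seen:
            problems.append("line %d: duplicate device %s" % (lineno, ip))
        seen.add(ip)
    return problems


def main(path):
    with open(path, encoding="utf-8") as fh:
        problems = check_credentials_file(fh.read())
    for problem in problems:
        print(problem)  # report positions only, never the credentials themselves
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH))
```

A non-zero exit status means the file should be corrected before the plugin is enabled.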
Go to /usr/share/vigilante/scripts/ and execute the following script to generate the plugin sid information.
python createCiscoIPSSidmap.py <signature_file>.xml > sdee.sql
where <signature_file>.xml is the file you downloaded or received from Cisco.
This script generates the SQL needed to update the Sheriff CSM database.
DELETE FROM plugin WHERE id = "1597";
DELETE FROM plugin_sid where plugin_id = "1597";
INSERT INTO plugin (id, type, name, description) VALUES (1597, 1, 'Cisco-IPS', 'Cisco Intrusion Prevention System');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5986, NULL, NULL, 'Cisco-IPS: Microsoft GDI GIF Parsing Vulnerability', 3, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5984, NULL, NULL, 'Cisco-IPS: IE COM Object Code Execution', 3, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5985, NULL, NULL, 'Cisco-IPS: Quicktime RTSP Content-Type Excessive Length', 3, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19159, NULL, NULL, 'Cisco-IPS: Green Dam Youth Escort Software Update Check', 1, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19401, NULL, NULL, 'Cisco-IPS: Microsoft Publisher File Parsing Vulnerability', 3, 4);
vigilante-db < sdee.sql
Generate the cross-correlation information.
python ciscoIPSOsMap.py <signature_file>.xml > sdee-os.sql
This script generates the following SQL to update the Sheriff CSM database with cross-correlation information.
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 2156, 3001, 1);
replace into plugin_reference values (1597, 2157, 3001, 3);
replace into plugin_reference values (1597, 2157, 3001, 3);
replace into plugin_reference values (1597, 2157, 3001, 3);
...
Update the Sheriff CSM database with the SQL output.
vigilante-db < sdee-os.sql
Clear the cache by restarting Sheriff CSM.