
Sheriff CSM™

Configure SDEE Plugins

Cisco Systems IPS Sensor 5.0 uses the Security Device Event Exchange (SDEE) protocol to specify the format of messages used to collect events generated by certain Cisco security devices. Sheriff supports this type of log collection, and Sheriff CSM captures events specifically from:

  • Cisco Network Prevention Systems (IPS)
  • Cisco Network Detection Systems (IDS)
  • Cisco Switch IDS
  • Cisco IOS routers with the Inline Intrusion Prevention System (IPS) functions
  • Cisco IDS modules for routers
  • Cisco PIX Firewalls
  • Cisco Catalyst 6500 Series firewall service modules (FWSMs)
  • Management Center for Cisco Security Agents
  • CiscoWorks Monitoring Center for Security

    # Plugin cisco-ips id:1597 version: 0.0.2
    # Last modification: 2015-05-13 16:11
    #
    # Plugin Selection Info:
    # Cisco:IPS Intrusion Prevention System:-
    #
    # END-HEADER
    # Accepted products:
    # cisco - intrusion_prevention_system 6.0
    # cisco - intrusion_prevention_system 6.0.2.0
    # cisco - intrusion_prevention_system 7.0
    # cisco - intrusion_prevention_system 7.0%281%29e3
    # cisco - intrusion_prevention_system 7.0%282%29e3
    # cisco - intrusion_prevention_system 7.0%282%29e4
    # cisco - intrusion_prevention_system 7.0%283%29e4
    # cisco - intrusion_prevention_system 7.0%284%29e4
    # cisco - intrusion_prevention_system 7.0%285a%29e4
    # cisco - intrusion_prevention_system 7.0%286%29e4
    # cisco - intrusion_prevention_system 7.0%287%29e4
    # cisco - intrusion_prevention_system 7.0%288%29e4
    # cisco - intrusion_prevention_system 7.0%289%29e4
    # cisco - intrusion_prevention_system 7.1
    # Description:
    # http://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html
    #
    #
    [DEFAULT]
    plugin_id=1597
    [config]
    type=detector
    enable=yes
    source=sdee
    source_ip=
    user=
    password=
    sleep=5
    process=
    start=no
    stop=no

Working with the SDEE Devices

Each time a new session begins with an SDEE device, Sheriff CSM provides a subscription ID. (The latest subscription ID can be found under /etc/vigilante/agent/sdee_sid.data.)

To see messages related to the subscription
  1. Connect to the Sheriff Console through SSH and use your credentials to log in.

    The Sheriff Setup menu displays.

  2. On the Sheriff Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. Enter:

    grep subs /var/log/vigilante/agent.log

Normally, when the session finishes, the Sheriff Agent service closes the session automatically. If it does not, you should do it manually.

To close the last session
  • Enter:

    python /usr/share/vigilante/scripts/closeSDEEsession.py <SubscriptionID>

    If you still have problems, look for the SDEE-related messages in the agent log.

To find SDEE messages in the agent log
  • Enter:

    grep SDEE /var/log/vigilante/agent.log

Additional Configuration Required Before You Enable an SDEE Plugin

You must configure Sheriff CSM to accept events from SDEE-capable devices from your Sheriff CSM assets before you enable the plugin.

This procedure describes how to configure the Sheriff Agent service to accept events from an SDEE-capable device. You will need command line access to Sheriff CSM to complete this task.

To configure Sheriff CSM to collect events from an SDEE device
  1. Create the file /etc/vigilante/agent/plugins/cisco-ips.cfg.local.
  2. In the cisco-ips.cfg.local file, add the following lines.

    [config]

    source_ip=<source_IP>
    user=<your_user>
    password=<your_password>

    Where

    • source_ip is the IP address of the SDEE device.
    • user is a user account on the SDEE device.
    • password is the password for that user account on the SDEE device.
  3. Save the file.

To configure the Sheriff Agent service to accept events from multiple SDEE-capable devices, you will need command line access to Sheriff CSM to complete this task.

To configure Sheriff CSM to collect events from multiple SDEE devices
  1. Create the file /etc/vigilante/agent/cisco_sdee.csv.

  2. In the .csv file, specify the IP addresses for the different SDEE devices and their login credentials. You must enter one device per line.

    1.2.3.4,user1,pass1
    1.2.3.5,user2,pass2
    1.2.3.6,user3,pass3

    Important: You must not have any empty lines after the credentials.

  3. Create the file /etc/vigilante/agent/plugins/cisco-ips.cfg.local.

  4. In the cisco-ips.cfg.local file, add the following lines. The leading # comments out the three single-device keys, so that the agent reads the credentials file instead.

    [config]

    #source_ip=
    #user=
    #password=

    credentials_file=/etc/vigilante/agent/cisco_sdee.csv
  5. Save the file.
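Added example, not part of this page or of the Sheriff CSM scripts: a small Python check for cisco_sdee.csv that enforces the rules stated above (one ip,user,password record per line, a valid IP address, no empty lines after the credentials) and renders the matching cisco-ips.cfg.local override for the multi-device case. It assumes the agent splits each line on commas, so a password containing a comma cannot be stored in this file; the sample CSV content is constructed.

```python
import ipaddress

# Constructed sample of /etc/vigilante/agent/cisco_sdee.csv, one
# "ip,user,password" record per line as the procedure requires.
SAMPLE_CSV = "1.2.3.4,user1,pass1\n1.2.3.5,user2,pass2\n1.2.3.6,user3,pass3\n"


def validate_sdee_credentials(text):
    """Return (devices, errors) for the contents of cisco_sdee.csv.

    devices is a list of (ip, user, password) tuples; errors lists every
    line that the agent would not be able to read as a device entry.
    """
    devices, errors = [], []
    lines = text.split("\n")
    # A single trailing newline leaves one empty element; anything beyond
    # that is an empty line after the credentials, which is not allowed.
    if lines and lines[-1] == "":
        lines.pop()
    for lineno, line in enumerate(lines, start=1):
        if line.strip() == "":
            errors.append("line %d: empty line (not allowed)" % lineno)
            continue
        fields = [f.strip() for f in line.split(",")]  # assumed: naive comma split
        if len(fields) != 3:
            errors.append("line %d: expected ip,user,password, got %d fields"
                          % (lineno, len(fields)))
            continue
        ip, user, password = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append("line %d: invalid IP address %r" % (lineno, ip))
            continue
        if not user or not password:
            errors.append("line %d: user and password must not be empty" % lineno)
            continue
        devices.append((ip, user, password))
    return devices, errors


def render_cfg_local(credentials_file="/etc/vigilante/agent/cisco_sdee.csv"):
    """Render cisco-ips.cfg.local for the multi-device case: the three
    single-device keys are commented out and credentials_file points at the CSV."""
    return "\n".join(["[config]", "", "#source_ip=", "#user=", "#password=", "",
                      "credentials_file=%s" % credentials_file, ""])
```

Run the validator over the real file before restarting the agent; a non-empty error list means the CSV would not be read as intended.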
You can now enable the SDEE plugin. See Enable Plugins on Assets.

Occasionally you may download or receive new signatures for your Cisco IPS devices. If you want to use those signatures in Sheriff CSM, you will need to update the Sheriff CSM database manually. You will need command line access to Sheriff CSM to complete this task.

To populate the Sheriff CSM database with new signatures
  1. Go to /usr/share/vigilante/scripts/ and execute the following script to generate the plugin sid information.

    python createCiscoIPSSidmap.py <signature_file>.xml > sdee.sql

    where <signature_file>.xml is the file you downloaded or received from Cisco.

    This script generates the sql needed to update the Sheriff CSM database.

    DELETE FROM plugin WHERE id = "1597";
    DELETE FROM plugin_sid where plugin_id = "1597";
    INSERT INTO plugin (id, type, name, description) VALUES (1597, 1, 'Cisco-IPS', 'Cisco Intrusion Prevention System');
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5986, NULL, NULL, 'Cisco-IPS: Microsoft GDI GIF Parsing Vulnerability', 3, 4);
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5984, NULL, NULL, 'Cisco-IPS: IE COM Object Code Execution', 3, 4);
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5985, NULL, NULL, 'Cisco-IPS: Quicktime RTSP Content-Type Excessive Length', 3, 4);
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19159, NULL, NULL, 'Cisco-IPS: Green Dam Youth Escort Software Update Check', 1, 4);
    INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19401, NULL, NULL, 'Cisco-IPS: Microsoft Publisher File Parsing Vulnerability', 3, 4);
  2. Update the Sheriff CSM database with the sql output.

    vigilante-db < sdee.sql
  3. Generate the cross-correlation information.

    python ciscoIPSOsMap.py <signature_file>.xml > sdee-os.sql

    This script generates the following sql to update the Sheriff CSM database with cross-correlation information.

    replace into plugin_reference values (1597, 1109, 3001, 3);
    replace into plugin_reference values (1597, 1109, 3001, 3);
    replace into plugin_reference values (1597, 1109, 3001, 3);
    replace into plugin_reference values (1597, 1109, 3001, 3);
    replace into plugin_reference values (1597, 2156, 3001, 1);
    replace into plugin_reference values (1597, 2157, 3001, 3);
    replace into plugin_reference values (1597, 2157, 3001, 3);
    replace into plugin_reference values (1597, 2157, 3001, 3);
    ...
  4. Update the Sheriff CSM database with the sql output.

    vigilante-db < sdee-os.sql
  5. Clear the cache by restarting Sheriff CSM.

Topic revision: r15 - 09 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.