Using the CSID Director for Unix
What is the Cisco Secure Intrusion Detection (CSID) Director for Unix? CSID Director for Unix is another application that you can use to manage your IDS sensors. CSID Director runs on a Solaris or HPUX platform and has hooks into HP OpenView Network Node Manager (NNM). Without the NNM software, the installation will not succeed. This section assumes you have NNM installed on either a Solaris or HPUX platform.
Installing and Starting the Director
Very little about working with the CSID Director is simple. You will find that most of the initial setup and commands require a firm grasp of Unix.
To install the Director, follow these steps:
-
Log on to the system you plan to install the CSID Director software onto. You must be root to run this install.
-
Insert the CSID Director install CD into the CD-ROM. Mount the CD-ROM device.
-
Run the install script by typing /cdrom/cdrom0/install.
-
If you are downloading the image, you must first uncompress the downloaded file and then untar the file to a temp directory. After that, you can initiate the install script by typing ./install.
-
When prompted, enter a password for the netrangr account. The netrangr account is created by default during the installation.
-
Once you have set the password, you will be required to run the sysconfig-director utility. Enter y when prompted to run the script. The sysconfig-director utility has to be run and the configuration completed before running the NNM. The settings in the sysconfig-director utility are the same as those for the sysconfig-sensor utility discussed in Chapter 3. The settings are shown in Table 4.1.
Table 4.1: sysconfig-director Parameters Field
Input
Director Host ID
1-65535
Director Organization ID
1-65535
Director Host Name
256 alphanumeric characters, no spaces, "-" and "_" are okay.
Director Organization Name
256 alphanumeric characters, no spaces, "-" and "_" are okay.
Director IP Address
Valid IP address
HTML Browser Location
Enter the path to Netscape if the Director does not find it. The install path is /opt/netscape/netscape.
-
The major differences here are that there is no option to add IDS Manager information and you must specify the location of Netscape. Remember, you are on the CSID Director and not the sensor! Once you have entered the required information, type y to create the configuration files. You are then prompted to reboot. Type y to reboot the system. Once the system reboots, log on to the CSID Director as netrangr.
-
From here, you need to start up and configure HP OpenView and configure. First though, make sure all the daemons are running.
Remember in Chapter 3 when we discussed all the commands you can execute from netrangr? Specifically, idsstatus was used to verify the daemons were running. With the Director, the command is nrstatus. Once the sysconfig-director utility is run, the following daemons are started:
-
nr.loggerd
-
nr.postofficed
-
nr.sapd
-
nr.configd
-
nr.filexferd
-
nr.smid
Starting the NNM is fairly simple. Execute the following command:
ovw &
This is one of those times where Unix familiarity comes in handy. The "&" forces NNM to run in the background.
How to Configure the CSID Director
In order to configure the Director, use the NetRanger Configuration File Management Utility, better known as nrConfigure. In OpenView, you can launch nrConfigure from the Security drop-down menu. This is used to manage the configuration of the Director and sensors. It is similar to CSPM in that you can update configuration files for the Director and sensors, and add and delete sensors and basically manage all aspects of your IDS infrastructure. Once you get nrConfigure open, you see the local Director and any sensor that the Director has identified. Each item listed displays three categories of information:
-
Organization and Host Name
-
Configuration last modified date
-
A description of the host
Adding a New Sensor
To add a new sensor use, the Add Host Wizard from the nrConfigure menus. Follow these steps:
-
Start the Add Host Wizard from the nrConfigure menus.
-
Enter the following Sensor Identification Parameters. Once you have done so, click Next:
-
Organization Name
-
Organization ID
-
Host Name
-
Host ID
-
Host IP Address
-
-
Select the Host Type and click Next. You have three options here:
-
Initialize a newly installed Sensor
-
Connect to a previously configured Sensor.
For a new sensor, select the first option, Initialize a newly installed Sensor. If you are connecting to a sensor that has already been configured, select Connect to a previously configured Sensor.
-
-
Since this is a new sensor, select Initialize a newly installed Sensor.
-
Enter the duration for IP blocking and session logging. The defaults are ten minutes. Click Next.
-
Number of minutes to log on an event: 1–1440 minutes
-
Number of minutes to shun an event: 1–1440 minutes
-
Network Interface Name.
-
-
Select the sniffing interface. The different interface types are discussed earlier in Chapter 3.
-
Define the characteristics for blocking/shunning and click Next. These include:
-
Router's username/password
-
Router's enable password
-
Router's NAT IP address
-
IP address of sensor from router
-
Router's external IP address
-
-
At this point, the nrConfigure window displays the sensor under the correct folder. The folder name and the sensor's organization name should be the same. Exit the nrConfigure screen.
If you were to add a sensor that had been previously configured, you would change your selection in step 3 to Connect to a previously configured Sensor. You then finish the install by selecting Finish. The wizard uploads the configuration file from the sensor to the Director.
To delete a sensor from the nrConfigure screen, highlight the sensor to be deleted, right-click, and select Delete Host. Once the sensor is deleted, you remove the icon from nrConfigure by right-clicking the sensor icon to be deleted, and choose Delete Symbol.
Event Processing
Events are forwarded to the Director and translated into alarms. Similar to the other event viewers, they are color-coded red, yellow, and green, for high, medium, and low alarms, respectively.
To view alarms, you have to drill down into the icons. Follow these steps.
-
Double-click the netranger icon. The network topology submap opens. The network topology submap contains icons for all the sensors and Directors.
-
Double-click a sensor or Director icon and another submap opens with all the daemons running on that particular device.
-
Select a daemon and double-click. This opens another submap that displays all the events that have been generated by that daemon.
There are several different types of alarms:
-
Intrusion Alarms
-
Context Buffer Alarms
-
Error Alarms
-
OkAlarms
When an alarm is sent to the Director, one of the daemons, nrdirmap, translates the alarm and presents it in the submap. If multiple alarms from the same signature are sent, they are grouped into alarm sets.
Alarms are labeled with the name of the signature that corresponds to the signature ID. If the signature name cannot be located, then the alarm is labeled with the signature ID itself. The Director utilizes the signatures file in the /usr/nr/etc/ directory