RE: Viewing Cisco NSDB information

DDOBBELA_at_ncsbe.jnj.com
Date: 01/24/04

  • Next message: Thierry Ble: "Taps supporting traffic aggregation ..."
    To: jon.lowther@activis.com, focus-ids@securityfocus.com
    Date: Sat, 24 Jan 2004 11:12:01 +0100
    
    

    something from the CSIDS 4.1 release notes:

    Step 1 Create a service account on the sensor:
    a. Log into the sensor using an account with administrator privileges (cisco).
    b. Enter Configuration mode:
    sensor# configure terminal
    c. Specify the parameters for the service account:
    sensor(config)# username service privilege service password serviceAccountPassword
    Step 2 Log into the service account.
    Step 3 At the prompt, execute the following command:
    # su - root
    Step 4 Enter the service account password.

    Now you can use the appliance as a normal Linux box.
    Have phun
    David

    Johnson & Johnson
    Networking & Computing Services
    A division of Janssen Pharmaceutica NV

    Turnhoutseweg 30 * B-2340 Beerse * Belgium
    PHONE: +32(0)14/60.78.47
    E-MAIL: ddobbela@ncsbe.jnj.com

    -----Original Message-----
    From: Jonathan Lowther [mailto:jon.lowther@activis.com]
    Sent: Friday, 23 January 2004 17:23
    To: focus-ids@securityfocus.com
    Subject: Viewing Cisco NSDB information

    Is there a way of accessing the .html files that make up the NSDB on a Cisco
    sensor? I mean the files called expsig_<ID>.html.

    My company has its own internal knowledge base of alerts, and I wanted to
    import the data from the Cisco NSDB into our own database (we do something
    similar for ISS alerts).

    We used to do this with version 3.x (this was before my time) but we needed
    to install the updates to the Cisco Secure Policy Manager and we could then
    get the .html files.

    However, we are now migrating to 4.1 and I don't want to have Cisco Secure
    Policy Manager (or any other system) just to be able to view the NSDB.

    I know that I can view the NSDB by logging into the sensor, but I am not
    really able to access the files themselves because the command line
    interface is all menu driven. For example, I can't log on to the sensor and
    just FTP the .html files to my desktop where I run my import script.

    I had the idea that the .html files must be contained in the update files
    (for example, IDS-sig-4.1-3-S66.rpm.pkg), but I can't seem to unpack them. I
    managed to get a utility to extract RPMs, but I am not able to extract the
    .pkg file.

    Has anyone got any ideas of how I can obtain the .html files from the NSDB?
    If I can obtain them directly from a signature update file then that would be
    best because I could probably automate the process.

    FYI, I have a Cisco 4210 Sensor running 4.1(3)S61

    Thanks in advance,

    Jonathan Lowther

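Jonathan's original question ends with the import script he runs on his desktop once the NSDB pages are in hand. The following is an added example of such an indexing script; it is not Cisco's code and not the poster's own script. It assumes the expsig_<ID>.html files have already been copied off the sensor into a local directory (the thread is about how to get them there, which this script does not do). Only the filename pattern expsig_<ID>.html is taken from the thread: the page contents used here are constructed sample data, and the title/body extraction is generic HTML handling rather than anything specific to the NSDB layout. The `build_sample_dir`, `parse_expsig`, `index_directory` and `export_sqlite` names are the example's own.

```python
"""Index Cisco NSDB signature pages (expsig_<ID>.html) for a local import.

Added example for this thread, not Cisco's code or the poster's script.
It assumes the expsig_<ID>.html files have already been copied off the
sensor into a local directory. Only the filename pattern expsig_<ID>.html
comes from the thread; the page content below is constructed sample data,
and the title/body extraction is generic HTML handling, not NSDB-specific.
"""
import re
import sqlite3
import tempfile
from html.parser import HTMLParser
from pathlib import Path

# Filename pattern quoted in the thread: expsig_<ID>.html
EXPSIG_RE = re.compile(r"^expsig_(\d+)\.html$")


class _TextExtractor(HTMLParser):
    """Collect the <title> text and the visible text of everything else."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        else:
            self._chunks.append(data)

    @property
    def text(self):
        # Collapse the whitespace runs left behind by tags and line breaks
        return " ".join(" ".join(self._chunks).split())


def parse_expsig(path):
    """Return a record for one expsig_<ID>.html file, or None if the name does not match."""
    match = EXPSIG_RE.match(Path(path).name)
    if not match:
        return None
    extractor = _TextExtractor()
    extractor.feed(Path(path).read_text(encoding="utf-8", errors="replace"))
    extractor.close()
    return {"sig_id": int(match.group(1)),
            "title": extractor.title.strip(),
            "text": extractor.text}


def index_directory(directory):
    """Parse every expsig_<ID>.html in a directory into a dict keyed by signature ID."""
    records = {}
    for path in sorted(Path(directory).glob("expsig_*.html")):
        record = parse_expsig(path)
        if record is not None:  # skips names such as expsig_draft.html
            records[record["sig_id"]] = record
    return records


def export_sqlite(records, db_path=":memory:"):
    """Load the records into a small SQLite table and return the connection."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS nsdb "
                 "(sig_id INTEGER PRIMARY KEY, title TEXT, text TEXT)")
    conn.executemany("INSERT OR REPLACE INTO nsdb VALUES (?, ?, ?)",
                     [(r["sig_id"], r["title"], r["text"]) for r in records.values()])
    conn.commit()
    return conn


def build_sample_dir():
    """Write constructed sample pages to a temp directory (stand-in for files copied off a sensor)."""
    directory = Path(tempfile.mkdtemp())
    (directory / "expsig_1234.html").write_text(
        "<html><head><title>Signature 1234: Example Probe</title></head>\n"
        "<body><h1>Signature 1234</h1>\n<p>Constructed sample description.</p></body></html>\n",
        encoding="utf-8")
    (directory / "expsig_5678.html").write_text(
        "<html><head><title>Signature 5678: Example Sweep</title></head>\n"
        "<body><p>Second constructed sample.</p></body></html>\n", encoding="utf-8")
    (directory / "expsig_draft.html").write_text(
        "<html><body>not a signature page</body></html>\n", encoding="utf-8")
    return str(directory)


if __name__ == "__main__":
    recs = index_directory(build_sample_dir())
    for sig_id, rec in recs.items():
        print(sig_id, rec["title"])
    conn = export_sqlite(recs)
    print(conn.execute("SELECT COUNT(*) FROM nsdb").fetchone()[0], "rows loaded")
```

The signature ID is taken from the filename rather than from the page body, so a page whose markup changes between signature updates still lands under the right ID; pages whose names do not fit the expsig_<ID>.html pattern are skipped instead of being imported under a guessed ID.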


