Lab 12.4.1 Event Notification and Alarm Reporting
Objectives
In this lab you will complete the following tasks:
■ Add an SMTP server to the CSPM NTT for e-mail notification.
■ Configure e-mail notification in CSPM.
■ Launch an attack that will trigger an IDS event to generate an e-mail notification.
■ Generate IDS alarm reports.
Visual Objective
This figure displays the information you will need to complete this laboratory exercise.
[Figure: lab topology; the addressing recovered from the diagram is listed below.]
Pod P (your pod): router rP, e0/1 = 172.30.1.10P, e0/0 = 10.0.P.1 on network 10.0.P.0/24; CSPM host 10.0.P.3 (Host ID = 3, Org ID = P, Host Name = cspmP, Org Name = podP); sensorP = 10.0.P.4; idsmP = 10.0.P.6.
Pod Q (peer pod): router rQ, e0/1 = 172.30.1.10Q, e0/0 = 10.0.Q.1 on network 10.0.Q.0/24; CSPM host 10.0.Q.3 (Host ID = 3, Org ID = Q, Host Name = cspmQ, Org Name = podQ); sensorQ = 10.0.Q.4; idsmQ = 10.0.Q.6.
Both pod routers connect to the shared 172.30.1.0/24 network.
A pair of students has been assigned to a pod. Each pod has a complete set of
equipment to do the lab.
Task 1—Add an SMTP Server to the CSPM NTT
Complete the following steps to add a host with the SMTP service to the NTT:
Step 1
Right-click the network Net-10.0.P.0 in the NTT.
(where P = pod number)
Step 2
Choose New>Host. A host general properties panel appears in the right pane. The
cursor focus is in the hostname box.
Step 3
Rename the host to my smtp server. The new name appears in the NTT.
Step 4
Enter the IP address of the host in the IP addresses box.
IP Address: ______________________
12-2 Cisco Secure Intrusion Detection System 2.1—Lab 12.4.1 Copyright 2001, Cisco Systems, Inc.
Step 5
Click the top Add button. The IP address appears in the IP address list box.
Step 6
Click the bottom Add button. The Add Client/Server Product window opens.
Step 7
Choose SMTP from the list of Product Types.
Step 8
Click OK to return to the host properties pane.
Step 9
Click the SMTP tab in the host properties pane. The SMTP properties pane
appears.
Note
The SMTP tab has a version number appended to it.
Step 10
Rename the SMTP service name to podP smtp service.
Step 11
Click OK to accept the changes.
Step 12
Click Save in the main toolbar to save the changes to the CSPM database.
Task 2—Define the CSPM Host’s SMTP Server
Complete the following steps to define which SMTP server the CSPM host will
use for e-mail notifications:
Step 1
Select the CSPM host, directorP, from the NTT. The CSPM host General
properties pane appears.
(where P = pod number)
Step 2
Choose my smtp server from the SMTP server drop-down menu.
Step 3
Click OK to accept the changes.
Step 4
Click Save in the main toolbar to save the changes to the CSPM database.
Task 3—Configure E-Mail Notification for High Severity Alarms
Complete the following steps to configure e-mail notification when the CSPM
host receives a high severity alarm:
Step 1
Choose Tools>Configure Notifications. The Configure Logging and
Notifications pane appears.
Step 2
Select IDS events in the Select Event Category group box.
Step 3
Choose High Severity Alarms from the list of Event Descriptions.
Step 4
Choose the Event Disposition Log Event and issue notification specified
below.
Step 5
Accept the default Notification Scheduling values.
Step 6
Select Include event description in the Notification Message group box.
Step 7
Click Message. The Notification message content window opens.
Step 8
Enter the following in the Subject field:
High Severity Notification
Step 9
Enter the following message in the text box (the variable names will be
substituted with the actual alarm values in the message):
Sensor ${HostID} detected Signature ${SigID} launched by ${SrcIpAddr}:${SrcIpPort}
against ${DstIpAddr}:${DstIpPort} at ${TimeStr} on ${DateStr}.
Note
The variable names are case sensitive. Enter the variable names exactly as they
appear.
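As an added example that is not part of the Cisco lab, the following Python builds the Step 9 notification e-mail for one alarm and rejects a template that uses a placeholder CSPM would not substitute (for instance a wrong-case ${hostid}), since the lab notes the names are case sensitive; Python's string.Template uses the same ${Name} syntax. The sender and recipient addresses and the alarm values are constructed sample data.

```python
# Added example (not part of the Cisco lab): build the Step 9 notification
# e-mail for one alarm and reject templates with a variable name CSPM would
# not substitute. Python's string.Template uses the same ${Name} syntax.
from email.message import EmailMessage
from string import Template

SUBJECT = "High Severity Notification"
BODY = ("Sensor ${HostID} detected Signature ${SigID} launched by "
        "${SrcIpAddr}:${SrcIpPort} against ${DstIpAddr}:${DstIpPort} "
        "at ${TimeStr} on ${DateStr}.")

# The substitution variables listed in Step 9; CSPM treats them as case sensitive.
KNOWN_VARS = {"HostID", "SigID", "SrcIpAddr", "SrcIpPort",
              "DstIpAddr", "DstIpPort", "TimeStr", "DateStr"}

def unknown_variables(template: str) -> set[str]:
    """Placeholder names in `template` not in KNOWN_VARS (exact case,
    so a mistyped ${hostid} is reported)."""
    names = set()
    for match in Template.pattern.finditer(template):
        name = match.group("named") or match.group("braced")
        if name is not None and name not in KNOWN_VARS:
            names.add(name)
    return names

def render_notification(alarm: dict, sender: str, recipients: list[str],
                        body: str = BODY) -> EmailMessage:
    """Return the e-mail CSPM would hand to the SMTP server for `alarm`;
    a template with an unknown placeholder raises instead of going out."""
    bad = unknown_variables(body)
    if bad:
        raise ValueError(f"template uses unsupported variables: {sorted(bad)}")
    msg = EmailMessage()
    msg["Subject"] = SUBJECT
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg.set_content(Template(body).substitute(alarm))
    return msg

# Constructed sample alarm (P = 1, Q = 2 in the lab's addressing scheme); the
# signature number, port and timestamps are placeholders, not real CIDS values.
SAMPLE_ALARM = {
    "HostID": "sensorQ", "SigID": "1234",
    "SrcIpAddr": "10.0.1.3", "SrcIpPort": "1034",
    "DstIpAddr": "10.0.2.3", "DstIpPort": "80",
    "TimeStr": "10:15:32", "DateStr": "2001-06-14",
}
```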
Step 10
Click OK to accept the message subject and body content.
Step 11
Select the notification method: E-mail.
Step 12
Click Address to add a list of e-mail recipients. The E-mail recipients window
opens.
Step 13
Enter the e-mail addresses of the recipients as assigned by the instructor.
E-mail Address: ______________________
Step 14
Click Add. The e-mail recipient’s address appears.
Step 15
Click OK to close the E-mail recipient’s window.
Step 16
Click Apply to accept the notification settings.
Step 17
Click Save in the main toolbar to save the changes to the CSPM database.
Task 4—Test E-Mail Notification
Complete the following steps to generate high severity alarms that will cause an e-mail notification to be generated. Your instructor will assign a peer's pod number (Q).
Step 1
Launch your web browser.
Step 2
Enter the following string in your web browser:
http://10.0.Q.3/../..
(where Q = peer pod number)
Step 3
Enter the following string in your web browser:
http://10.0.Q.3/msadc/msadcs.dll
(where Q = peer pod number)
Step 4
Launch your mail client software.
Step 5
Retrieve your e-mail from the mail server.
Task 5—Generate CIDS Alarm Reports
Complete the following tasks to generate CIDS alarm reports:
Step 1
Launch your web browser and enter the following in the URL field:
https://localhost/Reports
Step 2
Select a report as assigned by the instructor.
Step 3
Authenticate when prompted.
Step 4
Click View (Window) to generate a default report. A new web browser opens
displaying the CIDS alarm report.