
Lab 12.4.1 Event Notification and Alarm Reporting

Objectives

In this lab you will complete the following tasks:

Add an SMTP server to the CSPM NTT for e-mail notification.

Configure e-mail notification in CSPM.

Launch an attack that will trigger an IDS event to generate an e-mail
notification.

Generate IDS Alarm Reports.

Visual Objective

This figure displays the information you will need to complete this laboratory
exercise.

[Figure: lab network topology. Pod P (your pod) and Pod Q (peer pod) are joined by network 172.30.1.0/24 through routers rP and rQ (interfaces e0/0 and e0/1; address labels .10P/.10Q and .1). Each pod network, 10.0.P.0/24 and 10.0.Q.0/24, contains sensorP/sensorQ and idsmP/idsmQ (address labels .4 and .6) and a CSPM host at 10.0.P.3 or 10.0.Q.3 with Host ID = 3, Org ID = P (or Q), Host Name = cspmP (or cspmQ), Org Name = podP (or podQ).]

A pair of students has been assigned to a pod. Each pod has a complete set of
equipment to do the lab.

Task 1—Add an SMTP Server to the CSPM NTT

Complete the following steps to add a host with the SMTP service to the NTT:

Step 1

Right-click the network Net- 10.0.P.0 from the NTT.

(where P = pod number)

Step 2

Choose New>Host. A host general properties panel appears in the right pane. The
cursor focus is in the hostname box.

Step 3

Rename the host to my smtp server. The new name appears in the NTT.

Step 4

Enter the IP address of the host in the IP addresses box.


Cisco Secure Intrusion Detection System 2.1—Lab 12.4.1

Copyright 2001, Cisco Systems, Inc.

IP Address

Step 5

Click the top Add button. The IP address appears in the IP address list box.

Step 6

Click the bottom Add button. The Add Client/Server Product window opens.

Step 7

Choose SMTP from the list of Product Types.

Step 8

Click OK to return to the host properties pane.

Step 9

Click the SMTP tab in the host properties pane. The SMTP properties pane
appears.

Note

The SMTP tab has a version number appended to it.

Step 10

Rename the SMTP service name to podP smtp service.

Step 11

Click OK to accept the changes.

Step 12

Click Save in the main toolbar to save the changes to the CSPM database.

Task 2—Define the CSPM Host’s SMTP Server

Complete the following steps to define which SMTP server the CSPM host will
use for e-mail notifications:

Step 1

Select the CSPM host, directorP, from the NTT. The CSPM host General
properties pane appears.

(where P = pod number)

Step 2

Choose my smtp server from the SMTP server drop-down menu.

Step 3

Click OK to accept the changes.

Step 4

Click Save in the main toolbar to save the changes to the CSPM database.

Task 3—Configure E-Mail Notification for High Severity Alarms

Complete the following steps to configure e-mail notification when the CSPM
host receives a high severity alarm:

Step 1

Choose Tools>Configure Notifications. The Configure Logging and
Notifications pane appears.

Step 2

Select IDS events in the Select Event Category group box.

Step 3

Choose High Severity Alarms from the list of Event Descriptions.

Step 4

Choose the Event Disposition Log Event and issue notification specified below.

Step 5

Accept the default Notification Scheduling values.

Step 6

Select Include event description in the Notification Message group box.

Step 7

Click Message. The Notification message content window opens.

Step 8

Enter the following in the Subject field:

High Severity Notification


Step 9

Enter the following message in the text box (the variable names will be
substituted with the actual alarm values in the message):

Sensor ${HostID} detected Signature ${SigID} launched by ${SrcIpAddr}:${SrcIpPort}
against ${DstIpAddr}:${DstIpPort} at ${TimeStr} on ${DateStr}.

Note

The variable names are case sensitive. Enter the variable names exactly as they
appear.

Step 10

Click OK to accept the message subject and body content.

Step 11

Select the notification method: E-mail.

Step 12

Click Address to add a list of e-mail recipients. The E-mail recipients window
opens.

Step 13

Enter the e-mail addresses of the recipients as assigned by the instructor.

E-mail Address

Step 14

Click Add. The e-mail recipient’s address appears.

Step 15

Click OK to close the E-mail recipients window.

Step 16

Click Apply to accept the notification settings.

Step 17

Click Save in the main toolbar to save the changes to the CSPM database.
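
An added illustration of the Step 9 message body (not part of the Cisco lab or of CSPM): it uses Python's string.Template, which shares the ${Name} syntax, as a stand-in to show why the variable names must match case exactly. The alarm values are constructed and the helper names check_template and render are hypothetical; how CSPM itself treats a mistyped name is not stated in the lab.

```python
import re
from string import Template

# Variable names exactly as they appear in the lab's Step 9 message.
KNOWN_VARS = {"HostID", "SigID", "SrcIpAddr", "SrcIpPort",
              "DstIpAddr", "DstIpPort", "TimeStr", "DateStr"}

LAB_MESSAGE = ("Sensor ${HostID} detected Signature ${SigID} launched by "
               "${SrcIpAddr}:${SrcIpPort} against ${DstIpAddr}:${DstIpPort} "
               "at ${TimeStr} on ${DateStr}.")

_VAR = re.compile(r"\$\{([^}]*)\}")


def check_template(text):
    """Return (unknown, miscased) variable names found in a message body."""
    by_lower = {v.lower(): v for v in KNOWN_VARS}
    unknown, miscased = [], []
    for name in _VAR.findall(text):
        if name in KNOWN_VARS:
            continue
        if name.lower() in by_lower:
            # Right variable, wrong case: report the spelling the lab gives.
            miscased.append((name, by_lower[name.lower()]))
        else:
            unknown.append(name)
    return unknown, miscased


def render(text, alarm):
    """Substitute alarm values; names that do not match are left as typed."""
    return Template(text).safe_substitute(alarm)


# Constructed alarm values for illustration (pod P = 1, peer pod Q = 2);
# not output from a real sensor, and the signature number is made up.
SAMPLE_ALARM = {
    "HostID": "4", "SigID": "1234",
    "SrcIpAddr": "10.0.2.3", "SrcIpPort": "1025",
    "DstIpAddr": "10.0.1.3", "DstIpPort": "80",
    "TimeStr": "10:15:00", "DateStr": "2001/06/01",
}

if __name__ == "__main__":
    print(check_template(LAB_MESSAGE))
    print(render(LAB_MESSAGE, SAMPLE_ALARM))
    print(render("Sensor ${hostid} detected Signature ${SigID}", SAMPLE_ALARM))
```

In this stand-in, a name typed with the wrong case is left unsubstituted in the rendered text, so the notification would arrive without the alarm value it was meant to carry.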

Task 4—Test E-Mail Notification

Complete the following tasks to generate high severity alarms that will cause an
e-mail notification to be generated. Your instructor will assign a peer’s pod number
(Q).

Step 1

Launch your web browser.

Step 2

Enter the following string in your web browser:

http://10.0.Q.3/../..

(where Q = peer pod number)

Step 3

Enter the following string in your web browser:

http://10.0.Q.3/msadc/msadcs.dll

(where Q = peer pod number)

Step 4

Launch your mail client software.

Step 5

Retrieve your e-mail from the mail server.

Task 5—Generate CIDS Alarm Reports

Complete the following tasks to generate CIDS alarm reports:

Step 1

Launch your web browser and enter the following in the URL field:

https://localhost/Reports

Step 2

Select a report as assigned by the instructor.


Step 3

Authenticate when prompted.

Step 4

Click View (Window) to generate a default report. A new web browser opens
displaying the CIDS alarm report.

