Ossim: Using Cisco SDEE Protocol to collect security events

October 29, 2009 | Jaime Blasco

We added support for collecting events over the Security Device Event Exchange (SDEE) protocol, which lets Ossim capture events from:

  • Cisco IPS sensors (Intrusion Prevention System appliances)
  • Cisco IDS sensors (Intrusion Detection System appliances)
  • Cisco Switch IDS modules
  • Cisco IOS routers with inline Intrusion Prevention System (IPS) functions
  • Cisco IDS modules for routers
  • Cisco PIX firewalls
  • Cisco Catalyst 6500 Series firewall services modules (FWSMs)
  • Cisco Management Center for Cisco Security Agents
  • CiscoWorks Monitoring Center for Security servers

SDEE is an XML-over-HTTPS, subscription-based protocol: the collector opens a subscription on the device and then pulls batches of events from it. It replaces the older Remote Data Exchange Protocol (RDEP) used by earlier Cisco IDS software.

Ossim can collect over SDEE and feeds the resulting events into inventory correlation (OS correlation), using the signature-to-OS mapping described below.

Configuration:

- Updating plugin sids with the latest IPS signature update package:

If you have a signature update package from Cisco, you can populate the Ossim database with the signatures it contains, so that each Cisco signature id becomes a plugin sid with a name and priority.

To update the plugin sid information, go to /usr/share/ossim/scripts/ and run the script against the package. It prints the SQL to standard output:

mac-jaime:scripts$ python createCiscoIPSSidmap.py IOS-S416-CLI.pkg.xml
DELETE FROM plugin WHERE id = "1597";
DELETE FROM plugin_sid where plugin_id = "1597";
INSERT INTO plugin (id, type, name, description) VALUES (1597, 1, 'Cisco-IPS', 'Cisco Intrusion Prevention System');
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5986, NULL, NULL, 'Cisco-IPS: Microsoft GDI+ GIF Parsing Vulnerability', 3, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5984, NULL, NULL, 'Cisco-IPS: IE COM Object Code Execution', 3, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 5985, NULL, NULL, 'Cisco-IPS: Quicktime RTSP Content-Type Excessive Length', 3, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19159, NULL, NULL, 'Cisco-IPS: Green Dam Youth Escort Software Update Check', 1, 4);
INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, priority, reliability) VALUES (1597, 19401, NULL, NULL, 'Cisco-IPS: Microsoft Publisher File Parsing Vulnerability', 3, 4);
...

The script only generates the SQL needed to update the Ossim database; it does not touch the database itself. Note that it starts by deleting the existing Cisco-IPS plugin and all of its sids, so load the full output, not a fragment. To insert the information:

mac-jaime:scripts$ python createCiscoIPSSidmap.py IOS-S416-CLI.pkg.xml > sdee.sql
mac-jaime:scripts$ ossim-db < sdee.sql

If you also want to update the cross-correlation information (the plugin_reference rows that link each Cisco signature to the operating systems it targets, which is what the server uses to weigh an event against the inventory of the attacked host), run the OS mapping script against the same package:

mac-jaime:scripts$ python ciscoIPSOsMap.py IOS-S416-CLI.pkg.xml
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 1109, 3001, 3);
replace into plugin_reference values (1597, 2156, 3001, 1);
replace into plugin_reference values (1597, 2157, 3001, 3);
replace into plugin_reference values (1597, 2157, 3001, 3);
replace into plugin_reference values (1597, 2157, 3001, 3);
...

The statements use REPLACE, so re-running the script on a newer package is safe. Load them the same way:

mac-jaime:scripts$ python ciscoIPSOsMap.py IOS-S416-CLI.pkg.xml > sdee-os.sql
mac-jaime:scripts$ ossim-db < sdee-os.sql

Remember to restart ossim-server afterwards: the server caches plugin sid and cross-correlation data at start-up, so events arriving before the restart will still be matched against the old signature list.
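As an added example, not the OSSIM script itself (its source is not on this page), the following Python re-creates what createCiscoIPSSidmap.py is doing: read signature definitions and emit the DELETE/INSERT statements in the shape shown above. The input is a constructed, deliberately simplified XML and the severity-to-priority mapping is an assumption; a real Cisco update package such as IOS-S416-CLI.pkg.xml uses Cisco's own, much richer schema, which this example does not parse. It also deduplicates signature ids, because plugin_sid is keyed on (plugin_id, sid) and a repeated sid would make the whole ossim-db load fail.

```python
#!/usr/bin/env python3
"""Build plugin / plugin_sid SQL for Cisco IPS signatures (added example)."""
import xml.etree.ElementTree as ET

PLUGIN_ID = 1597                         # Cisco-IPS plugin id used on the page
PLUGIN_NAME = "Cisco-IPS"
PLUGIN_DESC = "Cisco Intrusion Prevention System"
RELIABILITY = 4                          # the page's generated rows all use 4

# Assumed mapping from the package's severity level to an OSSIM priority.
SEVERITY_PRIORITY = {"informational": 1, "low": 2, "medium": 3, "high": 4}

# Constructed sample package, not a real Cisco file; the sids and names are
# the ones visible in the page's own SQL. 19401 appears twice on purpose.
SAMPLE_PACKAGE = """<signatures>
  <signature id="5986" severity="medium">Microsoft GDI+ GIF Parsing Vulnerability</signature>
  <signature id="19159" severity="informational">Green Dam Youth Escort Software Update Check</signature>
  <signature id="19401" severity="medium">Microsoft Publisher File Parsing Vulnerability</signature>
  <signature id="19401" severity="medium">Microsoft Publisher File Parsing Vulnerability</signature>
  <signature id="5984" severity="medium">IE COM  Object Code Execution</signature>
</signatures>"""


def sql_quote(text):
    """Quote a string as a single-quoted MySQL literal (ossim-db is MySQL)."""
    return "'" + text.replace("\\", "\\\\").replace("'", "''") + "'"


def parse_package(xml_text):
    """Return {sid: (severity, name)}.

    A dict keyed on sid drops repeated entries, which sub-signature records
    can otherwise produce; the first occurrence wins."""
    signatures = {}
    for el in ET.fromstring(xml_text).findall("signature"):
        sid = int(el.get("id"))
        severity = el.get("severity", "medium").lower()
        name = " ".join((el.text or "").split())     # collapse stray whitespace
        signatures.setdefault(sid, (severity, name))
    return signatures


def sidmap_sql(signatures, plugin_id=PLUGIN_ID):
    """Emit the statements in the order the page shows: wipe the plugin,
    recreate it, then one plugin_sid row per signature (sorted by sid)."""
    stmts = [
        'DELETE FROM plugin WHERE id = "%d";' % plugin_id,
        'DELETE FROM plugin_sid WHERE plugin_id = "%d";' % plugin_id,
        "INSERT INTO plugin (id, type, name, description) VALUES (%d, 1, %s, %s);"
        % (plugin_id, sql_quote(PLUGIN_NAME), sql_quote(PLUGIN_DESC)),
    ]
    for sid in sorted(signatures):
        severity, name = signatures[sid]
        stmts.append(
            "INSERT INTO plugin_sid (plugin_id, sid, category_id, class_id, name, "
            "priority, reliability) VALUES (%d, %d, NULL, NULL, %s, %d, %d);"
            % (plugin_id, sid, sql_quote("%s: %s" % (PLUGIN_NAME, name)),
               SEVERITY_PRIORITY.get(severity, 3), RELIABILITY))
    return stmts


if __name__ == "__main__":
    # Redirect this to a file and load it with `ossim-db < sdee.sql`.
    print("\n".join(sidmap_sql(parse_package(SAMPLE_PACKAGE))))
```

Because the first two statements drop the plugin and every sid it had, always load the complete output in one transaction-sized run; a partially loaded file leaves the collector with a plugin_id that no longer exists.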

- Configuring the Ossim agent to collect from an SDEE-capable device:

Register the plugin in /etc/ossim/agent/config.cfg so the agent loads it (the agent reads the list of plugin configuration files to enable from the [plugins] section of that file).

Then edit /etc/ossim/agent/plugins/cisco-ips.cfg:

[DEFAULT]
plugin_id=1597

[config]
type=detector
enable=yes

source=sdee
source_ip=
user=
password=
sleep=5

process=
start=no
stop=no

Insert your source_ip (the address of the SDEE device), user and password. SDEE runs over HTTPS and the agent authenticates with these credentials on every request, so use a dedicated account on the device with the minimum privileges needed to read events rather than an administrator account: the password is stored in clear text in this file, and the file should be readable only by the user the agent runs as. sleep is the number of seconds the agent waits between polls of the device.

Restart the Ossim agent and it should begin receiving data from the SDEE device.

- Common problems:

When you open a session with an SDEE device, it hands you a Subscription ID that identifies your event subscription. Devices only allow a limited number of open subscriptions, so if the device closes the connection or you lose connectivity, the old subscription is left dangling and you have to close it before you can continue collecting from the device.

The Ossim agent closes it automatically, but if for some reason it cannot, you have to close the session manually.

You will find the last Subscription ID the agent received in /etc/ossim/agent/sdee_sid.data.

Configure your device credentials in /usr/share/ossim/scripts/closeSDEEsession.py and run it with that Subscription ID:

mac-jaime:scripts$ python /usr/share/ossim/scripts/closeSDEEsession.py SubscriptionID

This closes the last session. If you still have problems, the agent log keeps a record of the subscriptions it has used; list the most recent ones with:

mac-jaime:scripts$ grep subs /var/log/ossim/agent.log

and close each stale Subscription ID the same way.
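The two pieces of SDEE handling the agent does for you, the collection configured above and the subscription clean-up described under common problems, as an added example rather than code from the OSSIM agent: it parses an evIdsAlert out of an SDEE response into the fields Ossim keys on (plugin_id 1597 with the Cisco signature id as plugin_sid, attacker and target addresses, the target OS the sensor learned, which is what OS correlation compares against the inventory), and it shows the bookkeeping behind sdee_sid.data and closeSDEEsession.py: remember the Subscription ID and close it before opening a new one. The sample response is constructed, the element layout follows the Cisco CIDEE/SDEE schema as it is commonly documented, and the query parameters (action=open, action=close, subscriptionId) are taken from the SDEE specification as I recall it; verify both against your device. Nothing here talks to the network.

```python
#!/usr/bin/env python3
"""Parse SDEE evIdsAlert messages and track the subscription id (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

PLUGIN_ID = 1597                                      # Cisco-IPS plugin id on the page
SD = "{http://example.org/2003/08/sdee}"              # SDEE namespace (assumed)
CID = "{http://www.cisco.com/cids/2004/04/cidee}"     # Cisco CIDEE namespace (assumed)

# Assumed mapping of the alert's severity attribute onto an OSSIM priority.
SEVERITY_PRIORITY = {"informational": 1, "low": 2, "medium": 3, "high": 4}

# Constructed sample response holding one alert; not captured from a sensor.
SAMPLE_RESPONSE = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
              xmlns:sd="http://example.org/2003/08/sdee"
              xmlns:cid="http://www.cisco.com/cids/2004/04/cidee">
 <env:Body>
  <sd:events>
   <sd:evIdsAlert eventId="1256800000000000001" vendor="Cisco" severity="medium">
    <sd:originator><sd:hostId>ips-lab-01</sd:hostId></sd:originator>
    <sd:time offset="0" timeZone="UTC">1256800000000000001</sd:time>
    <sd:signature description="Microsoft GDI+ GIF Parsing Vulnerability" id="5986" version="S416">
     <cid:subsigId>0</cid:subsigId>
    </sd:signature>
    <sd:participants>
     <sd:attacker><sd:addr locality="OUT">198.51.100.23</sd:addr><sd:port>80</sd:port></sd:attacker>
     <sd:target><sd:addr locality="IN">192.0.2.45</sd:addr><sd:port>51234</sd:port>
      <cid:os idSource="learned" relevance="relevant" type="windows-nt-2k-xp"/>
     </sd:target>
    </sd:participants>
    <cid:riskRatingValue targetValueRating="medium">65</cid:riskRatingValue>
   </sd:evIdsAlert>
  </sd:events>
 </env:Body>
</env:Envelope>"""


def parse_alerts(xml_text):
    """Return one event dict per sd:evIdsAlert in an SDEE response."""
    events = []
    for alert in ET.fromstring(xml_text).iter(SD + "evIdsAlert"):
        sig = alert.find(SD + "signature")
        attacker = alert.find(SD + "participants/" + SD + "attacker")
        target = alert.find(SD + "participants/" + SD + "target")
        if sig is None or attacker is None or target is None:
            continue                                  # malformed alert: skip, do not crash the collector
        risk = alert.find(CID + "riskRatingValue")
        os_el = target.find(CID + "os")
        events.append({
            "plugin_id": PLUGIN_ID,
            "plugin_sid": int(sig.get("id")),          # joins against plugin_sid.sid
            "subsig": int(sig.findtext(CID + "subsigId", default="0")),
            "signature": sig.get("description", ""),
            "sensor": alert.findtext(SD + "originator/" + SD + "hostId", default=""),
            "src_ip": attacker.findtext(SD + "addr", default=""),
            "src_port": int(attacker.findtext(SD + "port", default="0")),
            "dst_ip": target.findtext(SD + "addr", default=""),
            "dst_port": int(target.findtext(SD + "port", default="0")),
            "target_os": os_el.get("type", "") if os_el is not None else "",
            "priority": SEVERITY_PRIORITY.get(alert.get("severity", "medium"), 3),
            "risk_rating": int(risk.text) if risk is not None and risk.text else None,
        })
    return events


def subscription_url(host, action, subscription_id=None, events="evIdsAlert"):
    """Build the SDEE request for open/get/close (parameter names assumed)."""
    params = {"action": action}
    if action == "open":
        params["events"] = events
    if subscription_id is not None:
        params["subscriptionId"] = subscription_id
    return "https://%s/cgi-bin/sdee-server?%s" % (host, urlencode(params))


def new_state_path():
    """A throw-away stand-in for /etc/ossim/agent/sdee_sid.data."""
    return os.path.join(tempfile.mkdtemp(), "sdee_sid.data")


def remember_subscription(sub_id, path):
    """Persist the Subscription ID the device handed out."""
    with open(path, "w") as fh:
        fh.write(sub_id + "\n")


def stale_subscription(path):
    """Return the remembered Subscription ID, or None if there was no session."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read().strip() or None


def plan_recovery(host, path):
    """Requests a collector should issue on (re)start: close the remembered
    subscription first, so the device's subscription limit is not exhausted,
    then open a fresh one."""
    steps = []
    old = stale_subscription(path)
    if old:
        steps.append(subscription_url(host, "close", old))
    steps.append(subscription_url(host, "open"))
    return steps


if __name__ == "__main__":
    for event in parse_alerts(SAMPLE_RESPONSE):
        print(event)
    state = new_state_path()
    remember_subscription("sub-1-1256800000", state)
    for url in plan_recovery("10.0.0.5", state):
        print(url)
```

The recovery order matters: a collector that opens first and closes later can hit the device's subscription limit after a few crashes and then fail to open at all, which is exactly the situation closeSDEEsession.py is there to get you out of.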

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.