Description
The Splunk for Cisco IPS technology add-on is a collection of scripted inputs, field extractions, and other search-time knowledge that is used to drive reporting and search for data collected from Cisco IPS devices. The scripted input included in this add-on can be configured to collect data from Cisco IPS sensors using the Security Device Event Exchange (SDEE) format.
Security Device Event Exchange (SDEE) is a standard proposed by ICSA that specifies the format of messages and the protocol used to communicate events generated by security devices. This protocol is used in the Cisco IPS Sensor 5.0 software to replace the Remote Data Exchange Protocol (RDEP), which is used by earlier versions of the Cisco IDS Sensor software. The IPS data format is XML; Splunk for SDEE translates and maps the data into key-value pairs.
This add-on can be used standalone, or it can be installed with the Cisco Security Suite umbrella app and the other Cisco Security Suite apps and add-ons to provide a single-pane-of-glass interface and out-of-the-box reports on Cisco firewall devices and other Cisco technology data.
Important note: This add-on, under its new name, Splunk for Cisco IPS, replaces the older and very popular Cisco IPS SDEE Data Collector and contains all of the functionality of its predecessor plus the enhancements listed in the release notes below. Additional information and downloads for the Cisco Security Suite can be found on Splunkbase. The other Cisco Security Suite apps and add-ons include:
Installation and configuration instructions for this add-on can be found in the README file within the downloaded package.
Versions and Release Notes
Version 2.0.0 (current version - updated Jan 25, 2013)
release notes:
Reports and dashboards have been removed from the plug-in and placed in the Cisco Security Suite. Please download the Cisco Security Suite for the search head components.
Version 1.0.0
(updated Jan 25, 2013)
release notes:
- Updated to provide compatibility with Splunk 4.2
Version 1.1.1
(updated Jul 02, 2012)
release notes:
1.1.1 (2012-06-29) 1.1.0 (2012-05-29)
Version 1.0.4
(updated Feb 15, 2012)
release notes:
- Added log rotation feature.
Version 1.0.2
(updated May 21, 2011)
release notes:
Resolved the following issues:
Version 1.0.1
(updated Mar 22, 2011)
release notes:
This maintenance release includes a fix for Bug SOLN-829: Cisco IPS scripts refer to the incorrect folder name "cisco_ips". See http://answers.splunk.com/questions/12692/app-not-installing-correctly
Wrong details are being pulled by get_ips_feed.py for 'Signature'. Currently we have the signature field being pulled from sigDetails in the Cisco IPS logs. We should pull signature from Signature --> Description instead, which carries more useful data with respect to Signature for an event.
Can someone please help with this.
That is correct. In the Splunk for Cisco IPS App, the 'Signature' field maps to the 'signatureID' and the 'Description' field maps to the 'sigDetails' and the 'signatureDescription' is not being recorded. Is that a problem? How would you like to see it displayed?
Has anyone got this to work with multiple IPS devices? When I installed it, it only asked for one IP address with an account/password. I have 25 devices, but it doesn't give the option to pull information from more than one device.
I haven't personally done it, but if you go to Manager --> Apps, find the Cisco IPS app, and choose setup, it says "You can re-run this setup program at any time from the Splunk Manager to add additional data inputs for other Cisco IPS devices."
So, it would appear that you would have to run the setup 24 more times to get the rest of your devices set up...
Hello
Is it possible for SDEE-collected logs to be converted into Syslog format and forwarded to a Syslog server?
Has anyone made this and Splunk work together? We're running into many issues and could use a hand. Specifically, this error:
Wed Jan 11 10:23:27 2012 - ERROR - Exception thrown while parsing SDEE payload: Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py", line 74, in run
alert_obj_list = idsmxml.parse_alerts( result_xml )
File "C:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\pysdee\idsmxml.py", line 243, in parse_alerts
alert_obj.signature = build_sig(sig[0])
File "C:\Program Files\Splunk\etc\apps\Splunk_CiscoIPS\bin\pysdee\idsmxml.py", line 190, in build_sig
signature.marscategory = node.getElementsByTagName('marsCategory')[0].firstChild.wholeText
IndexError: list index out of range
The script get_ips_feed.py runs forever because of "while 1". So the "interval" option needs to be modified; it seems it cannot work.
Thanks for your advice !
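As an added example (not the add-on's own pysdee code), a minimal parser for a constructed SDEE-style alert document that tolerates a missing marsCategory element, the condition behind the IndexError in the traceback above, and emits the signatureID / signatureDescription / sigDetails fields discussed in the thread as key-value pairs. The element and attribute names in the sample are assumptions that only approximate the real SDEE schema.

```python
import xml.dom.minidom as minidom

# Constructed sample, not real sensor output: the second alert has no
# <marsCategory>, which is what makes a bare [0] index raise IndexError.
SAMPLE_SDEE = """<alerts>
  <alert eventId="1001">
    <signature id="2004" description="ICMP Echo Request">
      <sigDetails>ICMP Echo Req</sigDetails>
      <marsCategory>Info/Misc</marsCategory>
    </signature>
  </alert>
  <alert eventId="1002">
    <signature id="5081" description="Constructed sample signature">
      <sigDetails>cmd.exe</sigDetails>
    </signature>
  </alert>
</alerts>"""


def child_text(node, tag, default=None):
    """Text of the first <tag> child, or default when absent or empty."""
    elems = node.getElementsByTagName(tag)
    if not elems or elems[0].firstChild is None:
        return default
    return elems[0].firstChild.data.strip()


def build_sig(sig_node):
    """Map a <signature> element to the add-on's field names; missing parts become None."""
    return {
        "signatureID": sig_node.getAttribute("id") or None,
        "signatureDescription": sig_node.getAttribute("description") or None,
        "sigDetails": child_text(sig_node, "sigDetails"),
        "marsCategory": child_text(sig_node, "marsCategory"),
    }


def parse_alerts(xml_text):
    """Return one dict of fields per <alert>, never raising on optional elements."""
    doc = minidom.parseString(xml_text)
    alerts = []
    for alert in doc.getElementsByTagName("alert"):
        fields = {"eventId": alert.getAttribute("eventId")}
        sigs = alert.getElementsByTagName("signature")
        if sigs:
            fields.update(build_sig(sigs[0]))
        alerts.append(fields)
    return alerts


def to_kv_line(fields):
    """Render fields as key="value" pairs, dropping fields that were absent."""
    return " ".join('%s="%s"' % (k, v) for k, v in fields.items() if v is not None)
```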