Chapter 7: Configuring Host-Based IDS and IPS Devices; Entercept Entercept 2.5 and 4.0; Extracting Entercept Agent Information into a CSV File (for Entercept Version 2.5) - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Configuring Host-Based IDS and IPS Devices
Host-based intrusion detection and prevention devices provide MARS with detailed information about
attacks seen at the host level, rather than the network level. They also provide information about the host
operating system and successful prevention of attacks, both of which provide more targeted data for false
positive analysis.
This chapter explains how to bootstrap and add the following host-based IDS and IPS devices to MARS:
• Entercept Entercept 2.5 and 4.0, page 7-1
• Cisco Security Agent 4.x Device, page 7-5

Entercept Entercept 2.5 and 4.0

To configure Entercept in MARS, you must perform the following tasks:
1. Generate a CSV file that identifies each of the Entercept hosts by logging into the host running the
Entercept console and copying the data out of the database table.
2. Configure the Entercept console to send SNMP traps to the MARS Appliance.
3. Identify the events that should be generated as SNMP traps.
4. Define a host that represents the management console (Entercept console) in the MARS web interface.
5. From that host in the MARS web interface, import the CSV seed file to identify the Entercept agents
running on other hosts.
The following sections provide details on performing each of these tasks:
• Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5), page 7-1
• Define the MARS Appliance as an SNMP Trap Target, page 7-2
• Specify the Events to Generate SNMP Traps for MARS, page 7-2

Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5)
Entercept agent information is saved in a database file on the Entercept console.
Note

78-17020-01
User Guide for Cisco Security MARS Local Controller

This manual is also suitable for: Mars 20, Mars 50, Mars 100, Mars 200
