The Splunk for Cisco IPS technology add-on is a collection of scripted inputs, field extractions, and other search-time knowledge that is used to drive reporting and search for data collected from Cisco IPS devices. The scripted input included in this add-on can be configured to collect data from Cisco IPS sensors using the Security Device Event Exchange (SDEE) format.
Reports and dashboards have been removed from this add-on and moved to the Cisco Security Suite. Please download the Cisco Security Suite for the search head components.
- Added an additional field, passed to get_ips_feed.py, that causes the script to wait a specified amount of time (in seconds) between polls of the IPS. If the value is not passed, it defaults to 15 seconds (for backwards compatibility). If a value of 0 is specified, the script polls continuously (as previous versions did).
- Changed the date/time stamp in the alert to a human-readable format. Alert time from the IPS is sent as time in nanoseconds since 1970-01-01T00:00:00Z, so it showed as a large integer such as 1339900639985884000. It is now displayed as YYYY-MM-DD HH:MM:SS instead.
- Made the MARS Category field optional: if the IPS provides it, it is included; if not, it is omitted. Resolves a bug where the Splunk for Cisco IPS app crashes on IPS version 7.x.
- Removed redundant protocol entry in output
- Added a context field that is present if the IPS device provides it. This is common when the IPS runs in a multi-context ASA.
- Changed packet data to remove new-line characters so it fits on one line instead of being spread over many lines, and included the packet data in the alert event instead of emitting it as a separate event.
- Removed isDropped field. Not necessary any more, see next item.
- Added the following values that will be present if the following actions were taken.
- Added an actions field that contains a comma-separated list of all actions taken from the list above.
- Added summary_count and initial_alert for summary alerts.
- Added log rotation feature.
- Removed Cisco MARS category.
Resolved the following issues:
- Cisco IPS get_ips_feed.py script fails on Windows when package extracted using Winzip (SOLN-949)
- Cisco IPS setup fails to configure scripted inputs with appropriate OS path separators (SOLN-925)
This maintenance release includes a fix for:
Bug SOLN-829 Cisco IPS scripts refer to incorrect folder name "cisco_ips"
- Updated to provide compatibility with Splunk 4.2
- Updated to include a new setup workflow to assist with initial configuration
Security Device Event Exchange (SDEE) is a standard proposed by ICSA that specifies the format of messages and the protocol used to communicate events generated by security devices. Cisco IPS Sensor 5.0 software uses it in place of the Remote Data Exchange Protocol (RDEP) used by earlier versions of the Cisco IDS Sensor software. The IPS data format is XML; the add-on translates and maps the data into key-value pairs.
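The following is an added example (not code from the Splunk for Cisco IPS add-on or from get_ips_feed.py) of the XML-to-key-value mapping described above, combined with the behaviour listed in the release notes: the nanosecond timestamp is rendered as YYYY-MM-DD HH:MM:SS, the context and MARS category fields are emitted only when the sensor sends them, actions taken are collapsed into a comma-separated actions field, summary alerts yield summary_count and initial_alert, and the packet dump is flattened onto one line inside the same event. The namespace URIs, element names and attribute names are assumptions about the SDEE/CIDEE wire format, and the sample alert is constructed rather than captured from a sensor.

```python
"""Flatten a Cisco IPS SDEE alert (XML) into Splunk-style key=value pairs.

Added example, not code from the Splunk for Cisco IPS add-on.  The namespace
URIs, element and attribute names are assumptions about the SDEE/CIDEE format;
the sample alert below is constructed, not a capture from a sensor.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "sd": "http://example.org/2003/08/sdee",           # assumed SDEE namespace
    "cid": "http://www.cisco.com/cids/2004/04/cidee",  # assumed Cisco extension namespace
}

# Constructed sample: one summary alert from a sensor that sends a context
# (as a multi-context ASA would) but no MARS category (as IPS 7.x does).
SAMPLE_ALERT = """\
<sd:evIdsAlert xmlns:sd="http://example.org/2003/08/sdee"
               xmlns:cid="http://www.cisco.com/cids/2004/04/cidee"
               eventId="1339900639985884000" vendor="Cisco" severity="high">
  <sd:originator><sd:hostId>ips-sensor-1</sd:hostId></sd:originator>
  <sd:time offset="0" timeZone="UTC">1339900639985884000</sd:time>
  <sd:signature id="2004" description="ICMP Echo Request"/>
  <cid:context>admin</cid:context>
  <sd:participants>
    <sd:attacker><sd:addr>192.0.2.10</sd:addr><sd:port>0</sd:port></sd:attacker>
    <sd:target><sd:addr>198.51.100.5</sd:addr><sd:port>0</sd:port></sd:target>
  </sd:participants>
  <sd:actions>
    <cid:droppedPacket>true</cid:droppedPacket>
    <cid:deniedAttacker>true</cid:deniedAttacker>
    <cid:deniedFlow>false</cid:deniedFlow>
  </sd:actions>
  <cid:riskRatingValue>85</cid:riskRatingValue>
  <cid:summary cid:initialAlert="1339900600000000000">3</cid:summary>
  <cid:triggerPacket>4500 003c 1c46 4000
4001 b1e6 c000 020a
c633 6405</cid:triggerPacket>
</sd:evIdsAlert>
"""


def sdee_time(ns_text):
    """SDEE sends alert time as integer nanoseconds since 1970-01-01T00:00:00Z,
    e.g. 1339900639985884000.  Integer division keeps the 19-digit value out of
    a float; the result is rendered as YYYY-MM-DD HH:MM:SS in UTC."""
    seconds = int(ns_text) // 10**9
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_alert(xml_text):
    """Return a dict of fields for one evIdsAlert.  Optional fields (context,
    mars_category, actions, summary_*, packet) appear only when present."""
    root = ET.fromstring(xml_text)
    ev = {
        "eventId": root.get("eventId"),
        "severity": root.get("severity"),
        "sensor": root.findtext("sd:originator/sd:hostId", namespaces=NS),
        "src_ip": root.findtext("sd:participants/sd:attacker/sd:addr", namespaces=NS),
        "src_port": root.findtext("sd:participants/sd:attacker/sd:port", namespaces=NS),
        "dest_ip": root.findtext("sd:participants/sd:target/sd:addr", namespaces=NS),
        "dest_port": root.findtext("sd:participants/sd:target/sd:port", namespaces=NS),
        "risk_rating": root.findtext("cid:riskRatingValue", namespaces=NS),
    }
    sig = root.find("sd:signature", NS)
    if sig is not None:
        ev["sig_id"] = sig.get("id")
        ev["sig_desc"] = sig.get("description")
    t = root.findtext("sd:time", namespaces=NS)
    if t:
        ev["time"] = sdee_time(t)
    # Optional fields: emitted only if the sensor supplied them.
    for key, path in (("context", "cid:context"), ("mars_category", "cid:marsCategory")):
        val = root.findtext(path, namespaces=NS)
        if val is not None:
            ev[key] = val.strip()
    # Actions taken: every child of <sd:actions> whose text is "true".
    taken = [a.tag.rsplit("}", 1)[-1] for a in root.findall("sd:actions/*", NS)
             if (a.text or "").strip().lower() == "true"]
    if taken:
        ev["actions"] = ",".join(taken)
    # Summary alerts carry a count and the time of the first alert rolled up.
    summ = root.find("cid:summary", NS)
    if summ is not None:
        ev["summary_count"] = int(summ.text)
        first = summ.get("{%s}initialAlert" % NS["cid"])
        if first:
            ev["initial_alert"] = sdee_time(first)
    # Packet data: collapse newlines so the dump stays on one line, in this event.
    pkt = root.findtext("cid:triggerPacket", namespaces=NS)
    if pkt:
        ev["packet"] = " ".join(pkt.split())
    return ev


def to_splunk_event(ev):
    """One line of key="value" pairs, time first so it can serve as the event
    timestamp; embedded double quotes are escaped."""
    order = (["time"] if "time" in ev else []) + [k for k in ev if k != "time"]
    return " ".join('%s="%s"' % (k, str(ev[k]).replace('"', '\\"')) for k in order)


if __name__ == "__main__":
    print(to_splunk_event(parse_alert(SAMPLE_ALERT)))
```

Running the block prints the constructed alert as a single key="value" line beginning with time="2012-06-17 02:37:19"; a sensor that omits the context or summary elements simply produces an event without those keys rather than an error, which is the failure mode the MARS Category change above was addressing.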
This add-on can be used standalone, or it can be installed alongside the Cisco Security Suite umbrella app and the other Cisco Security Suite apps and add-ons to provide a single-pane-of-glass interface and out-of-the-box reports on Cisco firewall devices and other Cisco technology data.
Important note: This add-on, under its new name, Splunk for Cisco IPS, replaces the older and very popular Cisco IPS SDEE Data Collector and contains all of the functionality of its predecessor plus the enhancements listed in the release notes below.
Additional information and download for Cisco Security Suite can be found on Splunkbase. The other Cisco Security Suite apps and add-ons include:
- Cisco Security Suite
- Splunk for Cisco Client Security Agent (CSA)
- Splunk for Cisco IronPort Email Security Appliance (ESA)
- Splunk for Cisco IronPort Web Security Appliance (WSA)
- Splunk for Cisco Firewalls (PIX, FWSM, ASA)
- Splunk for Cisco IPS
- Splunk for Cisco MARS
Installation and configuration instructions for this add-on can be found in the README file within the downloaded package.
Support for this content
This app is authored by Splunk but is not officially supported by Splunk Support. If you have a current Splunk Enterprise Support entitlement, Splunk will provide best-effort support for cases involving this app directly, but such cases will not be subject to the Splunk Enterprise Support SLA.