Cisco IPS Management

Files:
cisco_ips.pl: Cisco IPS management perl plugin
CIPS-Sample-Nagios-Configs.txt: Sample nagios configuration for Cisco IPS
This is a plugin to monitor and reset Cisco IPS devices. It makes use of SSH and expect to perform these functions.
This script can be used as two separate service checks and also as an event handler to reset the sensor if needed.

The main check (-c) provides the following information from the sensor:
-Service & Signature Pack Versions (can be checked against expected versions using -v)
--Exceptions can be made by individual sensor. Warning state is triggered if versions do not match
-Hardware Platform
-Serial Number
-License (warning state if license expires within -L days, critical state if license is expired)
-Uptime
-Missed Packet Percentage (Average of missed packet percentage for all sensing interfaces)
--Will trigger a warning state if no active sensing interfaces are found
-MainApp/AnalysisEngine (SensorApp) Version & Status
--Intended to be used with -r reset event handler to reset the sensor if AnalysisEngine is NotRunning

The users check (-e) can be used in conjunction with the -c check (and -U/--user-data-dir option) to verify that the correct user accounts are configured on the sensor.

The reset (-r) option can be configured as an event handler to reset the sensor when needed, especially if the AnalysisEngine (SensorApp) is found to be 'NotRunning'.

USAGE INFORMATION:
FUNCTIONS:
-c, --check
Perform the Cisco IPS health check
-e, --examine-users
Examine the user data file written by a -c check that was run with -U/--user-data-dir
-r, --reset=SERVICESTATE,OUTPUT
Attempt to connect to the sensor and reset it. Intended for when Analysis Engine is in status 'NotRunning'
(Reset the sensor if SERVICESTATE is critical and OUTPUT contains NotRunning)

OPTIONS:
-C, --critical-users=USERS
A comma separated list of users expected to be found on the IPS device (-e check only)
-D, --domain=DOMAIN
Domain to append to hostname (Example: If -H abc and -D def.org, connection will be made to abc.def.org)
-d, --debug
Print debug information while running the check. Can be used with Nagios 3 to provide multiline output
-H, --hostname=HOST
IP or hostname of the Cisco IPS sensor
-h, --help
Print this help screen
-I, --interval=MINUTES
Trigger a warning when the stored user data is older than interval (-e check only)
-i, --identity-file=SSHPRIVATEKEY
Private key to be used to log into the sensor (-c and -r only)
-L, --license-threshold=DAYS
Warn if remaining days of license fall below this threshold. Default: 7 (-c check only)
-l, --log=LOGFILE
Log results of the check to the LOGFILE. Recommended for sensor resets (-c and -r only)
-o, --options=ARGUMENTS
Used to pass SSH configuration file style options. For details see ssh_config(5) (-c and -r only)
-p, --password=PASSWORD
Password to log into the sensor (-c and -r only)
-t, --timeout=TIMEOUT
Timeout for connecting to the host and expect commands in seconds. Default: 10 (-c and -r only)
-U, --user-data-dir=USERDIR
Directory to log users data file to, to verify certain users are configured on the sensor (-c and -e only)
-u, --username=USER
Username to log into the sensor (-c and -r only)
-v, --versions=VERSIONFILE
File that contains service and signature pack versions to compare against (-c only)
FORMAT:
all,service pack version,sig pack version (the versions all sensors should be at)
hostname,service pack version,sig pack version (individual exceptions)
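
The VERSIONFILE format above, worked through as an added example (this is not code from cisco_ips.pl). It assumes a hostname line overrides the "all" line, that the hostname is matched exactly as given, and that a sensor with no applicable line is reported as UNKNOWN; the hostnames and version strings are constructed.

```python
OK, WARNING, UNKNOWN = 0, 1, 3  # standard Nagios plugin return codes


def parse_versions(text):
    """Map 'all' or a hostname to (service_pack, sig_pack) from VERSIONFILE text."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or not all(fields):
            raise ValueError(f"line {lineno}: expected 3 comma-separated fields")
        expected[fields[0]] = (fields[1], fields[2])
    return expected


def check_versions(host, service_pack, sig_pack, expected):
    """Compare a sensor's reported versions to its exception line, else 'all'."""
    want = expected.get(host, expected.get("all"))
    if want is None:
        return UNKNOWN, f"no expected versions for {host}"
    problems = []
    if service_pack != want[0]:
        problems.append(f"service pack {service_pack} (expected {want[0]})")
    if sig_pack != want[1]:
        problems.append(f"signature pack {sig_pack} (expected {want[1]})")
    if problems:
        # The page states a version mismatch raises a warning state.
        return WARNING, "version mismatch: " + "; ".join(problems)
    return OK, f"versions match: {service_pack}, {sig_pack}"


# Constructed sample: fleet baseline plus one sensor held at an older service pack.
SAMPLE_VERSIONS = """\
all,7.0(2)E4,S480.0
lab-ips01,6.2(2)E4,S480.0
"""

if __name__ == "__main__":
    exp = parse_versions(SAMPLE_VERSIONS)
    print(check_versions("edge-ips01", "7.0(2)E4", "S479.0", exp))
    print(check_versions("lab-ips01", "6.2(2)E4", "S480.0", exp))
```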

SECURITY WARNING:
If you provide a password as an argument to this check it will be visible to any
user that has access to view running processes of the Nagios user or that has
access to your Nagios configuration files.

It is possible to add SSH version 1 authorized keys to the sensor using the
'ssh authorized-key' command in config mode. This can be used to eliminate the
need for a password to access the sensor.

The service account functionality on the Cisco IPS is not officially supported.
It is intended only for TAC support. However, it can be used in order to add
an SSH version 2 public key to the authorized_keys file of a particular user.
Please see the following for more information about the service account:

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliTasks.html#wp1073485
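
To find where the exposure described in this warning exists in a Nagios installation, the following added example (not part of cisco_ips.pl or its sample configuration) scans command definitions for cisco_ips.pl command lines that pass -p/--password. The command names, key path and password in the sample are constructed; a password supplied through a macro such as $USER5$ is kept out of the object configuration but still appears in the process arguments, so both kinds are reported.

```python
import re
import shlex

PLUGIN = "cisco_ips.pl"
MACRO = re.compile(r"^\$[A-Z0-9_]+\$$")  # a whole-token Nagios macro, e.g. $USER5$


def audit_command_lines(cfg_text):
    """Return (line_no, kind) for each cisco_ips.pl command_line passing a password.

    kind is 'literal' (password readable in the config file and the process
    list) or 'macro' (resolved at run time, still visible in the process list).
    """
    findings = []
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(("#", ";")):
            continue
        m = re.match(r"command_line\s+(.*)$", line)
        if not m or PLUGIN not in m.group(1):
            continue
        try:
            argv = shlex.split(m.group(1))
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            argv = m.group(1).split()
        for i, tok in enumerate(argv):
            if tok in ("-p", "--password"):
                value = argv[i + 1] if i + 1 < len(argv) else ""
            elif tok.startswith("--password="):
                value = tok.split("=", 1)[1]
            else:
                continue
            findings.append((no, "macro" if MACRO.match(value) else "literal"))
    return findings


# Constructed sample configuration: two password-based checks and one key-based.
SAMPLE_CFG = """\
define command {
    command_name  check_cips_pw
    command_line  $USER1$/cisco_ips.pl -c -H $HOSTADDRESS$ -u nagios -p 'Example-Pass-1'
}
define command {
    command_name  check_cips_macro
    command_line  $USER1$/cisco_ips.pl -c -H $HOSTADDRESS$ -u nagios --password=$USER5$
}
define command {
    command_name  check_cips_key
    command_line  $USER1$/cisco_ips.pl -c -H $HOSTADDRESS$ -u nagios -i /path/to/key
}
"""
```

Only the third definition, which uses -i/--identity-file, avoids both exposures named in the warning.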

The following Perl modules can be found on CPAN and are required:
Date::Manip (calculate the amount of time left on the license)
Expect (connect to the sensor using expect and SSH)
IO::Capture::Stdout (capture stdout returned from expect)
Term::ReadKey (only required for reading a password from the user - for testing)

This plugin has been developed and tested with Nagios 3, but should be compatible with earlier versions.
Reviews (1)
This works great for checking health, but I can't figure out how to check the version of the signatures installed. I don't want to compare to anything, I just want to see what version is installed and running.

Thanks!