
Table Of Contents

Using Watch Lists

About Watch Lists

Monitoring the Network

About the Risk Index

Clearing the Watch List

Setting the Monitored Network

Including the Entire Network

Specifying the Monitored Network

Viewing the Watch List Window

Manually Removing Hosts from the Watch List

Exporting the Watch List


Using Watch Lists


This chapter explains how to use watch lists to monitor potentially infected hosts. It contains the following sections:

About Watch Lists

Setting the Monitored Network

Viewing the Watch List Window

Manually Removing Hosts from the Watch List

Exporting the Watch List

About Watch Lists

A watch list is an at-a-glance summary of potentially infected hosts on the network. Each outbreak management task has an associated watch list for its threat. When an IPS device detects network traffic containing the threat, Cisco ICS automatically puts the host from which the traffic originated on the watch list. Use the watch list to view summary information for these hosts, access host logs, and clean damage on host machines.

This section describes the watch list and contains the following topics:

Monitoring the Network

About the Risk Index

Clearing the Watch List

Monitoring the Network

Before Cisco ICS can add hosts to a watch list, you must specify a portion of the network for Cisco ICS to monitor. Only hosts on the monitored network can be included on the watch list. For more information, see Setting the Monitored Network.

About the Risk Index

The watch list section of a specific task shows the number of hosts that the threat infected and a risk index, which indicates how many infected hosts are currently on the network. The risk index calculation is as follows:

Risk Index = Infected Hosts - Cleaned Hosts

Clearing the Watch List

Cisco ICS removes hosts from the watch list automatically only after DCS successfully cleans the host and you have selected automatic removal on the Monitored Network window (Damage Cleanup Settings tab). Alternatively, you can manually remove hosts from the Watch List window.

Setting the Monitored Network

Cisco ICS can automatically add infected hosts to the watch list associated with a specific outbreak management task. However, you must manually add a specific host or range of hosts to the monitored network first. Only hosts on the monitored network can appear on a task-specific watch list.

When you modify the monitored network, the watch lists for active tasks do not reflect the change. Only watch lists for later tasks use the new monitored network settings.

This section describes the monitored network and contains the following topics:

Including the Entire Network

Specifying the Monitored Network

Including the Entire Network

By default, the entire network is included on the monitored network. However, after you add a host IP address or range of addresses, Cisco ICS no longer monitors other hosts for inclusion on the watch list. If you clear the monitored network again, Cisco ICS monitors the entire network.


Tip: For the most comprehensive watch list inclusion, do not add any hosts to the monitored network. Cisco ICS then monitors the entire network.


Specifying the Monitored Network

To specify the monitored network, follow these steps:


Step 1 Choose Outbreak Management > Outbreak Settings > Monitored Network.

The Monitored Network window appears, showing the Watch List tab.

Step 2 Click Add.

The Add Hosts window appears.

Step 3 Click one of the following:

IP address: Enter a single host IP address and the corresponding mask. The mask determines which IP address bits to include. Cisco ICS uses the exact value of the IP address bits that correspond to the 1 bits in the mask. For example, if you use the IP address 10.10.10.10 with the mask 255.255.0.0, Cisco ICS adds IP addresses 10.10.0.0 to 10.10.255.255.

IP range: Enter a range of IP addresses to add multiple hosts or an entire segment of the network.

Step 4 Click Save.
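The mask semantics from Step 3 worked through as an added Python example (not Cisco ICS code): it computes the address range an IP address entry covers and checks which IPS-detected source hosts fall on a constructed monitored network, so only those could be placed on a watch list. The entry layout, function names and sample addresses are assumptions for illustration.

```python
import ipaddress

# Constructed monitored-network entries in the two forms the Add Hosts
# window accepts: a single IP address plus mask, or an explicit IP range.
MONITORED_NETWORK = [
    ("ip", "10.10.10.10", "255.255.0.0"),        # page example: 10.10.0.0-10.10.255.255
    ("range", "192.168.50.20", "192.168.50.40"),  # constructed range entry
]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def masked_entry_range(ip, mask):
    """Return (first, last) covered by an IP-address entry.

    Bits under the mask's 1 bits are fixed to the entry's value; all other
    bits vary. Only a contiguous mask describes a single range, so anything
    else is rejected rather than silently misreported.
    """
    m, a = _to_int(mask), _to_int(ip)
    inverted = ~m & 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError("non-contiguous mask does not describe one range")
    return _to_str(a & m), _to_str((a & m) | inverted)


def host_is_monitored(host, entries=MONITORED_NETWORK):
    """True when the host is on the monitored network (eligible for a watch list).

    An empty monitored network means the entire network is monitored, which is
    the default the page describes.
    """
    if not entries:
        return True
    h = _to_int(host)
    for kind, first, second in entries:
        if kind == "ip":
            m = _to_int(second)
            if (h & m) == (_to_int(first) & m):   # exact match under the 1 bits
                return True
        elif kind == "range":
            if _to_int(first) <= h <= _to_int(second):
                return True
        else:
            raise ValueError(f"unknown entry kind {kind!r}")
    return False


def eligible_hosts(detected, entries=MONITORED_NETWORK):
    """Filter IPS-detected source hosts down to those a watch list can hold."""
    return [h for h in detected if host_is_monitored(h, entries)]
```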


Viewing the Watch List Window

To view the Watch List window, follow these steps:


Step 1 Choose Outbreak Management > Outbreak Management Summary.

Step 2 Click an active task name.

The summary window for that task appears.

Step 3 Under Watch List, click the link for the number of infected hosts or the number of cleaned hosts. The Watch List window appears, displaying the following:

Risk Index: The number of hosts still infected or under attack from the associated threat. The risk index calculation is as follows:

Risk Index = Infected Hosts - Cleaned Hosts

Host IP address.

Hostname.

Host MAC address.

Network Device: The device that detected the infected host.

Interface: The interface that leads to the network where the host is located.

VLAN: The VLAN of which the host is a member, if any. The word default is displayed if the host is not a member of a VLAN group.

Cleaned: The cleanup status of the host. (This item appears only when a DCS server is registered to Cisco ICS.)

Step 4 If too many hosts appear on the watch list, filter the list to display only infected hosts or only cleaned hosts, or filter by the network device that detected the hosts.

Next to Display, select All hosts, Infected hosts, or Cleaned hosts in the first drop-down list.

From the second list, select All devices or any single device name.

From the third list, select the number of hosts per page.

Click a heading in the list to sort by that item.


Manually Removing Hosts from the Watch List

After DCS successfully cleans a host, you might not need to keep it on the watch list.

To manually remove hosts from the watch list, follow these steps:


Step 1 Choose Outbreak Management > Outbreak Management Summary.

Step 2 Click an active task name.

The summary window for that task appears.

Step 3 Under Watch List, click the link that shows the number of infected hosts or cleaned hosts.

The Watch List window appears.

Step 4 Check the check boxes next to the hosts to remove or check the check box at the top to select all hosts.

Step 5 Click Remove.

A confirmation message appears.

Step 6 Click OK.


Exporting the Watch List

You can export and save the watch list as a .csv file to view in a spreadsheet application.

To export and save the watch list, follow these steps:


Step 1 Choose Outbreak Management > Outbreak Management Summary.

Step 2 Click an active task name.

The summary window for that task appears.

Step 3 Under Watch List, click the link that shows the number of infected hosts or cleaned hosts.

The Watch List window appears.

Step 4 Click Export.

Step 5 Click Save.

Step 6 Select a location to save the watch list.

Step 7 Click Save.




Posted: Fri Apr 7 09:32:04 PDT 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.