RSA Admin

Correlated Alert Error with Juniper IDS - "no devices configured"

Discussion created by RSA Admin Employee on Jul 1, 2012

I have a correlated alert that should be simple. Just look for a specific event from one IDS device.

 

The Alerter generates this error: "Detail: 3740: 9769 view=Juniper IDPS Alerts error no devices configured."

 

I think the device is being defined correctly in the statement. Device selection is based on "Select devices by Device Class/Type". Then I choose "Security/IPS", list the devices and choose the IP address for the relevant device.

 

Then in event selection I choose "Event ID", find the right device type, then choose the value from the list of Event IDs. I don't understand how it can fail with the error "no devices configured" when I choose it in Device Selection and I have the correct IP address listed in the XML file.

 

Here's the XML for the alert:

<cad timestamp="2012-07-02 12:05:28" decaytime="0" level="5" eventcategory="1901000000" content="A collection of specific IDP/IDS alerts generated by the Juniper SRXs" ipapattern="" ipacount="-1">
  <circuit id="LDAP-Alerts">
    <statement id="LDAP-Brute-Force-Attack" thp="false">
      <device comparison="IN">
        <devvalue dclass="IPS" case="false" regex="false">
          <ipadd value="192.168.40.51" />
        </devvalue>
      </device>
      <eventset>
        <eventid comparison="IN">
          <evalue msgid="LDAP:FAILED:BRUTE-FORCE" dtype="LogicalSystemIDP" case="false" regex="false" />
        </eventid>
      </eventset>
    </statement>
  </circuit>
</cad>
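Added example, not from the original post and not RSA's own tooling: a small Python check that parses a CAD alert definition like the one above and lists, per statement, which device class and IP addresses the device selection declares and which event IDs (with their device type) the event set matches on, flagging any statement whose device selection resolves to no IP address at all. How the enVision alerter itself resolves devices is not visible in the post, so this only reports what the XML declares; the CAD_XML string is the posted XML with the viewer's expand markers stripped, and the function names are my own.

```python
import xml.etree.ElementTree as ET

# The CAD XML from the post, with the viewer's "-" expand markers stripped.
CAD_XML = """<cad timestamp="2012-07-02 12:05:28" decaytime="0" level="5" eventcategory="1901000000" content="A collection of specific IDP/IDS alerts generated by the Juniper SRXs" ipapattern="" ipacount="-1">
<circuit id="LDAP-Alerts">
<statement id="LDAP-Brute-Force-Attack" thp="false">
<device comparison="IN">
<devvalue dclass="IPS" case="false" regex="false">
<ipadd value="192.168.40.51" />
</devvalue>
</device>
<eventset>
<eventid comparison="IN">
<evalue msgid="LDAP:FAILED:BRUTE-FORCE" dtype="LogicalSystemIDP" case="false" regex="false" />
</eventid>
</eventset>
</statement>
</circuit>
</cad>"""


def summarize_statements(xml_text):
    """Return one dict per <statement>: circuit id, statement id, the
    (dclass, ip) pairs its device selection declares, and the
    (msgid, dtype) pairs its event set matches on."""
    root = ET.fromstring(xml_text)
    summaries = []
    for circuit in root.iter("circuit"):
        for stmt in circuit.iter("statement"):
            devices = [
                (dv.get("dclass"), ip.get("value"))
                for dv in stmt.iter("devvalue")
                for ip in dv.iter("ipadd")
            ]
            events = [
                (ev.get("msgid"), ev.get("dtype"))
                for ev in stmt.iter("evalue")
            ]
            summaries.append({
                "circuit": circuit.get("id"),
                "statement": stmt.get("id"),
                "devices": devices,
                "events": events,
            })
    return summaries


def statements_without_devices(xml_text):
    """Ids of statements whose <device> block contains no <ipadd> entry,
    i.e. a device selection that literally names no device."""
    return [s["statement"] for s in summarize_statements(xml_text)
            if not s["devices"]]


def class_type_pairs(xml_text):
    """Per statement, the set of (device class, event device type) pairs the
    definition combines, so the two selections can be compared side by side."""
    pairs = {}
    for s in summarize_statements(xml_text):
        pairs[s["statement"]] = sorted({
            (dclass, dtype)
            for dclass, _ in s["devices"]
            for _, dtype in s["events"]
        })
    return pairs


if __name__ == "__main__":
    for s in summarize_statements(CAD_XML):
        print(f"{s['circuit']} / {s['statement']}")
        print("  devices:", s["devices"])
        print("  events: ", s["events"])
    print("statements with no device:", statements_without_devices(CAD_XML))
    print("class/type pairs:", class_type_pairs(CAD_XML))
    # Constructed variant: the same definition with the <ipadd> removed.
    empty = CAD_XML.replace('<ipadd value="192.168.40.51" />', "")
    print("constructed empty case:", statements_without_devices(empty))
```

Run against the posted XML the empty-device check comes back clean, which is consistent with the poster's observation that the device is declared; the class/type pairs output puts the declared device class ("IPS") next to the event's device type ("LogicalSystemIDP") so the two can be compared against what the alerter reports, without this script asserting which of them the alerter uses.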
