Cisco Wireless Intrusion Detection Events to Elastic-Stack

In this blog post I’m showing how to get Wireless Intrusion Detection Events from Cisco’s WIDS included in Cisco’s Wireless Controllers into an Elastic-Stack.

The architecture might look like this:

  • The Wireless Access points are generating Events from Radio, Client, CleanAir, and so on

  • The Wireless Controllers are sending those events by SNMP-Traps to a central Trap-Collector

  • Logstash is acting as the central SNMP-Trap-Collector and sends the events to an Elastic-Stack

  • Kibana is used to view the generated events and Graphs in a Dashboard

This drawing illustrates the architecture described above:

Cisco WLC WIDS events to a Central Log Management System
Cisco WLCWIDS events to a Central Log Management System

Note: SNMP works at udp/161, SNMP-Traps work at udp/162!

Configuring Cisco WLC to send SNMP-Traps to Logstash

The Events collected by the Cisco WLCWIDS are not send as syslog messages but as SNMP-Traps. The Cisco WLC is acting here as a SNMP-Agent and sends it’s WIDS events to a SNMP-Manager, the SNMP-Manager in this case will be Logstash.

To configure the SNMP-Trap receiver on command line:

    >config snmp trapreceiver create [ELASTIC_SNMPTRAP] [IP_ADDR]
    >config snmp trapreceiver ipsec profile none [ELASTIC_SNMPTRAP]
    >config snmp trapreceiver port 11162
    >config snmp trapreceiver mode enable [ELASTIC_SNMPTRAP]
Cisco WLC: CLI configuration of SNMP-Trap receiver

To configure the SNMP-Trap receiver by Web-UI:

Cisco WLC: Web-UI configuration of SNMP-Trap receiver
Cisco WLC: Web-UI configuration of SNMP-Trap receiver

SNMP-MIBS used by Cisco WLC-IDS events

Cisco provides at Cisco Wireless LAN Controller Software / Error and System Messages a list of SNMP-Traps in which the used MIB’s (Management information base) can be identified. Based on those MIB’s, the identifiers can be extracted with the libsmi tools. Those extracted SMI identifiers (Structure of Management Information) can be “converted” into a YAML format which is used by Logstash.

Instead of doing the manual “conversion” from SMI to YAML, you can also search the internet or use the YAML files I’m providing at by GitHub at: security/Cisco-WLC-IDS

Configuring Logstash with SNMP-Trap Input module

A simple SNMP-Trap input module configuration for Logstash might look like this:

    input {
      snmptrap {
        #
        # Community-String, set same on Cisco WLC for SNMP-Traps
        #
        community => "elastic-logstash"
        #
        # Root permission required for ports <1024, therefore udp/11162 instead of udp/162
        #
        port => 11162
        codec => "plain"
        #
        # Path to MIBS (SNMP-Traps Cisco WLC)
        #
        yamlmibdir => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/snmp-1.3.2/data/ruby/snmp/mibs/"
        type => "wlcids_snmptrap"
      }
    }
    filter {
    }
Logstash SNMP-Trap input: /etc/logstash/conf.d/20-input-snmptrap.conf

Please note that Logstash (written in Java) requires root permission to listen on privileged ports (<1024). Therefore Logstash’s SNMP-Trap input module is listening on udp/11162 instead of udp/162.

yamlmibdir might point to some other directory, based on the Linux System or version installed. For Debian 11 Bullseye, it’s the directory shown in the configuration file.

type identifies the SNMP-Traps as index in the Elastic-Stack.

When the configuration file is completed, Logstash can be restarted with systemctl restart logstash.

Creating Kibana Index Pattern for WLC-IDS events

The next step is to verify if the index configured in Logstash is available in Elastic-Stack. To check the existence of the index wlcids_snmptrap just check it in “Management > Data > Index Management”.

Elastic: Verify WLCIDS index
Elastic: Verify WLCIDS index

To use the events collected by Logstash in a Kibana Dashboard, an index pattern for the WLCIDS events must be created. This index can be created in “Managemet > Kibana > Index Patterns”.

Elastic: Create WLCIDS index pattern
Elastic: Create WLCIDS index pattern

Creating Kibana Dashboard for WLC-IDS events

Based on the created Kibana Index Pattern, a Dashboard with some lenses can be created. For example I’m using a lens called “WLC-IDS: Wireless Controllers” which shows how much SNMP-Traps are created by Wireless Controller (useful if more than one).

Or “WLC-IDS: SNMP-Trap Events by Type” to get an overview of the Event Types like SignatureAttackDetected or a simple seaach with the “WLC-IDS: SNMP-Trap OID’s” for a textual representation of the Events.

Elastic: Kibana Dashboard with Cisco WIDS Events
Elastic: Kibana Dashboard with Cisco WIDS Events

Share: