Re: IDS - sensing interfaces

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Fri Dec 02 2005 - 01:16:25 GMT-3

• Next message: rosy bird: "Anybody taking the lab in india in Dec"
• Previous message: Schulz, Dave: "RE: Preventing an EIGRP/OSPF Neighbor Forming"
• Maybe in reply to: Tim: "IDS - sensing interfaces"
• Next in thread: Christopher M. Heffner: "RE: IDS - sensing interfaces"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

TIM AFAIK signatures are processed on per 'logical group' basis, by default
all sensing interfaces are placed in logical group 0, you can create
separate logical groups , and them move those particular interface(s) from
the default logical group to the new one

interface group 0
    no sensing-interface int2,3
    sensing-interface int0,int1

interface group 1
    sensing-interface int2,int3

and so on...

for IDM Configuration >> Sensing Engine >> Interface Groups

by default 'virtualSensor' is defined, associated with the default (logical)
interface group 0

However i dont think the sensor currently supports creating a separate
virtuals sensor other than the default 'virtualSensor' (at least not in 4.1
)

From the student guide:

"The virtualSensor provides the ability to run multiple virtual Sensors on
the same appliance,
each configured with different signature behavior and traffic feeds.
Although only one
virtualSensor is supported in Cisco IDS 4.x software, the basic
infrastructure is in place to
support multiple virtualSensors in future versions."

So what you are trying to acheive is not possible with 4.1 and older
versions..dont know about 5.0

HTH

Regards

Farrukh

On 12/2/05, Tim <ccie2be@nyc.rr.com> wrote:
>
> Hi guys,
>
>
>
> Can the types of intrusions being monitored for be different on different
> sensing interfaces on the same IDS device?
>
>
>
> For example, let's say an IDS has 3 sensing interfaces each monitoring
> different subnets.
>
>
>
> On one subnet - the outside untrusted subnet, I want to monitor for DOS
> attacks and some other things but on my inside, trusted subnets I don't
> want
> to monitor for DOS attacks.
>
>
>
> Is this possible? And, if so, how would I configure this?
>
>
>
> Thanks, Tim
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: rosy bird: "Anybody taking the lab in india in Dec"
• Previous message: Schulz, Dave: "RE: Preventing an EIGRP/OSPF Neighbor Forming"
• Maybe in reply to: Tim: "IDS - sensing interfaces"
• Next in thread: Christopher M. Heffner: "RE: IDS - sensing interfaces"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:50 GMT-3