From: Kal Han (calikali2006@gmail.com)
Date: Wed Sep 20 2006 - 15:46:45 ART
Did you mean you don't see any events, or
you see events but not high-severity ones, as you made icmp *
high severity?
1) Log in to the sensor and use the "show events" command to see
the local events. That's one way.
Since you already have your sensor connected to the monitor
destination port, one way I can think of is to change the destination
port to the PC and run ethereal. This will make sure your switch
monitor session config is correct. Then you can revert back to the
sensor being the destination, and you can be sure the switch is sending
copies to that interface.
Can you send the config of the sensor port on the switch (Fa0/12)?
If your monitor session config is working fine, the other thing is to see
if your device config on the IEV is correct. I mean the information about
the sensor you use in the IEV.
Thanks
Kal
On 9/20/06, 2nd CCIE <doubleccie@yahoo.com> wrote:
>
> I did that ... I made the severity high ... however, I have never seen
> anything on the IEV ... only informational severity increases ... but 0 high
> severity.
>
> How can I make sure that the switch is actually sending anything to the
> sensing interface?
>
> thanks for your help
>
>
> *Kal Han <calikali2006@gmail.com>* wrote:
>
> Hi
> Just enable the ICMP echo and ICMP echo-reply signatures on the sensor,
> add your sensor to the IEV and ping any host in vlan11.
> That triggers an event on the sensor (if the monitoring
> is working and sending a copy of the traffic to the sensor)
> and you can see the event on your IEV.
> Does this help?
> Thanks
> Kal
>
>
> On 9/20/06, 2nd CCIE <doubleccie@yahoo.com> wrote:
> >
> > Hi Folks,
> > I am trying to practise some IDS. I have an IDS 4.1.
> >
> > My setup is simple: PC --------sw1------------(sniff)IDS-(c&c)-------sw1-----------IEV
> >
> > I am using a separate VLAN for the PC and sniff port than for the C&C port and
> > IEV.
> >
> > The IEV can ping the C&C port, and I can also log in via IDM to the sensor.
> >
> > My configuration on the switch is as follows:
> >
> > monitor session 1 source vlan 11 rx
> > monitor session 1 destination interface Fa0/12
> >
> > My first question here is: how can I make sure that the monitoring
> > is actually working and sends traffic to the sniff port of the IDS?
> >
> > I have access via IDM as well as keyboard and monitor.
> >
> > Can someone help with that so I can post my other questions? :)
> >
>
>
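Kal's suggestion above (point the monitor destination at a PC and capture with ethereal) can be checked offline against the saved capture. The following is an added example, not part of the original thread: it parses a classic libpcap file and counts ICMP echo and echo-reply packets per source and destination. The sample frames and the 10.0.11.x addresses are constructed for illustration.

```python
import struct
from collections import Counter
ICMP_KINDS = {8: "echo", 0: "echo-reply"}

def icmp_summary(pcap: bytes) -> Counter:
    """Count ICMP echo/echo-reply per (src, dst, kind) in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic libpcap capture")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    seen, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # A SPAN destination may deliver 802.1Q-tagged frames; skip the tag.
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14
        if len(frame) < l3 + 20 or frame[l3 - 2:l3] != b"\x08\x00":
            continue                      # truncated or not IPv4
        ihl = (frame[l3] & 0x0F) * 4
        if frame[l3 + 9] != 1 or len(frame) <= l3 + ihl:
            continue                      # not ICMP
        kind = ICMP_KINDS.get(frame[l3 + ihl])
        if kind:
            src = ".".join(map(str, frame[l3 + 12:l3 + 16]))
            dst = ".".join(map(str, frame[l3 + 16:l3 + 20]))
            seen[(src, dst, kind)] += 1
    return seen

def build_frame(src, dst, icmp_type, vlan=None):
    """Constructed Ethernet/IPv4/ICMP frame (checksums left zero)."""
    tag = struct.pack(">HH", 0x8100, vlan) if vlan else b""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes(src), bytes(dst))
    return b"\x00" * 12 + tag + b"\x08\x00" + ip + bytes([icmp_type]) + b"\x00" * 7

def sample_pcap():
    """Constructed capture: a ping from the PC to a host in VLAN 11."""
    pc, host = (10, 0, 11, 10), (10, 0, 11, 20)
    frames = [build_frame(pc, host, 8), build_frame(host, pc, 0),
              build_frame(pc, host, 8, vlan=11), build_frame(host, pc, 3)]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(
        struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    for (src, dst, kind), n in sorted(icmp_summary(sample_pcap()).items()):
        print(f"{src} -> {dst} {kind}: {n}")
```

If a capture taken at the monitor destination while pinging yields an empty summary, no ICMP echo traffic reached that port.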
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:41 ART