RE: IDS configuration issues

From: Park, Young (YPark@unch.unc.edu)
Date: Wed Sep 20 2006 - 16:35:46 ART


Is the sniffing interface enabled on the sensor?
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Kal Han
Sent: Wednesday, September 20, 2006 2:47 PM
To: 2nd CCIE
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: IDS configuration issues

Did you mean you don't see any events, or you see events but not
high-severity ones, as you made icmp * high severity?

1) Log in to the sensor and use the "show events" command to see the local
events. That's one way.

Since you already have your sensor connected to the monitor destination
port, one way I can think of is to change the destination port to the PC and
run ethereal. This will make sure your switch monitor session config is
correct. Then you can revert back to the sensor being the destination, and
you can be sure the switch is sending copies to that interface.

Can you send the config on the sensor port on switch ?
( Fa0/12 )

If your monitor session config is working fine, the other thing is to
see if your device config on the IEV is correct. I mean the information
about the sensor you use in the IEV.

Thanks
Kal

On 9/20/06, 2nd CCIE <doubleccie@yahoo.com> wrote:
>
> I did that ... I made the severity high. However, I never saw
> anything on the IEV; only informational severity increases, but 0
> high severity.
>
> How can I make sure that the switch is actually sending anything to
> the sensing interface?
>
> thanks for your help
>
>
> *Kal Han <calikali2006@gmail.com>* wrote:
>
> Hi
> Just enable ICMP echo and ICMP echo-reply signatures on the sensor,
> Add your sensor to the IEV and ping any host in vlan11.
> That triggers an event by the sensor ( if the monitoring is working
> and sending a copy of traffic to the sensor ) and you can see the
> event on your IEV.
> Does this help ?
> Thanks
> Kal
>
>
> On 9/20/06, 2nd CCIE <doubleccie@yahoo.com> wrote:
> >
> > Hi Folks,
> > I am trying to practise some IDS. I have an IDS 4.1.
> >
> > my setup is simple PC --------sw1------------(sniff)
> > IDS-(c&c)-------sw1-----------IEV
> >
> > I am using a separate vlan for the PC and Sniff port than the C&C port
> > and IEV
> >
> > The IEV can ping the cc port; I can also log in via IDM to the
> > sensor.
> >
> > my configuration on the switch is as follows
> >
> > monitor session 1 source vlan 11 rx
> > monitor session 1 destination interface Fa0/12
> >
> > My first question here is: how can I make sure that the
> > monitoring is actually working and sends traffic to the sniff port
> > of the IDS ???
> >
> > I have access via IDM as well as keyboard and monitor .
> >
> > Can someone help with that so I can post my other questions? :)
> >
> >
> >
> >

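The checks discussed in this thread (confirm the SPAN session points at the sensor's sniffing port, then put a packet capture on the destination port and look for the ICMP echo / echo-reply traffic the sensor signatures should fire on) can be scripted. The example below is added here and is not code from anyone in the thread; it takes the two `monitor session` lines the original poster quoted, assumes Fa0/12 is the sensor's sniffing port and VLAN 11 is the PC's VLAN (both stated in the thread), and uses constructed tcpdump-style capture lines with made-up addresses to stand in for what ethereal would show on the destination port.

```python
import re
from collections import Counter

# SPAN configuration quoted by the original poster (from the thread).
SPAN_CONFIG = """
monitor session 1 source vlan 11 rx
monitor session 1 destination interface Fa0/12
"""

# Constructed sample capture from the SPAN destination port (tcpdump-style
# one-liners with made-up addresses; not output from the thread).
SAMPLE_CAPTURE = """
14:46:01.000100 IP 10.11.0.5 > 10.11.0.20: ICMP echo request, id 1, seq 1, length 64
14:46:01.000600 IP 10.11.0.20 > 10.11.0.5: ICMP echo reply, id 1, seq 1, length 64
14:46:02.000100 IP 10.11.0.5 > 10.11.0.20: ICMP echo request, id 1, seq 2, length 64
14:46:02.000600 IP 10.11.0.20 > 10.11.0.5: ICMP echo reply, id 1, seq 2, length 64
14:46:03.100000 IP 10.11.0.5.49152 > 10.11.0.20.22: Flags [S], seq 1000, win 64240, length 0
"""

SESSION_RE = re.compile(
    r"^monitor session (?P<id>\d+) (?P<kind>source|destination) (?P<rest>.+)$"
)


def parse_span(config_text):
    """Parse IOS-style 'monitor session' lines into
    {session_id: {'sources': [...], 'destinations': [...]}}."""
    sessions = {}
    for line in config_text.strip().splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        s = sessions.setdefault(int(m["id"]), {"sources": [], "destinations": []})
        rest = m["rest"].split()          # e.g. ['vlan', '11', 'rx'] or ['interface', 'Fa0/12']
        if m["kind"] == "source":
            direction = rest[2] if len(rest) > 2 else "both"   # IOS default is both
            s["sources"].append({"type": rest[0], "id": rest[1], "direction": direction})
        else:
            s["destinations"].append(rest[1])
    return sessions


def check_span(sessions, sensor_port, pc_vlan):
    """Return a list of problems that would stop mirrored traffic from
    reaching the sensor's sniffing port; an empty list means the session
    at least points the right way."""
    problems = []
    if not sessions:
        return ["no monitor session configured"]
    for sid, s in sessions.items():
        if sensor_port not in s["destinations"]:
            problems.append(f"session {sid}: destination {s['destinations']} "
                            f"is not the sensor port {sensor_port}")
        if not any(src["type"] == "vlan" and src["id"] == str(pc_vlan)
                   for src in s["sources"]):
            problems.append(f"session {sid}: PC VLAN {pc_vlan} is not a source")
    return problems


ICMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)"
)


def count_icmp(capture_text):
    """Count ICMP echo requests and replies per (src, dst) pair. These are
    the packets the sensor's ICMP echo / echo-reply signatures match on."""
    counts = Counter()
    for line in capture_text.strip().splitlines():
        m = ICMP_RE.search(line)
        if m:
            counts[(m["src"], m["dst"], m["kind"])] += 1
    return counts


def mirroring_works(capture_text):
    """True when both an echo request and an echo reply were seen on the
    destination port, i.e. the switch is copying VLAN traffic there."""
    kinds = {kind for (_, _, kind) in count_icmp(capture_text)}
    return {"request", "reply"} <= kinds


if __name__ == "__main__":
    sessions = parse_span(SPAN_CONFIG)
    print("SPAN problems:", check_span(sessions, "Fa0/12", 11) or "none")
    print("ICMP seen on destination port:", dict(count_icmp(SAMPLE_CAPTURE)))
    print("mirroring works:", mirroring_works(SAMPLE_CAPTURE))
```

If `check_span` comes back empty but the capture on the destination port shows no echo/reply pairs, the problem is on the switch side (session not applied, wrong port cabled); if the capture shows the pairs but the IEV stays quiet, the fault is in the sensor or the IEV's device entry, which is the split Kal's reply suggests. Note that the quoted session mirrors `rx` only, so packets transmitted out to VLAN 11 ports from elsewhere are not copied; for a ping between two hosts inside VLAN 11 that does not matter.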


This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:41 ART