Re: IDS configuration issues

From: Kal Han (calikali2006@gmail.com)
Date: Wed Sep 20 2006 - 17:03:48 ART


That's a very common mistake and a good point... It happened to me :)
Did you enable the sniffing interface?

On 9/20/06, Park, Young <YPark@unch.unc.edu> wrote:
>
> Is the sniffing interface enabled on the sensor?
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Kal Han
> Sent: Wednesday, September 20, 2006 2:47 PM
> To: 2nd CCIE
> Cc: ccielab@groupstudy.com; security@groupstudy.com
> Subject: Re: IDS configuration issues
>
> Did you mean you don't see any events, or you see events but not
> high-severity ones, as you made icmp * high severity?
>
> 1) Log in to the sensor and use the "show events" command to see the local
> events. That's one way.
>
> Since you already have your sensor connected to the monitor destination
> port, one way I can think of is to change the destination port to the PC and
> run ethereal. This will make sure your switch monitor session config is
> correct. Then you can revert back to the sensor being the destination, and
> you can be sure the switch is sending copies to that interface.
>
> Can you send the config of the sensor port on the switch (Fa0/12)?
>
> If your monitor session config is working fine, the other thing is to
> see if your device config in the IEV is correct. I mean the information
> about the sensor you use in the IEV.
>
> Thanks
> Kal
>
> On 9/20/06, 2nd CCIE <doubleccie@yahoo.com> wrote:
> >
> > I did that... I made the severity high. However, I have never seen
> > anything on the IEV; only informational severity increases, but 0
> > high severity.
> >
> > How can I make sure that the switch is actually sending anything to
> > the sensing interface?
> >
> > Thanks for your help
> >
> >
> > *Kal Han <calikali2006@gmail.com>* wrote:
> >
> > Hi,
> > Just enable the ICMP echo and ICMP echo-reply signatures on the sensor,
> > add your sensor to the IEV, and ping any host in vlan 11.
> > That triggers an event on the sensor (if the monitoring is working
> > and sending a copy of the traffic to the sensor), and you can see the
> > event in your IEV.
> > Does this help?
> > Thanks
> > Kal
> >
> >
> > On 9/20/06, 2nd CCIE <doubleccie@yahoo.com> wrote:
> > >
> > > Hi Folks;
> > > I am trying to practise some IDS. I have an IDS 4.1.
> > >
> > > My setup is simple:
> > >
> > > PC --------sw1------------(sniff) IDS-(c&c)-------sw1-----------IEV
> > >
> > > I am using a separate vlan for the PC and sniff port than for the C&C
> > > port and IEV.
> > >
> > > The IEV can ping the C&C port, and I can also log in via IDM to the
> > > sensor.
> > >
> > > My configuration on the switch is as follows:
> > >
> > > monitor session 1 source vlan 11 rx
> > > monitor session 1 destination interface Fa0/12
> > >
> > > My first question here is: how can I make sure that the
> > > monitoring is actually working and sends traffic to the sniff port
> > > of the IDS???
> > >
> > > I have access via IDM as well as keyboard and monitor.
> > >
> > > Can someone help with that so I can post my other questions? :)
> > >
> > >
> > >
> > >
> > >
> > >
> >


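Kal's suggestion of pointing the monitor session at a PC and running ethereal can be reduced to a scripted check. The following is an added example, not code from this thread, from Cisco or from the IEV: it parses a classic pcap captured on the SPAN destination port and reports the ICMP echo / echo-reply pairs, which is the evidence that the switch is copying vlan 11 traffic to Fa0/12. The capture bytes and the hosts 10.11.0.5 and 10.11.0.1 are constructed placeholders for the demonstration.

```python
import struct

ECHO, ECHO_REPLY = 8, 0  # ICMP type values for echo request / echo reply

def _frame(src_ip, dst_ip, icmp_type):
    """Build a minimal Ethernet/IPv4/ICMP frame (constructed test data)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + icmp  # zero MACs, ethertype IPv4

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (LINKTYPE_ETHERNET = 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def icmp_summary(pcap_bytes):
    """Count ICMP echo / echo-reply frames per (src, dst) in a pcap capture."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    counts, off = {}, 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack("<IIII", pcap_bytes[off:off + 16])[2]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue  # not IPv4, or IPv4 but not ICMP (protocol field == 1)
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        kind = {ECHO: "echo", ECHO_REPLY: "echo-reply"}.get(frame[14 + ihl], "other")
        counts[(src, dst, kind)] = counts.get((src, dst, kind), 0) + 1
    return counts

def span_delivers_ping(pcap_bytes):
    """True when both the echo and its reply were copied to the SPAN port.
    Pinging a host in vlan 11 means both directions enter the switch on
    vlan 11 ports, so an 'rx' VLAN source should show both."""
    kinds = {k[2] for k in icmp_summary(pcap_bytes)}
    return "echo" in kinds and "echo-reply" in kinds

# Constructed capture: two pings from 10.11.0.5 to 10.11.0.1 (placeholder hosts)
SAMPLE_PCAP = build_pcap([
    _frame("10.11.0.5", "10.11.0.1", ECHO), _frame("10.11.0.1", "10.11.0.5", ECHO_REPLY),
    _frame("10.11.0.5", "10.11.0.1", ECHO), _frame("10.11.0.1", "10.11.0.5", ECHO_REPLY),
])
```

On the real PC, replace SAMPLE_PCAP with the bytes of the file saved by ethereal on the port that is temporarily the monitor destination; an empty summary while the ping runs means the session is not copying traffic.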

This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:41 ART