From: 2nd CCIE (doubleccie@yahoo.com)
Date: Wed Sep 20 2006 - 17:08:23 ART
Well... I am not sure about your question.
I have enabled the signature and set the alarm severity to high (sign 2000 and 2004),
however I have never seen any alarms generated as high severity.
The sensing interface is showing up on the sensor config\interfaces tab.
Is there any other place where I need to enable the interface for a certain signature?
I also tried to enable some debugs on the switch to see if the SPAN is actually working, but I never get anything as output of that... I will try the Ethereal suggestion of Kal Han.
Any suggestions will be appreciated.
thanks
Danshtr <danshtr@gmail.com> wrote:
Have you enabled the interface on the signature tab?

On 9/20/06, 2nd CCIE <doubleccie@yahoo.com> wrote:
I did that... I made the severity high, however I have never seen anything on the IEV. Only the informational severity increases, but 0 high severity.
How can I make sure that the switch is actually sending anything to the sensing interface?
thanks for your help
Kal Han <calikali2006@gmail.com> wrote:
Hi
Just enable ICMP echo and ICMP echo-reply signatures on the sensor,
Add your sensor to the IEV and ping any host in vlan11.
That triggers an event by the sensor ( if the monitoring
is working and sending a copy of traffic to the sensor )
and you can see the event on your IEV.
Does this help ?
Thanks
Kal
On 9/20/06, 2nd CCIE <doubleccie@yahoo.com> wrote:
Hi Folks,
I am trying to practise some IDS. I have an IDS 4.1.
My setup is simple: PC --------sw1------------(sniff) IDS-(c&c)-------sw1-----------IEV
I am using a separate vlan for the PC and Sniff port than the C&C port and IEV.
The IEV can ping the C&C port, and I can also log in via IDM to the sensor.
My configuration on the switch is as follows:
monitor session 1 source vlan 11 rx
monitor session 1 destination interface Fa0/12
My first question here is: how can I make sure that the monitoring is actually working and sending traffic to the sniff port of the IDS?
I have access via IDM as well as keyboard and monitor.
Can someone help with that so I can post my other questions? :)
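
The check discussed in this thread (capture on the SPAN destination port, ping a host in vlan 11, look for the ICMP traffic) can be scripted. The following is an added example, not part of the thread or written by any of its posters: it reads a classic pcap file and counts the frames that signatures 2000 (ICMP echo reply) and 2004 (ICMP echo request) should fire on. It assumes the capture was saved from a host plugged into the SPAN destination port; the sample capture and addresses are constructed.

```python
import struct

# ICMP type -> Cisco IDS signature ID named in the thread (2000 echo reply, 2004 echo request)
ICMP_SIGS = {0: 2000, 8: 2004}

def count_icmp_echo(pcap: bytes) -> dict:
    """Count frames in a classic little-endian Ethernet pcap that should fire 2000/2004."""
    if len(pcap) < 24 or struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    if struct.unpack_from("<I", pcap, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts = {2000: 0, 2004: 0}
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 18:
            continue
        ethertype, l3 = struct.unpack_from("!H", frame, 12)[0], 14
        if ethertype == 0x8100:  # 802.1Q tag present, IP header starts 4 bytes later
            ethertype, l3 = struct.unpack_from("!H", frame, 16)[0], 18
        if ethertype != 0x0800 or len(frame) < l3 + 20:
            continue
        ihl = (frame[l3] & 0x0F) * 4
        frag_off = struct.unpack_from("!H", frame, l3 + 6)[0] & 0x1FFF
        if frame[l3 + 9] != 1 or frag_off or len(frame) <= l3 + ihl:
            continue  # not ICMP, a later fragment, or truncated
        sig = ICMP_SIGS.get(frame[l3 + ihl])
        if sig is not None:
            counts[sig] += 1
    return counts

def _frame(icmp_type: int, vlan: int = 0) -> bytes:
    """Build one constructed Ethernet/IPv4/ICMP frame (zero MACs and checksums)."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan else b""
    eth = bytes(12) + tag + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes([10, 0, 11, 1]), bytes([10, 0, 11, 2]))
    return eth + ip + struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: echo request, echo reply, tagged echo request, ICMP unreachable
SAMPLE = _pcap([_frame(8), _frame(0), _frame(8, vlan=11), _frame(3)])

if __name__ == "__main__":
    print(count_icmp_echo(SAMPLE))
```

If both counts stay at zero while a vlan 11 host is being pinged, the SPAN session is not delivering traffic to that port, and the problem is on the switch rather than in the signature settings.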
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:41 ART