https://community.cisco.com/t5/network-security/ids-module-setup-what-traffic-to-capture/m-p/1491254#M66993 <HTML><HEAD></HEAD><BODY><P>Well, it all depends on what traffic is going through your network.</P><P>If you have apps different than email, http and https that you want to be IDS protected then you would need to expand the VACL.</P><P></P><P>You can use Netflow to see what applications are running through the network.</P><P>Then you can decide which ones you don't trust and want the IDS to monitor.</P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Thu, 08 Jul 2010 21:19:52 GMT Panos Kampanakis 2010-07-08T21:19:52Z https://community.cisco.com/t5/network-security/ids-module-setup-what-traffic-to-capture/m-p/1491253#M66992 <P class="MsoNormal" style="margin: 0in 0in 0pt;"><SPAN style="font-family: Times New Roman; color: #000000; font-size: 12pt;">I have a WS-SVC-IDSM-2 that I have been tasked to setup. Currently the focus is around our pair of ASA’s that are used for internet access but the scope could increase. I am getting some conflicting information on how to setup the packet capture to the IDS module. I am leaning towards VACLS but I keep wondering if I do that will I miss traffic somewhere? As an example if I setup the VACL to capture TCP port 80,443, and 25 I am afraid I may miss some type of traffic on that VLAN. How do I determine what traffic I should send to the IDS module? </SPAN></P> Sun, 10 Mar 2019 12:03:16 GMT https://community.cisco.com/t5/network-security/ids-module-setup-what-traffic-to-capture/m-p/1491253#M66992 Bill19795_2 2019-03-10T12:03:16Z https://community.cisco.com/t5/network-security/ids-module-setup-what-traffic-to-capture/m-p/1491254#M66993 <HTML><HEAD></HEAD><BODY><P>Well, it all depends on what traffic is going through your network.</P><P>If you have apps different than email, http and https that you want to be IDS protected then you would need to expand the VACL.</P><P></P><P>You can use Netflow to see what applications are running through the network.</P><P>Then you can decide which ones you don't trust and want the IDS to monitor.</P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Thu, 08 Jul 2010 21:19:52 GMT https://community.cisco.com/t5/network-security/ids-module-setup-what-traffic-to-capture/m-p/1491254#M66993 Panos Kampanakis 2010-07-08T21:19:52Z https://community.cisco.com/t5/network-security/ids-module-setup-what-traffic-to-capture/m-p/1491255#M66994 <HTML><HEAD></HEAD><BODY><P>In addition to Panos' recommendations on methods for determining traffic to inspect with the IDSM-2, also keep in mind that the IDSM-2 is rated to inspect ~500 Mbps of traffic.&nbsp; If the traffic you will be sending to the IDSM-2 exceeds that amount, it will most likely not be inspected.</P><P></P><P>That you mention having ASAs in your environment, have you considered deploying Cisco's AIP-SSM within the ASA?&nbsp; There are multiple models for different traffic requirements, and they can inspect traffic that is flowing through the ASA.&nbsp; You can find out more about the AIP-SSM here:</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/go/aipssm">http://www.cisco.com/go/aipssm</A></P><P></P><P>Scott</P></BODY></HTML> Fri, 09 Jul 2010 10:42:30 GMT https://community.cisco.com/t5/network-security/ids-module-setup-what-traffic-to-capture/m-p/1491255#M66994 Scott Fringer 2010-07-09T10:42:30Z https://community.cisco.com/t5/network-security/ids-module-setup-what-traffic-to-capture/m-p/1491256#M66995 <HTML><HEAD></HEAD><BODY><P>When using a VACL to capture traffic on a 6500 I want to capture several types of traffic on my internal LAN. I have the VACL to do this. I also want to make sure I capture everything destined for and sourced from my ASA. Can I use a MAC ACL to capture the traffic? If I capture the traffic with a MAC ACL and apply that to the VACL will the IPS device process it?</P></BODY></HTML> Mon, 12 Jul 2010 23:43:06 GMT https://community.cisco.com/t5/network-security/ids-module-setup-what-traffic-to-capture/m-p/1491256#M66995 Bill19795_2 2010-07-12T23:43:06Z