topic Re: IDS traffic in Network Security

IDS traffic

tasksrl7808 — Sun, 10 Mar 2019 09:45:05 GMT

Hi!

In one hour IDS generates 95 MB of HTTPS traffic to my IP!! (I have Cisco Event Viewer installed). Is it normal even if Event Viewer isn't working? What is the reason?

I have another question: is there the possibility of excluding an IP address (a target address) from the RESET, even if the rule is matched?

Thanks in advance

Francesco

Re: IDS traffic

scothrel — Mon, 14 Nov 2005 15:47:00 GMT

Can't really say for sure if 95MB is reasonable for your situation. It would depend on how many signatures you have enabled and alarming and they type of alarms you have generated.

For the second part, look for "Never Shun" settings.

Scott

Re: IDS traffic

tasksrl7808 — Mon, 14 Nov 2005 17:00:42 GMT

Do you mean the "Never Block Adresses"?

I have tried this setting but it's only to exclude an IP from the shun connection or shun host action.

Francesco

Re: IDS traffic

scothrel — Mon, 14 Nov 2005 19:49:15 GMT

Indeed, I was thinking Never Block...and you're right, that won't do what you want.

Re: IDS traffic

marcabal — Mon, 14 Nov 2005 22:03:42 GMT

As for removing the RESET.

The answer is somewhat dependant on software version.

In version 4.x sensors the filtering system would only allow filtering of all actions. This included generation of TCP Resets and producing the actual alert. So in 4.x you coudl filter the event, but it would prevent the alert creation as well as the tcp resets (as well as any other action configured).

In version 5.x sensors the filtering system is more advanced and does allow the filtering of separate actions on an event. So a filter can created to remove just the TCP Reset action and still leave the produce alert action. So the alert will still be generated, without sending the tcp resets to shut down the connection.

Re: IDS traffic

jlin1 — Tue, 15 Nov 2005 04:44:30 GMT

What is the sensor version? As regarding to IEV not working, were you not getting any alerts in Cisco IDS Event Viewer? In CLI, did you see alerts coming when you do "show events"? If so, make sure the sensor has been added into IEV's device list. Also IEV host can connect to the sensor successfully. You can verify the connetion by double clicking that sensor device name in IEV and see if IDM can be successfully launched in the browser.

Re: IDS traffic

tasksrl7808 — Tue, 15 Nov 2005 09:21:06 GMT

My software version is 4.x on an ISD 4235.

How can I update to 5.x version?

Regarding IEV is all ok! In my previus post i would like to intend "not running", instead of "not working"..i'm sorry. Is it normal to have traffic even if IEV isn't running and my PC not connected to IDS?

Francesco