I am pretty new to IDSMs, just trying to learn about them. I am working on a production network, so I'm having to be pretty careful.
We have 2 x 6513 with two IDSM-2 installed in each, which have just been upgraded to 7.0.2. They are all in promiscuous mode and we are using VACLs to redirect traffic to them for checking. I want to ensure there is no way that the production traffic can be affected; I can see most of the actions that affect traffic require the IDSMs to be working in INLINE mode.
The action I was worried about was the TCP RESET. From what I read, it seems that this is sent from the management interface of the device, and I believe (I may not be correct) that this is available both in inline and in promiscuous mode. Can anyone confirm if this is correct? Is the TCP RESET available in PROMISCUOUS mode, and if it is, how do I turn it off? Currently we only want the devices to monitor, and then move to the more advanced features after we get a better understanding of our network.
P.S. Could anyone suggest a good document on how to go about managing and making use of the amount of alerts, and also on IDSM setup and tuning in general?
Any help anyone could give would be gratefully appreciated.
The action that you specify on each signature defines the action taken. When in promiscuous mode (IDS), actions like drop inline, etc., will not be available. The best way to go about what you want is to set all your signatures to just fire alerts when they trigger. Some signatures will have actions like TCP reset, but if you sort by the action column in the IDM you can easily find these, remove the action, and just produce an alert for it instead. This will allow you to tweak your IDS before applying it inline (IPS), if that is your goal.
Be aware also that the IDS will baseline your network, and the Anomaly Detection module will act a little crazy if you don't let it monitor your network for 1-2 days of normal traffic.