01-26-2005 02:37 PM - edited 03-10-2019 01:14 AM
I have an IDSM-2 that is sending alarms, but it doesn't seem like it's sending enough. I'm comparing the network that I'm monitoring to another portion of this client's network and logically this sensor should be triggering a lot more alarms, but it's not.
The Logical setup is as follows:
Internet
|
PIX FWSM
|
IDSM-2 Sensor
|
MSFC-2
Physically all of the devices are in the same Cat 6513, which makes me think that perhaps the IDSM isn't capable of picking up all the traffic travelling between an FWSM vlan and the MSFC-2.
Config fragments are as follows:
IDS
-------------------
intrusion-detection module <x> management-port access-vlan yyy
intrusion-detection module <x> data-port 1 capture
intrusion-detection module <x> data-port 1 capture allowed-vlan <zzz>
vlan filter IDS-Internet-Traffic vlan-list <zzz>
vlan access-map IDS-Internet-Traffic 10
match ip address All-Traffic
action forward capture
vlan access-map IDS-Internet-Traffic 15
match ip address All-Traffic
action forward
!
Firewall
---------------------------
firewall module <a> vlan-group 1
firewall vlan-group 1 <aaa,zzz,bbb,ccc,ddd,eee>
Any suggestions? Is the IDSM capable of examining all traffic on this link?
01-27-2005 09:43 AM
The problem is in the interaction between the VACL Capture and the routing by the MSFC.
You are applying the VACL to
So if the MSFC is routing vlans 1-200 as well, then the IDSM-2 needs to monitor "allowed-vlan 1-200,
If your switch has WAN ports, then in addition it needs to monitor the vlans being used for the WAN ports. However, you won't know what those vlans are (the switch dynamically picks an unused vlan), so you need to monitor ALL vlans "allow-vlan 1-4094"
Marco
01-27-2005 11:51 AM
Thanks for the reply Marco.
I'm not sure I understand it though. The only traffic that I wish to monitor is the traffic going out to the Internet (or coming in from the Internet). If I was to turn on capturing for all vlan traffic, thereby monitoring all the traffic going through the switch, the IDSM-2 would be quickly overwhelmed.
I'm not looking to monitor all traffic going through the switch, just the traffic travelling along the link to/from the Internet.
Denny
01-27-2005 11:58 AM
Or are you stating that the following line should change to:
intrusion-detection module
!But keep this line the same
vlan filter IDS-Internet-Traffic vlan-list
01-27-2005 02:17 PM
You've got it correct.
Here is another explanation for you.
By putting the capture VACL on vlan
You are correctly telling the switch to mark the matching packets flowing through vlan
This turns on the "capture bit" within the internal switch header for that packet.
That packet continues to be processed by the rest of the switch and MSFC.
In the case of processing by the MSFC it gets routed to another vlan
Now the packet gets sent on the switch backplane to the end port where it leaves the switch on vlan
All of the ports you configured as "capture" ports are monitoring all of these packets on the backplane that are going to other ports in the switch.
They are looking for packets with the "capture bit" set. Once it sees a packet with the "capture bit" it then checks its vlan list to see whether or not to copy that packet to the attached sniffer (in your case the IDSM-2).
Now the tricky part.
If your IDSM-2 is only "allowed-vlan
BUT those packets got routed to vlan
So the capture port is actually seeing them as vlan
So your capture port will actually need to monitor both vlan
By monitoring
If the MSFC can route to multiple vlans, then each of these vlans needs to be in the allowed-vlan list. If the MSFC can route to WAN modules, then you pretty much have to put all vlans in the allowed-vlan list because the switch could choose any unused vlan to send the traffic internally to the WAN port.
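A constructed before/after config fragment, added here and not posted by anyone in the thread, that shows what Marco's explanation means for the original configuration. Module number <x>, the Internet VLAN <zzz> and the MSFC-routed inside VLANs <aaa>,<bbb> are placeholders taken from the first post, not real values; the All-Traffic ACL is assumed to be a permit-any ACL.

```cisco
! Added example, not from the thread. <x>, <zzz>, <aaa>, <bbb> are placeholders.
! The capture VACL stays on the Internet VLAN only: packets crossing <zzz>
! get the capture bit, nothing on other VLANs is marked.
ip access-list extended All-Traffic
 permit ip any any
!
vlan access-map IDS-Internet-Traffic 10
 match ip address All-Traffic
 action forward capture
vlan filter IDS-Internet-Traffic vlan-list <zzz>
!
! BEFORE: the capture port copies marked packets only while they are still
! tagged <zzz>. Inbound packets that the MSFC routes from <zzz> into an
! inside VLAN are marked but fail the allowed-vlan check, so the
! Internet-to-inside direction never reaches the IDSM-2.
intrusion-detection module <x> data-port 1 capture
intrusion-detection module <x> data-port 1 capture allowed-vlan <zzz>
!
! AFTER: allow the Internet VLAN plus every VLAN the MSFC can route that
! traffic into, so both directions of each session are copied to the sensor.
! The VACL above is unchanged, so only <zzz> traffic is ever marked.
intrusion-detection module <x> data-port 1 capture
intrusion-detection module <x> data-port 1 capture allowed-vlan <zzz>,<aaa>,<bbb>
!
! If the chassis has WAN modules the internal VLAN is picked dynamically,
! so, as Marco notes, the list has to be the full range:
! intrusion-detection module <x> data-port 1 capture allowed-vlan 1-4094
```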
07-13-2005 08:18 AM
Without monitoring