02-22-2009 10:49 PM - edited 03-10-2019 04:31 AM
We are running a IDSM-2 module in a 6509 with vlan inline interface pairs.
Everything looks fine until we try to join a server to the 2003 domain.
I can't see the IPS dropping anything, but we get "network path not found" after entering the credentials for joining. If I set the IPS to bypass it works as it should. The software on the IPS is 6.2(1)E3 and all the servers are windows 2003. Greatful for any ideas of how to solve this.
02-23-2009 08:58 AM
This post from antonyabraham in another thread might help:
Replied by: antonyabraham - STATE FARM - Feb 12, 2009, 5:59pm PST
There could be some normalizer engine events which can drop/modify traffic without firing an alert. Some of them seem to be on by default. Could you try enabling "produce alerts" on the normalizer signatures with deny or modify actions?
Another way would be to put an event action filter for the source or target (or both) and filter out all deny actions. In that way, you are telling the sensor do not block any traffic from or to certain IP address (based on how the filter is formed). I would use this filter to cover all signatures and sub signatures for the source/target in question.
02-23-2009 10:42 PM
Thanks, I have enabled produce alerts and will see if that give me any clue to what is wrong.
03-09-2009 03:18 AM
Actually, some traffic passed the sensor twice. So changing from virtual sensor mode to interface and vlan mode fixed the problem.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide