Maximum Limits and Questions
12-15-2004 04:34 AM - edited 03-10-2019 01:11 AM
I'm about to start a project which could take my total sensor count well over 100, over time, using CiscoWorks VMS 2.2 UNIX Unrestricted. I am guessing that a vast increase of sensors brings along with it some unique problems. I would like to ask those of you out there who manage 100+ IDS deployments for some useful advice on the overall functioning and use of the IDSMC & SecMon in such an environment.
I just can't see Security Monitor handling 100+ sensors, with someone looking for a needle in a haystack. Granted, it is better to spot things in 4.x than in 3.x icons, but there is still a lot of info to go through. The only thing I could think of is to baseline the sensor to the point where barely anything minor-moderately serious shows up. It's going to be a monumental undertaking.
By the way, I know Cisco says that there is no limit of sensors you can add to the IDSMC & MC, but what is the practical limit? Has anyone reached it?
Any suggestions would be appreciated.
12-21-2004 09:16 AM
This is really a number-of-alerts-per-second question rather than a number-of-sensors question. A well-tuned sensor should send only an alarm or two per second. So you are already on the right track.
