12-29-2004 09:55 AM - edited 03-10-2019 01:12 AM
Dear list,
I have a Cisco IDS 4235 in a test lab; I am studying the CIDS course with the Cisco materials ver. 4.0.
I am trying to use the Cisco Event Viewer. I successfully added the sensor to the IEV list of devices, but I don't see any alarms. I am sure the switch does the SPAN it needs; I verified that with a sniffer. Now I am port scanning and exploiting over the network, and I don't see any alarms at the IEV console, although there should be. I looked at the tables from Tools > DB Administration, and they had the value of zero, so there are no alarms sent to the IEV PC, even if they are generated and stored on the IDS.
Someone suggested that I should enable/activate the signatures from the CLI, although in the course materials I didn't see such a command or slide, so I need your advice about it.
Your valuable help is highly appreciated,
Regards
12-29-2004 12:51 PM
Make sure that the Event filter is not set to false; it must be set to true at the EXCEPTION.
12-30-2004 02:35 AM
Right out of the box, I only configured the sensor's IP address and hostname, login, and clock (nothing else).
I actually didn't understand well what the following commands do, so I skipped them. Is any of them mandatory for the box to work fine?
sensor1(config)#int command-control
sensor1(config)#int group 0
sensor1(config)#int sensing 0
sensor1(config)#service virtual-sensor-configuration virtualsensor
sensor1(config)#service alarm-channel-configuration virtualalarm
sensor1(config)#service virtual-sensor-configuration virtualsensor
sensor1(config-vsc)#tune-micro-engines
sensor1(config)#service alarm-channel-configuration virtualsensor
sensor1(config-acc)#tune-alarm channel
I mean, if I didn't configure any of them, would the symptoms I am having make sense?
12-30-2004 05:19 AM
Can you give the following command on the sensor and see if the sensing interface is up?
show int sensing
If it is down, then you need to bring the interface up:
sensor(config)# int sensing int0
sensor(config-ifs)# no shut
In ver 4.1, the sensing interface is disabled by default. You need to enable it to allow Sensor to monitor traffic. In ver 4.0, the sensing interfaces are enabled by default.
This could be one of the possible reasons.
12-30-2004 08:07 AM
If you are using the GUI, you can enable the interface from there: go to Configuration, then Sensing Eng, and select Interfaces. There you can enable/disable the interface. This is for 4.1 on a 6509.