Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1059
Views
0
Helpful
4
Replies

no alarms at IEV

ahmedmaged
Level 1
Level 1

‎12-29-2004 09:55 AM - edited ‎03-10-2019 01:12 AM

Dear list,

I have a Cisco IDS 4235 in a test lab, i am studying the CIDS course with the cisco materials ver. 4.0,

I am trying to use the Cisco Event Viewer, i successfully added the

sensor to the IEV list of devices, but i dont see any Alarms, i am sure the switch does the SPAN it needs, verified that with a sniffer,

and now i am port scanning and exploiting over the network, and i dont see any alarms at the IEV console

Although there should be, i looked at the tables from Tools > DB Administration, and they had the value of Zero, so there are no alarms sent to the IEV pc,

Even if they are genrated and stored on the IDS,

someone suggested that i should enable/activate the signatures from the CLI,

althrough at the course materials, i didnt see such command or slide, so i need your advice about it,

Your valuable help is highly appreciated,

Regards

Labels:
0 Helpful
4 Replies 4

jlwomeld
Level 1
Level 1

‎12-29-2004 12:51 PM

Make sure that the Event filter is not set to false must be set to true at the EXCEPTION.

0 Helpful

ahmedmaged
Level 1
Level 1
In response to jlwomeld

‎12-30-2004 02:35 AM

right out of the box, i only configured the sensors IP address and hostname, login, and clock.(nothing else)

i actually didnt understand well what the following commands does, so i skipped them, is any of them mandatory for the box to work fine.

sensor1(config)#int command-control

sensor1(config)#int group 0

sensor1(config)#int sensing 0

sensor1(config)#service virtual-sensor-configuration virtualsensor

sensor1(config)#service alarm-channel-configuration virtualalarm

sensor1(config)#service virtual-sensor-confioguration virtualsensor

sensor1(config-vsc)#tune-micro-engines

sensor1(config)#service alarm-channel-configuration virtualsensor

sensor1(config-acc)#tune-alarm channel

I mean, if i didnt configure anyof them, would the symptoms i am having makes sense ?

0 Helpful

prasadrp
Level 1
Level 1
In response to ahmedmaged

‎12-30-2004 05:19 AM

Can you give the following command on the sensor and see if the sensing interface is up

show int sensing

If it is down, then you need to bring the interface up

sensor(config)# int sensing int0

sensor(config-ifs)# no shut

In ver 4.1, the sensing interface is disabled by default. You need to enable it to allow Sensor to monitor traffic. In ver 4.0, the sensing interfaces are enabled by default.

This could be one of the possible reason.

0 Helpful

jlwomeld
Level 1
Level 1
In response to prasadrp

‎12-30-2004 08:07 AM

If you are using the GUI you can enable the interface from here go to Configuration then Sensing Eng slect Interfaces there you can ena/dis the int this is for 4.1 on a 6509

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card