02-25-2006 06:17 AM - edited 03-10-2019 01:54 AM
Hi!
Our customer has an IDS 4235 4.1(2) S147 and VMS 2.2 (security monitor 1.2.3).
We simulated an attack on the remote host, but the events appeared on the security monitor (events) with a 10-20 minute delay. Also, when we attempt to enable all IDS signatures, the IDS crashes and stops responding.
Help, PLZ.
02-25-2006 07:04 AM
The IDS 4.1 communication protocol (RDEP) uses a pull model. This means that the VMS security monitor should periodically download new events from the sensor. You should find the parameter in the security monitor that is responsible for the periodic downloading of events. Also, don't enable all signatures on the IDS sensor -- it may run out of memory. Check how much free memory is available with the "show version" command.
Also, your sensor may not handle the traffic load. There is a Sig 993 (if I remember correctly), which is disabled by default in 4.1, that can help you troubleshoot this.
Don't forget to rate all posts.
02-25-2006 07:38 AM
Thank you for the reply!
But we see security alerts from other devices in real time (from routers, PIXs with an enabled ip audit policy). Why not from the IDS?
Enabling all signatures... I know that it's not recommended ;-) But there is an absolutely similar situation with IPS version 5, and I want Cisco to comment on this feature - why can I not enable all signatures in MY sensor?
02-25-2006 10:51 AM
On 4.1 run the following commands and post the output:
show int sensing clear
wait 1 minute and run again:
show int sensing
show stat host
Also, use other "show statistics" commands to check resource utilization. Then post the output. Otherwise nobody will be able to tell you what is happening with your sensor.