Where To Set IDS Span On Network

ryan.brennan
Level 1

I was curious as to where other administrators have their IDS devices on their network. Do you have the span set up to monitor a trunk link off a main closet?

The reason I'm asking is that I notice the memory utilization on our local device is constantly at 98%. I'm thinking this may result from where the actual device is strategically placed in our network. A Cisco engineer was on site here last year and told us to monitor the WAN port on our core router. Because this interface gets completely hammered with traffic I'm thinking this may be the cause of the over-utilization of the memory, as well as the recent update pushes from the MC not going through.

We are using a 4235 sensor running 4.1(4). I'm thinking of taking down this current span and setting it up in a less congested trunk link to one of our larger satellite closets. Thoughts?

4 Replies

marcabal
Cisco Employee

Memory Usage on the sensor has often caused confusion.

The reported Memory Usage includes both the memory being used by the IDS processes as well as the memory that the system has cached for faster file access.

The system tries to cache as much of the available memory as possible. So memory usage of 98% is not uncommon.

If the IDS processes need more memory, then the system just removes that memory from the cache and hands it over to the IDS processes.

If you think that your sensor is being stressed with the traffic, then there are 2 things to do:

1) Turn on the 993 alarm.

The 993 alarm monitors for oversubscription of the sensor (the sensor seeing more packets than it can monitor). The 993 is disabled by default and so will need to be enabled.

Keep an eye on the alarm logs during the busiest parts of the day to see if the 993 alarm is firing.

If the 993 alarm is not firing, then the sensor is likely able to handle what it is already monitoring.

2) Run top to monitor the cpu and memory usage:

a) Create a service account

b) Login with the service account

c) Switch to user root (same password as service account)

d) Execute "top"

e) Monitor the overall cpu and memory usage and specifically the usage by the sensorApp process (sensorApp is the process that does the monitoring).
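The reply's point is that the 98% figure counts the kernel's file cache as "used". The following shell script is an added example, not code from the thread or from Cisco: it reads a Linux-style /proc/meminfo listing and reports usage both with and without Buffers/Cached, so the cache-inflated number can be told apart from memory the IDS processes actually hold. The sample listing is constructed; the field names assumed here (MemTotal, MemFree, Buffers, Cached) are the standard Linux ones, and the layout on a particular sensor image may differ.

```shell
#!/bin/sh
# Added example, not from the thread. Splits reported memory usage into
# "raw" (everything not free, which is what a quick look at top or free
# shows and which includes the file cache) and "effective" (memory the
# processes actually hold, with Buffers and Cached subtracted).
# Assumes a Linux-style /proc/meminfo with MemTotal/MemFree/Buffers/Cached
# lines; the layout on a particular sensor image may differ.

# Constructed sample of a sensor that looks "98% used" but is mostly cache.
SAMPLE_MEMINFO='MemTotal:      1030000 kB
MemFree:         20600 kB
Buffers:         98000 kB
Cached:         700000 kB'

# Reads a /proc/meminfo listing on stdin; prints "RAW EFFECTIVE" in percent.
mem_pct_used() {
  awk '
    $1 == "MemTotal:" { t = $2 }
    $1 == "MemFree:"  { f = $2 }
    $1 == "Buffers:"  { b = $2 }
    $1 == "Cached:"   { c = $2 }
    END {
      if (t == 0) { print "0 0"; exit 1 }   # no MemTotal line: refuse to guess
      raw = (t - f) * 100 / t
      eff = (t - f - b - c) * 100 / t
      if (eff < 0) eff = 0
      printf "%d %d\n", raw, eff
    }'
}

# mem_pressure THRESHOLD: reads /proc/meminfo on stdin and succeeds (exit 0)
# only when the effective usage is at or above THRESHOLD percent, so a cron
# job can alert on real pressure instead of on the cache-inflated figure.
mem_pressure() {
  eff=$(mem_pct_used | awk '{ print $2 }')
  [ "$eff" -ge "$1" ]
}

# Demonstration on the constructed sample; on a live sensor, as root, use
#   mem_pct_used < /proc/meminfo
printf '%s\n' "$SAMPLE_MEMINFO" | mem_pct_used
```

On the constructed sample the raw figure is 98% while the effective figure is about 20%, which is exactly the situation the reply describes. Pair this with the sensorApp line in top: if the effective number is low and sensorApp's RSS is stable, the 98% is cache and not a sizing problem; the 993 alarm remains the authoritative check for oversubscription.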

Excellent suggestions. Thank you.

One further question... how does one turn on the 993 alarm? Through the traditional Conf T menus?

Yes, it can be enabled and disabled like other alarms. It is in the engine "Other".
