06-03-2005 08:42 AM - edited 03-09-2019 11:28 AM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn with Cisco expert Nadeem Khawaja about troubleshooting Cisco Intrusion Detection Systems and Intrusion Prevention Systems. Nadeem supports security related products, including Cisco Secure PIX Firewall, Cisco IOS Firewall, Cisco Secure Access Control Server UNIX & Windows NT and Cisco Secure Intrusion Systems at the Technical Assistance Center (TAC). He is a double CCIE (# 9069) in Routing & Switching and in Security.
Remember to use the rating system to let Nadeem know if you have received an adequate response.
Nadeem might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 17. Visit this forum often to view responses to your questions and the questions of other community members.
06-16-2005 11:22 PM
Hi Nadeem,
As described in my earlier email, the build of the sensor is completely clean, i.e. no filters configured for anything, and the attacks I am launching are for signatures that are enabled, e.g. a directory traversal attack such as http://www.xxxxx.com/../.. , or access to etc/shadows in a URL. Both of these trigger events in my other 4215's, which are built identically.
I can confirm that the attack reaches the sensor, as interface counters increment when the attack is launched.
Any other thoughts?
Regards
Phil
06-17-2005 10:19 AM
You need to provide more details now, e.g.:
show version output
show interface output
output of "show event past 23:00"
the signature ID that you are triggering
the output of "show config | begin SIGIG"
Thanks
Nadeem
06-17-2005 04:52 AM
Hi,
Q1: I encountered a problem with blocking using the IDS 4240. The sensor works perfectly when it makes an ACL on the MSFC 6500. When it makes an ACL on the Cat5500 (RSM, IOS 11.3.9), it grabs the NVRAM and doesn't even let me run "show running" on the RSM. On the sensor I can see the state of the block constantly changing from inactive to initializing. How can I fix this?
Q2: When will additional FastEthernet cards be available for the IDS4240?
06-17-2005 10:21 AM
What is your sensor version?