12-19-2000 09:55 PM - edited 03-08-2019 07:53 PM
What is the best way of configuring the NetRanger? Is it based on the default configuration or a custom configuration? My current configuration, which uses the default configuration, is giving us a lot of severity level 6 notifications.
And how do I make the IDS very useful to the environment, so that I can detect any attempts on my network?
01-10-2001 10:19 AM
The short answer is you need to tune it. The long answer follows:
NetRanger really needs to be tuned to your network. Out of the box, we default the configuration to a sane setup; however, the setup is pretty open in its interpretation of what's important. This generally results in a very "chatty" sensor... thus the number of Level 5 alarms you're seeing.
The general recommendation is to review the alarms being generated (consult the NSDB entries and other appropriate logs you may have) and if it is determined that the alarm is a false positive for your network, use one of the tuning parameters (RecordofExcludedXXXX options) to either mask the offensive (but known good) host or network. In some cases, you can disable signatures entirely if they make no sense in your network (for instance, Microsoft NetBios signatures in a Unix/Linux environment).
I also recommend the following TAC article:
http://www.cisco.com/warp/public/707/f_pos.html
Scott
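The alarm review described in the answer above, as an added example that is not part of the original thread or of any Cisco tooling: it tallies alarms per signature and source, then lists reviewed known-good hosts that dominate a signature's volume as candidates for a per-signature exclusion. The CSV layout, the signature names `SIG-A`/`SIG-B`, the addresses and the known-good list are all constructed assumptions, not the sensor's real log format.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample alarms: timestamp, signature, severity, source, destination.
# This layout is an assumption for the example, not the sensor's log format.
SAMPLE_ALARMS = """\
2001-01-10T09:00:01,SIG-A,5,10.1.1.20,10.1.2.5
2001-01-10T09:00:31,SIG-A,5,10.1.1.20,10.1.2.6
2001-01-10T09:01:01,SIG-A,5,10.1.1.20,10.1.2.7
2001-01-10T09:02:10,SIG-A,5,192.0.2.77,10.1.2.5
2001-01-10T09:03:00,SIG-B,5,10.1.1.20,10.1.2.5
2001-01-10T09:03:05,SIG-B,5,198.51.100.9,10.1.2.5
2001-01-10T09:03:09,SIG-B,5,198.51.100.9,10.1.2.6
"""

# Hosts or networks already reviewed and judged benign (hypothetical monitoring station).
KNOWN_GOOD = ["10.1.1.20/32"]


def exclusion_candidates(alarm_csv, known_good, min_share=0.5):
    """Return {signature: [(source, count, share)]} for reviewed sources that
    produce at least min_share of that signature's alarms."""
    nets = [ipaddress.ip_network(n) for n in known_good]
    per_sig, per_pair = Counter(), Counter()
    for _ts, sig, _sev, src, _dst in csv.reader(io.StringIO(alarm_csv)):
        per_sig[sig] += 1
        per_pair[(sig, src)] += 1
    result = {}
    for (sig, src), count in sorted(per_pair.items()):
        share = count / per_sig[sig]
        if share >= min_share and any(ipaddress.ip_address(src) in n for n in nets):
            result.setdefault(sig, []).append((src, count, round(share, 2)))
    return result


def residual_alarms(alarm_csv, candidates):
    """Alarms left after excluding only the (signature, source) pairs found above.
    The host is not excluded globally, so its other alarms stay visible."""
    excluded = {(sig, src) for sig, rows in candidates.items() for src, _, _ in rows}
    return [row for row in csv.reader(io.StringIO(alarm_csv))
            if (row[1], row[3]) not in excluded]


if __name__ == "__main__":
    found = exclusion_candidates(SAMPLE_ALARMS, KNOWN_GOOD)
    print(found)
    print(len(residual_alarms(SAMPLE_ALARMS, found)), "alarms still need review")
```

The known-good host still shows up under `SIG-B` after tuning, because the exclusion is scoped to one signature rather than to the host as a whole.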
01-15-2001 10:35 AM
The ideal way of setting up the NetRanger is a customised configuration. As most corporate environments and requirements differ, so do the needs. Using a customised configuration you can set and alter alarm and severity levels to suit your circumstances. Place Sensors in strategic places in your network and use them in conjunction with Access Control Lists (ACLs) on Routers.
You realistically cannot and do not need to detect every inbound/outbound traffic packet, or else you would burn out all resources.
Select what type of intrusion you can ignore and only deal with ones with high severity levels, i.e. (DoS attacks, Pings of Death and Port Sweeps/Scans).