how to shut down and activate sniffing interface on 4235

infinitingr2 · ‎06-11-2004

I recently installed 2 units if 4235 NetRangers. Problem is although the sniffing interface is connected to a hub the show interface command indicates that while the command interface is UP, the SNIFFING interface is DOWN. I have read anout how others on this forum had to shut down teh sniffing interface while doing signature upgrade. My Question is HOW DO I BRING THE SENSING INTERFACE DOWN AND JUST FOR ANOTHER DAY WHEN I MIGHT NEED TO SHUT DOWN THE SNIFFING INTERAFCE, HOW DO I DO JUST THAT AS WELL.

Thanks

pcomeaux · ‎06-12-2004

I found the answer to your question in this Chapter from the IDS 4.0 documentation:

Assigning and Enabling the Sensing Interface

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/hwguide/hwchap9.htm#wp587816

Here's an excerpt from the doc:

Step 4 To enable or disable an interface, follow these steps:

a. Enter Sensing Interface Configuration mode for the interface:

sensor(config)# interface sensing name

Where name is the logical name of the sensing interface, such as int0.

b. Enable the interface:

sensor(config-ifs)# no shutdown

c. Verify the interface is enabled:

sensor(config-ifs)# show interface

d. Disable the interface:

sensor(config-ifs)# shutdown

e. Exit Sensing Interface Configuration mode:

sensor(config-ifs)# exit

--------------------------------------------------------------------------------

Note Enabling or disabling the interface group enables or disables all the sniffing interfaces contained in the group.

--------------------------------------------------------------------------------

Table 9-1 Sniffing Interfaces

IDS-4235

int0

IDS-4235-4FE

int0, int2, int3, int4, int5

Please let us know if you would like more information.

peter

infinitingr2 · ‎06-14-2004

Thanks you. It is staright to the point and was quite helpful. I do have one more question though. When I am about to update the sensor signature on the netRanger, should the sensing interface be up or down? Secondly, during the process of upgrading the signature on the sensor, should the command and control interface be shut down. I am afraid though that if you shut down the command and control interafce then you would NOT be able to do this remotely, because then the IP address on eth0 would be down.

Thanks for a prompt reponse.

ade

marcabal · ‎06-15-2004

The signature update installation itself will tell the sensor to stop sniffing on the sensing interfaces during the update process.

NOTE: When 4.0 was first released the sensor would continue sniffing during the signature update and this would lead to long update times, so in a later version (around 4.1) we changed the signature update process to force the sensor to stop sniffing while the signature update was being installed.

So you do not need to bring down the sniffing interface, the sensor will automatically stop sniffing for the time it takes to install the update.

As for the command and control interface, no you should not bring down the command and control interface. The command and control interface is needed for the sensor to pull down the update.

Besides the sensor does not really provide a means of shutting down the command and control interface in the configuration. If you try shutting down the command and control interface in the same way you shutdown the sensing interfaces, the sensor will either ignore the change or give you an error.