IDS Configuration Error

certcomtemp36
Level 1

Hello,

I have a problem with the IDS Configuration. I am receiving the error message:

-----------------------------------------------

Alarm Status: Alarm feed inactive

Event: Alarm feed inactive

Severity: Critical: Configuration Error Detected

Zone:

Policy

Event ID: 2

Sub ID: 0

Information: Reconnect failed (Will try once every 60 seconds): Remote host closed connection during handshake

Vendor: Cisco Threat Response

Detected by: IDS-AWCC

Detected at: Jun 8, 2004 1:58:15 PM

Source: 172.16.3.24

Source Port: 0

Target: 172.16.20.2

Target Port: 0

Alarm ID: 5419

Priority: 1

Saved at: Jun 8, 2004 1:58:15 PM

Updated at: Jun 8, 2004 1:58:15 PM

------------------------------------------------

------------------------------------------------

Alarm Status: Alarm feed inactive

Event: Alarm feed inactive

Severity: Critical: Configuration Error Detected

Zone:

Policy

Event ID: 2

Sub ID: 0

Information: Reconnect failed (Will try once every 60 seconds): Fatal Error in DbMon_ISS.init: Could not get a connection for the ISS_SQL_Alert class. (server=ads2/db=sa/user=sa)

Vendor: Cisco Threat Response

Detected by: ads2

Detected at: Jun 8, 2004 2:00:07 PM

Source: 172.16.20.2

Source Port: 0

Target: 172.16.20.2

Target Port: 0

Alarm ID: 5422

Priority: 1

Saved at: Jun 8, 2004 2:00:07 PM

Updated at: Jun 8, 2004 2:00:08 PM

------------------------------------------------

Existing Network Design:

IDS Sensor (172.16.3.24/24) is behind the PIX Firewall (172.16.3.1/24).

IDS Sensor is connected to a Catalyst 2950 switch (no VLAN, simple configuration). Other devices like the internal interface of the PIX, the server, etc. are connected to the same switch.

Main Server's External Interface (172.16.3.11/24) is connected to the same switch. The internal interface is connected to the 172.16.20.0/24 network. The server runs W2K SP4 with MS ISA 2000 Server, having open TCP ports 45000, 443 and 1433.

Threat Response 2.0 is installed in a server (172.16.20.2). JDBC is also installed there.

Please help me...

Regards

Syed Mahsud Ali

mahsud2000@yahoo.com

1 Reply

a.arndt
Level 3

I'm not running CTR myself, so I can only offer advice or suggestions based on the network info you provided.

I may be wrong but your problem may involve which interface on the server you have bound CTR to for the purposes of reporting.

Based on the info you provided, CTR will need to be using the interface you referred to as "External" in order to see your IDS Sensor (which I assume is what the CTR is trying to communicate with - if I'm wrong, then you'll need to tell us what exactly the CTR and Sensor talk to and at what IP address), since these two IP addresses are in the same subnet/broadcast domain.

172.15.3.24/24 (IDS) vs. 172.16.3.11/24 (External) = same network (172.16.3.0/24)

Because you have CTR attempting to connect using the interface you labelled "Internal" on the server, it will never be able to communicate with the IDS because you have it using an IP in a different broadcast domain.

172.16.3.24/24 (IDS) vs. 172.16.20.2/24 (CTR on Internal) = different networks (172.16.3.0/24 vs. 172.16.20.0/24)

Of course, your other option is to move the IDS onto the same network as the interface for which CTR is configured, which might be desirable given the fact that you refer to it as "Internal".

BTW, you don’t need port 45000 open any more for Cisco IDS. UDP port 45000 was used by the 3.x and previous Cisco IDS code to communicate. Since 4.x was introduced, everything is done via either SSH (TCP port 22) or HTTPS/SSL (TCP port 443). As a result, you can close port 45000 on your ISA, unless of course you use the port for something else…

Hope this helps,

Alex Arndt
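An added example (not from either poster) that applies the reasoning in the reply above: it parses alarm records in the layout quoted in the question and reports which of the server's two interfaces shares a subnet with each alarm's Source host, i.e. which interface CTR could reach the sensor from without routing. The interface labels and addresses come from the thread; the field-splitting rules are assumptions about the record format.

```python
import ipaddress
import re

# Two alarm records as quoted in the question, trimmed to the relevant fields.
ALARMS = """
Alarm Status: Alarm feed inactive
Information: Reconnect failed (Will try once every 60 seconds): Remote host closed connection during handshake
Detected by: IDS-AWCC
Source: 172.16.3.24
Target: 172.16.20.2
------------------------------------------------
Alarm Status: Alarm feed inactive
Information: Reconnect failed (Will try once every 60 seconds): Fatal Error in DbMon_ISS.init: Could not get a connection for the ISS_SQL_Alert class. (server=ads2/db=sa/user=sa)
Detected by: ads2
Source: 172.16.20.2
Target: 172.16.20.2
"""

# The CTR server's interfaces as described in the question ("External" / "Internal" are the poster's labels).
SERVER_INTERFACES = {
    "External": ipaddress.ip_interface("172.16.3.11/24"),
    "Internal": ipaddress.ip_interface("172.16.20.2/24"),
}


def parse_alarms(text):
    """Split the dashed-line-separated feed into dicts of 'Field: value' pairs (assumed layout)."""
    records = []
    for chunk in re.split(r"^-{10,}$", text, flags=re.M):
        fields = dict(re.findall(r"^([\w ]+?):\s*(.*)$", chunk, flags=re.M))
        if fields:
            records.append(fields)
    return records


def directly_reachable(interfaces, peer):
    """Labels of the interfaces whose subnet contains peer (same broadcast domain, no router needed)."""
    peer_ip = ipaddress.ip_address(peer)
    return [name for name, iface in interfaces.items() if peer_ip in iface.network]


def diagnose(text, interfaces):
    """For each 'Reconnect failed' alarm: (detector, source host, interfaces that see it on-link)."""
    findings = []
    for rec in parse_alarms(text):
        if "Reconnect failed" not in rec.get("Information", "") or "Source" not in rec:
            continue
        findings.append((rec.get("Detected by"), rec["Source"], directly_reachable(interfaces, rec["Source"])))
    return findings
```

For the first alarm the sensor at 172.16.3.24 is on-link only from "External", which is the reply's point; the second alarm is a database connection failure on the CTR host itself and is not an interface problem.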