IEV is not showing multiple alarms?

chaack
Level 1

I have the IDS with the IEV in a lab scenario for implementation. I have some NT machines on the monitored network and I have an NT machine on the remote network with multiple attacks on it. When I attack the machines on the monitored network with ICMP Bombs, NmapNT, TCP Sweeps, Port scans, etc. the only alarm that comes up on the IEV is "Net Flood UDP Any". I have been doing some research and from what I found, there should be multiple alarms on the IEV. I have all the signatures enabled and the IEV is talking to the Sensor and I get a route down and route up alarms, everything seems like it should be working. But the only alarm I get is the "Net Flood UDP Any".

Please Help.

Thanks,

Chris

4 Replies

marcabal
Cisco Employee

Sounds like the sensor may be monitoring its own command and control interface instead of its monitoring interface.

Look in packetd.conf and see what the NameOfPacketDevice is set to:

The best method is to set NameOfPacketDevice to "auto"

IDS-4210:

iprb0 - monitoring

iprb1 - command and control

IDS-4220/4230:

spwr0 - monitoring

iprb0 - command and control (this is monitoring in the 4210 but not the 4230)

IDS-4235/4250:

e1000g0 - monitoring (TX)

e1000g2 - monitoring (SX)

e1000g1 - command and control
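
As an added example (not from this thread and not Cisco's own tooling), here is a small POSIX shell check that applies the interface table above to a packetd.conf and reports whether NameOfPacketDevice is set to "auto", to a monitoring interface, or to the command and control interface (the misconfiguration described in the reply). It assumes the token appears as a line of the form "NameOfPacketDevice <value>"; real packetd.conf files may differ, so adjust the awk pattern if yours does. The model-to-interface mapping and the constructed sample configs are the only data in it.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from Cisco.
# Assumption: packetd.conf names the sniffing interface on a line of the form
# "NameOfPacketDevice <value>" where <value> is "auto" or a device name.
# The model-to-interface table is copied from the reply above.

# Command and control interface per sensor model (from the reply above).
cc_iface_for_model() {
  case "$1" in
    4210)      echo iprb1 ;;
    4220|4230) echo iprb0 ;;
    4235|4250) echo e1000g1 ;;
    *)         return 1 ;;
  esac
}

# Monitoring (sniffing) interface(s) per sensor model (from the reply above).
monitor_ifaces_for_model() {
  case "$1" in
    4210)      echo iprb0 ;;
    4220|4230) echo spwr0 ;;
    4235|4250) echo "e1000g0 e1000g2" ;;
    *)         return 1 ;;
  esac
}

# Print the configured NameOfPacketDevice from a packetd.conf. If the token
# appears more than once the last one wins. Prints nothing if it is unset.
packet_device() {
  awk '$1 == "NameOfPacketDevice" { dev = $2 } END { if (dev != "") print dev }' "$1"
}

# Classify the configured device for a given sensor model:
#   auto            - sensor picks the interface itself (recommended in the reply)
#   monitoring      - explicitly set to a sniffing interface
#   command-control - set to the C&C interface: the sensor then only sees its own
#                     traffic, which matches the "only one alarm type" symptom
#   unknown         - device name not in the table for this model
#   unset           - no NameOfPacketDevice line found
check_packet_device() {
  model=$1
  conf=$2
  dev=$(packet_device "$conf")
  if [ -z "$dev" ]; then
    echo unset
    return 0
  fi
  if [ "$dev" = "auto" ]; then
    echo auto
    return 0
  fi
  cc=$(cc_iface_for_model "$model") || cc=""
  if [ -n "$cc" ] && [ "$dev" = "$cc" ]; then
    echo command-control
    return 0
  fi
  mons=$(monitor_ifaces_for_model "$model") || mons=""
  for m in $mons; do
    if [ "$dev" = "$m" ]; then
      echo monitoring
      return 0
    fi
  done
  echo unknown
}

# Demo on two constructed configs (not captured from a real sensor):
# an IDS-4210 set to "auto" and one mistakenly set to its C&C interface.
demo() {
  dir=$(mktemp -d)
  printf 'NameOfPacketDevice auto\n'  > "$dir/good.conf"
  printf 'NameOfPacketDevice iprb1\n' > "$dir/bad.conf"
  for f in good bad; do
    printf '%s: %s\n' "$f.conf" "$(check_packet_device 4210 "$dir/$f.conf")"
  done
  rm -rf "$dir"
}
demo
```

Run it on a sensor as `check_packet_device 4210 /usr/nr/etc/packetd.conf` (substituting your model and the real path to packetd.conf). A result of "command-control" is the condition the reply describes; "auto" is the setting it recommends.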

I checked the packetd.conf file and everything looked right. I have an IDS-4210 and the NameOfPacketDevice is set to "auto". Is there anything else that I need to look for or change?

Chris

Check the sensor log files in the /usr/nr/var directory. Execute the strings command on the log file to view its contents.

ex: $ strings /usr/nr/var/log*

If the sensor is capturing data and the sensor is configured to log, you should see data in the file.

Also, which IEV screen are you viewing: the aggregate view window, the expanded details window, or the alarm detail dialog? The alarm detail dialog has the info you are looking for.

One more thing, check the errors.packetd file in the /usr/nr/var directory.

The only time I've seen this "limited events" condition is when a sensor was connected to a switch whose port wasn't properly spanned.