Re: Internal network setting for Security monitor

eckertb · ‎04-14-2004

I've setup my internal networks for each of my sensors but when viewing reports the events are still showing up as OUT (external) when they should be IN (internal). Anything else I need to do besides annotate the IPs in MC IDS? I've rebooted all the devices including the VMS server. My filters don't work at all if the internal networks aren't recognized.. I've tried using an IP range as well as a network w/mask. Thanks for the help.

sirpa_k · ‎04-20-2004

Any update on this ?

marcabal · ‎04-20-2004

First thing to verify is that the configuration you've entered through IDS MC is making it onto the sensor.

Login to the sensor CLI.

Execute:

configure terminal

service alarm-channel-configuration virtualAlarm

tune-alarm-channel

systemVariables

show settings

You should see the list of addresses in your show settings output.

If they don't show up, then check your IDS MC. Verify that the IDS MC pushed the configuration without any errors.

If the addresses do show up then exit back to the main CLI mode.

Then execute "show events alert".

Look at the events reported by the CLI to verify if the addresses are being properly marked in the CLI.

If they are being properly marked in the CLI then your configuration is correct. Reverify what is being seen in Security Monitor.

If they are being marked as OUT in the CLI then are you willing to paste examples in a response?

We would need the output from "show settings" and a copy of the alert from the "show events alert" output.

I can take a look to see if there may be a configuration error that is not being detected, or if we have a sensor bug.