07-05-2004 12:10 PM - edited 03-09-2019 07:57 AM
Strange problems with IDS-4235 and VMS 2.2
The IDS does not send intrusion messages to the Security Monitor in VMS.
However, connectivity between them exists. On the boundary PIX, incoming connections on the https, syslog and snmp-trap ports are allowed. The SPAN port on the switch is configured correctly (I checked with tcpdump).
07-06-2004 04:10 PM
What is the status of the sensor in Security Monitor on the Monitoring --> Connections tab?
If the status is connected in SecMon, then we may want to check the Permitted Hosts that are configured on the sensor next.
This will let us know what to troubleshoot next.
peter
07-07-2004 04:05 AM
Status "connected" in the SecMon.
All hosts are permitted access to the sensor.
07-07-2004 07:44 AM
If your sensor is running 4.x code, you can see if the sensor is matching any of the traffic that it is seeing (you verified traffic with TCPDUMP) by using the "show events" command. As signatures are matched, you will see the events show up on the output. Use ctrl-c to end the display of events.
Let us know if you are seeing the events show up on the sensor locally.
thanks
peter
07-07-2004 11:02 AM
I do not see any events after usage of the command "show events".
truly yours
Alexander
07-07-2004 01:10 PM
Interesting. If you are seeing traffic spanned to the sensor, but you are not seeing any events on the sensor, one of 3 things could be occurring:
1 - The span session is not setup correctly
or
2 - None of the signatures are enabled
or
3 - None of the enabled signatures are being matched by your traffic
So, the most likely problem is #1. If you see traffic with TCPDUMP, you may be seeing only broadcasts. Unplugging the sensor and placing a PC with a sniffer there will verify that traffic other than broadcasts is being spanned to the IDS port.
Let us know what you find.
thanks
peter
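One way to run the check Peter describes above, as an added example that is not part of this thread: classify the frames in a "tcpdump -e -nn" capture by destination MAC, so that a capture containing only flooded broadcast/multicast frames (which any port receives) is told apart from one where the SPAN session really mirrors unicast traffic between other hosts. The sample lines and all MAC and IP addresses in them are constructed.

```python
import re
from collections import Counter

# Constructed sample in "tcpdump -e -nn" style; MAC and IP addresses are hypothetical.
SAMPLE_CAPTURE = """\
12:10:01.000001 00:0a:95:9d:68:16 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.2
12:10:01.000002 00:0a:95:9d:68:16 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 90: 10.0.0.2.5353 > 224.0.0.251.5353: UDP, length 48
12:10:01.000003 00:0a:95:9d:68:16 > 00:1b:21:3c:4d:5e, ethertype IPv4 (0x0800), length 74: 10.0.0.2.51234 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
12:10:01.000004 00:1b:21:3c:4d:5e > 00:0a:95:9d:68:16, ethertype IPv4 (0x0800), length 74: 10.0.0.5.80 > 10.0.0.2.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# Timestamp, source MAC, " > ", destination MAC, then the ethertype field.
FRAME_RE = re.compile(r"^\S+\s+(?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}),")


def classify_dst(mac):
    """Classify a destination MAC: broadcast, multicast (I/G bit set) or unicast."""
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    return "multicast" if int(mac[:2], 16) & 0x01 else "unicast"


def summarize_capture(text):
    """Count frames per destination class and collect distinct unicast destinations."""
    counts = Counter()
    unicast_dsts = set()
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # continuation lines, hex dumps, tcpdump banner, etc.
        kind = classify_dst(m.group("dst"))
        counts[kind] += 1
        if kind == "unicast":
            unicast_dsts.add(m.group("dst"))
    return {"counts": dict(counts), "unicast_dsts": sorted(unicast_dsts)}


def span_carries_other_hosts_traffic(summary):
    """True when the capture holds unicast frames for at least two distinct
    destination MACs, i.e. the SPAN session mirrors more than the flooded
    broadcast/multicast traffic the sensor port would receive anyway."""
    return len(summary["unicast_dsts"]) >= 2
```

Feed it the saved output of a tcpdump run on the sniffer PC; a result with zero or one unicast destination is the "only broadcasts" case Peter warns about, and the SPAN source/destination configuration is the place to look next.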
07-07-2004 09:25 PM
Very interesting problem.
1. The SPAN port is configured correctly. I see not only broadcast traffic, but also traffic intended for other ports in the VLAN.
The sensing interface is up:
>sh int sensing
Sensing int0 is up
...
Link status=up
2. All signatures are enabled on default.
3. I scanned using nmap, nessus, retina ;)
truly yours
Alexander
07-08-2004 06:05 AM
Couple of other questions for you:
1 - What hardware platform are you using?
2 - Which interface on the hardware is plugged into the spanned port?
3 - What traffic statistics are you seeing when you perform a "show int sensing"?
thanks
peter
07-09-2004 12:25 PM
1. I have two IDS-4235. All IDS are version 4 and have the latest signatures.
The IDS are connected to ports on 2924XL and 2950-12 switches.
2. NIC1 is connected to the SPAN port and NIC2 is for management.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/hwguide/hwchap3.htm#131
3. The traffic statistics are as follows:
error 0
85% - UDP,TCP
5% - broadcast
10%- multicast
thanks
Alexander