Strange problems with IDS-4235 and VMS 2.2

avdmtr
Level 1

The IDS does not send the message about intrusions in the Security monitor VMS.

However, connectivity between them exists. On the boundary PIX, inbound connections on the https, syslog and snmp trap ports are allowed. The SPAN port on the switch is customized correctly (I checked with tcpdump).

8 Replies

pcomeaux
Cisco Employee

What is the status of the sensor in Security Monitor on the Monitoring --> Connections tab?

If the status is connected in SecMon, then we may want to check the Permitted Hosts that is configured on the sensor next.

This will let us know what to troubleshoot next.

peter

Status "connected" in the SecMon.

Access to the sensor is permitted to all hosts.

If your sensor is running 4.x code, you can see if the sensor is matching any of the traffic that it is seeing (you verified traffic with TCPDUMP) by using the "show events" command. As signatures are matched, you will see the events show up on the output. Use ctrl-c to end the display of events.

Let us know if you are seeing the events show up on the sensor locally.

thanks

peter

I do not see any events after usage of the command "show events".

truly yours

Alexander

Interesting. If you are seeing traffic spanned to the sensor, but you are not seeing any events on the sensor, one of 3 things could be occurring:

1 - The span session is not set up correctly

or

2 - None of the signatures are enabled

or

3 - None of the enabled signatures are being matched by your traffic

So, the most likely problem is #1. If you see traffic with TCPDUMP, you may be seeing only broadcasts. Unplugging the sensor and placing a PC with a sniffer will verify that traffic other than broadcasts is being spanned to the IDS port.

Let us know what you find.

thanks

peter
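The broadcast-only check that peter describes above is easy to automate once the sniffer PC has a capture. The script below is an added example and is not part of the original thread or any Cisco tool. It assumes the capture was taken with `tcpdump -e -n` (the `-e` flag prints link-level headers, so the destination MAC is visible on every line), classifies each frame as broadcast, multicast or unicast from that MAC, and reports whether the SPAN destination port is actually receiving mirrored unicast traffic. The sample capture lines embedded in the script are constructed for the example, not taken from the poster's network.

```python
import re
from collections import Counter

# Matches the "src_mac > dst_mac," prefix that `tcpdump -e -n` prints after
# the timestamp on every frame.  Everything after the comma is ignored.
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>[0-9a-f:]{17})\s+>\s+(?P<dst>[0-9a-f:]{17}),",
    re.IGNORECASE,
)

# Constructed sample: what a healthy SPAN session looks like from the sniffer
# PC: ARP broadcast, mDNS multicast, and a TCP handshake between two hosts
# that are NOT the sniffer (i.e. genuinely mirrored unicast traffic).
HEALTHY_CAPTURE = """\
12:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.1 tell 10.0.0.2
12:00:01.000002 00:11:22:33:44:55 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 90: 10.0.0.2.5353 > 224.0.0.251.5353: UDP, length 48
12:00:01.000003 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 10.0.0.2.51000 > 10.0.0.1.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000004 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 10.0.0.1.80 > 10.0.0.2.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# Constructed sample: the failure mode from the thread.  The port is up and
# tcpdump shows "traffic", but it is only flooded broadcast/multicast frames,
# which every port in the VLAN receives whether or not SPAN is configured.
BROADCAST_ONLY_CAPTURE = """\
12:00:05.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.9 tell 10.0.0.2
12:00:05.000002 00:aa:bb:cc:dd:ee > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.0.7 tell 10.0.0.1
12:00:05.000003 00:11:22:33:44:55 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 90: 10.0.0.2.5353 > 224.0.0.251.5353: UDP, length 48
"""


def classify_dst_mac(mac):
    """Return 'broadcast', 'multicast' or 'unicast' for a destination MAC."""
    mac = mac.lower()
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    # The I/G bit (least significant bit of the first octet) marks group
    # addresses; anything with it set that is not all-ones is multicast.
    if int(mac.split(":")[0], 16) & 1:
        return "multicast"
    return "unicast"


def summarize(capture_text):
    """Count frames per class; lines without a link-level header are skipped."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        counts[classify_dst_mac(m.group("dst"))] += 1
    return counts


def span_verdict(counts):
    """Map the frame mix onto the three causes listed in the thread.

    Only cause #1 (SPAN not mirroring) is visible from a capture; if unicast
    frames between other hosts are present the SPAN session is delivering
    traffic and the next things to check are signature state and tuning.
    """
    seen = counts["broadcast"] + counts["multicast"] + counts["unicast"]
    if seen == 0:
        return "no_traffic"
    if counts["unicast"] == 0:
        return "span_not_mirroring"
    return "span_ok"


if __name__ == "__main__":
    for name, capture in (("healthy", HEALTHY_CAPTURE), ("broadcast-only", BROADCAST_ONLY_CAPTURE)):
        counts = summarize(capture)
        print(f"{name}: {dict(counts)} -> {span_verdict(counts)}")
```

Run it against a real `tcpdump -e -n -r capture.pcap` text dump from the sniffer PC; a `span_not_mirroring` verdict while the VLAN is known to carry host-to-host traffic points at the SPAN session (cause #1) before any time is spent on signatures.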

Very interesting problem.

1. SPAN port is tuned correctly. I see not only broadcast traffic but also traffic intended for other ports in the VLAN.

The sensing interface is up:

>sh int sensing

Sensing int0 is up

...

Link status=up

2. All signatures are enabled on default.

3. I scanned using nmap, nessus, retina ;)

truly yours

Alexander

Couple of other questions for you:

1 - What hardware platform are you using?

2 - Which interface on the hardware is plugged into the spanned port?

3 - What traffic statistics are you seeing when you perform a "show int sensing"?

thanks

peter

1. I have two IDS-4235. All IDS are version 4 with the latest signatures.

The IDS are connected to ports on 2924XL and 2950-12 switches.

2. NIC1 is connected to the SPAN port and NIC2 is for management.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/hwguide/hwchap3.htm#131

3. Traffic statistics are as follows:

error 0

85% - UDP,TCP

5% - broadcast

10% - multicast

thanks

Alexander