mhellman Wed, 08/01/2007 - 18:28

running "well" is a little vague, but

I would recommend using the "packet display" command on the CLI to verify that you are seeing traffic to/from all the subnets and hosts that you expect. Once you've done that, you can use a number of tools to verify that alarms are firing. Nessus and Metasploit are two noisy examples.

tareqrebhi Thu, 08/02/2007 - 01:51

Does this output mean the IPS is running well?

DEMOIPS# packet display gigabitEthernet0/0
Warning: This command will cause significant performance degradation
tcpdump: WARNING: ge0_0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge0_0, link-type EN10MB (Ethernet), capture size 65535 bytes
00:37:03.161306 802.1d config 8001.00:19:2f:ff:b0:00.8019 root 8001.00:19:2f:ff:b0:00 pathcost 0 age 0 max 20 hello 2 fdelay 15
00:37:03.201843 arp who-has 55.55.67.190 tell 55.55.12.11
00:37:03.225008 arp who-has 55.55.76.195 tell 55.55.12.11
00:37:03.434188 arp who-has 55.55.78.65 tell 55.55.12.11
00:37:03.837970 arp who-has 55.55.66.123 tell 55.55.12.11
00:37:03.924237 arp who-has 55.55.75.68 tell 55.55.12.11
00:37:04.014200 arp who-has 55.55.66.26 tell 55.55.12.11
00:37:04.088586 arp who-has 55.55.69.135 tell 55.55.12.11
00:37:04.335508 arp who-has 55.55.78.28 tell 55.55.12.11
00:37:04.736894 arp who-has 55.55.76.240 tell 55.55.12.11
00:37:04.988410 arp who-has 55.55.71.82 tell 55.55.12.11
00:37:05.001289 arp who-has 55.55.64.5 tell 55.55.12.11
00:37:05.011773 arp who-has 55.55.71.209 tell 55.55.12.11
00:37:05.022357 00:19:2f:ff:b0:19 > 01:00:0c:cc:cc:cc snap ui/C len=35
00:37:05.022361 00:19:2f:ff:b0:19 > 01:00:0c:00:00:00 snap ui/C len=65
00:37:05.166336 802.1d config 8001.00:19:2f:ff:b0:00.8019 root 8001.00:19:2f:ff:b0:00 pathcost 0 age 0 max 20 hello 2 fdelay 15
00:37:05.188002 arp who-has 55.55.74.102 tell 55.55.12.11
00:37:05.716794 arp who-has 55.55.73.25 tell 55.55.12.11
00:37:05.894223 CDPv2, ttl: 180s, Device-ID 'TARMAINSW-01', length 361
00:37:06.079139 arp who-has 55.55.76.195 tell 55.55.12.11
00:37:06.420616 arp who-has 55.55.75.36 tell 55.55.12.11
00:37:06.781265 arp who-has 55.55.66.123 tell 55.55.12.11
00:37:06.921349 arp who-has 55.55.69.135 tell 55.55.12.11
00:37:07.100875 arp who-has 55.55.76.93 tell 55.55.12.11
00:37:07.171567 802.1d config 8001.00:19:2f:ff:b0:00.8019 root 8001.00:19:2f:ff:b0:00 pathcost 0 age 0 max 20 hello 2 fdelay 15
00:37:07.395024 arp who-has 55.55.71.211 tell 55.55.12.11
00:37:07.438958 arp who-has 55.55.78.28 tell 55.55.12.11
00:37:07.577544 arp who-has 55.55.77.1 tell 55.55.12.11
00:37:07.746687 arp who-has 55.55.79.138 tell 55.55.12.11
00:37:07.964253 arp who-has 55.55.71.82 tell 55.55.12.11
00:37:08.034345 arp who-has 55.55.71.209 tell 55.55.12.11
00:37:08.092955 00:19:2f:ff:b0:19 > 00:19:2f:ff:b0:19, ethertype Loopback (0x9000), length 60:
0x0000: 0000 0100 0000 0000 0000 0000 0000 0000 ................
0x0010: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
00:37:08.121013 arp who-has 55.55.76.123 tell 55.55.12.11
00:37:08.498935 arp who-has 55.55.74.189 tell 55.55.12.11
00:37:08.754144 arp who-has 55.55.73.25 tell 55.55.12.11
00:37:09.011452 arp who-has 55.55.68.42 tell 55.55.12.11
00:37:09.176498 802.1d config 8001.00:19:2f:ff:b0:00.8019 root 8001.00:19:2f:ff:b0:00 pathcost 0 age 0 max 20 hello 2 fdelay 15
00:37:09.196067 arp who-has 55.55.70.5 tell 55.55.12.11
00:37:09.474542 arp who-has 55.55.77.37 tell 55.55.12.11
00:37:09.961596 arp who-has 55.55.75.125 tell 55.55.12.11
00:37:10.113564 arp who-has 55.55.76.93 tell 55.55.12.11
00:37:10.188249 arp who-has 55.55.71.211 tell 55.55.12.11
00:37:10.347405 arp who-has 55.55.68.6 tell 55.55.12.11
00:37:10.545104 arp who-has 55.55.77.1 tell 55.55.12.11
00:37:10.617391 arp who-has 55.55.70.252 tell 55.55.12.11
00:37:10.661825 arp who-has 55.55.71.95 tell 55.55.12.11
00:37:10.812194 arp who-has 55.55.67.44 tell 55.55.12.11
00:37:11.183726 802.1d config 8001.00:19:2f:ff:b0:00.8019 root 8001.00:19:2f:ff:b0:00 pathcost 0 age 0 max 20 hello 2 fdelay 15
00:37:11.253917 arp who-has 55.55.69.105 tell 55.55.12.11
00:37:11.361953 arp who-has 55.55.74.189 tell 55.55.12.11

mhellman Thu, 08/02/2007 - 05:07

Not really...it's all layer 2 and I don't see any unicast frames. Is there a way you can manually create traffic that you know the sensor should see? You can add an expression to the packet display command to narrow it down. For example, the following expression only shows TCP traffic to/from IP address 55.55.12.11 on port 80:

packet display gigabitEthernet0/0 expression tcp and host 55.55.12.11 and port 80

If you want to get really fancy, the following expression will only show TCP connections with the SYN bit set to the same host (i.e. initial connection requests):

packet display gigabitEthernet0/0 expression host 55.55.12.11 and tcp[13] & 0x3f = 0x02
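An added example (not posted by anyone in this thread) that applies mhellman's two checks offline in Python: it classifies lines of packet display output, which is plain tcpdump format, by frame kind, reports whether a capture holds anything beyond layer-2 chatter, and encodes the tcp[13] & 0x3f = 0x02 flag test. The capture lines are constructed samples, not the thread's own output.

```python
import re
from collections import Counter
# Constructed sample in the thread's tcpdump format (addresses made up): only
# ARP, STP, CDP, SNAP and loopback frames, i.e. what an unmirrored port sees.
LAYER2_ONLY = """\
00:37:03.161306 802.1d config 8001.00:19:2f:ff:b0:00.8019 root 8001.00:19:2f:ff:b0:00 pathcost 0 age 0 max 20 hello 2 fdelay 15
00:37:03.201843 arp who-has 55.55.67.190 tell 55.55.12.11
00:37:05.022357 00:19:2f:ff:b0:19 > 01:00:0c:cc:cc:cc snap ui/C len=35
00:37:05.894223 CDPv2, ttl: 180s, Device-ID 'TARMAINSW-01', length 361
00:37:08.092955 00:19:2f:ff:b0:19 > 00:19:2f:ff:b0:19, ethertype Loopback (0x9000), length 60:
0x0000: 0000 0100 0000 0000 0000 0000 0000 0000 ................
"""
# Constructed: the same capture plus the unicast IP a working SPAN adds.
WITH_UNICAST = LAYER2_ONLY + """\
00:37:12.000101 IP 55.55.12.50.51512 > 55.55.12.11.80: S 1000:1000(0) win 5840
00:37:12.000402 IP 55.55.12.11.80 > 55.55.12.50.51512: S 2000:2000(0) ack 1001 win 5792
"""

TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
KINDS = [  # first match wins
    ("stp", re.compile(r" 802\.1d ")),
    ("arp", re.compile(r" arp ")),
    ("cdp", re.compile(r" CDPv\d")),
    ("loopback", re.compile(r"ethertype Loopback")),
    ("snap", re.compile(r" snap ")),
    ("ip", re.compile(r" IP6? ")),
]

def classify(line):
    """Frame kind of one line; None for hex-dump/continuation lines."""
    if not TIMESTAMP.match(line):
        return None
    for kind, rx in KINDS:
        if rx.search(line):
            return kind
    return "other"

def summarize(capture):
    """Frames per kind in a packet display capture."""
    return Counter(k for k in map(classify, capture.splitlines()) if k)

def sees_monitored_traffic(counts):
    """Layer-2 chatter alone means no SPAN feed; unicast IP means there is one."""
    return counts.get("ip", 0) > 0

def syn_only(tcp_flags_byte):
    """The thread's BPF test 'tcp[13] & 0x3f = 0x02': mask the six classic flags
    so the ECN bits (0x40, 0x80) cannot spoil the match, then require exactly SYN."""
    return (tcp_flags_byte & 0x3f) == 0x02
```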

tareqrebhi Thu, 08/02/2007 - 08:43

Dear,

I did the expression I got from you and there is no output; the output is just for ARP.... Thank you.

mhellman Thu, 08/02/2007 - 09:04

You can't just plug the sensor monitoring interface into a switch and expect it to work... you know that, right? How are you getting traffic to the sensor (i.e. hub, SPAN port, VACL, etc.)?

tareqrebhi Sat, 08/04/2007 - 07:01

Hi Matthew,

Yes, I just plugged the sensor into a switch port..... Do you mean I need to configure the switch to work fine with the IPS?

tareqrebhi Thu, 08/02/2007 - 02:08

Hi...

I tried to find Nessus and Metasploit but I couldn't find them, as I always have the anti-virus for them... Can you give me the links to find them?

Thanks.......

dpatkins Thu, 08/02/2007 - 08:06

Can you turn on ICMP signatures? I think in the old IDS they used to be in the 2000 range. Turn on Echo Request and Echo Reply, and then ping something inside from outside. That should trigger an event. Then you can just shut it off, unless you planned on checking for ICMP.

Hope this helps.

Dwane

tareqrebhi Sun, 08/12/2007 - 08:39

Dear,

When I use the commands:

monitor session 1 source interface Fa0/1 - 23

monitor session 1 destination interface Fa0/24

I lose the connection with the IPS... What is the problem?

mhellman Sun, 08/12/2007 - 16:18

It sounds to me like you have the management interface on the sensor plugged into port 24 on the switch. Don't do that. There are at least two interfaces on the sensor, and sometimes more depending on model. The management interface is for managing the sensor only...no monitoring. You will always have at least 2 interfaces in use on the sensor, the management interface and the monitoring interface.

tareqrebhi Mon, 08/13/2007 - 07:24

OK.. thank you for the help,

but:

do you mean:

1. The commands at the switch are right?

monitor session 1 source interface Fa0/1 - 23

monitor session 1 destination interface Fa0/24

Or not? Please let me know any changes.

2. Do you mean I should use 2 of the IPS's sniffing interfaces (GE0, GE1...), GE0 for sniffing and GE1 for monitoring..... The monitoring interface will not share in the monitoring process?

3. I still need your recommendations about my IPS; if you have free time I will be thankful.

Thank you...

cmarsteller Fri, 08/17/2007 - 11:41

I would recommend using an exploit utility to determine if the system is actively blocking/alerting. I have used Metasploit in the past using the RealVNC buffer overflow to inject a payload, and the IDSM-2 has stopped it. You verify that it was stopped in the IDSM's logs or, if running MARS, it will show it as a green event. If you need help let me know.
