nm-cids and packet flow

Unanswered Question
Dec 4th, 2007


I have some questions regarding the ids module. A router is connected to the internet and is using the software firewall. There is also a NM-CIDS in the router.

1) What is the sequence when a packet arrives from the internet?

Is it internet -> firewall -> ids?

2) Does the command "ids-service module monitoring" imply that traffic is sent to the IDS inbound and outbound?

3) The event viewer in the IDM shows a lot of events. Does it mean that the firewall is not dropping the packets? Is the IDM the only place to monitor the events or can they be sent to a syslog server?

4) In case there is an event, what can the module do to block the attack since it is not in line?

Thank you,

Best regards,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jbayuka Wed, 12/12/2007 - 06:59

That depends on how you configured the IDS/IPS to work on. If it is promicious mode means, internet --> firewall (a copy of packet is sent to IDS for scanning of vulnerability in it) or if it is inline mode, internet --> IPS --> firewall, packet scanned by IPS will be send it to firewall for further processing.

marcabal Wed, 12/12/2007 - 12:03

1) If there is no encryption then the packet is copied to the NM-CIDS after all router features (including firewall as well as NAT/PAT) have been done. I am about 90% sure on this. There is the possibility of a few features being done after the copy that I may not know about.

If NAT has been done then the packet itself will have the translated ips, however, the packet has an additional headers that tells the NM-CIDS wha the untranslated IPs are, and the analysis and alerting is done with the untranslated ips from the additional header.

When there is encryption involved, then incoming decryption is done with all other router features before copying to the NM-CIDS. But the outgoing encryption is the one feature done on the packet After it is copied to the NM-CIDS. This way the NM-CIDS always gets copies of unencrypted packets.

2) The command on an interface implies that all traffic coming in as well as traffic going out will be copied to the Nm-CIDS.

3) If IDM shows alerts, then I am pretty sure this means that they are making it through the firewall features (not being dropped) and making it to the other network.

I recommend using IEV for monitoring the alerts if you have a small number of sensors.

If you have a large number of sensors then I would recommend CS-MARS for monitoring.

IEV files:


NOTE: There is not a User Guide specifically for the latest version. To get a basic understanding look at the User Guide for the older version 4.x IEV:


NOTE: Syslog is not supported for IPS events.

4) The NM-CIDS does support the Blocking feature. With the Blocking features the NM-CIDS is able to telnet back into the router and create an ACL. The ACL can then deny the IP Address of the attacker.

It can not deny the actual packet that triggered the signature, but the ACL can deny additional packets coming from that attacker/source address.

To read more on the Blocking feature:



This Discussion