Tuning of IDS

Answered Question
Jul 14th, 2008
User Badges:

Hi All,

I need some suggestion from all the forum experts,

I am configuring the 2 sensors (4215):

external sensor -- deployed before the firewall of my network.

internal sensor -- deployed after the firewall

My problem is:

1)what are all the signature (Most probable),i need to tune or consider for tuning w.r.t external or internal sensor.

2)The 2 sensor are in promiscus mode,if i bring them into inline --what parameteres to be considered to avoid network outage.

3)I had tuned some of the signature but i am not seeing the alerts in IEV.where shall i look into troubleshoot.

4)From 5.1(8)E2 image to 6.1E2 does 4215 support.

5)Does IME Support IDS.

6)After upgradation does the newly updated signatures was enabled automatically or we have to enable them manually.

Could somebody ,please suggest me for the above points.

Thanks in advance,


Correct Answer by Farrukh Haroon about 9 years 1 week ago

IME does not support IDS (4.x and earlier code). It is a replacement (with enhancements) for the old IEV.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.3 (3 ratings)
rhermes Tue, 07/15/2008 - 08:04
User Badges:
  • Gold, 750 points or more

1) You'll have to figure which signatures you want to see events for based on event analysis. Your goal is to eliminate false positives so you can concentrate on real, actionable events.

2) Putting two 4215 sensors inline will certainly be a contributing factor to network outages. If you MUST put and IPS inline use the one inside the firewall.

3) Tuneing signatures can mean a lot of different things, disabling it (it doesn;t report), retireing it (removes it from processing, a CPU saver) or reducing the severity (this one will still let you see the event).

4) The 4215 does NOT support 6.1, the highest you can go is 6.0, but there have been plenty of memory issues on the 4215 with 6.0, so you might be better with 5.x

5)Not sure

6)Upgrades should perserve your previous signature settings.

Correct Answer
Farrukh Haroon Tue, 07/15/2008 - 08:52
User Badges:
  • Red, 2250 points or more

IME does not support IDS (4.x and earlier code). It is a replacement (with enhancements) for the old IEV.



navin_rk3 Wed, 07/16/2008 - 18:33
User Badges:


I appreciate your response.

So,IME will not support IDS 5.1 image.

What are the things i should consider or look after,when IDS is not throwing alerts.

when i upgrade my service pack,the newly added signatures will automatically enabled or not.

Could somebody clarify my above points.



Farrukh Haroon Thu, 07/17/2008 - 01:34
User Badges:
  • Red, 2250 points or more

Do the following:

1) If you are using SPAN, check the SPAN configuration. If possible, connect a laptop running a packet sniffer on IDS/IPS port to see if packets are really making through.

2) IEV by default does not display 'Informational' alerts, hope you have enabled that.

3) Check the 'show statistics ...' (virtual-sensor) command on the CLI to make sure packets are reaching the IPS.

Some signatures are enabled by default, some are disabled. To test you can enable Sig 2004 (ICMP...)



navin_rk3 Thu, 07/17/2008 - 09:55
User Badges:

Thanks a lot Farrukh for your valuable input.

I did checked the SPAN by ethreal,yes SPAN is working.

IEV displaying the informational alerts.

I had configured sig 2004,yes i am getting alerts.

Could you please suggest more sig for testing purpose.

And my second request is what are all the sig must or minimum sig should be enabled for external or internally placed sensor.

Is it IDS 4215,can withold the through put of 79 Mbps.

Thank u


rhermes Thu, 07/17/2008 - 12:02
User Badges:
  • Gold, 750 points or more

I wouldn't bet on your 4215 running anywhere NEAR 79 Mb/s without missing packets. In real live networks we see the appliance sensors typically perform at about 1/3 of Cisco's rated capicity before missing packets and running the CPU to 100%.

Farrukh Haroon Fri, 07/18/2008 - 04:33
User Badges:
  • Red, 2250 points or more

80 mbps should be no problem.

The signatures you enable/disable depends on your security policy. These security devices just serve to 'enforce' that policy. I'm sorry for such a vague answer, but this is how it goes.




This Discussion