07-14-2008 09:40 PM - edited 03-10-2019 04:11 AM
Hi All,
I need some suggestions from all the forum experts.
I am configuring 2 sensors (4215):
external sensor -- deployed before the firewall of my network.
internal sensor -- deployed after the firewall.
My problem is:
1) What are all the signatures (most probable) I need to tune or consider for tuning w.r.t. the external or internal sensor?
2) The 2 sensors are in promiscuous mode; if I bring them inline, what parameters need to be considered to avoid a network outage?
3) I had tuned some of the signatures but I am not seeing the alerts in IEV. Where shall I look to troubleshoot?
4) Does the 4215 support going from the 5.1(8)E2 image to 6.1E2?
5) Does IME support IDS?
6) After the upgrade, are the newly updated signatures enabled automatically or do we have to enable them manually?
Could somebody please advise me on the above points.
Thanks in advance,
Navin
07-15-2008 08:52 AM
IME does not support IDS (4.x and earlier code). It is a replacement (with enhancements) for the old IEV.
Regards
Farrukh
07-15-2008 08:04 AM
1) You'll have to figure out which signatures you want to see events for based on event analysis. Your goal is to eliminate false positives so you can concentrate on real, actionable events.
2) Putting two 4215 sensors inline will certainly be a contributing factor to network outages. If you MUST put an IPS inline, use the one inside the firewall.
3) Tuning signatures can mean a lot of different things: disabling it (it doesn't report), retiring it (removes it from processing, a CPU saver) or reducing the severity (this one will still let you see the event).
4) The 4215 does NOT support 6.1; the highest you can go is 6.0, but there have been plenty of memory issues on the 4215 with 6.0, so you might be better off with 5.x.
5) Not sure.
6) Upgrades should preserve your previous signature settings.
07-16-2008 06:33 PM
Hi,
I appreciate your response.
So, IME will not support the IDS 5.1 image.
What are the things I should consider or look at when the IDS is not throwing alerts?
When I upgrade my service pack, will the newly added signatures be enabled automatically or not?
Could somebody clarify my above points?
Thanks,
Navin
07-17-2008 01:34 AM
Do the following:
1) If you are using SPAN, check the SPAN configuration. If possible, connect a laptop running a packet sniffer to the IDS/IPS port to see if packets are really making it through.
2) IEV by default does not display 'Informational' alerts, hope you have enabled that.
3) Check the 'show statistics ...' (virtual-sensor) command on the CLI to make sure packets are reaching the IPS.
Some signatures are enabled by default, some are disabled. To test you can enable Sig 2004 (ICMP...)
Regards
Farrukh
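The check in step 1 above is to confirm that the traffic which should trigger the test signature actually reaches the sensor port. As an added illustration (not code from the thread or from Cisco), the small Ethernet/IPv4/ICMP parser below counts ICMP echo requests (the traffic sig 2004 alerts on) in a set of frames; the frames are constructed inline so it runs offline, and with a real sniffer you would feed it the raw frames captured on the SPAN destination port instead.

```python
import struct

# Constructed sample frames (not captured from any network): an ICMP echo
# request, an ICMP echo reply and a TCP SYN, each as a raw Ethernet/IPv4 frame.
def _eth(ethertype=0x0800):
    # Ethernet II header: dst MAC, src MAC, ethertype (0x0800 = IPv4)
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype)

def _ipv4(payload, proto, src="10.0.0.1", dst="10.0.0.2"):
    # Minimal 20-byte IPv4 header (version 4, IHL 5); checksum left at zero
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def _icmp(icmp_type):
    # ICMP header: type, code, checksum, identifier, sequence, then a short payload
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"ping"

SAMPLE_FRAMES = [
    _eth() + _ipv4(_icmp(8), 1),                             # echo request: what sig 2004 fires on
    _eth() + _ipv4(_icmp(0), 1, "10.0.0.2", "10.0.0.1"),     # echo reply
    _eth() + _ipv4(struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, 0x02, 0, 0, 0), 6),  # TCP SYN
]

def classify_frame(frame):
    """Return (ip_proto, src, dst, icmp_type) for an Ethernet/IPv4 frame, or None if not IPv4."""
    if len(frame) < 34:                      # 14-byte Ethernet + 20-byte IPv4 minimum
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes (options included)
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    icmp_type = None
    if proto == 1 and len(ip) > ihl:         # ICMP: first byte after the IP header is the type
        icmp_type = ip[ihl]
    return proto, src, dst, icmp_type

def count_echo_requests(frames):
    """Count IPv4 frames seen and how many are ICMP echo requests (type 8)."""
    seen = 0
    echo = 0
    for frame in frames:
        info = classify_frame(frame)
        if info is None:
            continue
        seen += 1
        proto, _src, _dst, icmp_type = info
        if proto == 1 and icmp_type == 8:
            echo += 1
    return {"ipv4_frames": seen, "icmp_echo_requests": echo}

if __name__ == "__main__":
    print(count_echo_requests(SAMPLE_FRAMES))
```

If the sniffer on the SPAN port shows echo requests arriving but the sensor raises no sig 2004 event, the problem is on the sensor side (signature state, event filters, or the IEV view), not the SPAN configuration.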
07-17-2008 09:55 AM
Thanks a lot Farrukh for your valuable input.
I did check the SPAN with Ethereal; yes, SPAN is working.
IEV is displaying the informational alerts.
I had configured sig 2004; yes, I am getting alerts.
Could you please suggest more sigs for testing purposes?
And my second request is: what are the must-have or minimum sigs that should be enabled for an externally or internally placed sensor?
Can the IDS 4215 withstand a throughput of 79 Mbps?
Thank you
Navin
07-17-2008 12:02 PM
I wouldn't bet on your 4215 running anywhere NEAR 79 Mb/s without missing packets. In real live networks we see the appliance sensors typically perform at about 1/3 of Cisco's rated capacity before missing packets and running the CPU to 100%.
07-18-2008 04:33 AM
80 Mbps should be no problem.
The signatures you enable/disable depends on your security policy. These security devices just serve to 'enforce' that policy. I'm sorry for such a vague answer, but this is how it goes.
Regards
Farrukh