IDSM-2, inline and Passive mode in same Module?

Unanswered Question
Mar 13th, 2009

Hi,i have a question that it can be strange.in our network we have implemented idsm-2 module in our 6513 Switch in inline mode.without any discution about network design suppose that our network is going beyond IDSM-2 Throughput and then we want to use IDSM-2 for some traffic in Passive mode insted of inline to reduce drop probability in inline mode.i mean before this state we were using idsm-2 data port 1(in vlan pair mode),now can we use data port 2 for this purpus(capturing some traffic on data port 2 for passive operation)? in other word idsm-2 can operate in this way?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
blackhat2020 Sat, 03/14/2009 - 01:15

i found my answer in idsm-2 document "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." but something else,for doing such thing suppos that i have sig 2004 configured for inline traffic to deny attacker inline then this action doesnt make any sense for some data in passive mode and suppos that for that kind of traffic which idsm-2 is operating in passive mode i want to just send an alert. so can i use deferent VS for doing this? thanks.

marcabal Thu, 03/19/2009 - 14:29

Yes, you can place the inline vlan pairs from data-port 1 into a separate virtual sensor for the promiscuous data-port 2. And have different signature configurations in each of the virtual sensors.


If you keep the data-port 1 inline vlan pairs and the promiscuous data-port 2 in the same virtual sensor, then this will still work OK. Any time a signature fires for promiscuous traffic where a Deny would have happened you will get aline in the alert that says somehting like Deny Requested but Not Performed. This lets you know the signatures was configured for deny (or a deny was added by an overrides), but the deny couldn't be done because it was a Promiscuous packet.


Actions

This Discussion