IDSM-2 disable tcp reset and RiskRating

Unanswered Question
Jan 14th, 2010

Hi all, I have an IDSM-2 and it's not yet in production because I need to set the IDSM-2 to just monitor the connection and not take any action...

The module is in the default signatures configuration and some of the active signatures have the TCP reset option marked.... and some signatures have RiskRating set to 100. It's a problem because the Event action rule will drop the signatures with a risk rating of 100.

Is there any way to have the IDS just in monitoring state?

How can I do it?

The IDSM-2 is in promiscuous mode... and I have about 50 VLANs going through the module with a SPAN configuration.

Thanks in advance.


andrey.dugin Mon, 01/18/2010 - 01:47

Yes, you may use the IDSM-2 in promiscuous mode to monitor a SPAN session. It is the best way in your case because the module will not affect the traffic.

But you can also disable the event action for high-risk-rating signatures. I think it will be useful because you have 50 VLANs and this amount of traffic may cause high CPU load.
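
One way to apply the suggestion above on the sensor CLI, as an added example that is not part of either post. It assumes Cisco IPS 6.x-style syntax and the default event action rules policy `rules0`; the filter name `monitor-only` is hypothetical, and the commands should be checked against the sensor's own software version.

```text
! Added example (assumed Cisco IPS 6.x CLI, default policy rules0).
sensor# configure terminal
sensor(config)# service event-action-rules rules0

! 1. Turn off the override that adds deny-packet-inline
!    to events with a high risk rating.
sensor(config-eve)# overrides deny-packet-inline
sensor(config-eve-ove)# override-item-status Disabled
sensor(config-eve-ove)# exit

! 2. Add a filter that strips reset-tcp-connection from all
!    signatures, leaving produce-alert in place.
!    "monitor-only" is a hypothetical filter name.
sensor(config-eve)# filters insert monitor-only begin
sensor(config-eve-fil)# signature-id-range 900-65535
sensor(config-eve-fil)# actions-to-remove reset-tcp-connection
sensor(config-eve-fil)# filter-item-status Enabled
sensor(config-eve-fil)# exit

! 3. Review the result, then exit and accept the apply prompt.
sensor(config-eve)# show settings
sensor(config-eve)# exit
Apply Changes?[yes]: yes
```

Handling the reset action with a filter keeps the per-signature defaults untouched, so the sensor can be returned to its original behavior later by disabling the filter and re-enabling the override.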

