
IDSM-2 disable tcp reset and RiskRating

fabiossilva
Level 1

Hi all, I have an IDSM-2 and it's not yet in production because I need to set the IDSM-2 to just monitor the connection and not take any action...

The module is in the default signatures configuration and some of the active signatures have the TCP reset option marked.... and some signatures have RiskRating set to 100. It's a problem because the Event action rule will drop the signatures with a risk rating of 100.

Is there any way to have the IDS just in monitoring state?

How can I do it?

The IDSM-2 is in promiscuous mode... and I have about 50 VLANs going through the module with a SPAN configuration.

Thanks in advance.

Fabio

1 Reply

andrey.dugin
Level 1

Yes, you may use IDSM2 in promiscuous mode to monitor a SPAN session. It is the best way in your case because the module will not affect the traffic.

But you can also disable the event-action for high-risk rating signatures. I think it will be useful because you have 50 VLANs and this amount of traffic may cause high CPU load.
