09-06-2010 06:46 AM - edited 03-10-2019 05:07 AM
Hi everyone.
My name is Wan Tae Kim, in Korea.
I have a question about an IDSM problem.
Our customer is using an IDSM in IPS mode.
CPU1 stays at 100%, but we do not know the cause.
It is used in inline mode, but the configuration needs verification.
I would like to receive guidance from many people.
I am asking for advice on the configuration.
IDSM Configuration:
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Enabled
risk-rating-range 90-100
exit
general
global-overrides-status Enabled
exit
exit
! ------------------------------
service host
network-settings
host-ip x.x.x.x/25,x.x.x.x.
host-name R_Core2_IDSM
telnet-option enabled
access-list x.x.x.0/24
access-list x.x.x.0/24
access-list x.x.x.0/24
access-list x.x.x.x/32
exit
time-zone-settings
offset 540
standard-time-zone-name GMT+09:00
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
signatures 2152 0
engine flood-host
rate 100
exit
exit
signatures 5684 2
alert-severity medium
exit
signatures 13003 0
engine traffic-anomaly
event-action produce-alert
exit
exit
signatures 13003 1
engine traffic-anomaly
event-action produce-alert
exit
exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
description default virtual sensor
physical-interface GigabitEthernet0/7
physical-interface GigabitEthernet0/8
exit
Switch configuration:
monitor session 3 source vlan 305
monitor session 3 destination intrusion-detection-module 9 data-port 1
Thank you.
09-08-2010 07:42 AM
Hi Wan Tae Kim,
The 100% CPU utilization is actually expected behavior and should not be cause for concern. To confirm the actual load on the sensor you can use the command:
show stat virt
and check the line "Processing Load Percentage ="
Additionally, you can check the output of:
show int
and verify that the number of "Receive FIFO Overruns" is low/zero, indicating that the sensor is able to keep up with the rate of traffic being sent to it via your SPAN session.
Here are examples of both outputs with the important lines in bold:
sensor# show stat virt
Virtual Sensor Statistics
Statistics for Virtual Sensor vs0
Name of current Signature-Defintion instance = sig0
Name of current Event-Action-Rules instance = rules0
List of interfaces monitored by this virtual sensor = InterfacePair0 subinterface 0,GigabitEthernet0/3 subinterface 0
General Statistics for this Virtual Sensor
Number of seconds since a reset of the statistics = 1627117
MemoryAlloPercent = 31
MemoryUsedPercent = 31
MemoryMaxCapacity = 1800000
MemoryMaxHighUsed = 634880
MemoryCurrentAllo = 566529
MemoryCurrentUsed = 561597
Processing Load Percentage = 1
Total packets processed since reset = 7875642
Total IP packets processed since reset = 3782287
Total IPv4 packets processed since reset = 3755319
Total IPv6 packets processed since reset = 26968
Total IPv6 AH packets processed since reset = 0
Total IPv6 ESP packets processed since reset = 0
Total IPv6 Fragment packets processed since reset = 0
Total IPv6 Routing Header packets processed since reset = 0
Total IPv6 ICMP packets processed since reset = 94
Total packets that were not IP processed since reset = 4093355
Total TCP packets processed since reset = 204508
Total UDP packets processed since reset = 2252490
Total ICMP packets processed since reset = 14688
Total packets that were not TCP, UDP, or ICMP processed since reset = 1310601
Total ARP packets processed since reset = 2923053
Total ISL encapsulated packets processed since reset = 0
Total 802.1q encapsulated packets processed since reset = 0
Total packets with bad IP checksums processed since reset = 0
Total packets with bad layer 4 checksums processed since reset = 268
Total number of bytes processed since reset = 1029553988
The rate of packets per second since reset = 4
The rate of bytes per second since reset = 632
The average bytes per packet since reset = 130
Denied Address Information
Number of Active Denied Attackers = 0
Number of Denied Attackers Inserted = 0
Number of Denied Attacker Victim Pairs Inserted = 0
Number of Denied Attacker Service Pairs Inserted = 0
Number of Denied Attackers Total Hits = 0
Number of times max-denied-attackers limited creation of new entry = 0
Number of exec Clear commands during uptime = 0
Denied Attackers and hit count for each.
Denied Attackers with percent denied and hit count for each.
sensor# show int
Interface Statistics
Total Packets Received = 29934896
Total Bytes Received = 4010927826
Missed Packet Percentage = 0
Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/0
Interface function = Sensing interface
Description = Connected to Attacker Switch
Media Type = TX
Default Vlan = 0
Inline Mode = Paired with interface GigabitEthernet0/1
Pair Status = Up
Hardware Bypass Capable = No
Hardware Bypass Paired = N/A
Link Status = Up
Admin Enabled Status = Enabled
Link Speed = Auto_100
Link Duplex = Auto_Full
Missed Packet Percentage = 0
Total Packets Received = 4095925
Total Bytes Received = 298897396
Total Multicast Packets Received = 3431616
Total Broadcast Packets Received = 0
Total Jumbo Packets Received = 0
Total Undersize Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 664379
Total Bytes Transmitted = 42520256
Total Multicast Packets Transmitted = 0
Total Broadcast Packets Transmitted = 0
Total Jumbo Packets Transmitted = 0
Total Undersize Packets Transmitted = 0
Total Transmit Errors = 0
Best Regards,
Justin
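A small check script, added here as an example and not part of either post, that pulls the two indicators Justin points at (Processing Load Percentage from "show stat virt", Receive FIFO Overruns and Missed Packet Percentage from "show int") out of pasted sensor output and reports whether the sensor is keeping up. The sample outputs are constructed abbreviations of the ones quoted above, with a non-zero overrun count on a second interface added to show a failing case; the 80% load threshold is an assumption.

```python
import re

# Constructed sample: abbreviated copies of the two outputs quoted in the reply above,
# plus a second interface with overruns so the failing case is visible.
SHOW_STAT_VIRT = """\
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Processing Load Percentage = 1
      Total packets processed since reset = 7875642
      The rate of packets per second since reset = 4
"""

SHOW_INT = """\
Interface Statistics
   Total Packets Received = 29934896
   Missed Packet Percentage = 0
   Current Bypass Mode = Auto_off
   MAC statistics from interface GigabitEthernet0/0
      Inline Mode = Paired with interface GigabitEthernet0/1
      Total Receive Errors = 0
      Total Receive FIFO Overruns = 0
   MAC statistics from interface GigabitEthernet0/1
      Total Receive Errors = 0
      Total Receive FIFO Overruns = 312
"""

def _value(text, key):
    """Return the integer after 'key = ' on its own line, or None if absent."""
    m = re.search(r"^\s*" + re.escape(key) + r"\s*=\s*(-?\d+)\s*$", text, re.M)
    return int(m.group(1)) if m else None

def parse_show_int(text):
    """Global missed-packet percentage plus per-interface overrun/error counters."""
    result = {"missed_packet_pct": _value(text, "Missed Packet Percentage"), "interfaces": {}}
    # Split on each per-interface header; chunk 0 is the global section.
    chunks = re.split(r"^\s*MAC statistics from interface (\S+)\s*$", text, flags=re.M)
    for i in range(1, len(chunks), 2):
        name, body = chunks[i], chunks[i + 1]
        result["interfaces"][name] = {
            "fifo_overruns": _value(body, "Total Receive FIFO Overruns") or 0,
            "receive_errors": _value(body, "Total Receive Errors") or 0,
        }
    return result

def assess(stat_virt_text, show_int_text, load_threshold=80):
    """Return a list of findings; an empty list means the sensor is keeping up."""
    findings = []
    load = _value(stat_virt_text, "Processing Load Percentage")
    if load is None:
        findings.append("Processing Load Percentage not found in 'show stat virt'")
    elif load >= load_threshold:  # assumed threshold, not a Cisco-documented value
        findings.append(f"processing load {load}% >= {load_threshold}%")
    info = parse_show_int(show_int_text)
    if info["missed_packet_pct"]:
        findings.append(f"missed packet percentage = {info['missed_packet_pct']}")
    for name, st in info["interfaces"].items():
        if st["fifo_overruns"]:
            findings.append(f"{name}: {st['fifo_overruns']} receive FIFO overruns (sensor not keeping up)")
    return findings
```

Paste the real "show stat virt" and "show int" output in place of the constructed samples; a raw CPU figure from the switch is not used at all, which is the point of the reply.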