Re: IDS-4210 picks up what IPS-4240 misses, strange duplex/inter

rungemach · ‎01-05-2006

I just installed a IPS-4240 inline on our primary internet inbound connection. I decided to leave the 4210 in place for a week or two while I tuned the signatures. It is receiving a span of the same traffic that the 4240 is receiving.

I noticed today that the 4210 is picking up sig 3250 and the 4240 is no. The first thing I checked to make sure that the 4240 has this signature enabled, and it is. Anyone have any thoughts? BTW, All sensors are on the same version 5.1.1 and running s211 and managed through VMS.

I would also like to mention that I had issues on the 4240 and its interfaces. Management only runs at half duplex and the interfaces that connect to our PIX. I ended up having to put a switch between the 4240 and the Pix 515e to solve the duplex issues.

Anyone have any thoughts on this part

mleviton · ‎01-06-2006

I had the same duplex problem with my 4240 sensor connecting to my PIX. The only way I could get it to work without errors is to set both the sensor and the PIX interfaces to auto/auto. I worked with Cisco on this problem. No resolution, just the workaround. As far as sig 3250, IPS and IDS signatures may be a little different. I assume you span from the inside and run your in-line outside your firewall? If this is the case, then the 4240 sensor may see different traffic than the 4210.

rungemach · ‎01-06-2006

The 4210 is still outside the firewall and being fed by a span of the same traffic as the 4240. I just hadn't had the opportunity to move it to its new location inside the firewall. I just thought it was strange, sometimes things are only seen when they go into production.

As far as the duple issue, I am glad I am not crazy I was really beginning to think it was me. Thanks for the feedback.

IDS-4210 picks up what IPS-4240 misses, strange duplex/interface problems