I have a WS-SVC-IDSM-2 that I have been tasked to set up. Currently the focus is around our pair of ASAs that are used for internet access, but the scope could increase. I am getting some conflicting information on how to set up the packet capture to the IDS module. I am leaning towards VACLs, but I keep wondering: if I do that, will I miss traffic somewhere? As an example, if I set up the VACL to capture TCP ports 80, 443, and 25, I am afraid I may miss some type of traffic on that VLAN. How do I determine what traffic I should send to the IDS module?
In addition to Panos' recommendations on methods for determining traffic to inspect with the IDSM-2, also keep in mind that the IDSM-2 is rated to inspect ~500 Mbps of traffic. If the traffic you will be sending to the IDSM-2 exceeds that amount, it will most likely not be inspected.
Given that you mention having ASAs in your environment, have you considered deploying Cisco's AIP-SSM within the ASA? There are multiple models for different traffic requirements, and they can inspect traffic that is flowing through the ASA. You can find out more about the AIP-SSM here:
When using a VACL to capture traffic on a 6500 I want to capture several types of traffic on my internal LAN. I have the VACL to do this. I also want to make sure I capture everything destined for and sourced from my ASA. Can I use a MAC ACL to capture the traffic? If I capture the traffic with a MAC ACL and apply that to the VACL will the IPS device process it?
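As an added illustration for the VACL questions above (this is constructed example configuration, not any poster's own), a Catalyst 6500 IOS VACL that captures the three listed TCP ports to the IDSM-2 data port; the slot number, VLAN number and ACL/access-map names are assumed placeholders. Only traffic matched by an entry whose action includes `capture` is copied to the module, so a VLAN's remaining IP traffic is forwarded but never inspected unless a catch-all capture entry is added, which in turn has to fit within the module's ~500 Mbps rating.

```cisco
! Constructed example: IDSM-2 in slot 5, monitored VLAN 10 (placeholders)
ip access-list extended IDS-SELECTED
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 25
!
ip access-list extended IDS-REST
 permit ip any any
!
! Sequence 10: selected ports are forwarded AND copied to the capture port
vlan access-map IDS-CAPTURE 10
 match ip address IDS-SELECTED
 action forward capture
!
! Sequence 20: everything else is forwarded only (NOT inspected).
! Change this to "action forward capture" to send the whole VLAN,
! then check the resulting load against the ~500 Mbps rating.
vlan access-map IDS-CAPTURE 20
 match ip address IDS-REST
 action forward
!
vlan filter IDS-CAPTURE vlan-list 10
!
! Bind the captured VLAN to the IDSM-2 data port
intrusion-detection module 5 data-port 1 capture allowed-vlan 10
```

Whether traffic reaches the module can be confirmed from the sensor side by watching the monitoring interface packet counters rather than by trusting the VACL alone.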
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...