
New Member

IDS traffic

Hi!

In one hour the IDS generates 95 MB of HTTPS traffic to my IP!! (I have Cisco Event Viewer installed.) Is it normal even if Event Viewer isn't working? What is the reason?

I have another question: is there the possibility of excluding an IP address (a target address) from the RESET, even if the rule is matched?

Thanks in advance

Francesco

6 REPLIES
Cisco Employee

Re: IDS traffic

Can't really say for sure if 95 MB is reasonable for your situation. It would depend on how many signatures you have enabled and alarming and the type of alarms you have generated.

For the second part, look for "Never Shun" settings.

Scott

New Member

Re: IDS traffic

Do you mean the "Never Block Addresses"?

I have tried this setting but it's only to exclude an IP from the shun connection or shun host action.

Francesco

Cisco Employee

Re: IDS traffic

Indeed, I was thinking Never Block...and you're right, that won't do what you want.

Cisco Employee

Re: IDS traffic

As for removing the RESET.

The answer is somewhat dependent on software version.

In version 4.x sensors the filtering system would only allow filtering of all actions. This included generation of TCP Resets and producing the actual alert. So in 4.x you could filter the event, but it would prevent the alert creation as well as the TCP resets (as well as any other action configured).

In version 5.x sensors the filtering system is more advanced and does allow the filtering of separate actions on an event. So a filter can be created to remove just the TCP Reset action and still leave the produce alert action. So the alert will still be generated, without sending the TCP resets to shut down the connection.
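
To make the 4.x versus 5.x difference concrete, here is an added example (not from this thread and not Cisco's own configuration syntax) that models both filter behaviours in Python. The filter matches on a signature range and a victim address range, which is what the original question asks for (exclude one target address from the reset); the field names, the filter shape and the sample alerts are all constructed assumptions for illustration.

```python
# Added example: a model of event action filtering on a 4.x sensor versus a
# 5.x sensor. Not Cisco code; field names and the filter shape are assumptions.
import ipaddress
from dataclasses import dataclass, field

DEFAULT_ACTIONS = {"produce-alert", "reset-tcp-connection"}


@dataclass
class Alert:
    """One firing of a signature, with the actions the signature would take."""
    sig_id: int
    attacker: str
    victim: str
    actions: set = field(default_factory=lambda: set(DEFAULT_ACTIONS))


@dataclass
class ActionFilter:
    """A filter keyed on signature id and victim (target) address range."""
    victim_range: str          # constructed, e.g. "10.0.0.0/24"
    sig_ids: range             # signature ids the filter applies to
    actions_to_remove: set     # only meaningful with 5.x semantics

    def matches(self, alert: Alert) -> bool:
        in_sig = alert.sig_id in self.sig_ids
        in_net = ipaddress.ip_address(alert.victim) in ipaddress.ip_network(self.victim_range)
        return in_sig and in_net


def apply_filter_v4(alert: Alert, flt: ActionFilter) -> list:
    """4.x semantics: a matching filter suppresses every action, the alert included."""
    if flt.matches(alert):
        return []
    return sorted(alert.actions)


def apply_filter_v5(alert: Alert, flt: ActionFilter) -> list:
    """5.x semantics: only the listed actions are removed; the others still fire."""
    if flt.matches(alert):
        return sorted(alert.actions - flt.actions_to_remove)
    return sorted(alert.actions)


# Constructed sample data: a server we never want reset, and a filter that
# strips only the reset action for it across a signature range.
PROTECTED_SERVER = "10.0.0.5"
NO_RESET_FILTER = ActionFilter(
    victim_range="10.0.0.0/24",
    sig_ids=range(1000, 3000),
    actions_to_remove={"reset-tcp-connection"},
)


def demo():
    hit = Alert(sig_id=2000, attacker="203.0.113.7", victim=PROTECTED_SERVER)
    miss = Alert(sig_id=2000, attacker="203.0.113.7", victim="192.0.2.9")
    return {
        "v4_protected": apply_filter_v4(hit, NO_RESET_FILTER),   # nothing, alert lost too
        "v5_protected": apply_filter_v5(hit, NO_RESET_FILTER),   # alert kept, no reset
        "v4_other": apply_filter_v4(miss, NO_RESET_FILTER),      # unaffected
        "v5_other": apply_filter_v5(miss, NO_RESET_FILTER),      # unaffected
    }


if __name__ == "__main__":
    for name, actions in demo().items():
        print(f"{name}: {actions}")
```

The point the model makes is the one in the reply above: under 4.x semantics the only way to stop the reset for the protected host is to silence the event entirely, so visibility is lost along with the reset; under 5.x semantics the alert still reaches the event store while only the reset is dropped.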

New Member

Re: IDS traffic

What is the sensor version? Regarding IEV not working, were you not getting any alerts in Cisco IDS Event Viewer? In the CLI, did you see alerts coming in when you did "show events"? If so, make sure the sensor has been added to IEV's device list. Also make sure the IEV host can connect to the sensor successfully. You can verify the connection by double-clicking that sensor device name in IEV and seeing if IDM can be successfully launched in the browser.

New Member

Re: IDS traffic

My software version is 4.x on an IDS 4235.

How can I update to 5.x version?

Regarding IEV, all is ok! In my previous post I meant "not running" instead of "not working", I'm sorry. Is it normal to have traffic even if IEV isn't running and my PC is not connected to the IDS?

Francesco
