11-14-2005 12:45 AM - edited 03-10-2019 01:45 AM
Hi!
In one hour the IDS generates 95 MB of HTTPS traffic to my IP!! (I have Cisco Event Viewer installed.) Is it normal even if Event Viewer isn't working? What is the reason?
I have another question: is there a way to exclude an IP address (a target address) from the RESET, even if the rule is matched?
Thanks in advance
Francesco
11-14-2005 07:47 AM
Can't really say for sure if 95 MB is reasonable for your situation. It would depend on how many signatures you have enabled and alarming, and the type of alarms you have generated.
For the second part, look for "Never Shun" settings.
Scott
11-14-2005 09:00 AM
Do you mean the "Never Block Addresses"?
I have tried this setting, but it only excludes an IP from the shun connection or shun host actions.
Francesco
11-14-2005 11:49 AM
Indeed, I was thinking Never Block...and you're right, that won't do what you want.
11-14-2005 02:03 PM
As for removing the RESET.
The answer is somewhat dependent on the software version.
In version 4.x sensors the filtering system would only allow filtering of all actions. This included generation of TCP Resets and producing the actual alert. So in 4.x you could filter the event, but it would prevent the alert creation as well as the TCP Resets (as well as any other action configured).
In version 5.x sensors the filtering system is more advanced and does allow the filtering of separate actions on an event. So a filter can be created to remove just the TCP Reset action and still leave the produce-alert action. So the alert will still be generated, without sending the TCP Resets to shut down the connection.
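The 5.x event action filter described in the reply above, written out as an added example in the IPS 5.x sensor CLI. This is not from the original thread or from Cisco's documentation: the filter name NoResetForHost, the signature range 900-65535 and the victim address 10.1.1.5 are placeholders, and the prompts and keywords are reproduced from memory, so check them against your sensor's own CLI reference before relying on them.

```text
! Assumed 5.x CLI session; names and addresses are placeholders
sensor# configure terminal
sensor(config)# service event-action-rules rules0
! Insert a filter at the top of the list so it is evaluated first
sensor(config-rul)# filters insert NoResetForHost begin
! Apply to the whole signature range you care about (placeholder range)
sensor(config-rul-fil)# signature-id-range 900-65535
! Only match when the protected host is the victim (placeholder address)
sensor(config-rul-fil)# victim-address-range 10.1.1.5
! Strip only the reset action; produce-alert is left in place
sensor(config-rul-fil)# actions-to-remove reset-tcp-connection
sensor(config-rul-fil)# filter-item-status enabled
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes:?[yes]: yes
! Verify: alerts for that victim should still appear, with no reset action listed
sensor# show events alert
```

Because the filter is matched on the victim address rather than the attacker address, traffic toward that one host keeps alerting but is no longer reset, while every other host on the sensor keeps the full action set; a filter with an empty actions-to-remove list would not change anything, and one that removed produce-alert would recreate the 4.x behaviour of losing the alert entirely.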
11-14-2005 08:44 PM
What is the sensor version? Regarding IEV not working, were you not getting any alerts in Cisco IDS Event Viewer? In the CLI, did you see alerts coming in when you do "show events"? If so, make sure the sensor has been added to IEV's device list. Also make sure the IEV host can connect to the sensor successfully. You can verify the connection by double-clicking that sensor device name in IEV and seeing if IDM can be successfully launched in the browser.
11-15-2005 01:21 AM
My software version is 4.x on an IDS 4235.
How can I update to the 5.x version?
Regarding IEV, all is OK! In my previous post I meant "not running" instead of "not working"... I'm sorry. Is it normal to have traffic even if IEV isn't running and my PC is not connected to the IDS?
Francesco