IDS traffic

tasksrl7808
Level 1

Hi!

In one hour IDS generates 95 MB of HTTPS traffic to my IP!! (I have Cisco Event Viewer installed). Is it normal even if Event Viewer isn't working? What is the reason?

I have another question: is there the possibility of excluding an IP address (a target address) from the RESET, even if the rule is matched?

Thanks in advance

Francesco

6 Replies

scothrel
Level 3

Can't really say for sure if 95MB is reasonable for your situation. It would depend on how many signatures you have enabled and alarming, and the type of alarms you have generated.

For the second part, look for "Never Shun" settings.

Scott

Do you mean the "Never Block Addresses"?

I have tried this setting but it's only to exclude an IP from the shun connection or shun host action.

Francesco

Indeed, I was thinking Never Block...and you're right, that won't do what you want.

marcabal
Cisco Employee

As for removing the RESET.

The answer is somewhat dependent on software version.

In version 4.x sensors the filtering system would only allow filtering of all actions. This included generation of TCP Resets and producing the actual alert. So in 4.x you could filter the event, but it would prevent the alert creation as well as the TCP resets (as well as any other action configured).

In version 5.x sensors the filtering system is more advanced and does allow the filtering of separate actions on an event. So a filter can be created to remove just the TCP Reset action and still leave the produce alert action. So the alert will still be generated, without sending the TCP resets to shut down the connection.
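A small model of the two filter semantics described in this reply, as an added example (not Cisco code and not the sensor's real configuration syntax): a filter keyed on the victim address either suppresses the whole event (4.x behaviour) or strips only the listed actions and keeps the alert (5.x behaviour). The event fields, action names and sample events are constructed for illustration.

```python
"""Model of how a victim-address filter affects a matched signature's actions.

Added example, not Cisco code. It mirrors the difference described above:
in 4.x a matching filter drops the whole event (no alert, no reset), while
in 5.x a filter can remove just the TCP reset and still produce the alert.
All names, action strings and sample events below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Actions a matched signature would normally fire (constructed names).
DEFAULT_ACTIONS = frozenset({"produce-alert", "reset-tcp-connection"})


@dataclass(frozen=True)
class Event:
    sig_id: int
    attacker: str
    victim: str
    actions: frozenset = field(default_factory=lambda: DEFAULT_ACTIONS)


def apply_filter_4x(events, victim_net):
    """4.x semantics: a matching filter removes the event entirely."""
    net = ip_network(victim_net)
    return [e for e in events if ip_address(e.victim) not in net]


def apply_filter_5x(events, victim_net, actions_to_remove):
    """5.x semantics: a matching filter strips only the listed actions."""
    net = ip_network(victim_net)
    remove = frozenset(actions_to_remove)
    out = []
    for e in events:
        if ip_address(e.victim) in net:
            e = Event(e.sig_id, e.attacker, e.victim, e.actions - remove)
        out.append(e)
    return out


# Constructed sample: two matches, one against the host we want to exempt.
SAMPLE = [
    Event(1001, "203.0.113.5", "192.0.2.10"),   # target we want excluded from RESET
    Event(1001, "203.0.113.6", "192.0.2.20"),   # any other target
]

if __name__ == "__main__":
    print(apply_filter_4x(SAMPLE, "192.0.2.10/32"))
    print(apply_filter_5x(SAMPLE, "192.0.2.10/32", ["reset-tcp-connection"]))
```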

jlin1
Level 1

What is the sensor version? Regarding IEV not working, were you not getting any alerts in Cisco IDS Event Viewer? In the CLI, did you see alerts coming when you do "show events"? If so, make sure the sensor has been added into IEV's device list. Also, the IEV host must be able to connect to the sensor successfully. You can verify the connection by double clicking that sensor device name in IEV and seeing if IDM can be successfully launched in the browser.

My software version is 4.x on an IDS 4235.

How can I update to 5.x version?

Regarding IEV, all is OK! In my previous post I meant "not running" instead of "not working"... I'm sorry. Is it normal to have traffic even if IEV isn't running and my PC is not connected to the IDS?

Francesco
