Cisco Support Community

New Member

Tuning of IDS

Hi All,

I need some suggestion from all the forum experts,

I am configuring 2 sensors (4215):

external sensor -- deployed before the firewall of my network.

internal sensor -- deployed after the firewall

My problem is:

1) What are all the signatures (most probable) I need to tune or consider for tuning w.r.t. the external or internal sensor?

2) The 2 sensors are in promiscuous mode; if I bring them inline, what parameters need to be considered to avoid a network outage?

3) I had tuned some of the signatures, but I am not seeing the alerts in IEV. Where shall I look to troubleshoot?

4) Does the 4215 support going from the 5.1(8)E2 image to 6.1E2?

5) Does IME support IDS?

6) After the upgrade, are the newly updated signatures enabled automatically, or do we have to enable them manually?

Could somebody please advise me on the above points.

Thanks in advance,

Navin

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Tuning of IDS

IME does not support IDS (4.x and earlier code). It is a replacement (with enhancements) for the old IEV.

Regards

Farrukh

7 REPLIES
Gold

Re: Tuning of IDS

1) You'll have to figure which signatures you want to see events for based on event analysis. Your goal is to eliminate false positives so you can concentrate on real, actionable events.

2) Putting two 4215 sensors inline will certainly be a contributing factor to network outages. If you MUST put an IPS inline, use the one inside the firewall.

3) Tuning signatures can mean a lot of different things: disabling it (it doesn't report), retiring it (removes it from processing, a CPU saver) or reducing the severity (this one will still let you see the event).

4) The 4215 does NOT support 6.1; the highest you can go is 6.0, but there have been plenty of memory issues on the 4215 with 6.0, so you might be better off with 5.x.

5) Not sure.

6) Upgrades should preserve your previous signature settings.

New Member

Re: Tuning of IDS

Hi,

I appreciate your response.

So, IME will not support the IDS 5.1 image.

What are the things I should consider or look at when the IDS is not throwing alerts?

When I upgrade my service pack, will the newly added signatures be enabled automatically or not?

Could somebody clarify my above points.

Thanks,

Navin

Re: Tuning of IDS

Do the following:

1) If you are using SPAN, check the SPAN configuration. If possible, connect a laptop running a packet sniffer to the IDS/IPS port to see if packets are really making it through.

2) IEV by default does not display 'Informational' alerts; hope you have enabled that.

3) Check the 'show statistics ...' (virtual-sensor) command on the CLI to make sure packets are reaching the IPS.

Some signatures are enabled by default, some are disabled. To test you can enable Sig 2004 (ICMP...)

Regards

Farrukh
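Step 1 of the checklist above (sniff on the sensor's port to confirm packets really arrive) and the sig 2004 test can be checked from a saved capture. The following is an added example for this thread, not Cisco code or anything posted here. It assumes the laptop on the SPAN port saved the capture in classic libpcap format with an Ethernet link type (what Ethereal/Wireshark or tcpdump write), and that you know the laptop's own MAC address; the sample capture embedded at the bottom is constructed, with made-up MACs and TEST-NET addresses.

```python
"""Sanity-check a capture taken on the IDS/IPS monitoring (SPAN) port.

Reports how many frames were addressed to some other host (those can only
have arrived via port mirroring), which IPv4 sources were seen, and how many
ICMP echo requests (the traffic Cisco signature 2004 fires on) were present.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4          # little-endian libpcap header
PCAP_MAGIC_BE = 0xD4C3B2A1          # same magic read from a big-endian file
DLT_EN10MB = 1                      # Ethernet link type
ETH_IPV4 = 0x0800
IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def iter_frames(data: bytes):
    """Yield raw Ethernet frames from an in-memory libpcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != DLT_EN10MB:
        raise ValueError("expected an Ethernet capture")
    off = 24                        # global header is 24 bytes
    while off + 16 <= len(data):    # each record has a 16-byte header
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def check_span(data: bytes, monitor_mac: bytes) -> dict:
    """Summarise what the monitoring port actually received."""
    stats = {"frames": 0, "mirrored": 0, "icmp_echo": 0,
             "ipv4_sources": set(), "protocols": Counter()}
    for f in iter_frames(data):
        if len(f) < 14:
            continue
        stats["frames"] += 1
        dst, ethertype = f[:6], struct.unpack_from("!H", f, 12)[0]
        # Unicast frames not addressed to this laptop cannot have reached it
        # on a normal access port; seeing them proves SPAN is mirroring.
        if dst != monitor_mac and not (dst[0] & 1):
            stats["mirrored"] += 1
        if ethertype == ETH_IPV4 and len(f) >= 34:
            ihl = (f[14] & 0x0F) * 4   # IPv4 header length in bytes
            proto = f[23]              # protocol field of the IPv4 header
            stats["protocols"][proto] += 1
            stats["ipv4_sources"].add(".".join(str(b) for b in f[26:30]))
            if proto == IP_PROTO_ICMP and len(f) > 14 + ihl \
                    and f[14 + ihl] == ICMP_ECHO_REQUEST:
                stats["icmp_echo"] += 1
    return stats


# --- constructed sample capture (not real traffic) ------------------------
def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _frame(dst_mac, src_mac, src_ip, dst_ip, proto, payload):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, _ip(src_ip), _ip(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + ip_hdr + payload


def _pcap(frames) -> bytes:
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


LAPTOP_MAC = bytes.fromhex("02000000000a")   # made-up sniffer laptop
HOST_A, HOST_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ECHO_REQ = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1) + b"ping"
ECHO_REP = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, 1, 1) + b"ping"
SAMPLE_PCAP = _pcap([
    _frame(HOST_B, HOST_A, "192.0.2.10", "192.0.2.20", IP_PROTO_ICMP, ECHO_REQ),
    _frame(HOST_A, HOST_B, "192.0.2.20", "192.0.2.10", IP_PROTO_ICMP, ECHO_REP),
    _frame(HOST_B, HOST_A, "192.0.2.10", "192.0.2.20", IP_PROTO_TCP, b"\x00" * 20),
    _frame(LAPTOP_MAC, HOST_B, "192.0.2.20", "192.0.2.99", IP_PROTO_TCP, b"\x00" * 20),
])

if __name__ == "__main__":
    s = check_span(SAMPLE_PCAP, LAPTOP_MAC)
    print(f"frames={s['frames']} mirrored={s['mirrored']} "
          f"icmp_echo={s['icmp_echo']} sources={sorted(s['ipv4_sources'])}")
    print("SPAN OK" if s["mirrored"] else "SPAN NOT mirroring: check session config")
```

On a real capture, read the file bytes and call `check_span(data, your_laptop_mac)`; a `mirrored` count of zero while the network is busy points at the SPAN session, not at the sensor's signatures, and a zero `icmp_echo` count while you ping through the monitored segment means the sig 2004 test cannot fire.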

New Member

Re: Tuning of IDS

Thanks a lot Farrukh for your valuable input.

I checked the SPAN with Ethereal; yes, SPAN is working.

IEV is displaying the informational alerts.

I had configured sig 2004; yes, I am getting alerts.

Could you please suggest more sigs for testing purposes.

And my second request is: what are all the sigs that must, or at minimum should, be enabled for an externally or internally placed sensor?

Can the IDS 4215 withstand a throughput of 79 Mbps?

Thank you

Navin

Gold

Re: Tuning of IDS

I wouldn't bet on your 4215 running anywhere NEAR 79 Mb/s without missing packets. In real live networks we see the appliance sensors typically perform at about 1/3 of Cisco's rated capacity before missing packets and running the CPU to 100%.

Re: Tuning of IDS

80 Mbps should be no problem.

The signatures you enable/disable depends on your security policy. These security devices just serve to 'enforce' that policy. I'm sorry for such a vague answer, but this is how it goes.

Regards

Farrukh
