
New Member

Cisco NetRanger Version 2.2.1 Configuration

What is the best way to configure the NetRanger? Is it based on the default configuration or a custom configuration? My current configuration, which uses the default configuration, is giving us a lot of severity level 6 notifications.

And how do I make the IDS very useful to the environment, so that I can detect any attempts on my network?

  • Other Security Subjects
2 REPLIES
Cisco Employee

Re: Cisco NetRanger Version 2.2.1 Configuration

The short answer is you need to tune it. The long answer follows:

NetRanger really needs to be tuned to your network. Out of the box, we default the configuration to a sane setup; however, the setup is pretty open in its interpretation of what's important. This generally results in a very "chatty" sensor... thus the number of Level 5 alarms you're seeing.

The general recommendation is to review the alarms being generated (consult the NSDB entries and other appropriate logs you may have) and, if it is determined that the alarm is a false positive for your network, use one of the tuning parameters (RecordofExcludedXXXX options) to mask the offending (but known good) host or network. In some cases, you can disable signatures entirely if they make no sense in your network (for instance, Microsoft NetBIOS signatures in a Unix/Linux environment).

I also recommend the following TAC article:

http://www.cisco.com/warp/public/707/f_pos.html

Scott

New Member

Re: Cisco NetRanger Version 2.2.1 Configuration

The ideal way of setting up the NetRanger is a customised configuration. As most corporate environments and requirements differ, so do the needs. Using a customised configuration you can set and alter alarm and severity levels to suit your circumstances. Place Sensors in strategic places in your network and use them in conjunction with Access Control Lists (ACLs) on Routers.

You realistically cannot and do not need to detect every inbound/outbound traffic packet, or else you would burn out all your resources.

Select what type of intrusion you can ignore and only deal with the ones with high severity levels (i.e. DoS attacks, Pings of Death and Port Sweeps/Scans).
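As an added illustration of the tuning workflow both replies describe (this is not code from either poster, and it does not use NetRanger's own configuration syntax or log format), here is a small Python dry run: rank alarms by signature to find the chatty ones, then apply per-signature host/network exclusions, whole-signature disables and a minimum severity, and see which alarms would still reach an analyst. The signature numbers, addresses, alarm fields and rule layout are all constructed for the example.

```python
"""Alarm-tuning dry run: apply exclusion rules to a batch of IDS alarms."""
import ipaddress
from collections import Counter

# Constructed sample alarms; the field layout is invented for this example,
# not NetRanger's log format, and the signature numbers are placeholders.
SAMPLE_ALARMS = [
    {"sig": 9001, "level": 5, "src": "10.1.1.5",    "name": "ICMP echo request"},
    {"sig": 9001, "level": 5, "src": "10.1.1.6",    "name": "ICMP echo request"},
    {"sig": 9001, "level": 5, "src": "203.0.113.9", "name": "ICMP echo request"},
    {"sig": 9002, "level": 5, "src": "10.1.1.5",    "name": "TCP host sweep"},
    {"sig": 9003, "level": 3, "src": "10.1.1.20",   "name": "NetBIOS name query"},
    {"sig": 9004, "level": 5, "src": "203.0.113.9", "name": "SYN flood"},
]

# Constructed tuning rules: disable a signature everywhere, or exclude it only
# for a known-good host/network (the "record of excluded" idea from the thread).
DISABLED_SIGS = {9003}                                # NetBIOS noise on a Unix-only segment
EXCLUSIONS = [
    (9001, ipaddress.ip_network("10.1.1.0/24")),      # monitoring hosts ping everything
    (9002, ipaddress.ip_network("10.1.1.5/32")),      # approved internal scanner
]
MIN_LEVEL = 4                                         # only page on high-severity alarms


def noisiest(alarms, top=3):
    """Rank signatures by alarm count so the review starts with the chattiest."""
    return Counter((a["sig"], a["name"]) for a in alarms).most_common(top)


def is_excluded(alarm, exclusions):
    """True if a (signature, source network) exclusion covers this alarm."""
    src = ipaddress.ip_address(alarm["src"])
    return any(alarm["sig"] == sig and src in net for sig, net in exclusions)


def tune(alarms, disabled=DISABLED_SIGS, exclusions=EXCLUSIONS, min_level=MIN_LEVEL):
    """Return the alarms that would still reach an analyst after tuning."""
    return [a for a in alarms
            if a["sig"] not in disabled
            and a["level"] >= min_level
            and not is_excluded(a, exclusions)]


if __name__ == "__main__":
    for (sig, name), n in noisiest(SAMPLE_ALARMS):
        print(f"sig {sig} {name!r}: {n} alarms")   # review these first
    for a in tune(SAMPLE_ALARMS):
        print("KEEP", a)                            # what survives tuning
```

Of the six constructed alarms, only the echo request from the external 203.0.113.9 host and the SYN flood survive; the rest are masked by the network exclusion, the scanner exclusion or the disabled NetBIOS signature.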
