New Member

Does IDS Sensor Drop attack packet?

I have deployed 3 IDS Sensors (4235) in my network. I have some questions that I am in doubt about:

a) Did the IDS sensor drop any packet that it detected as an attack?

b) When I log into the IDS Sensor's web-based administration page, I saw something like "Signature Objects: 1058 -- Deleted: 2644239" under sensing interface statistics. What does this mean?

c) How do I set blocking through router ACL? Any guidelines available on the net?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Does IDS Sensor Drop attack packet?

Hi,

a) The IDS does not drop any packets. On detection of an attack packet (signature), it can initiate the ACTION that has been configured for that signature, e.g. block, reset, log. In case of block or reset, the IDS will configure an ACL on the blocking device so as to stop these packets from the host.

But in all this, the IDS is not dropping any packets. It still keeps looking/sniffing all packets.

b) This means that since the system has been active it has deleted (expired or completed inspection on) 2644239 objects and that there are currently 1058 active signature objects in the database. Doesn't really mean much to you and really helps the development engineers determine relative load on the sensors.

c) What management platform are you using and what is the IDS version?

If you are using VMS for management:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/idsmc11/ug/ch05.htm

If IDM/IEV 4.0, then go to the URL below:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids9/idmiev/swchap3.htm#593299

If IDM/IEV 3.x, then the one below:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid49

Thanks,

yatin
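
The behaviour described in answer (a), as an added example that is not part of the original reply and is not Cisco code: a small Python model of a passive sensor that asks a blocking router to deny a source. The addresses, the `SIG-TEST` marker, the `block_latency` delay and the placement of the sensor behind the router are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ATTACKER, USER = "203.0.113.9", "198.51.100.7"   # constructed documentation addresses

@dataclass
class Router:
    """Blocking device: forwards everything except sources in its deny ACL."""
    deny_acl: set = field(default_factory=set)

    def forward(self, pkt):
        return pkt["src"] not in self.deny_acl

@dataclass
class Sensor:
    """Passive sensor: inspects a copy of each packet and cannot drop it."""
    router: Router
    signatures: dict              # constructed: payload marker -> configured action
    block_latency: int = 1        # assumed: packets that pass while the ACL is pushed
    alerts: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)

    def inspect(self, pkt):
        for marker, action in self.signatures.items():
            if marker in pkt["payload"]:
                self.alerts.append((pkt["src"], marker, action))
                if action == "block":
                    self.pending.setdefault(pkt["src"], self.block_latency)

    def tick(self):
        """Apply ACL updates whose delay has elapsed."""
        for src, wait in list(self.pending.items()):
            if wait == 0:
                self.router.deny_acl.add(src)
                del self.pending[src]
            else:
                self.pending[src] = wait - 1

def simulate(block_latency):
    router = Router()
    sensor = Sensor(router, {"SIG-TEST": "block"}, block_latency)
    traffic = [{"src": USER, "payload": "hello"}] + \
              [{"src": ATTACKER, "payload": "SIG-TEST"}] * 3 + \
              [{"src": USER, "payload": "hello again"}]
    delivered = []
    for pkt in traffic:
        sensor.tick()
        if router.forward(pkt):       # the router, not the sensor, decides delivery
            delivered.append(pkt)
            sensor.inspect(pkt)       # the sensor only sees a copy afterwards
    return delivered, sensor.alerts, router.deny_acl

if __name__ == "__main__":
    for latency in (0, 1):
        delivered, alerts, acl = simulate(latency)
        hits = sum(p["src"] == ATTACKER for p in delivered)
        print(f"latency={latency}: attack packets delivered={hits}, ACL={sorted(acl)}")
```

In both runs the packet that fires the signature has already been delivered; the block only affects later packets from that source, and unrelated traffic keeps flowing.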

2 REPLIES
New Member

Re: Does IDS Sensor Drop attack packet?

Your info is really helpful! Thank you very, very much!