Handful of questions relating to Signatures, IDM, and IEV

I have a couple of questions:

1. If I go into IDM | Configuration | Sensing Engine | Filtered Signatures, and I want to filter out a whole class C network of destination IP addresses, should I just make an entry like: for the whole network, or should I use or some other form?

2. When viewing the alarm information details, it says the SRC and DST are both OUT. I went into IDM | Configuration | Sensing Engine | Internal Networks and defined all of the internal networks a few days ago. I entered the class C networks in the format of: Is it similar to the problem above; do I need a or a subnet mask to get it to correctly identify the internal networks and correctly label the source/destination as in/out?

3. I would like the IDS to capture all the packets in the sequence that triggered a high severity alarm. How do I configure this? Is there an easy way to get IEV to use Ethereal to open the captured packets that correspond to the alert?

4. We use the CiscoWorks user tracking feature, which queries the switches for this information via SNMP every 4 hours. Whenever CiscoWorks does this, it sets off Signature 4502, SNMP Community Name Brute Force Attempt. Any idea why (is it because it contacts the switches within seconds of each other)? I went to IDM | Signature Groups, but the signature is not editable. To get rid of this alarm, should I just go under the IDM Filtered Signatures and filter that signature only when coming from the CiscoWorks server, or is there a better way?

5. Signature 3992: BackOrifice BO2K TCP Stealth 2 seems to sound a lot of alarms when it sees Gnutella-based P2P traffic on ports 6346/tcp and 6347/tcp. Has anyone else noticed this? In general, what is the recommended procedure for tuning the IDS when you notice misclassification? Are you modifying signatures (if so, is there a good reference for doing this) or turning them off? What would you recommend in this case?
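Questions 1 and 2 both turn on whether a network entry carries a mask. The toy classifier below is an added illustration, not the sensor's own code: it assumes that an entry without a mask covers a single host, which is the behaviour the question suspects, and uses constructed addresses from the documentation ranges (192.0.2.0/24 as the "internal" class C, 198.51.100.7 as an outside host).

```python
import ipaddress

# Constructed internal-network table in three forms a user might type into
# IDM | Configuration | Sensing Engine | Internal Networks (assumed, not Cisco's format):
INTERNAL_BARE = ["192.0.2.0"]                   # bare address: a single host (/32)
INTERNAL_CIDR = ["192.0.2.0/24"]                # class C in CIDR form: 256 addresses
INTERNAL_DOTTED = ["192.0.2.0/255.255.255.0"]   # same class C with a dotted subnet mask


def parse_networks(entries):
    """Turn each entry into an ip_network; a bare address becomes a /32 host."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def locate(addr, networks):
    """Return 'IN' if addr falls inside any configured network, else 'OUT'."""
    ip = ipaddress.ip_address(addr)
    return "IN" if any(ip in net for net in networks) else "OUT"


def label_alarm(src, dst, entries):
    """Label an alarm's SRC and DST the way an in/out classifier would."""
    nets = parse_networks(entries)
    return {"src": locate(src, nets), "dst": locate(dst, nets)}


def filter_matches(dst, filter_entry):
    """True if a Filtered Signatures entry (question 1) covers this destination."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network(filter_entry, strict=False)


if __name__ == "__main__":
    # Constructed alarm: outside host 198.51.100.7 hitting inside host 192.0.2.25.
    for table in (INTERNAL_BARE, INTERNAL_CIDR, INTERNAL_DOTTED):
        print(table, label_alarm("198.51.100.7", "192.0.2.25", table))
    # Only the bare entry leaves DST labelled OUT; both mask forms label it IN.
    print(filter_matches("192.0.2.25", "192.0.2.0"))      # False: bare entry is one host
    print(filter_matches("192.0.2.25", "192.0.2.0/24"))   # True: whole class C filtered
```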


Re: Handful of questions relating to Signatures, IDM, and IEV

Here are a couple of links that will help.

1) CSIDS Frequently Asked Questions

2) Cisco Secure IDS - Excluding False Positive Alarms

