Cisco Support Community

New Member

IDS Events

Monitoring my IDS through the IDS Event Viewer doesn't show everything. I turned every possible signature on and am picking up things like DHCP and other information traffic. I'll run port sweeps and DoS and nothing shows up in IDS Event Viewer.

Also, under Configuration>Sensing Engine>Alarm Channel Configuration>System Variables, I'm trying to configure the Out/In/DMZ addresses. Out is a default that cannot be changed. Am I putting the addresses in correctly?

Internal Address is 10.10.10.0/24

DMZ is 172.17.1.0/24

I set it up as follows:

In 10.10.10,1-254

DMZ 172.17.1,1-254

thanks,

biz

2 ACCEPTED SOLUTIONS

Accepted Solutions
New Member

Re: IDS Events

Is your IDS sensor in the same subnet as the device you are port sweeping and DoSing? You will not see ICMP echo replies and most DoS if the sensor is not in the same subnet.

If your sensor worked recently and you made changes to its updates try reinstalling the latest update.

Cisco Employee

Re: IDS Events

Your configuration is incorrect for your Internal Address and DMZ.

Here are some configurations that the sensor should accept:

IP ADDRESS RANGES:

In 10.10.10.1-10.10.10.254

DMZ 172.17.1.1-172.17.1.254

NETMASKS:

In 10.10.10.0/24

DMZ 172.17.1.0/24

PARTIAL DOT NOTATION:

In 10.10.10.

DMZ 172.17.1.

Just to let you know how the sensor was interpreting your configuration:

In 10.10.10,1-254 was being interpreted as:

In 10.10.10.0/24,1.0.0.0-254.0.0.0

10.10.10 can be used as PARTIAL DOT NOTATION for 10.10.10.0/24.

1 when interpreted with partial dot notation would mean 1.0.0.0.

So 1-254 was telling the sensor all of the networks between 1.0.0.0 and 254.0.0.0.

--------------------------

As for not seeing alarms: is your sensor's sniffing interface connected to a switch? If so, have you set up that port on the switch as a SPAN port?
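A small model of the address-list rules the reply above describes, added here as an example (it is not the sensor's own parser and is not from the thread): it expands partial dot notation, address ranges and netmasks the way the answer says the sensor does, and shows why the original "In 10.10.10,1-254" entry quietly covers almost the whole IPv4 space.

```python
import ipaddress


def expand_partial(token):
    """Expand partial dot notation as the reply describes it (assumption:
    modelled on the reply, not on the sensor's code):
    '10.10.10' or '10.10.10.' -> 10.10.10.0/24, '1' -> 1.0.0.0/8,
    a full dotted quad -> a single /32."""
    parts = [p for p in token.strip().strip(".").split(".") if p]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad address token: {token!r}")
    octets = [int(p) for p in parts] + [0] * (4 - len(parts))
    return ipaddress.ip_network(f"{'.'.join(map(str, octets))}/{8 * len(parts)}")


def parse_variable(value):
    """Parse a comma-separated system variable (In/DMZ) into ip_network objects."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if "/" in item:                       # NETMASK form, e.g. 10.10.10.0/24
            nets.append(ipaddress.ip_network(item, strict=False))
        elif "-" in item:                     # RANGE form: each end is expanded first,
            lo, hi = (expand_partial(t)[0] for t in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))   # so '1-254' = 1.0.0.0-254.0.0.0
        else:                                 # PARTIAL DOT form, e.g. 10.10.10.
            nets.append(expand_partial(item))
    return nets


def covers(value, address):
    """True if the variable, as the sensor reads it, contains `address`."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in parse_variable(value))


def address_count(value):
    """Number of addresses the variable covers; the mistaken entry is huge."""
    return sum(net.num_addresses for net in parse_variable(value))


if __name__ == "__main__":
    # Constructed inputs: the poster's entry versus the three forms the reply accepts.
    for v in ("10.10.10,1-254", "10.10.10.1-10.10.10.254", "10.10.10.0/24", "10.10.10."):
        print(f"{v:26} -> {address_count(v):>11} addresses; 200.1.2.3 inside: {covers(v, '200.1.2.3')}")
```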

5 REPLIES

New Member

Re: IDS Events

The IDS Sensor interface is on the same subnet as the one I'm running port scans and DoS. The management interface is on a different subnet.


New Member

Re: IDS Events

Awesome feedback... Span port! Ugh! Can you run span port on a 2900xl? Documentation to it?

thanks,

biz

New Member

Re: IDS Events
