Cisco Support Community
New Member

IDS Testing

Hi,

I have currently deployed an IDS 4230 with CSPM 2.3i. The IDS is monitoring one port of a switch, and the other is connected to a management VLAN.

I have done all the configuration needed for the IDS and CSPM. I am now at the testing stage to finalise and close the project.

Using Retina (a port scanning software) to test the IDS, I tried to use the event viewer (Tools->View Sensor Events->database), but I could not see any intrusion events from this port scanning host.

I have different DMZs on my network. Network A (10.1.1.0/24) is where my port scanning host is. Network B (10.1.2.0/24) is my CSPM, and network C (10.1.3.0/24) is configured as the monitored network at the IDS (Sensor->Properties panel->Internal Network).

Are there any settings that I missed out?

Please advise. If possible, it would be helpful if you can send me a guide on how to test the IDS to ensure that it is working.

Thank you.

4 REPLIES
New Member

Re: IDS Testing

There are several things that could be wrong.

First I would check to make sure the sensor is seeing the traffic you are sending it. The easiest way is to use snoop on the sensor:

(as root) snoop -d spwr0

Run your tool and see if you see the traffic you are sending.

If you are seeing the traffic check the sensor's logs to see if the alarms are firing:

cat /usr/nr/var/log.*

Check for your alarms in that output.

If you see the alarms then you know the problem is in the CSPM/Sensor communication. If you don't see alarms and you know that the sensor is seeing the traffic, then the problem lies with the tool. I'm not familiar with how Retina works so I'd start with something a little more simple.

Issue an HTTP request (you can use your browser) with a /phf? at the end of it. This should trigger an alarm. Use snoop to verify the sensor saw the traffic.

Let me know how this goes.
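As an added illustration of the check order in this reply (not code from the original thread): parse constructed samples of snoop output and sensor alarm lines for the scanning host and report which link of the chain fails first. The alarm-log line format, the host addresses and the sample traffic are assumptions made up for the example.

```python
"""Triage for the sequence above: does the sensor see the traffic (snoop), does it
raise an alarm (sensor log), and only then suspect the Sensor-to-CSPM link.
All sample data below is constructed for illustration."""
import re

# Constructed lines in the style of `snoop -d spwr0` summary output.
SNOOP_SAMPLE = """\
10.1.1.50 -> 10.1.3.10   TCP D=80 S=40122 Syn Seq=1 Len=0 Win=8760
10.1.1.50 -> 10.1.3.10   HTTP C port=40122 GET /cgi-bin/phf? HTTP/1.0
10.1.3.10 -> 10.1.1.50   HTTP R port=40122 HTTP/1.0 404 Not Found
"""

# Constructed alarm lines in a hypothetical format (not the real sensor log layout).
LOG_SAMPLE = """\
ALARM src=10.1.1.50 dst=10.1.3.10 sig=WWW-phf level=4
INFO  daemon started
"""

SNOOP_RE = re.compile(r"^\s*(\S+)\s+->\s+(\S+)\s+(.*)$")
ALARM_RE = re.compile(r"^ALARM\s+src=(\S+)\s+dst=(\S+)\s+sig=(\S+)")


def sensor_saw_traffic(snoop_output, scanner_ip):
    """True if any snoop summary line has the scanning host as its source."""
    for line in snoop_output.splitlines():
        m = SNOOP_RE.match(line)
        if m and m.group(1) == scanner_ip:
            return True
    return False


def alarms_from(log_output, scanner_ip):
    """Signature names of alarms the sensor logged for the scanning host."""
    return [m.group(3) for m in map(ALARM_RE.match, log_output.splitlines())
            if m and m.group(1) == scanner_ip]


def diagnose(snoop_output, log_output, scanner_ip):
    """Name the first stage of the chain that fails, following the reply's logic."""
    if not sensor_saw_traffic(snoop_output, scanner_ip):
        return "sensor not seeing traffic: check the switch port feeding the sniffing interface"
    if not alarms_from(log_output, scanner_ip):
        return "traffic seen but no alarm: the test tool is not triggering signatures"
    return "alarms logged: problem is in Sensor to CSPM communication"


if __name__ == "__main__":
    for log in (LOG_SAMPLE, ""):
        print(diagnose(SNOOP_SAMPLE, log, "10.1.1.50"))
    print(diagnose("", "", "10.1.1.50"))
```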

New Member

Re: IDS Testing

Hi,

Thanks for your prompt reply.

I am able to see traffic by using the snoop command.

I am also able to see the logs... by the way, what do you mean by alarm?

I tried the phf?.... and it really triggered a log in the event viewer.

If we initiate the attack from the protected network of the IDS, will it be detected by the IDS?

Lastly, is it ok if you recommend some tests or the software that we can use to test the IDS? We need to do a User Acceptance Test for the IDS.

Thank you for your assistance.

Regards.

New Member

Re: IDS Testing

Nessus works great to light up an IDS. It's fairly easy to install, free, and is a great tool to have in your inventory.

http://www.nessus.org

New Member

Re: IDS Testing

Nessus is a good tool, but there are some drawbacks when testing an IDS. Cisco IDS, for example, has signatures written in such a way that some test cases won't fire unless they are actually exploits. Nessus' test cases aren't always exploits due to Denial of Service conditions that they could cause.

I'm not trying to bad-mouth Nessus in any way, I'm only trying to highlight a reason why Cisco IDS might not fire on all of Nessus' test cases.

233 Views, 0 Helpful, 4 Replies