
New Member

MC1.1 + IDS4.0 + Security Monitor1.1

Hi,

My environment is a MC for IDS v1.1 installed on a w2k machine with Security Monitor 1.1, and my IDS 4.0 installed on a Linux box.

On my sensor, I have configured telnet enabled, access-list to enable the whole /24 subnet, for example, 100.18.3.0, 255.255.255.0 for allowed hosts. And did TLS generate-key.

Using MC for IDS1.1, I am able to add the sensor, but I am quite lost about the actual deployment of the sensor. Sometimes I have to save it, sometimes, to deploy.

When I do some changes, I have to save it to database, so I have to go to pending and then save it.

However, when do I do a generate, approving and deploying?

Cause after doing an immediate deploying, and naming the job 'test', and going to history, I see it not deployed, and there are errors.

May someone enlighten me on the proper steps to do?

For Security Monitor (SM),

Using Cisco guide Chpt3, Configuring devices to monitor, I am able to add the RDEP sensor (since IDS is 4.0), and under Monitor>Connections, I am able to see that the sensor is connected via TLS. Cause I believe that this SM is supposed to retrieve the logs from the sensor, so how do I confirm this?

Thanks!

Looking forward to your swift reply.

2 REPLIES
Cisco Employee

Re: MC1.1 + IDS4.0 + Security Monitor1.1

You are doing it right. Don't see where you are stuck. After doing changes, save it to the db by going to Pending and save. Then, go under deployment for doing the Generate, then Approve (Approving might not be turned on), if that's the case, then move on to Deploy and conduct an immediate deploy.

What errors do you encounter?

Please follow the steps at the URL below:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/idsmc11/ug/ch06.htm

As for the SM, the status of "connected TLS" is good. You may need to tune a particular signature, e.g. ICMP echo reply (2004), and set it to High Severity and generate the ICMP traffic on that segment where the sniffing interface is connected. This will generate the events into the SM.

Hope this helps,

yatin

New Member

Re: MC1.1 + IDS4.0 + Security Monitor1.1

Hi All,

I realised that I got the "connected TLS" when I did not plug in the sniffing link, when I do that, it shows not connected.

When I did a diagnostic on the sensor, IDM, strangely, I see two sensing interfaces, int0 & int1 under group0. I thought, it should be int0 sniffing, and int1 control? How do I configure them? Cause in 4.0, I can't see the feature of sensing interface unlike 4.1.

Now, I created the sensor under a group, and I realise that under the group, there are more options to configure, than if I were to configure individual sensors. Can I take it that for group, it is global, and for sensors, it is more individual?

And I realise from a colleague, that in order for the sensor reporting back to IDS MC, to pipe events to Security monitor, I need to install a MC integrator, is that true?

Thanks!
