I have a 4230, 4210 and CSPM. If I telnet to either sensor and issue an "ifconfig -a", I do not see the monitoring NIC. I think this causes the second issue I have: no signature events logged in the database, only "route up/down" (from upgrading/updating sensors). I have checked the SPAN ports the NICs are on and they do see traffic. I was told in a recent TAC case that you will never see the promiscuous NIC; is this true? CSPM v2.3i, IDS v2.5(1)S3
True, you should never see the sniffing interface when using the "ifconfig -a" command.
To see if the interface is seeing packets try executing the following commands:
On the 4210 as user root: "snoop -d iprb0"
On the 4230 as user root: "snoop -d spwr0"
You may also want to check the NameOfPacketDevice configuration in the /usr/nr/etc/packetd.conf file on the sensors:
On the 4210 in packetd.conf: "NameOfPacketDevice /dev/iprb0"
On the 4230 in packetd.conf: "NameOfPacketDevice /dev/spwr0"
If these interface names are incorrect, they can be corrected in CSPM and the new configuration pushed to the sensor. Check to ensure that the configuration is now correct on the sensors. You may need to execute "nrstop" and "nrstart" to ensure that all of the IDS programs are started. Also run "nrvers" to ensure that all the IDS programs are responding to the query for the version information.
Once you have ensured that all of the programs are running, the correct configuration is being used, and packets are being seen by the snoop command, then you should see any alarms being generated by the sensors.
I would recommend generating a specific alarm to see if it is being seen. Generally people create a custom signature to do this type of verification, such as the string "Test Sensor" on a telnet connection.
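The packetd.conf check described in the answer, as an added example that is not part of the original thread: it verifies the NameOfPacketDevice value against the device named above for each sensor model (4210 -> /dev/iprb0, 4230 -> /dev/spwr0) and derives the matching snoop command. The function names and the sample config contents are my own, constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): check a sensor's packetd.conf
# NameOfPacketDevice against the expected sniffing device for its model.

expected_device() {
    case "$1" in
        4210) echo /dev/iprb0 ;;
        4230) echo /dev/spwr0 ;;
        *) return 1 ;;          # model not covered by the thread
    esac
}

# configured_device FILE: print the first NameOfPacketDevice value, ignoring
# comment lines; return 1 if the directive is absent.
configured_device() {
    dev=$(sed -n 's/^[[:space:]]*NameOfPacketDevice[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$dev" ] || return 1
    echo "$dev"
}

# check_packetd_conf MODEL FILE: 0 if the configured device matches the model,
# 1 on mismatch or missing directive, 2 for an unknown model.
check_packetd_conf() {
    want=$(expected_device "$1") || { echo "unknown sensor model: $1" >&2; return 2; }
    got=$(configured_device "$2") || { echo "$1: NameOfPacketDevice not set in $2" >&2; return 1; }
    if [ "$got" = "$want" ]; then
        echo "$1: NameOfPacketDevice $got is correct"
        return 0
    fi
    echo "$1: NameOfPacketDevice is $got, expected $want (correct it in CSPM and push)" >&2
    return 1
}

# snoop_command FILE: the snoop invocation (run as root on the sensor) for the
# configured device; snoop takes the bare interface name, so /dev/ is stripped.
snoop_command() {
    dev=$(configured_device "$1") || return 1
    echo "snoop -d ${dev#/dev/}"
}

demo() {
    tmp=$(mktemp -d)    # constructed sample configs, not real sensor files
    printf '# constructed\nNameOfPacketDevice /dev/iprb0\n' > "$tmp/4210.conf"
    printf 'NameOfPacketDevice /dev/iprb0\n' > "$tmp/4230.conf"   # wrong for a 4230
    check_packetd_conf 4210 "$tmp/4210.conf" && echo "verify with: $(snoop_command "$tmp/4210.conf")"
    check_packetd_conf 4230 "$tmp/4230.conf" || echo "push the corrected config before sniffing"
    rm -rf "$tmp"
}
demo
```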