Hello all, as part of normal IDS alert investigations we're looking for a sniffer to complement the NetRanger. I realize that this is a little bit off-topic, so if anyone wants to respond privately that is fine (twigles at yahoo dt com). Basically someone said that the 6500 NAM module would be able to be a tcpdump-type piece of hardware (we are ordering the NR module and would like to cut down the number of devices). However, the NAM docs that I've found suggest that it can't do raw packet sniffing and is more of a call center management tool.
I guess the real question is what can I use to sniff traffic throughout the infra when we get an alert? Is anyone using the NAM?
Depending on how well your IDS is defined (level of false positives), why not use the logging capabilities for a conversation right on the IDS? It will sniff the whole conversation that fired the alarm. Then you have to download it from your IDS and analyse it with Ethereal.
The NAM card is an RMON card with sniffer capabilities, so the card is intended more for statistics gathering.
We have the NAM and IDSM in the same 6500 chassis and they both work fine. I am a little disappointed with the IDSM and would prefer snort. The IDSM is not capable of communicating with the NAM. IDSM actions do not include signalling the NAM to sniff traffic. The NAM does do tcpdump-style sniffing. In the right environment the NAM is a good product, but basically it is just an overpriced sniffer that has a lot of buttons and flashing lights. Do not purchase the NAM if you want it to work in conjunction with the IDSM. If you just want a sniffer, get tcpdump on a laptop and learn to use the Catalyst VACL feature (much better than SPAN).
As to your real question, snort seems to be one of the best options for sniffing traffic that triggers an alert.
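To make the "tcpdump on a laptop plus VACL capture" suggestion above concrete, here is an added configuration example for a Catalyst 6500 running native IOS; it is not from the poster or from Cisco's documentation for this thread. The VLAN number (100), the host under investigation (10.1.1.5), the ACL and access-map names, and the capture port (GigabitEthernet3/1, where the laptop is plugged in) are all hypothetical and must be adjusted to your environment. Unlike SPAN, the VACL selects only the traffic that matches the ACL and copies it to the capture port, so the laptop sees just the conversation tied to the alert instead of the whole VLAN.

```cisco
! Hypothetical: ACL selecting both directions of traffic for the host named in the IDS alert
ip access-list extended CAPTURE-HOST
 permit ip host 10.1.1.5 any
 permit ip any host 10.1.1.5
!
! Sequence 10: forward matching packets normally AND copy them to the capture port
vlan access-map CAPTURE 10
 match ip address CAPTURE-HOST
 action forward capture
!
! Sequence 20: no match clause, so everything else is simply forwarded.
! Without this entry the implicit deny at the end of the map would drop
! all other traffic on the VLAN, i.e. the capture would cause an outage.
vlan access-map CAPTURE 20
 action forward
!
! Apply the map to the VLAN being investigated (hypothetical VLAN 100)
vlan filter CAPTURE vlan-list 100
!
! The port the sniffing laptop is connected to (hypothetical slot/port).
! A capture port only transmits the captured copies; it does not switch traffic.
interface GigabitEthernet3/1
 switchport
 switchport capture
 switchport capture allowed vlan 100
!
! Verification
! show vlan access-map CAPTURE
! show vlan filter
! show interfaces GigabitEthernet3/1 switchport
```

On the laptop, capture with a full snap length and write to disk rather than decoding live, e.g. `tcpdump -ni eth0 -s 0 -w alert-10.1.1.5.pcap host 10.1.1.5`, then open the file in Ethereal. Remove the `vlan filter` line when the investigation is finished: a capture map left in place keeps copying traffic to a port that anyone can plug into.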