Netranger + NAM = IDS/troubleshooting?

twiggles · ‎12-03-2002

Hello all, as part of normal IDS alert investigations we're looking for a sniffer to complement the Netranger. I realize that this is a little bit off-topic so if anyone wants to respond privately that is fine (twigles at yahoo dt com). Basically someone said that the 6500 NAM module would be able be a tcpdump-type piece of hardware (we are ordering the NR module and would like to cut down the number of devices). However the NAM docs that I've found suggest that it can't do raw packet sniffing and is more of a call center management tool.

I guess the real question is what can I use to sniff traffic throughout the infra when we get an alert? Is anyone using the NAM?

duchesne_ced · ‎12-05-2002

Depending on how welll your IDS (level of false positives) is defined but why not using the logging capabilities of a conversation right on the IDS ? It will snif the whole conversation that fired the alarm. Then you have to download it from you IDS and analyse it with ethereal ?

the NAM card is an RMON card with a sniffer capabilities. So the card is intended more for statitics gathering

Report Inappropriate Content · ‎12-05-2002

We have the NAM and IDSM in the same 6500 chassis and they both work fine. I am a little disappointed with the IDSM and would prefer snort. The IDSM is not capable of communicating with the NAM. IDSM actions do not include signalling the NAM to sniff traffic. The NAM does do tcpdump style sniffing. In the right environment the NAM is a good product, but basically it is just an overpriced sniffer that has a lot of buttons and flashing lights. Do not purchase the NAM if you want it to work inconjunction with the IDSM. If you just want a sniffer get tcpdump on a laptop and learn to use the Catalyst VACL feature (much better than span).

As to your real question, snort seems to be one of the best options for sniffing traffic that triggers an alert.