Using the 4235 to sniff individual VLANs

dpatkins
Level 1

I have a Cisco 4235 IDS sensor that I normally use for testing. Currently, we are still experiencing some issues with MyDoom. I have the administrative port on one vlan and the sniffing port on the other. Aside from getting an event that says DGRAM to long (which I cannot figure out why), I am not receiving traffic. Does this seem like a logical and proper setup? Thanks for the advice.

4 Replies

ishah
Level 1

You can configure the Sensor to use a trunk connection on the switch and see more than one VLAN. I presume you are using a workgroup switch.

On Catalyst 6500 etc. you can span multiple VLANs or use VACLs if you have the PFC.

Both IDSM and the appliance sensors can monitor 802.1q traffic and, hence, are VLAN aware.

marcabal
Cisco Employee

Since you are talking about vlans I assume that your sensor is connected to a switch.

When the sensor is connected to a switch for monitoring, there is additional configuration that must be done on the switch itself.

By design the switch will not send any traffic to the monitoring interface of the sensor with the default switch configuration.

You will need to configure either SPAN (port mirroring or port monitoring) or VACL Capture (per packet copying) to get the switch to send copies of the packets to the IDS monitoring port.

You need to read through your switch's documentation to see if it supports SPAN and to determine what the necessary commands are. (Only the Cat 6500 and 7600 Routers support VACL Capture).

Yes, my sensor is connected to a switch. I see what you are saying as far as the spanning. I appreciate the help. I was just hoping to be able to set the sniffing port to that particular VLAN and capture broadcast traffic moving in that VLAN.

Thanks

Dwane

If all you are looking for is broadcast traffic then you won't need span.

The default config on most switches will send the Multi-Cast, and Broad-Cast traffic to the sensor for the vlan to which it is connected.

In addition some Uni-Cast traffic will also be seen, but rarely.

This is where Span is needed to force the copying of these Uni-Cast packets to the sensor for monitoring.

NOTE: Because we are talking about a switch, the Multi-Cast, Broad-Cast, and Uni-Cast above refer specifically to the MAC Addresses of the packets and NOT the IP Addresses of the packets.

In some situations you will have a Broad-Cast IP Packet being sent with a Uni-Cast MAC Address. So be sure to look at the MAC Address and not the IP Address when trying to determine what the switch should do with the packets.

Also understand that very few attacks are ever seen in Multi-Cast, and Broad-Cast traffic. The majority of attacks are in Uni-Cast traffic. So if all the sensor is seeing are the Multi-Cast and Broad-Cast traffic, then don't expect to receive any alarms.

To see if the sensor is seeing any packets you won't be able to look at the alarms being generated (most likely all the traffic is OK and will never generate an alarm.) Instead, if this is a version 4.x sensor, then execute "show interface" and see if the packet counts on the sensing interface are increasing.
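As an added illustration of the point made in the reply above (the switch floods by destination MAC, not IP, so an IP broadcast carried in a unicast frame only reaches the sensor's monitoring port when SPAN copies it), the following example is not part of the thread or of any Cisco product. It parses a few constructed Ethernet frames, including an 802.1Q-tagged one, classifies each by its destination MAC the way a switch does, and reports which frames a sensor on an access port would see with and without SPAN. All MAC and IP addresses in it are constructed sample values.

```python
"""Classify Ethernet frames the way a switch does (by destination MAC) and
show which frames reach an IDS monitoring port with and without SPAN.
All frames below are constructed for this example."""
import struct
from ipaddress import IPv4Address
from typing import Optional

BROADCAST_MAC = b"\xff" * 6
ETH_IPV4 = 0x0800
ETH_8021Q = 0x8100


def mac_class(dst: bytes) -> str:
    """Forwarding class a switch derives from the destination MAC alone."""
    if dst == BROADCAST_MAC:
        return "broadcast"
    if dst[0] & 0x01:            # I/G bit set -> group (multicast) address
        return "multicast"
    return "unicast"


def parse_frame(frame: bytes) -> dict:
    """Return the fields a switch (and a VLAN-aware sensor) act on."""
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan = None
    offset = 14
    if ethertype == ETH_8021Q:                       # 802.1Q tag present
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = tci & 0x0FFF                          # low 12 bits are the VLAN ID
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    ip_dst = None
    if ethertype == ETH_IPV4:
        ip_dst = str(IPv4Address(frame[offset + 16:offset + 20]))
    return {"mac_class": mac_class(dst), "vlan": vlan, "ip_dst": ip_dst}


def reaches_sensor(frame: bytes, span_enabled: bool) -> bool:
    """Default switch behaviour: broadcast and multicast frames are flooded to
    every port in the VLAN, so the sensor sees them; unicast frames go only to
    the learned port and reach the sensor only if SPAN copies them."""
    if span_enabled:
        return True
    return parse_frame(frame)["mac_class"] != "unicast"


def build_frame(dst_mac: str, ip_dst: str, vlan: Optional[int] = None) -> bytes:
    """Constructed frame: Ethernet header, optional 802.1Q tag, and a bare
    20-byte IPv4 header (checksum left zero; nothing here validates it)."""
    dst = bytes.fromhex(dst_mac.replace(":", ""))
    src = bytes.fromhex("000c29aabbcc")              # constructed source MAC
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_8021Q, vlan)   # priority 0, DEI 0, VID
    hdr += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     IPv4Address("10.0.0.5").packed, IPv4Address(ip_dst).packed)
    return hdr + ip


# Constructed sample frames
FRAMES = {
    "ip_bcast_mac_bcast": build_frame("ff:ff:ff:ff:ff:ff", "10.0.0.255"),
    # IP broadcast address but a unicast destination MAC (e.g. sent to a router)
    "ip_bcast_mac_ucast": build_frame("00:11:22:33:44:55", "10.0.0.255"),
    "mcast_vlan20": build_frame("01:00:5e:00:00:fb", "224.0.0.251", vlan=20),
    "ucast_vlan20": build_frame("00:11:22:33:44:55", "10.0.0.7", vlan=20),
}


def visibility_report(span_enabled: bool) -> dict:
    """Which of the sample frames a sensor on the VLAN would receive."""
    return {name: reaches_sensor(f, span_enabled) for name, f in FRAMES.items()}


if __name__ == "__main__":
    for name, f in FRAMES.items():
        print(f"{name:22} {parse_frame(f)}  seen without SPAN: {reaches_sensor(f, False)}")
```

The second sample frame is the case the reply warns about: its IP destination is a broadcast address, but because the destination MAC is unicast the switch treats it as unicast, and the sensor only sees it once SPAN (or VACL capture) is in place.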