Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
388
Views
0
Helpful
3
Replies

IDSM not receiveing all packets

costin.vilcu
Level 1
Level 1

‎12-11-2008 01:18 AM

Hello everyone,

i have an expert problem:

on a 7600 there is an IDSM2 blade. On two gigabit ports from the 7600, configured as L3 ports (no switchport) there are ip addreses configured and there is OSPF runnig with 2 other equipents.

The sniffing is configured with span on the two GIgabit ports.

The problem is that when the ospf equipments send the multicast traffic to 224.0.0.5 not all these packets arrive to the IDSM thus triggering the following two signatures:

- IP Fragment Missing Initial Fragment id=1204;

- description=IP Fragment Incomplete Datagram id=1208;

There is no missing packets on the OSPF protocol and no retransmission so the only problem that i see is that the SPAN does not send all the packets to the IDSM.

Sniffing with the VLAN filtering is not posible because those are Gigabit Interfaces and the VLAN filtering works only with vlans or with pos, atm or serial interfaces.

i attached the events from the IDSM.

If anyone has any ideea why this is happenig please tell me. I don't need an workaround but a reason.

Thanks in advanced.

Labels:
Preview file
4 KB
0 Helpful
3 Replies 3

amritpatek
Level 6
Level 6

‎12-17-2008 09:40 AM

In promiscuous mode, IDSM-2 passively monitors network traffic copied to its data ports by the Catalyst switch. The data ports operate as 802.1q trunks and you can configure the two data ports to trunk the same or different VLANs. The Catalyst switch uses either SPAN or VACL capture to copy specific traffic to the data ports. You can send the same or different traffic to the two data ports. Because IDSM-2 is passive in this mode, it cannot drop packets to block a network intrusion attempt, but you can configure it to send TCP resets to both sides of the network connection to try to break the connection.

0 Helpful

costin.vilcu
Level 1
Level 1
In response to amritpatek

‎12-17-2008 03:52 PM

Thanks amripatek, but no offense: that, i knew.

My problem is that configured as promiscuous and monitoring 2 "no switchport" ports with SPAN, the IDSM does not "see" the first packet in an OSPF routing update (224.0.0.5) thus triggering the signatures 1204 and 1208.

i don't understand how your resolution will help. Can you be more specific?

Thank you,

costin

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to costin.vilcu

‎12-17-2008 10:47 PM

Well as a temporary workaround you could disable these two signatures for this particular traffic flow (IP Addess etc.) You can use event action filters to do this.

I would also check the Bug Toolkit for any bugs related to your IDS/Router.

Have a look at this link also:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#topic6-1

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents