Cisco IDS 4.1 sensors in HA? Monitoring packet drops?

Hello

Can someone tell me if Cisco IDS sensors provide high availability or failover capabilities? If so, how and where to set it up?

Is there any form of packet-drop notification when the sensor starts dropping packets under full load?

Hello

IDS sensors do not provide high availability or failover capability.

Under high load, the sensor can be configured to alert by means of signature 993, which states "packet drop rate exceeded the threshold". This threshold is set by default to 5% (Total dropped packets / Total packets received in a time interval). You must enable this signature, as it is disabled by default.

Hope this helps

Thank you

Madhu


Similar Questions

  • Deploying Cisco IDS 42xx appliances with network taps

    Hi all

    Does anyone have experience deploying IDS 42xx (4235 and 4215) appliances with network taps (e.g. Finisar UTP IT Tap/1)? I have several IDS devices deployed a few months back using the Finisar taps, and thought that it worked fine, until I discovered that I am capturing only one side of the traffic, due to the nature of the taps! It seems that I need to put another network card in the IDS device (a Cisco 4235), but is it possible? Is there a way I can turn on channel bonding or EtherChannel on the 4235?

    The last option, I think, if the ideas above are not possible, is to put in another switch and mirror the two ports from the tap, but that doesn't look good for the final cost...

    Suggestions are most welcomed!

    Thank you

    Kian Wei

    Monitoring network taps with a Cisco IDS device is not officially supported by Cisco.

    That said, however, several customers have successfully deployed with taps.

    Taps, as you've seen, have 2 outputs.

    If a tap is placed on the connection between computers A and B, one of the outputs will be for traffic from A to B, and the other will be for traffic from B to A.

    To analyze traffic from the tap, the sensor will need to see both outputs.

    You could do this by connecting the taps to a switch and then spanning the 2 ports to the IDS sensor monitoring port.

    Or you may be able to use a second interface on the sensor itself.

    The IDS-4235, IDS-4250 and IDS-4215 can be upgraded with a 4-port 10/100 card, for a total of 5 sniffing ports.

    If the connection you are tapping is a 10 Mb or 100 Mb connection, then purchase the 4-port 10/100 card for the sensor and connect the 2 tap outputs to 2 of the ports on the network card.

    NOTE: The sensor combines incoming packets on all interfaces and treats them as if they are part of the same network.

    You just need to place all interfaces in 'Group 0' and select 'non-stop' for each sniffing interface.

    Here is the part number for the 4-port 10/100 card:

    IDS-4FE-INT=

    Refer to the installation guide for more information on how to install the card and to configure the sensor:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids10/hwguide/index.htm

    Now, if the connection you are tapping is a 1 Gig copper or fiber connection, then you will need to buy a switch to combine the 2 outputs from the taps and span them to the sensor's sniffing port.

    Cisco currently offers no additional copper Gig cards.

    Cisco offers a single-port fiber Gig card for the IDS-4250 (the SX card), but does not support placing 2 of these cards in the sensor.

    Cisco also offers a dual port fiber Gig, known as the XL card. The XL card has hardware acceleration for the monitoring of the faster speeds. However, the XL card does not currently work with taps.

    So if tapping a 10/100 connection, then try the 4-port 10/100 card, but if tapping a Gig connection, then you will need a switch to aggregate the 2 outputs.

    What some users have also done is to use the switch and not bother with the tap.

    They connect machine A to the switch and machine B to the switch. Then span the traffic to the sensor's port.

  • Regarding the upgrade of Cisco IDS Version 4.0 to 5.0

    Dear Happs / marcabal

    I have an IDS 4215 at Version 4.1(1), with the details attached. I want to upgrade it to 5.0 and 6.0, so I am installing the 5.0(1e) S149 major upgrade to get to the 5.0 release first.

    The following is written in the readme file for the service package IPS-K9-maj-5.0-1e-S149.rpm.pkg:

    "For IDS-4215, you must also make sure that you have upgraded the BIOS to version 5.1.7 and the ROMMON to version 1.4."

    So I downloaded the upgrade utility mentioned above; however, I need to know the following:

    (1) How do I check the current BIOS and ROMMON version on the IDS?

    (2) To upgrade the BIOS and ROMMON version, can I use my desktop (Windows XP) as a TFTP server, since we manage the customer's IDS remotely (over a leased line), or do I need a local machine at the customer's site (within the Cisco IDS network range only) that can act as the TFTP server?

    (3) Also, please let me know how I can find the IDS 4.0 license, and if no license is available, can we still upgrade to version 5.0?

    There is no version 4.x license, licenses began only in version 5.0.

    You can upgrade your 4215 to version 5.1 or 6.0 without a license.

    The minimum versions of BIOS update and forms are easily searched on CCO.

  • Cisco IDS 4215 signatures update

    Hello people,
    We have a few Cisco IDS 4215s and would like to know whether, when upgrading signatures, we can remove those released previously or whether the previous ones should not be removed.

    System information for these devices:

    ***

    TAC-contact information
    URL: http://www.cisco.com/public/support/tac/home.shtml/
    Phone: 1 (800) 553-2447

    Sensor time is 110 days.
    Platform: IDS-4215-4FE-K9
    Boot partition: application

    Partition: application
    Build version: 6.0 (6) E3
    Host:
    Domain keys key1.0
    Definition of signature:
    Update of the signature S439.0 2009-09-30
    Virus update V1.4 2007-03-02
    OS version: 2.4.30 - IDS-smp-bigphys
    Applications
    MainApp
    N NUBRA_2009_JUL_15_01_10_6_0_5_57 2009-07-15 T 01: 15:08 - 0500 ipsbuild
    The executing State: running
    AnalysisEngine
    N NUBRA_2009_JUL_15_01_10_6_0_5_57 2009-07-15 T 01: 15:08 - 0500 ipsbuild
    The executing State: running
    Updates installed
    Update name: IPS - K9 - 6.0 - 6 - E3
    Once installed: July 15, 2009 18.48.06
    Update name: IPS-GIS-S439-req - E3.pkg
    Installed time: 6 October 2009 13.07.55
    Next lower upgrade:
    Partition: recovery
    Build version: 1.1 - 6, 0000 E3

    PEP Udi chassis
    Description sensor unit IPS 4215
    PID ID-4215-4FE-K9
    vid V01
    SN 88808513168

    Memory usage
    usedBytes = 377655296
    freeBytes = 132685824
    totalBytes = 510341120

    Use of the disk
    the application data uses 33.2 M off 166,8 M bytes of disk space available (21% of use)
    start using 37.6 M off 68.6 M bytes of disk space available (58% of use)
    Application log using 529,5 M off bytes of 2.8 G of disk space available (20% of use)

    ***

    Many thanks in advance,

    Luca

    Luca;

    Signature updates are cumulative, so you can simply apply the S493 update. A caveat, however: if you need to make a big jump in signature release (say S470 to S493), it is usually more effective to make small updates (especially on a low-memory platform such as the IDS-4215).

    Scott

  • General questions Cisco IDS

    We are evaluating deploying a Cisco NIDS on our network. Someone told me that the Cisco IDS solution is based on NT (?). Say it isn't so!

    Also, can the NIDS or IDS module detect common IIS attacks like buffer overflow, directory traversal, Code Red/Blue, etc.? Does the IDS in the PIX firewall detect these attacks?

    Thanks for your time.

    With the IDS 4.0 code, all sensors that support this code run Linux, including standalone sensors and the new IDSM-2.

    In the old 3.0 code, standalone appliances ran Unix, while the sensor blade for the 6500 ran Windows.

    Here is a link to the chapter on the signature engines of the 4.0 code:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids9/idmiev/swappa.htm

    This will give you an excellent overview of the power of the IDS 4.0 signature engines and the list of signatures, which includes most of the signatures you mention above.

    hope this helps,

    Peter

  • Cisco IDS Vs Websense

    I have a PIX firewall running and I'm trying to install Cisco IDS hardware.

    I want to know if Cisco IDS and/or PIX can help me have as much control over access to the internet as Websense.

    I know that Websense has 29 basic content categories that can be used to block outgoing traffic, and that the PIX and IDS basically limit incoming traffic and classify actions as attacks, respectively.

    I have to justify whether or not we need Websense alongside Cisco IDS, and would appreciate your comments.

    You're talking about two different animals here. Websense looks at the URL used by the user to access the sites. Based on the policies defined in Websense, the URL is allowed or denied. The PIX sends the URL to the Websense server before allowing the connection to the server. The IDS decodes packets and does not care what the URL is. You will need two systems for better protection.

    I don't recommend Websense. I carried out an audit of a Websense server and it blocks all the URLs and I saw problems with the reporting function. A better product is Vericept.

  • How to monitor a Cisco IDS 4215 (version 6.0)?

    Hello

    I am new to this IDS and need an inexpensive or open source tool to collect and store the logs of this device.  It seems that the unit can only store a day or two of its own logs and I need to collect 1 year.  I have Red Hat Linux machines at my disposal, but can use Windows devices or other forms of Linux if necessary.  It would be great if I could just have this thing log to a file on a Linux server on the local network. I can then configure scripts to view and create reports on the balls.

    I installed the IDM on my Windows desktop and can connect to the IDS, but don't see a way to collect logs, to trigger alerts by e-mail or create reports.  Is there something Cisco offers (without additional purchase) for this?

    Thank you

    Paul

    For email alerts, you can use IPS Manager Express: http://www.cisco.com/en/US/products/ps9610/index.html I think that it will handle up to 10 IPS sensors.

  • Pricing changes for Cisco IDS/IPS support contracts

    Good day

    My boss asked me if there is no value added regarding Cisco's recent move to charge separately for hardware and software support for IDS/IPS product line.

    Other than what is obvious (need software support for signature updates, need hardware support in case something breaks), I'm having a hard time providing a response.

    Can anyone suggest what the increased value is, other than the higher annual recurring costs we get as a result of this licensing change?

    Also, was there any press release or other notice to customers about this change?

    I am at a loss...

    Alex Arndt

    Alex,

    Cut through the spin and the hype... the software support allows us to finance a development team dedicated to signature, which has improved our signature rejection rates and response times. In addition, it is allowing us to expand our coverage to keep IDS 4.1 to get the support of the signature. It is contrary to our previous policy which would have seen 4.1 updates to signature cut shortly after 5.0 released.

    A side effect of this is that our development team is now free to focus on the development of the feature, and you will see more updates, more often.

    Can't comment on press releases and others, they make my head spin ;)

    Scott

  • License on Cisco IDS 4215 box

    I have an IDS 4215 (version 4) that worked fine for 2 years. All of a sudden I could not access the IDS 4215 via the console or telnet last month. I rebooted it, but there was no change.

    Then we got the ROMMON prompt via CTRL-R. We performed the procedure "Installation image of the system IDS-4215". We have installed version 5. So, we lost the old license for IDS 4215 ver 4. How can I get the old license?

    We want to make the IDS 4215 work with version 5 and the latest signatures. What should we do in this regard?

    There wasn't a license file in ver 4.

    Licenses were introduced in ver 5.

    Licenses are included as part of your Cisco Service for IPS maintenance contract.

    To see if you have an up-to-date contract, just go to the licensing configuration page in IDM and click the button that tells IDM to check cisco.com for a license.

    If it comes back with a license, then your contract is up to date and everything is good.

    If it does not come back with a license, then you probably don't have a Cisco Service for IPS contract for your sensor.

    Contact your Cisco or authorized Cisco reseller sales representative and request a quote for a Cisco Service for IPS contract for your sensor.

    Don't forget to give them the serial number of your sensor when you buy the contract so it is tracked correctly in Cisco's contract database.

  • The upgrade of Cisco IDS 4235

    Currently, we are running 5.1.3 sig 257. I know I'm behind and also want to include the DST updates. If I upgrade to 5.1.4 or 5.1.5, what version do I need to be at to upgrade to these Service Packs? Is 5.1.3 sig 257 enough?

    Thank you

    Dwane

    You can go to 5.1(5). The minimum required version for this upgrade is 5.0(1) for CLI and IDM users. This Service Pack includes Signature Update S272. With IDS/IPS devices, it's always preferable to run the latest versions.

    Kind regards

    Maryse.

  • Options for managing Cisco IDS, please help

    I need to deploy two CSIDS network sensors now, with the possibility of adding up to 20 more. I don't want to start by building a central CSIDS management system. I'd rather go with just the network sensors for the moment and manage them using their web interfaces. When I add more network sensors, can I build the central CSIDS management and have all the sensors report to the central system? If so, what are my options? Are there aspects I need to know right now? Help, please. Thank you.

    It is very easy to add VMS to the installation. You do not have to re-image or re-install the sensors. On the sensor side, it only involves setting up the sensors to forward events to the VMS box. On the VMS side, it means setting up the VMS box to receive events from and manage the sensors.

    If your IDS Event Viewer box is the same as your VMS box, then you will not need to make any changes on your sensors, assuming that the IP address and host name are the same for both boxes.

  • How to monitor connections dropped and rejected on the PIX Firewall / ASA?

    I need to monitor the SNMP OID of the connections dropped and rejected on the PIX and ASA firewalls. Is this possible?

    If this is the case, what SNMP OID should I monitor?

    Syslogs and Netflow (introduced in version 8.2) are your options.

    No MIB can give you the numbers of conn.

    PK

  • Cisco Profile 42" QoS DSCP marking question for signaling packets

    Hello
    We have a Cisco Profile 42 with the specification below.
    Software version: TCNC4.2.1.265253 product: TANDBERG profile 42 C20
    All calls are made through the Gatekeeper (VCS 7.1)
    DiffServ QoS is configured on the device.
    During a SIP call or SIP registration, for any packet coming from the video endpoint, I see the DSCP value is 0x00
    But for any packet from the VCS, I see the DSCP value is AF31 0x1a.
    But we have configured signaling QoS (value 26) on the Cisco Profile 42 endpoint. A screenshot is attached.
    Also, we have configured VCS DiffServ QoS with value 26.
    In this case, why are we not able to see any signaling marking from the Cisco Profile 42?
    I have attached a screenshot of the Wireshark output. Also, I downloaded the Wireshark message output.
    For the RTP stream, we can see the packets are marked as configured, i.e. AF41.
    There is no other device changing the marking.
    Please suggest.
    Rgds
    Rajesh

    Thanks teak: it's matching DDT all right!

    Moving to TCNC5.1.6 or even TCNC6.0.0 (just released) should solve the problem.

  • IOS packet monitoring

    Hi Arshad,

    Posted by: albertobrivio - May 19, 2006, 8:11 am PST

    I would like to know whether the IOS environment has commands like "show conn" or "capture", normally available on the PIX firewall, to take a look at packets passing by source/destination address/port/interface.

    Regards

    Alberto Brivio

    Alberto,

    If you have the IOS Firewall feature set, then you can get the output with

    "show ip inspect session detail" (if you have an IOS firewall configured and applied on the interface).

    If you want to monitor all packets going out from the interface, you should look at "NetFlow" technology.

    Enable "ip flow ingress" on the specific interface and then with 'show ip cache flow' you will be able to see the flow of traffic.

    If you are interested in some features like 'tcpdump' ability to sniff in IOS let me know as well.

    Thanks and greetings

    Arshad

  • CiscoWorks IDS MC license has expired.

    We cannot get the IDS MC in our CiscoWorks environment to work. We installed the software suite:

    -CiscoWorks Common Services V2.2

    -CLC Foundation V2.2

    -Management Center for Cisco Security Agents 4.0

    -IDS MC V1.2

    -Security Monitor 1.2

    We have a valid VMS license for 20 devices, which has been upgraded to the latest versions. This license has been accepted by CiscoWorks.

    However, when we want to open the Device Manager in the IDS MC, we get the following error:

    "IDS MC license has expired". So we are not able to add and see any of our IDS devices (4210 V4.1).

    We have installed all the packages on a Windows 2000 Terminal Server (this service has been disabled, because we know that it is not supported).

    However, we checked the status of the process and we have seen that the following processes are not listed:

    -daframework

    -fms

    -lm

    But we have no error during installation.

    Any suggestions?

    Thanks in advance!

    Johan Derycke.

    We are working on a 1.2 patch to support non-English versions of Windows. Check CCO in a few weeks for the availability of this fix.
