Cisco IDS Vs Websense

I have a n race PIX firewall and I'm trying to install a hardware Cisco IDS.

I want to know if Cisco IDS and/or PIX can help me to have as much control over access to the internet as Websense.

I know that Websense has 29 categories of content at the base that can be used to block outgoing traffic, and that PIX and IDS are basically limitation of incoming traffic and classification of actions as attacks, respectively.

I have to justify whether we need or don't need Websense with Cisco IDS, and would appreciate your comments.

You're talking about two different animals here. Websense looks at the URL used by the user to access the sites. Based on the strategies defined at Websense, the URL is allowed or denied. The PIX sends the URL to the Websense server before allowing the connection to the server. The IDS decodes packets and does not care what the URL is. You will need both systems for better protection.

I don't recommend Websense. I carried out an audit of a Websense server and it blocks all the URLs, and I saw problems with the reporting function. A better product is Vericept.

Tags: Cisco Security

Similar Questions

  • Regarding the upgrade of Cisco IDS from version 4.0 to 5.0

    Dear Happs / marcabal

    I have an IDS 4215 running version 4.1(1), with the details attached. I want to upgrade it to 5.0 and 6.0, so I am installing the 5.0(1e) S149 major upgrade to get to the 5.0 release first.

    The following is written in the readme file for the package IPS-K9-maj-5.0-1e-S149.rpm.pkg:

    "For IDS-4215, you must also make sure that you have upgraded the BIOS to version 5.1.7 and the ROMMON to version 1.4."

    So I downloaded the upgrade utility mentioned above; however, I need to know the following:

    (1) How do I check the current BIOS and ROMMON versions on the IDS?

    (2) To upgrade the BIOS and ROMMON versions, can I use my desktop (Windows XP) as a TFTP server, since we manage the customer's IDS remotely (leased line), or do I need a local machine at the customer's site (in the Cisco IDS network range only) which can be made the TFTP server?

    (3) Also, please let me know how I can find the IDS 4.0 license, and if no license is available, can we still upgrade to version 5.0?

    There is no version 4.x license; licenses began only in version 5.0.

    You can upgrade your 4215 to version 5.1 or 6.0 unlicensed.

    The minimum versions of BIOS update and forms are easily searched on CCO.

  • Cisco IDS 4215 signatures update

    Hello people,
    We have a few Cisco IDS 4215 and would like to know whether, when upgrading signatures, we can remove those released previously or whether the previous ones should not be removed.

    System information for these devices:

    ***

    TAC-contact information
    URL: http://www.cisco.com/public/support/tac/home.shtml/
    Phone: 1 (800) 553-2447

    Sensor time is 110 days.
    Platform: IDS-4215-4FE-K9
    Boot partition: application

    Partition: application
    Build version: 6.0 (6) E3
    Host:
    Domain keys key1.0
    Definition of signature:
    Update of the signature S439.0 2009-09-30
    Virus update V1.4 2007-03-02
    OS version: 2.4.30 - IDS-smp-bigphys
    Applications
    MainApp
    N NUBRA_2009_JUL_15_01_10_6_0_5_57 2009-07-15 T 01: 15:08 - 0500 ipsbuild
    The executing State: running
    AnalysisEngine
    N NUBRA_2009_JUL_15_01_10_6_0_5_57 2009-07-15 T 01: 15:08 - 0500 ipsbuild
    The executing State: running
    Updates installed
    Update name: IPS - K9 - 6.0 - 6 - E3
    Once installed: July 15, 2009 18.48.06
    Update name: IPS-GIS-S439-req - E3.pkg
    Installed time: 6 October 2009 13.07.55
    Next lower upgrade:
    Partition: recovery
    Build version: 1.1 - 6, 0000 E3

    PEP Udi chassis
    Description sensor unit IPS 4215
    PID ID-4215-4FE-K9
    vid V01
    SN 88808513168

    Memory usage
    usedBytes = 377655296
    freeBytes = 132685824
    totalBytes = 510341120

    Use of the disk
    the application data uses 33.2 M off 166,8 M bytes of disk space available (21% of use)
    start using 37.6 M off 68.6 M bytes of disk space available (58% of use)
    Application log using 529,5 M off bytes of 2.8 G of disk space available (20% of use)

    ***

    Many thanks in advance,

    Luca

    Luca;

    Signature updates are cumulative, so you can simply apply the S493 update. A caveat, however: if you need to make a big jump in signature release (say S470 to S493), it is usually more effective to make smaller updates (especially on a low-memory platform such as the IDS-4215).

    Scott

  • Deploying Cisco IDS 42xx appliances with network taps

    Hi all

    Does anyone have experience deploying IDS 42xx (4235 and 4215) appliances with network taps (e.g. Finisar UTP IT Tap/1)? I have several IDS appliances deployed a few months back using Finisar taps, and thought that it worked fine, until I discovered that I am capturing only one side of the traffic, due to the nature of the taps! It seems that I need to put another network card in the IDS appliance (a Cisco 4235), but is it possible? Is there a way I can turn on channel bonding or EtherChannel on the 4235?

    The last option, I think, if the ideas above are not possible, is to put in another switch and mirror the two ports from the tap, but that doesn't look good for the final cost...

    Suggestions are most welcomed!

    Thank you

    Kian Wei

    Monitoring network taps with a Cisco IDS appliance is not officially supported by Cisco.

    That said, however, several customers have successfully deployed with taps.

    Taps, as you've seen, have 2 outputs.

    If a tap is placed on the connection between machines A and B, one of the outputs will be for traffic from A to B, and the other will be for traffic from B to A.

    To analyze the tapped traffic, the sensor will need to see both outputs.

    You could do this by connecting the taps to a switch and then spanning the 2 ports to the IDS sensor monitoring port.

    Or you may be able to use a second interface on the sensor itself.

    The IDS-4235, IDS-4250 and IDS-4215 can be upgraded with a 4-port 10/100 card, for a total of 5 sniffing ports.

    If the connection you tap is a 10 Mb or 100 Mb connection, then purchase the 4-port 10/100 card for the sensor and connect the 2 tap outputs to 2 of the ports of the network adapter card.

    NOTE: The sensor combines incoming packets on all interfaces and treats them as if they are part of the same network.

    You just need to place all interfaces in 'Group 0' and select 'non-stop' for each sniffing interface.

    Here is the part number for the 4-port 10/100 card:

    IDS-4FE-INT=

    Refer to the installation guide for more information on how to install the card and to configure the sensor:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids10/hwguide/index.htm

    Now, if the connection you tap is a 1 Gig copper or fiber optic connection, then you will need to buy a switch to combine the 2 outputs from the taps and span them to the sensor's sniffing port.

    Cisco currently offers no additional copper Gig cards.

    Cisco offers a single-port fiber Gig (SX) card for the IDS-4250 but does not support placing 2 of these cards in the sensor.

    Cisco also offers a dual-port fiber Gig card, known as the XL card. The XL card has hardware acceleration for monitoring at faster speeds. However, the XL card does not currently work with taps.

    So if tapping a 10/100 connection, then try the 4-port 10/100 card, but if tapping a Gig connection, then you will need a switch to aggregate the 2 outputs.

    What some users have also done is to use the switch and not bother with the tap.

    They connect machine A to the switch and machine B to the switch, then span the traffic to the sensor's port.

  • Cisco IDS 4.1 sensors in HA? Monitoring packet drops?

    Hello

    Can someone tell me if Cisco IDS sensors provide high availability or failover capabilities? If so, how, and where is it set up?

    Is there any form of packet drop notification when the sensor starts dropping packets under full load?

    Hello

    IDS sensors do not provide high availability or failover capability.

    Under a high load, the sensor can be configured to alert with signature 993, which states "packet drop rate exceeded the threshold". This threshold is set by default to 5% (total dropped packets / total packets received in a time interval). You must enable this signature, as it is disabled by default.

    Hope this helps

    Thank you

    Madhu

  • General Cisco IDS questions

    We are evaluating deploying a Cisco NIDS on our network. Someone told me that the Cisco IDS solution is based on NT (?). Say it isn't so!

    Also, can the NIDS or IDS module detect common IIS attacks like buffer overflows, directory traversal, Code Red/Blue, etc.? Does the IDS in the PIX firewall detect these attacks?

    Thanks for your time.

    With the IDS 4.0 code, all sensors that support this code run Linux, including standalone sensors and the new IDSM-2.

    In the old 3.0 code, standalone appliances ran Unix, while the sensor blade for the 6500 ran Windows.

    Here is a link to the chapter on the signature engines in the 4.0 code:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids9/idmiev/swappa.htm

    This will give you an excellent overview of the power of the IDS 4.0 signature engines and the list of signatures, which includes most of the signatures you mention above.

    hope this helps,

    Peter

  • Changes in pricing for Cisco IDS/IPS support contracts

    Good day

    My boss asked me if there is any value added regarding Cisco's recent move to charge separately for hardware and software support for the IDS/IPS product line.

    Other than what is obvious (need software support for signature updates, need hardware support in case something breaks), I'm having a hard time providing a response.

    Can anyone suggest what the increased value is, other than the higher annual recurring costs we get as a result of this licensing change?

    Also, was there any press release or other notice to customers about this change?

    I am at a loss...

    Alex Arndt

    Alex,

    Cutting through the spin and the hype... the software support allows us to fund a dedicated signature development team, which has improved our signature rejection rates and response times. In addition, it is allowing us to extend our coverage to keep IDS 4.1 getting signature support. This is contrary to our previous policy, which would have seen 4.1 signature updates cut shortly after 5.0 was released.

    A side effect of this is that our development team is now free to focus on feature development, and you will see more updates, more often.

    Can't comment on press releases and the like, they make my head spin ;)

    Scott

  • License on Cisco IDS 4215 box

    I have an IDS 4215 (version 4) that worked fine for 2 years. All of a sudden I could not access the IDS 4215 via the console or telnet last month. I rebooted it, but there was no change.

    Then we got the ROMMON prompt via CTRL-R. We performed the "Installing the IDS-4215 System Image" procedure and installed version 5. So, we lost the old license for IDS 4215 ver 4. How can I get the old license?

    We want to make the IDS 4215 work with version 5 and the latest signatures. What should we do in this regard?

    There wasn't a license file in ver 4.

    Licenses were introduced in ver 5.

    Licenses are included as part of your Cisco Service for IPS maintenance contract.

    To see if you have an up-to-date contract, just go to the licensing page in IDM configuration and click on the button to tell IDM to check cisco.com for a license.

    If it comes back with a license, then your contract is up to date and everything is good.

    If it does not return with a license, then you probably don't have a Cisco Service for IPS contract for your sensor.

    Contact your Cisco or authorized Cisco reseller sales representative and request a quote for a Cisco Service for IPS contract for your sensor.

    Don't forget to give them the serial number of your sensor when you buy the contract so it is tracked correctly in Cisco's contract database.

  • How to monitor a Cisco IDS 4215 (version 6.0)?

    Hello

    I am new to this IDS and need an inexpensive or open source tool to collect and store the logs of this device. It seems that the unit can only store a day or two of its own logs and I need to collect 1 year. I have Red Hat Linux machines at my disposal, but can use Windows devices or other forms of Linux if necessary. It would be great if I could just have this thing log to a file on a Linux server on the local network. I can then configure scripts to view and create reports on the balls.

    I installed IDM on my Windows desktop and can connect to the IDS, but don't see a way to collect logs, to trigger alerts by e-mail or to create reports. Is there something Cisco offers (without additional purchase) for this?

    Thank you

    Paul

    For email alerts, you can use IPS Manager Express: http://www.cisco.com/en/US/products/ps9610/index.html I think that it will manage up to 10 IPS sensors.

  • Upgrading Cisco IDS 4235

    Currently, we are running 5.1.3 sig 257. I know I'm behind and want to also include DST updates. If I upgrade to 5.1.4 or 5.1.5, what version do I need to be on to upgrade to these Service Packs? Is 5.1.3 S257 enough?

    Thank you

    Dwane

    You can go to 5.1(5); the minimum required for this upgrade is 5.0(1) for CLI and IDM users. This Service Pack includes the S272 signature update. With regard to IDS/IPS devices, it's always preferable to run the latest versions.

    Kind regards

    Maryse.

  • Options for managing Cisco IDS, please help

    I need to deploy two CSIDS network sensors now, with a possibility to add up to 20 more. I don't want to start by building a central CSIDS management system. I'd rather go with just the network sensors for the moment and manage them using the web interfaces. When I add more network sensors, can I build the central CSIDS management and get all the sensors to report to the central system? If so, what are my options? Are there aspects I need to know right now? Help, please. Thank you.

    It is very easy to add VMS to the installation. You do not have to re-image or re-install the sensors. On the sensor side, it only involves setting up the sensors to forward events to the VMS box. On the VMS side, it involves setting up the VMS box to receive events from and manage the sensors.

    If your IDS Event Viewer box is the same as your VMS box, then you will not need to make any changes on your sensors - in other words, assuming that the IP address and host name are the same for both boxes.

  • Detecting SQL injection with IDS/IPS on Cisco ASA?

    Hello

    Is it possible to detect or prevent SQL injection attacks using Cisco IDS/IPS on ASA or with regular expressions?

    Is any signature available in IDS/IPS for this? And how effective is it in terms of generating correct alarms?

    Thanks in advance

    Deepak,

    We have several signatures to detect generic SQL injection attacks in the family x-5930 of signatures.

  • Will IDS v4.1 software work on IPS-4200 appliances?

    I understand that the Cisco IPS 5.0 software will run on IDS-4200 series appliances (e.g. IDS-4235).

    Is the reverse true? Can I get Cisco IDS 4.1 to run on an IPS-4240 or an IPS-4255?

    Just curious, since I may be having to answer the question in-house soon...

    Thanks in advance,

    Alex Arndt

    Yes, the 4.1 software runs on the 4240/4255.

  • Network IDS Sensor: System and Recovery Images

    Ok.. on this page:

    http://www.Cisco.com/Kobayashi/SW-Center/ciscosecure/IDs/crypto/

    Objective: I want to burn an image from the "System and Recovery Images" rather than order a recovery CD for the IDS.

    Related questions:

    1. Is this possible, or must you order the recovery CD?

    2. I see that the files under 'System and Recovery Images' are in the tar.pkg format. Is this based on Linux or Solaris? Can I use Red Hat Linux to extract this file and then burn it to a CD?

    3. If so, does anyone know how to extract the file?

    -TKS.

    Answers:

    (1) No, you must order the recovery CD.

    (2) There are 2 types of files: System and Recovery.

    System Images (-sys-) are used only for installing sensors that support ROMMON (like the IDS-4215, IPS-4240 and IPS-4255). Sensors supporting ROMMON have no CD-ROM drives, so the image must be TFTP'd to the sensor through ROMMON.

    System Images are used for disaster recovery, where the compactflash/hard disk of the sensor has been severely damaged or a new blank compactflash/hard disk has been placed in the sensor.

    Recovery Images (-r-) update only the sensor's Recovery Partition. They must be installed from a running Application Partition. The .pkg is a special Cisco IDS application-specific extension. There are special methods for unpacking and installing the underlying files.

    In ordinary situations the user will continually update their sensor software by the normal upgrade process using major updates (-maj-), minor updates (-min-), Service Packs (-sp-) or Signature updates (-sig-).

    It is only where the Application Partition becomes corrupt that a user must boot to the Recovery Partition and load a new Application Partition.

    Most users will never update their Recovery Partition. Thus, users who purchased the IDS-4235, for example, with the 4.0(1) software will have a 4.0(1) Recovery Image. If they later upgraded to 4.1(1) and then experience corruption, they can always boot the Recovery Partition and reload 4.0(1). If they do not want to go back to 4.0(1), we provide a Recovery Image to update the Recovery Partition to 4.1(1).

    The only time a recovery CD is really necessary is when the user goes from 3.x to 4.x, because of the drastic change between the 2 versions, or if the Recovery Partition has also been damaged, or if you use a blank hard drive.

    (3) I don't think the Recovery or System Images contain the files needed to create a recovery CD. If I remember correctly, additional files were added to the recovery CD to make it bootable, which were not necessary in the System or Recovery Image since those were based on a sensor that was already running.

  • IDS Network Module

    Can someone tell me if the Cisco IDS network module (NM-CIDS) can capture VLAN traffic, or can it only capture the traffic passing through it? If it is possible, how can I do it?

    Hi Biao,

    The NM-CIDS module gets traffic on its sniffing interface from the router in which it is installed. The sensing interface is not connected to a switch to use a span configuration.

    You need to enable packet monitoring on the interfaces you want (including subinterfaces) on the router. You can select any number of interfaces or subinterfaces to monitor. The packets sent and received on these interfaces are passed to the NM-CIDS for inspection. Enabling and disabling of the interfaces is configured through the router CLI (Cisco IOS). So there is no way for you to capture the switch VLAN traffic.
