New to IDS 4235

Hello

Can someone tell me how to access the console of the IDS 4235?

My IDS only shows

ttya login:

and I'm unable to type anything on this prompt.

You will need to download the recovery CD ISO image file from cisco.com.

Then use a CD burner to create a recovery CD from this ISO file.

Put the CD in your sensor and reboot.

It should reboot from the CD and load a new image on the sensor.

http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=6.0%285%29E3&mdfid=277026258&sftType=Intrusion+Prevention+System+%28IPS%29+System+Software&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+IDS+4235+Sensor&treeMdfId=278875311&treeName=Intrusion+Prevention+System+%28IPS%29&modifmdfid=null&imname=&hybrid=Y&imst=N&lr=Y

Tags: Cisco Security

Similar Questions

  • Memory and the use of the disc on my IDS 4235 sensor & 4250.

    My IDS sensor shows memory usage of 99%, and the hard drive is already at 5 of the 15 Gig. Here is the output of "show ver".

    Using 398913536 out of 1980493824 bytes of available memory (99% usage)

    Using 5 out of 15 bytes of available disk space (66% usage)

    - Only the medium and high severity signatures are enabled. Why is the sensor using this much memory?

    - Does the IDS sensor have a database that stores the logs, which would account for the used hard drive space? (Considering that it is managed by IDM.)

    - Or is there any other reason why the hard drive is this full, given that the drive is new and the operating time is 2 months?

    - Is it the signature update files that took up this large space on the hard drive?

    I hope someone can give me an idea why this is so.

    As I said earlier, there is not a problem with the disk space usage. The memory usage bug is fixed in the 5.X product, not 4.X. However, there are some good bug fixes in the 4.1(4g) engineering patch.

    The real memory usage can be determined from the service account by entering the following command:

    bash-2.05$ free
                 total       used       free     shared    buffers     cached
    Mem:       1934076    1424896     509180          0      18284    1214536
    -/+ buffers/cache:     192076    1742000
    Swap:       522072          0     522072

    The "Mem:" line, "used" column, is the amount of memory (in kilobytes) that the "show version" command reports. However, this total includes the "cached" amount.

    So in the example above, the actual memory used is (1424896-1214536), or 210360 KB. It is (210360 / 1934076 * 100), or 10.9% of total memory.

  • Upgrading IDSM2 and IDS 4235

    I have 12 IDSM2 and 4 IDS 4235 managed through VMS. I configured the automatic download of signature updates, but I noticed that S189 was missed.

    Is it possible to apply the latest Service Pack 4.1.5 through VMS? If so, should I just upload the file to the correct directory and apply it as a normal signature update, or what method should I use? I need to centrally manage the update process because my IDS systems are all landlocked.

    Thanks for your help,

    Chiara

    VMS has the ability to push updates to the sensor. Updates include service packs, minor versions and signature updates. You're right in that VMS uses .zip files to update the sensors. If you use the .pkg file, VMS will error out when pushing it to the sensor.

    Thank you

  • Server requirements for IDS 4235

    I have a total of four IDS units to run on a Cisco Works server. The software documentation recommends a minimum of 1 gig of memory and a 1 gig processor. What would be the preferred hardware configuration for this setup?

    Thank you

    It is not too heavy a requirement with that few devices. A current desktop-class system should suit you. A server-class box gets you redundancy, which is nice, and newer systems are not too expensive. My installation is running on a Dell Precision 340 and that's fine.

    A current 1.x or 2.x G processor model with 1 GB and enough disk space to hold VMS and logging (maybe 20 GB free space?).

    It can be quite CPU and disk intensive when you are working. You can consider a good overview application or a mirror for DR purposes, simply because of all the configurations you would need to rebuild VMS.

  • New connection IDS MC

    I configured the new 4235 and tried to access it through a web browser, but I get the "Cannot display Page" error. Any suggestions?

    I had the same problem on my IDS4235. Make sure that the last byte of the network mask is that of the PC you want to access the IDS from.

    I.e. 192.x.x.101 255.255.255.101

  • Upgrading Cisco IDS 4235

    Currently, we are running 5.1.3 sig 257. I know I'm behind and want to also include DST updates. If I switch to 5.1.4 or 5.1.5, what version will I need to be on to upgrade to these Service Packs? Is 5.1.3 S257 enough?

    Thank you

    Dwane

    You can go to 5.1(5). The minimum required for this upgrade is 5.0(1) for CLI and IDM users. This Service Pack includes the S272 signature update. With regard to IDS/IPS devices, it's always preferable to run the latest versions.

    Kind regards

    Maryse.

  • IDS 4235 version does not match the Event Viewer

    Hello

    I have an IDS with 3.1(3)S37 and the IDS Event Viewer 3.1(1)S37.

    I upgraded the IDS to version 3.1(3)S39 but, after downloading the IDS EV and respective signatures, the IDS EV kept the last version 1.0000 S37. I didn't sign up for the latest version of signatures S39 (3.1(1)S39).

    Can someone help explain this?

    S39 was an emergency update. In order to get it out as quickly as possible, the IEV update was not included.

    This will be fixed with the S40 update.

  • Templates and new CSS IDs

    I am relatively new to web design, so this may be very simple, but I'm having a lot of trouble.

    I'm creating a Web site for a magazine. I made a template with a container, header, navbar, body and footer using CSS layouts, and then I made the content of the body div an editable region. My understanding is that the <head> section is editable by default, but I can't make new CSS rules (for example #container #body p), and I can't change the title (so each page displays "maintemplate" unless I change it in the template itself, after which it will always be the same for all pages). Do I have to do something to make the head an editable region, or should I set all my possible CSS rules in the template?

    Any help is greatly appreciated.

    It is the sign of a bad template.

    Do this:

    Create a new page (basic HTML).
    Use FILE | Save as Template...
    Look at the code in the head region of the page, in particular the editable region around the <title> tag and the other editable region in the head called 'head'.
    Make your template look like that file.

    Always use FILE | Save as Template when you create your templates and you won't have this problem again.

    --
    Murray - ICQ 71997575
    Adobe Community Expert

  • Network IDS Sensor - System and Recovery Images

    Ok.. on this page:

    http://www.Cisco.com/Kobayashi/SW-Center/ciscosecure/IDs/crypto/

    Objective: I want to burn an image from the "System and Recovery Images" rather than order a recovery CD for the IDS.

    Questions:

    1. Is this possible, or must you order the recovery CD?

    2. I see that the files under 'System and Recovery Images' are in the format tar.pkg. Is this based on Linux or Solaris? Can I use Red Hat Linux to extract this file and then burn it to a CD?

    3. If so, does anyone know how to extract the file?

    -TKS.

    Answers:

    (1) No, you must order the recovery CD.

    (2) There are 2 types of files: System and Recovery.

    The System Images (-sys-) are used only for the installation of sensors that support ROMMON (like the IDS-4215, IPS-4240 and IPS-4255). The sensors supporting ROMMON have no CDROM drives, and so the image must be tftp'd to the sensor through ROMMON.

    System Images are used for disaster recovery where the compactflash/hard disk of the sensor has been severely damaged or a new blank compactflash/hard disk was placed in the sensor.

    Recovery (-r-) Images update only the sensor's Recovery Partition. They must be installed from a running Application Partition. The .pkg is a special Cisco IDS application-specific extension. There are special methods for unpacking and installing the underlying files.

    In ordinary situations the user will continually upgrade their sensor software through the normal upgrade process using major updates (-maj-), minor updates (-min-), Service Packs (-sp-) or Signature updates (-sig-).

    It is only when the effective Partition becomes corrupt that a user would ever need to boot to the Recovery Partition and load a new Application Partition.

    Most users will never update their Recovery Partition. Thus, users who purchased the IDS-4235, for example, with the 4.0(1) software will have a 4.0(1) Recovery Image. If they later upgraded to 4.1(1) and experience corruption, then they can always boot the Recovery Partition and reload 4.0(1). If they do not want to go back to 4.0(1), we provide a Recovery Image to update the Recovery Partition to 4.1(1).

    The only time a recovery CD is really necessary is when the user goes from 3.x to 4.x, because of the drastic change between the 2 versions, or if the Recovery Partition has also been damaged, or if you use a blank hard drive.

    (3) I don't think the Recovery or System Images contain the files needed to create a recovery CD. If I remember correctly, additional files were added to the recovery CD to make it bootable, which were not necessary in the System or Recovery Image since those were based on a sensor that was already running.

  • Installation of IDS OS on hard disc

    I have an IDS 4230 FE and downloaded the following Cisco software: IDS-42XX-K9-r-1.2-a-4.1-1-S47.tar.pkg, but I am unable to install this on my IDS sensor. Does anyone know how?

    This package will not install on a blank hard drive. It can only be used to upgrade an existing recovery partition from a running application partition.

    You will need a recovery CD and will have to boot from the CD.

    To get a CD you would need an active Cisco Service for IPS maintenance contract on the sensor, and then you can order the recovery CD for $0.

    Understand that the IDS-4230 is not supported with version 5.0 and higher versions of IPS. It is supported only with IDS 4.1, and is no longer supported for new IDS 4.1 Signature updates.

    I'm not sure it's worth spending your time to get an IDS version 4.1 image running on your IDS-4230 sensor.

    Just make sure it is an IDS-4230 and not an IDS-4235. The IDS-4235 is more recent and is still supported and still receives signature updates.

    You would still, however, need a current Cisco Service for IPS maintenance contract on the sensor to obtain the latest updates for the sensor.

  • Adding the 4FE interface expansion card to a 4235 - requirements, caveats?

    I'm running version 4.1(1)S48 on a 4235 sensor.

    I want to monitor two separate subnets in the DMZ with one sensor. 4.1 supports multiple promiscuous interfaces, and it seems that adding the 4FE interface card would support this well. Bandwidth is not really a concern; these are not heavily used T-1 connections.

    My questions are related to the impact on the sensor. Will there be additional memory/CPU requirements from adding more monitoring interfaces? I noticed that there also seems to be a new memory add-on available for sensors; I was wondering if this is related?

    From a configuration point of view, I assume that, for the moment, the same signature settings will be applied to all virtual sensors (a virtual sensor being equivalent to a physical sensing interface)? That is fine for the current application, but I wonder if different signature settings per virtual sensor will be supported in the future?

    Any caveats, gotchas, etc. that you can share on deploying multiple sensing interfaces would be appreciated.

    Thank you

    Chad

    Gotchas to keep in mind:

    The 4FE card has four 10/100 ports. The standard onboard sniffing port is a 10/100/1000. So be aware of the 100 Mbps limit on the 4FE's 10/100 ports.

    Since you are dealing with only T1 lines, that won't be a problem for you.

    The performance of the IDS-4235 is based on the total bandwidth of all interfaces combined.

    If I remember correctly the IDS-4235 performance rating is about 250 Mbps.

    So let's say that you plug in 3 interfaces of the 4FE; those 3 interfaces could send up to 300 Mbps of traffic and overwhelm the sensor's performance.

    It could be worse if we consider the onboard 1000 Mbps port. So, theoretically, with all 4 FE ports plugged in and the onboard sniffing port plugged in as well, you could send 1.4 Gbps of traffic to this 250 Mbps sensor and seriously overwhelm it.

    In your case, connecting only 2 ports limits you to a total maximum rate of 200 Mbps (even lower, given that you have T1 connections), so it will not be a problem for you with the 4235's 250 Mbps performance.

    With regard to additional CPU/memory: there is no additional CPU or memory available for the 4235. The additional memory was only for the older 4210 and 4220 models.

    You do not need it anyway. The 250 Mbps performance is based on the provided memory and CPU regardless of the number of interfaces, since it is overall performance and not per-interface performance.

    When version 4.1 is loaded with the 4FE, each of the interfaces is usually assigned to "interface group 0" and is off (shutdown) by default. You should make sure that the interfaces you are using are indeed assigned to "interface group 0" and then enable the interfaces that you want to use (no shutdown).

    You are right to assume that version 4.1 supports a single virtual sensor (a single set of signature configurations), which is applied to all interfaces.

    Indeed, the virtual sensor is applied to "interface group 0" and all interfaces are placed in group 0. Only group 0 is currently supported, since only a single virtual sensor is currently supported.

    Support for multiple virtual sensors / groups is planned for a future release (could not begin to speculate when that can happen).

    Since a single virtual sensor is used, it is sometimes confusing to determine on which interface things occurred.

    Each event lists the interface on which the packet that triggered the alert was detected. So, for example, with a ping sweep of hosts, the first 4 pings may be seen on one interface but the 5th ping, which triggers the alert, may be seen on the second interface; this results in the second interface being listed in the alert.

    Marco

  • Will IDS v4.1 software work on IPS-4200 appliances?

    I understand that the Cisco IPS 5.0 software will run on IDS-4200 series devices (e.g. IDS-4235).

    Is the reverse true? Can I get Cisco IDS 4.1 to run on an IPS-4240 or an IPS-4255?

    Just curious, since I may have to answer the question in house soon...

    Thanks in advance,

    Alex Arndt

    Yes, the 4.1 software runs on the 4240/4255.

  • Deploying Cisco IDS 42xx appliances with network taps

    Hi all

    Does anyone have experience deploying IDS 42xx (4235 and 4215) appliances with network taps (e.g. Finisar UTP IT Tap/1)? I deployed several of the IDS appliances a few months back using Finisar taps, and thought that it worked fine, until I discovered that I am capturing only one side of the traffic, due to the nature of the taps! It seems that I need to put another network card in the IDS appliance (a Cisco 4235), but is that possible? Is there a way I can turn on channel bonding or Etherchannel on the 4235?

    The last option, I think, if the ideas above are not possible, is to put in another switch and mirror the two ports from the tap, but that doesn't look good for the final cost...

    Suggestions are most welcomed!

    Thank you

    Kian Wei

    Monitoring network taps with a Cisco IDS device is not officially supported by Cisco.

    That said, however, several customers have successfully deployed with taps.

    Taps, as you've seen, have 2 outputs.

    If a tap is placed on the connection between machines A and B, one of the outputs will be for traffic from A to B, and the other will be for traffic from B to A.

    To monitor the tap, the sensor will need to see both outputs.

    You could do this by connecting the tap to a switch and then spanning the 2 ports to the IDS sensor's monitoring port.

    Or you may be able to use a second interface on the sensor itself.

    The IDS-4235, IDS-4250 and IDS-4215 can be upgraded with a 4-port 10/100 card, for a total of 5 sniffing ports.

    If the connection you are tapping is a 10 Mb or 100 Mb connection, then purchase the 4-port 10/100 card for the sensor and connect the 2 tap outputs to 2 of the ports on the network card.

    NOTE: The sensor combines incoming packets on all interfaces and treats them as if they are part of the same network.

    You just need to place all interfaces in 'Group 0' and set 'no shutdown' on each sniffing interface.

    Here is the part number for the 4-port 10/100 card:

    IDS-4FE-INT=

    Refer to the installation guide for more information on how to install the card and to configure the sensor:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids10/hwguide/index.htm

    Now, if what you are tapping is a 1 Gig copper or fiber optic connection, then you will need to buy a switch to combine the 2 outputs from the tap and span them to the sensor's sniffing port.

    Cisco currently offers no additional copper Gig cards.

    Cisco offers a single-port Gig fiber (SX) card for the IDS-4250, but does not support placing 2 of these cards in the sensor.

    Cisco also offers a dual-port fiber Gig card, known as the XL card. The XL card has hardware acceleration for monitoring at the faster speeds. However, the XL card does not currently work with taps.

    So if tapping a 10/100 connection, try the 4-port 10/100 card, but if tapping a Gig connection, you will need a switch to aggregate the 2 outputs.

    What some users have also done is to just use the switch and not bother with the tap.

    They connect machine A to the switch and machine B to the switch, then span the traffic to the sensor's port.

  • Does the IDS sensor drop attack packets?

    I deployed 3 IDS sensors (4235) in my network. I have some questions I am unsure about:

    (a) Does the IDS sensor drop any packet that it detects as an attack?

    (b) When I connect to the IDS sensor's web-based administration page, I see something like 'items Signature: 1058 - deleted: 2644239' under the sensing interface statistics. What does this mean?

    (c) How do I configure blocking via a router ACL? Is a guide available on the net?

    Hello

    (a) The IDS does not drop any packets. On detection of an attack packet (signature), it can initiate the ACTION that has been configured for this signature, for example block, reset, log. In case of block or reset, the IDS will configure an ACL on the blocking device in order to stop these packets from the host.

    But in all this, the IDS does not drop any packets. It always keeps looking at / sniffing all the packets.

    (b) This means that since the system has been up, it has deleted (expired or completed inspection on) 2644239 objects, and there are currently 1058 signature objects active in the database. It does not really mean much to you, and really only helps the development engineers with support on the sensors.

    (c) What management platform are you using, and what IDS version?

    If you are using VMS for management:

    http://www.Cisco.com/univercd/CC/TD/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/idsmc11/UG/CH05.htm

    If IDM/IEV 4.0, then go to the URL below:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids9/idmiev/swchap3.htm#593299

    If IDM/IEV 3.x, then the one below:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid49

    Thank you

    Christophe

  • Adding new SAN storage to ESX 4.1 - same LUN IDs

    I got 6 new Hitachi SAN LUNs at 500 GB apiece to add to my ESX 4.1 cluster.  The new LUNs have LUN IDs that already exist in the cluster.  In other words, the new LUN IDs are 0, 1, 2, 3, 4, 5. I already have these LUN IDs in the cluster.  They range from LUN0 to LUN48.  Is it OK to add those LUNs with the same IDs?  Or should they be LUNs 49-54?

    Thank you.

    In your case, it looks like the existing LUNs and the newly mapped LUNs are on different arrays.

    There should not be any problem because the naa IDs would be different, but it's good to have different LUN IDs since we usually refer to the LUN as vmhba C0:T0:L0.
