ibmas4002
asked on
IDS configuration
Dear All
I need some help configuring my IDS 4215 ver 4.0. I have a PIX in my network and a Cisco switch. I want to be able to capture all the traffic and worms in my network. Can someone help me by giving me the steps and commands to configure it?
Many thanks
ASKER
Thanks
but it can not find this command in my cisco switch 2950
???
Thanks
Have you tried going into the 'interface' configuration of the port connected to your IDS and looking for the 'port monitor' command?
ASKER
Yes, but I don't know why I cannot see this command.
ASKER
Dear crazynoodle
If I do not configure this command, will I be able to see the attacks?
Thanks
You need to have the traffic from the VLAN or port that you wish to monitor configured to be sent to the port that connects to the IDS. I guess you could always plug a hub in between the switch and the firewall and give that a shot, but then you can only watch that one segment. Do a 'show version' and a 'show config' on your switch and post here; that will help a lot.
Good luck
Regards,
~CN~
ASKER
Hello crazynoodle
I got it. I'm sorry, I was trying the monitor command from another directory.
Now I have the sensing connected to port 15 and I want to monitor all other ports, 1-14 and 16-18.
can you tell me the command for this?
Thank you
ASKER CERTIFIED SOLUTION
In any case, the gist of it is that you want to connect the promiscuous port of the IDS to a port on the switch. You then need to specify the source port of the network you wish to monitor. For example, say you have the inside interface of the PIX in VLAN 5: this would be your source, and the destination would be the port you connected the IDS to. Here is a cut and paste from something I found that will probably do a better job explaining the differences.
Directions
In CatOS, use the following syntax to establish a SPAN session:
set span (source port|source vlan) (destination port) (rx|tx|both)
For example:
set span 3/1 3/2 both
will mirror all traffic from 3/1 to 3/2.
Older workgroup switches follow this syntax:
interface fastethernet 1/5
port monitor 1/2 both
to mirror traffic from 1/2 to 1/5.
Newer IOS on workgroup switches use the monitor session command:
interface fastethernet 1/5
monitor session 1 source interface 1/2 both
or
monitor session 1 source vlan 100 both
Hope this helps a bit..
Regards,
~CN~
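For the setup described in this thread (a Catalyst 2950, the IDS sensing interface on port 15, ports 1-14 and 16-18 to be monitored), a SPAN session could look like the following. This is an added example, not part of any post above; the FastEthernet0/N interface names and an IOS release that accepts interface ranges in `monitor session` are assumptions. The commands are entered in global configuration mode, and the session needs a destination as well as its sources.

```cisco
! Added example, not from the original thread.
! Assumptions: interfaces are named FastEthernet0/<port>, and the IOS
! release supports "monitor session" with interface ranges.
configure terminal
 ! Clear any earlier definition of session 1
 no monitor session 1
 ! Sources: every port except the sensor port.
 ! A space is required before and after the hyphen in a range.
 monitor session 1 source interface FastEthernet0/1 - 14 both
 monitor session 1 source interface FastEthernet0/16 - 18 both
 ! Destination: port 15, where the IDS sensing interface is connected
 monitor session 1 destination interface FastEthernet0/15
 end
! Confirm the source and destination ports of the session
show monitor session 1
```

Mirroring many ports in both directions onto a single destination port can exceed that port's bandwidth, in which case the switch drops mirrored frames and the sensor sees only part of the traffic.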