Solved

IDS configuration

Posted on 2004-08-21
8
472 Views
Last Modified: 2006-11-17
Dear All

I need some help in configuring my IDS 4215 ver 4.0, i have PIX in my network and cisco switch, i want to be able capture all the traffic and worms in my network, can some one help me by giving me the steps and commands to configure it.


Many thanks
0
Comment
Question by:ibmas4002
  • 4
  • 4
8 Comments
 
LVL 1

Expert Comment

by:crazynoodle
ID: 11865308
What kind of switch and what is it running IOS or Catalyst OS?  It is either going to be a span command in Cat OS or Monitor command in IOS.

In any case the gist of it is that you want to connect the promiscuous port of the IDS to a port on the switch.  You then need to specify the source port of the network you wish to monitor.  For example say you have the inside interface of the Pix in Vlan 5 - this would be your source and the destination would be the port you connected the IDS to...  Here is a cut and paste from something I found that will probably does a better job explaining the differences.

Directions
In CatOS, use the following syntax to establish a SPAN session:

set span (source port|source vlan) (destination port) (rx|tx|both)

For example:

set span 3/1 3/2 both
will mirror all traffic from 3/1 to 3/2.

Older workgroup switches follow this syntax:
interface fastethernet 1/5
port monitor 1/2 both
to mirror traffic from 1/2 to 1/5.

Newer IOS on workgroup switches use the monitor session command:
interface fastethernet 1/5
monitor session 1 source interface 1/2 both
or
monitor session 1 source vlan 100 both

Hope this helps a bit..

Regards,

~CN~


0
 
LVL 2

Author Comment

by:ibmas4002
ID: 11865489
Thanks
but it can not find this command in my cisco switch 2950


???

Thanks
0
 
LVL 1

Expert Comment

by:crazynoodle
ID: 11865655
Have tried going into the 'interface' configuration of the port connected to your IDS and looking for the 'port monitor' command?
0
 
LVL 2

Author Comment

by:ibmas4002
ID: 11870150
Yes , but I dont know hy i can not see this command.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 2

Author Comment

by:ibmas4002
ID: 11873219
Dear  crazynoodle

if i will not configure this command, do i will be able to see the attacks

Thanks
0
 
LVL 1

Expert Comment

by:crazynoodle
ID: 11876317
You need to have the traffic from the vlan or port that you wish to be monitored configured to be sent to the port that connects to the IDS..   I guess you could always plug a hub in between the Switch and the firewall and give that a shot..   But then you can only watch that one segment..   Do a 'show version'  and a show config  on your switch and post here.. that will help alot.

Good luck

Regards,
~CN~
0
 
LVL 2

Author Comment

by:ibmas4002
ID: 11883802
Hello  crazynoodle

I got it Im sorry i was trying the monitor command from other directory ..

now i have the sesning connected to port 15 and i want to monitor all other ports 1-14 16-18

can you tell me the command for this?

Thank you


0
 
LVL 1

Accepted Solution

by:
crazynoodle earned 250 total points
ID: 11888937
Hello..

Do you have vlans set up on this switch.. and if you do are ports 1-14 in a Vlan?   It would make sense to configure the source as a vlan that encompasses a group of ports..  

Try this link to the configuration commands
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swspan.htm#1036816

again if you post the configuration ( and mark out any real ip addresses) we can nail this down..  this may work

Switch(config)# monitor session 1 source interface FastEthernet 0/1 - 14, FastEthernet 0/16 - 18

Switch(config)# monitor session 1 destination interface FastEthernet 0/15

You need to read up about oversubscribing a destination port and regarding the direction to monitor. By not specifying a direction tx or rx - the default is both.

Good luck
~CN~

0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now