Configuring IDSM-2 Promiscuous Mode with MLS IP IDS

Similar Messages

• Configuring IDSM in promiscuous mode?

  Hello,
  I have two switch catalyst 6500 in VSS each with a IDSM module, I want monitor four VLANs three of them are vlans of users and one of servers, I am planning use VACLs to capture the traffic.
  My first quetion is how to configure the data ports of IDSM in promiscuous mode, if in the configuration guide say that by default the data ports are in promiscuous mode, so that means that I don't have to make any configuration in the data ports of IDSM?
  Second, if I have two switches 6500 in vss each with a IDSM module, I have to consider other configurations for this situation?
  The configuration of VACL that I will put is:
  ip access-list extended ACL_IPS
    permit ip any any
  vlan access-map VACL_IPS 10
    match ip address ACL_IPS
    action forward
  vlan filter VACL_IPS vlan-list 30 , 40 , 50 , 100
  intrusion-detection switch 1 module 4 data-port 1 capture allowed-vlan 30,40,50,100
  intrusion-detection switch 1 module 4 data-port 1 capture
  intrusion-detection switch 1 module 4 data-port 1 autostate include
  intrusion-detection switch 2 module 4 data-port 1 capture allowed-vlan 30,40,50,100
  intrusion-detection switch 2 module 4 data-port 1 capture
  intrusion-detection switch 2 module 4 data-port 1 autostate include
  Thanks for the help.

  The IDSM doesn;t need any special commands to inspect traffic in Promiscious mode.
  You'll want to put your IDSM management interfaces on a VLAN to talk with them:
  intrusion-detection module 4 management-port access-vlan 99
  Use the "forward capture" switch:
  vlan access-map VACL_IPS 10
    match ip address ACL_IPS
    action forward capture
  Get rid of the spaces between your VLAN numbers
  vlan filter VACL_IPS vlan-list 30,40,50,100
  If you put two IDSMs in teh same chassis you'll need to decide how to split traffic between them. You can assign different VLANs to each IDSM.
  - Bob

• IDSM-2 - Promiscuous Mode

  I would like my IDSM-2 to run in a Promiscuous Mode ( and not INLINE mode)
  How can i configure it so that it works on the - " Block Nothing,Monitor Everything" principle.
  I need the blade to "Never" block the upstream devices like routers and Firewalls.
  By the way,how will the IDSM running in Promiscuous Mode even "know" of upstream routers and other network devices.
  Thanks !!!

  Hi,
  You can find how to configure IDSM-2 to run promiscuous mode here.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1030752
  From there, you can find IOS vs. CatOS configuration as well as SPAN vs. VACL.
  Once that is done, you can find configuration guide here regarding IPS software. I will list both CLI and IDM in case you prefer one over the other...
  CLI -
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1033699
  IDM -
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf4c2.html#wp1031960
  In promiscuous mode, unless you configure blocking with blocking device, it will never block anything by default. Even with blocking, you can configure never-block addresses.
  CLI -
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df77.html#wp1031471
  IDM -
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804d1374.html#wp1037905
  IDSM will not know about which is what (upstream routers and other network devices) unless you specify them in 'never block' or 'blocking devices'
  Thank you.
  Edward

• How to best use IDSM in promiscuous mode?

  Hi folks
  I need some input and ideas how to best set up my IDSM2 module.
  Today I have the module set up to capture traffic from the 6513 using SPAN in both directions and two different firewalled VLANs as sources. The destination is data-port 1 on the IDSM. This setup is working fine but I'm curious as how to best use the second data-port. Our 6513 runs IOS 12.2(18)SXF3 and has a limit of only one SPAN session set up to capture an entire VLAN in both directions.
  My idea was to use the second data-port as SPAN destination for our external/non-firewalled VLAN, but this isn't allowed.
  Does anyone have or had a similar problem? Would using a VLAN access list with data-port 2 as destination be an option or are the dual IDSM interfaces mainly used for inline mode?
  Regards
  Fredrik Hofgren

  Fredrik,
  I am using VACLs in the switch that has the IDSM. This will preserve your SPAN sessions.
  You can specify which vlans go to which port on the IDSM.
  We actually have our external vlan set up as an inline vlan pair on data port 2.

• How to configure AS5400 for signaling mode with PGW2200

  we are currently using PGW2200 in call mode that is sip call are handled by
  PGW2200 & AS5400 is connected to PSTN via E1 i need to know can i directly terminate H.323 csll on gatways as PGW2200 will be connectes to PSTN using ss7 . what config need to be done,
  regards

  The Cisco PGW 2200 is designed to provide maximum support for different IP network architectures. This flexibility helps enable the Cisco PGW 2200 to provide an SS7 interconnect for H.323- or SIP-based networks where the call control resides in the Cisco AS5000 Voice Gateways (signaling mode), or it can provide intelligent call control and routing functions for MGCP-based voice gateways (call control mode) while concurrently providing an H.323 or SIP interface for maximum flexibility and interoperability.
  The following PSTN gateway applications are enabled by the Cisco PGW 2200:
  Voice-over-IP (VoIP) transit
  Primary Rate Interface (PRI) Grooming and Time-Division Multiplexing (TDM) Offload
  SIP PSTN gateway
  H.323 PSTN gateway
  Enterprise Services (Hosted Voice and Call Center)

• Configuring 4255 sensor in promiscuous mode

  I have a 4255 with 3 interfaces that connect to a 6500 series switch. The IPS interfaces are set to promiscuous mode with a defualt vlan specified.
  On the switch side, I would like to send the traffic from more than one vlan to the sensor GE interfaces. What is the best way to do this?
  Do I set up a monitor session on the switch with a source of multiple vlans, then set the destination as one of the sensor ports?
  I also see the option to do a switchport capture.
  Any advice would be great

  You want to do a VACL capture on the 6500:
  http://www.cisco.com/c/en/us/support/docs/lan-switching/vlan-access-lists-vacls/89962-vacl-capture.html
  monitor session 50 source vlan 100 , 200
  monitor session 50 destination interface Fa3/30

• ASA 5510 context base configuration in HA Mode with two different subnet

  Hi
  Please someone help me to configure the Firewall ASA 5510 in context based configuration in HA Mode with two different subnet....
  IP Details are below.....:
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 10.10.10.2 255.255.255.0 standby 10.10.10.3
  interface Ethernet0/1
  no nameif
  security-level 0
  no ip address
  interface Ethernet0/1.101
  description INSIDE1
  vlan 101
  nameif INSIDE1
  security-level 90
  ip address 172.22.0.2 255.255.255.0 standby 172.22.0.3
  interface Ethernet0/1.102
  description INSIDE2
  vlan 102
  nameif INSIDE2
  security-level 80
  ip address 172.22.1.2 255.255.255.0 standby 172.22.1.3
  interface Ethernet0/3
  description LAN Failover Interface
  failover
  failover lan unit primary
  failover lan interface FAILOVER Ethernet0/3
  failover replication http
  failover interface ip FAILOVER 192.168.3.1 255.255.255.0 standby 192.168.3.2
  route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

  Hi Sanjeev,
  If it is a context based configuration  that you are doing then, you would need to configure context on the ASA first, you can refer to this document for it:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
  Thanks,
  Varun Rao
  Security Team,
  Cisco TAC

• Basic configuration IDSM-2

  Hello,
  I have some experience with sensors but this is my first time configuring a C6500 with IDSM-2, and I have some design questions. The first question is this: can I mix the use of VACL and SPAN to capture traffic in the same configuration?
  Customer is actually using VACL to capture traffic from some machines, but he now wants to monitor all the traffic that comes from and external partner through a VPN concentrator, so I assume for this case I should use SPAN to monitor the VPN's port: am I right?
  The config that the customer has is more or less the following:
  intrusion-detection module 1 data-port 1 capture intrusion-detection module 1 data-port 1 capture allowed-vlan 1 intrusion-detection module 1 data-port 2 capture allowed-vlan 1
  vlan access-map ids 10
  match ip address in
  action forward capture
  vlan access-map ids 20
  match ip address out
  action forward
  vlan filter ids vlan-list 1
  ip access-list extended in
  permit ip any host 192.168.1.1
  permit ip host 192.168.1.1 any
  ip access-list extended out
  permit ip any any
  If I want to use SPAN, which is the limitation in the number of source ports I can put in the "monitor session" command?
  Should I send this "span" traffic to the sensing interface 8 (data-port 2) or can I still sending it to the data-port 1 (sensing interface 7)?
  Why there are two sensing interfaces?
  Thanks in advance...
  Ruben

  Does it mean that I can only monitor completely (both directions)one port per monitoring session?
  Correct.
  Also, if I'm using data port 1 with VACL and data port 2 as destination for "monitor session 1", I suppose I cannot also use data port 2 as destination for "monitor session 2".
  An IDSM-2 Data Port can be the destination port for only a single monitor session.
  If this is true, this means that I can only monitor simultaneously rx and tx in a source port per catalyst box running this image.: am I right?
  Correct
  Does it makes sense to monitor only rx direction for ports connecting with FWs, VPNs and WAN routers or we should monitor both ways?
  If you are going to use port span, then you really need to monitor both tx+rx. The promiscuous sensor can be configured to work when monitoring just a single direction (like just rx), but the sensor will be prone to false positives and false negatives. The sensor really needs to see both directions of TCP connections in order to properly monitor them. To monitor single direction you configure the TCP Reassembly mode to be "asym" which is short for asymmetric. It is generally only used when the sensor is deployed in a network with asymmetric routes.
  I have noticed that in this case we cannot do what customers wants unless we upgrade customer's IOS to 12.2(18)SXE or later... With these new IOS is possible to have 128 tx or both sources!
  I haven't read the Span notes on the latest IOS releases. I am glad to hear that the number of both sources has been increased per session.
  Alternatives:
  The alternative to using "both" span on a port basis is to use an "rx" vlan span.
  But you have to be very carefull with "rx" spans.
  If the vlan is strictly layer 2 (no ip address assigned to the switch for that vlan), then an "rx" span for the vlan will work well. All traffic coming IN from a firewall will be seen as "rx" packets on the firewall port. All traffic going OUT to the firewall will be seen as "rx" packets from the other switch port where they are entering the vlan. So all packets IN and OUT of the firewall would be seen.
  BUT if the switch itself Does have an IP Address on that vlan, and the switch routes between that vlan and other vlans, then this is no longer true.
  The span works well on physical ports, but the switches IP Address is on a Virtual Interface in the vlan. This Virtual Interface does not play well with span in my past experience. The switch has a feature known as MLS (Multi-Layer Switching), The first packets for a TCP connection (the SYN and SYN ACK) are sent through the Virtual Interface for routing. An "rx" vlan span DOES catch these first packets coming from a Virtual Interface. BUT additional packets are affected by MLS. Instead of routing the packets through the Virtual Interface, the MLS kicks in and the packets are Switched in Hardware to the other vlan, and the packet never actually goes through the Virtual Interface. So the packet will NOT be seen by the "rx" span of the vlan.
  Most users DO use the switch for routing, and so my recommendation is generally to use both tx+rx with Port Span to get the traffic. BUT if you are NOT routing, then the alternative "rx" span on the Vlan will work as well.

• Does the apple thunderbolt to ethernet dongle support promiscuous mode ?

  Does the apple thunderbolt to ethernet dongle support promiscuous mode ?
  I need to use the new Retina MBP as a professional laptop for work, and I need to use Etherreal. Etherreal needs the Ethernet card/dongle/chip to run in Promiscuous mode. I have heard that unblivably the thunderbolt Ethernet dongle does not support this, if so then the laptop will not pick all the packets on the wire... is this true ?
  Regs Mark.

  Hi Clinton,
  Thanks for your reply, However the promiscuous mode function that I am after is a function of the Ethernet NIC hardware and driver not just the OS.
  Wireshark allows the user to put network interface controllers that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic.
  Anyone out there actually used/tested the thunderbolt Ethernet adapter to sniff traffic with wireshark (Ethereal), can you please  if it can run in promiscuous mode ?
  Thanks.

• Running in 64 bit mode with the 32 bit Oracle client installed

  I have seen many postings on this issue but none of the suggested solutions have helped me.
  I am running visual studio 2010 professional with SP1 on windows 7 64 bit machine. When I try to run a web service locally and call it with SoapUI, I get the following error message during OracleConnection.Open().
  Attempt to load Oracle client libraries threw BadImageFormatException. This problem will occur when running in 64 bit mode with the 32 bit Oracle client components installed.
  I have tried setting up the build configuration and the project settings to target 32 bit but that has not helped. I have also tried removing the reference to System.Data.OracleClient that shows being under Program Files (x86) and add a new reference to the dll under GAC_64. That too did not work.
  I only have the 64 bit client installed on my machine.
  Any help will be appreciated.
  Thank you

  1. Visual Studio any version is 32 bit ONLY irrespective of hardware or OS bits.  So to DEVELOP with Oracle Client you MUST install 32 bit Oracle ODAC components. Task manager will show devenv.exe *32 (to confirm 32 bit Visual Studio application).
  2. You can run your web application inside IIS/IIS Express in your PC which independently can be either 32bit or 64bit.  If it is 64 bit, you MUST also install 64 bit Oracle ODAC components which means you'll have to install both 32bit and 64bit in your 64 bit Win7 running on 64bit hardware.
  3. In Visual Studio if you compile with "AnyCPU" as target, the resultant binaries (Web/NonWeb) can be both 32bit or 64bit.  So if target PC is "AnyCPU" or "x64", you MUST install Oracle ODAC 64 bit in the target OS if that target OS is 64bit.  You don't have to install 32bit ODAC in the target PC.
  4. One more catch to above scenario is the target OS could be 64bit simulated OS on a 32bit hardware. In such case you MUST install both 32bit and 64bit ODAC components.
  So while you ask your network team to download ODP.NET/ODAC Components make sure you ask them to download both 32bit and 64bit. Total nearly 600MB.
  Hope this helps many people out there.

• Slow file browsing in MED-V / XP Mode with NAT and DFS

  Note, for the purposes of this question, this issue is with the Windows Virtual PC / XP Mode integration portion of MED-V so is not MED-V specific.
  We are in the process of deploying hundreds of MED-V instances to Windows 7 PCs to support legacy applications until they are replaced with versions that are compatible with Windows 7.  Due to security concerns and our network infrastructure configuration,
  we are required to use "Shared Networking (NAT)" mode for the Windows XP virtual machines.  Our network drives are mapped to DFS shares.  Depending on the site and drive mappings of a user, when opening or saving a file in an application,
  it can take several minutes to browse to the target directory, even if it's not on a DFS share.  Occasionally, it takes so long that the RemoteApp window hangs and disappears, even though the application is still running in the Windows XP VM.
  Running network traces in the VM, I can see that Windows XP tries to "ping" all of the DFS targets whenever the network drives are enumerated, such as when clicking on My Computer.  It waits for responses, then eventually times out. 
  From what I understand, this is the way that Windows XP determines which DFS target link is the fastest.  Unfortunately, since vpc.exe does not run with admin rights in Windows 7, ICMP (ping sends ICMP ECHO REQUESTS) is blocked by the NAT
  between the VM and the Windows 7 host.  (This is why you cannot ping other PCs on the network from within the Windows XP VM when using NAT.)  Therefore, the long wait times happen while XP waits for the replies that never come.
  To verify that this is indeed the problem, I started vpc.exe with admin rights, then started the MED-V Workspace.  I could ping other computers now from within XP and browsing took seconds instead of minutes.  However, our users will not have admin
  rights in Windows 7 so this is not an option for them.  I also tested in bridged mode instead of Shared Networking mode with the same positive results.  However, this is also not an option in our environment.
  Any solutions or recommendations will be greatly appreciated.
  Thank you in advance,
  Victor S.
  Victor S. - Sogeti USA

  Hi,
  I would do some research on this issue.
  And I would update as soon as possible.
  If you have any feedback on our support, please click
  here
  Alex Zhao
  TechNet Community Support

• Booting into 64bit mode with Mac Pro 2009

  I am trying to boot into 64bit mode with a 2009 Mac Pro 2.93 Quad core machine. I tried holding down 6 and 4 when restarting but no luck, it staill says no in the profiler. Any ideas why?

  If you'd like your Mac to always start up in 64 bit mode without having to hold down any keys, do this:
  Here's the configuration file approach for always booting into 64-bit. This is the best way to make your Mac always start up 64 bit as the only thing necessary is to alter one line of a configuration file. You can do that by opening the Terminal and entering:
  sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.Boot 'Kernel Flags' 'arch=x86_64'
  To return to 32 bit mode, you would repeat the command but enter an empty string, which would just be the single quotes (where arch=x86_64 is) with nothing in between.
  sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.Boot 'Kernel Flags' ''
  These commands are all one line, they're just wrapping here.
  If at any point you find you need to start up in 32 bit mode for a single use, just as you held down the 6 and 4 keys for 64 bit, you can hold down the 3 and 2 keys for a temporary change. No need to keep changing the config file over and over.

• Does the Intel 82579LM NIC on the Portege R830 support Promiscuous mode?

  Hi,
  I've got a work laptop (Portege R830), which doesn't want to sniff packets. I've got it connected to a Netgear Hub (DS104), along with an older notebook, and then uplink to ADSL.
  Running a continuous ping to the default gateway and Wireshark on both devices and the other computer can see the pings from the Toshiba, but not vice-versa.
  The Toshiba is running as an Administrator account, has the Windows Firewall disabled, and my Symantec End Point Encryption disabled. I don't have any other AV to my knowledge.
  Does anyone have any ideas of services I should disable/enable, or knowledge of the features of this NIC?
  According to the Intel site "Yes, all currently marketed Intel PRO/100, Intel PRO/1000, Intel Gigabit, Intel PRO/10 Gigabit, and Intel 10 Gigabit adapters support Promiscuous mode. " But the Intel 82579 Gigabit Ethernet Controller is not in the list that follows on; http://www.intel.com/support/network/sb/CS-004185.htm?wapkw=%28promiscuous%29
  Thanks for your time.

  Usually the firewall or Internet Security software blocks pings so perhaps try uninstalling Symantec completely. Just disabling it may not disable everything.
  Another thing to try is use a Static IP Address instead of DHCP. Disabling IPv6 or installing a newer LAN driver from the Intel website may also help.

• GDM going into fallback mode with fglrx

  I've installed Arch linux a couple of times to have a play around with it, and I've really enjoyed it so yesterday I installed Arch linux again, this time with the intention of using it as my main OS. During the installation I configured pacman to use the [xorg111] and [catalyst] repos and subsequently installed X.org 1.11 with the latest Catalyst drivers which unfortunately don't yet support X.org 1.12. I then tested X.org using xdm and ran fglrxinfo in one of the xterms. This showed that the drivers were working correctly, so I installed gnome and the full gnome-extra which includes gdm, and configured gdm to launch automatically in inittab. I rebooted my computer and gdm started in fall-back mode with no option of switching to anything else. I logged in to gnome and ran fglrxinfo again which showed that the drivers weren't working in gdm/gnome. It must have been using the mesa drivers or something because everything was very choppy.
  I tried recompiling fglrx for my kernel and checked that everything in rc.conf and inittab was configured correctly, but I couldn't solve the issue so I uninstalled gnome and thought I'd give KDE a go just to see if the issue was gnome-related or system-wide. I'm using KDE now and it's working great with the Catalyst drivers. No extra configuration was required beyond changing the default login manager to kdm in inittab. However, I do like some aspects of the new Gnome 3.4 and so I'd still like to give it a go; I haven't yet decided on which DE I'll be using full time.
  Does anybody have a clue about what the conflict might be between fglrx and gdm? If I can't sort that out then I can't consider using gnome as my DE.
  I'm open to the idea of installing gnome alongside KDE so I can try them both on the same installation but I'm concerned about the menus in each of the DEs becoming cluttered with applications from the other DE. Is there any way in which I could sort this out, perhaps automatically?
  Thanks in advance for any help.
  und
  Last edited by Und (2012-05-06 14:27:35)

  Mr_ED-horsey wrote:
  The last I heard, the Gnome Shell doesn't play well with VMware due to the shell's 3D accelerated graphics requirement, but I've heard it has better results with VirtualBox. I don't really know though. I've never tried to run Gnome 3 in a virtual environment, but here's some links if they help:
  http://forums.fedoraforum.org/showthread.php?t=260107
  http://www.sysprobs.com/get-working-fed … virtualbox
  Thanks, I'll give it a look.
  I've been hearing Virtualbox a lot, so I might try that instead.

• UCCX on VMWare needs ethernet promiscuous mode?

  Hello all,
  Just noticed something in the vmware host logs:
  2013-06-08T16:29:52.001Z cpu20:14694)etherswitch: L2Sec_EnforcePortCompliance:153: client ccx.eth0 requested promiscuous mode on port 0x4000024, disallowed by vswitch policy                
  And that's expected, because the default configuration of the vswitch denies ethernet promiscuous mode.
  Now the question is - does the virtual UCCX need promiscuous mode at all? I would expect to see it as a specific note in the documentation if it would. The docwici for UC on UCS is quite detailed and it get's bigger and bigger every day.
  I suppose the promiscuous mode is related somehow to call monitoring and recording, but is it really a requirement? I am using Desktop Based monitoring and recording. UCCX version 9.0.2.10000-71

  Hi,
  Please check your recording options.
  If it set not to spanless recording,you'll have allow promiscuous mode and rspan vlans.