Configuring IDSM in promiscuous mode?

Hello,
I have two Catalyst 6500 switches in VSS, each with an IDSM module. I want to monitor four VLANs: three of them are user VLANs and one is a server VLAN. I am planning to use VACLs to capture the traffic.
My first question is how to configure the data ports of the IDSM in promiscuous mode. The configuration guide says that by default the data ports are in promiscuous mode, so does that mean I don't have to make any configuration on the data ports of the IDSM?
Second, if I have two 6500 switches in VSS, each with an IDSM module, do I have to consider other configurations for this situation?
The configuration of VACL that I will put is:
ip access-list extended ACL_IPS
  permit ip any any
vlan access-map VACL_IPS 10
  match ip address ACL_IPS
  action forward
vlan filter VACL_IPS vlan-list 30 , 40 , 50 , 100
intrusion-detection switch 1 module 4 data-port 1 capture allowed-vlan 30,40,50,100
intrusion-detection switch 1 module 4 data-port 1 capture
intrusion-detection switch 1 module 4 data-port 1 autostate include
intrusion-detection switch 2 module 4 data-port 1 capture allowed-vlan 30,40,50,100
intrusion-detection switch 2 module 4 data-port 1 capture
intrusion-detection switch 2 module 4 data-port 1 autostate include
Thanks for the help.

The IDSM doesn't need any special commands to inspect traffic in promiscuous mode.
You'll want to put your IDSM management interfaces on a VLAN to talk with them:
intrusion-detection module 4 management-port access-vlan 99
Use the "forward capture" switch:
vlan access-map VACL_IPS 10
  match ip address ACL_IPS
  action forward capture
Get rid of the spaces between your VLAN numbers:
vlan filter VACL_IPS vlan-list 30,40,50,100
If you put two IDSMs in the same chassis you'll need to decide how to split traffic between them. You can assign different VLANs to each IDSM.
- Bob
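A small config check for the three points Bob raises, written as an added example for this thread (not Cisco's or the poster's code). It parses an IOS-style snippet and reports an access-map with no "forward capture" clause, a vlan-list with spaces, and filtered VLANs missing from a data port's "capture allowed-vlan" list; the embedded config is the poster's, reproduced as constructed sample input.

```python
"""Lint a Catalyst 6500 VACL-capture configuration for IDSM data ports."""
import re
from collections import defaultdict

# Constructed sample: the original poster's configuration from this thread.
SAMPLE_CONFIG = """\
ip access-list extended ACL_IPS
  permit ip any any
vlan access-map VACL_IPS 10
  match ip address ACL_IPS
  action forward
vlan filter VACL_IPS vlan-list 30 , 40 , 50 , 100
intrusion-detection switch 1 module 4 data-port 1 capture allowed-vlan 30,40,50,100
intrusion-detection switch 1 module 4 data-port 1 capture
intrusion-detection switch 1 module 4 data-port 1 autostate include
intrusion-detection switch 2 module 4 data-port 1 capture allowed-vlan 30,40,50,100
intrusion-detection switch 2 module 4 data-port 1 capture
"""

# Constructed sample: the same config with the corrections from the reply applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace("action forward", "action forward capture") \
                            .replace("30 , 40 , 50 , 100", "30,40,50,100")

AM_RE = re.compile(r"^vlan access-map (\S+) (\d+)$")
ACTION_RE = re.compile(r"^\s+action (.+)$")
FILTER_RE = re.compile(r"^vlan filter (\S+) vlan-list (.+)$")
# Both the VSS form ("switch N module M") and the single-chassis form ("module M").
CAPTURE_RE = re.compile(
    r"^intrusion-detection (?:switch (\d+) )?module (\d+) data-port (\d+) capture"
    r"(?: allowed-vlan (.+))?$"
)


def expand_vlans(spec):
    """'30,40,50,100' or '1-4094' (spaces tolerated) -> set of VLAN ids."""
    vlans = set()
    for item in spec.replace(" ", "").split(","):
        if item:
            lo, _, hi = item.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    maps = defaultdict(list)   # access-map name -> list of action strings
    filters = {}               # access-map name -> raw vlan-list text as typed
    ports = {}                 # (switch, module, data-port) -> allowed VLAN set or None
    current = None             # access-map whose clause we are inside
    for line in text.splitlines():
        if m := AM_RE.match(line):
            current = m.group(1)
        elif (m := ACTION_RE.match(line)) and current:
            maps[current].append(m.group(1).strip())
        elif m := FILTER_RE.match(line):
            filters[m.group(1)] = m.group(2).strip()
        elif m := CAPTURE_RE.match(line):
            key = (m.group(1), m.group(2), m.group(3))
            allowed = expand_vlans(m.group(4)) if m.group(4) else None
            # Keep an allowed-vlan list already seen for this port, in either order.
            ports[key] = allowed if allowed is not None else ports.get(key)
        elif not line.startswith(" "):
            current = None
    return maps, filters, ports


def lint(text):
    """Return a list of findings; an empty list means the capture config is consistent."""
    maps, filters, ports = parse_config(text)
    findings = []
    for name, raw in filters.items():
        if " " in raw:
            findings.append(f"vlan filter {name}: remove the spaces from vlan-list '{raw}'")
        if not any("capture" in action for action in maps.get(name, [])):
            findings.append(f"access-map {name}: no 'action forward capture' clause, "
                            "so nothing is copied to the IDSM data port")
    filtered = set()
    for raw in filters.values():
        filtered |= expand_vlans(raw)
    for (sw, mod, dp), allowed in sorted(ports.items(), key=str):
        where = (f"switch {sw} " if sw else "") + f"module {mod} data-port {dp}"
        if allowed is None:
            findings.append(f"{where}: 'capture' set but no 'capture allowed-vlan' list")
        elif missing := sorted(filtered - allowed):
            findings.append(f"{where}: filtered VLANs {missing} are not in allowed-vlan")
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("as posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"{cfg_name}: {lint(cfg) or ['OK']}")
```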

Similar Messages

  • Configuring IDSM-2 Promiscuous Mode with MLS IP IDS

    I am having a problem configuring promiscuous mode with an IDSM-2 running 5.0(3)S181.0 in a 6509 with Sup 720 running IOS 12.2(18)SXD4. I am running router interfaces without VLANs, so I have created an extended access list with a 'permit ip any any' and configured this on my interfaces with 'mls ip ids access-list-name'. I configured 'intrusion-detection module x data-port 1 capture' and 'intrusion-detection module x data-port 2 capture', and because of the caution note on page 14-12 of 78-16127-01 I also configured 'intrusion-detection module x data-port 1 capture allowed-vlan 1-4094' and 'intrusion-detection module x data-port 2 capture allowed-vlan 1-4094'. After that I can see the output counters rising in 'show intrusion-detection module x data-port 1 traffic' and 'show intrusion-detection module x data-port 2 traffic'. I can configure the IDSM-2 using the VMS management center, and I added my sensor to Security Monitor and set the level down to informational, but I don't see any events or even the start-up informational message. Anyone have any idea what I missed?

    Here is a document on Configuring the Catalyst Series 6500 Switch for IDSM-2 in Promiscuous Mode.
    http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_guide_chapter09186a0080459221.html#wp1030752

  • IDSM-2 - Promiscuous Mode

    I would like my IDSM-2 to run in promiscuous mode (and not inline mode).
    How can I configure it so that it works on the "Block Nothing, Monitor Everything" principle?
    I need the blade to "never" block the upstream devices like routers and firewalls.
    By the way, how will the IDSM running in promiscuous mode even "know" of upstream routers and other network devices?
    Thanks !!!

    Hi,
    You can find how to configure IDSM-2 to run promiscuous mode here.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1030752
    From there, you can find IOS vs. CatOS configuration as well as SPAN vs. VACL.
    Once that is done, you can find configuration guide here regarding IPS software. I will list both CLI and IDM in case you prefer one over the other...
    CLI -
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1033699
    IDM -
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf4c2.html#wp1031960
    In promiscuous mode, unless you configure blocking with blocking device, it will never block anything by default. Even with blocking, you can configure never-block addresses.
    CLI -
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df77.html#wp1031471
    IDM -
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804d1374.html#wp1037905
    IDSM will not know which is which (upstream routers and other network devices) unless you specify them in 'never block' or 'blocking devices'.
    Thank you.
    Edward

  • How to best use IDSM in promiscuous mode?

    Hi folks
    I need some input and ideas how to best set up my IDSM2 module.
    Today I have the module set up to capture traffic from the 6513 using SPAN in both directions and two different firewalled VLANs as sources. The destination is data-port 1 on the IDSM. This setup is working fine but I'm curious as how to best use the second data-port. Our 6513 runs IOS 12.2(18)SXF3 and has a limit of only one SPAN session set up to capture an entire VLAN in both directions.
    My idea was to use the second data-port as SPAN destination for our external/non-firewalled VLAN, but this isn't allowed.
    Does anyone have or had a similar problem? Would using a VLAN access list with data-port 2 as destination be an option or are the dual IDSM interfaces mainly used for inline mode?
    Regards
    Fredrik Hofgren

    Fredrik,
    I am using VACLs in the switch that has the IDSM. This will preserve your SPAN sessions.
    You can specify which vlans go to which port on the IDSM.
    We actually have our external vlan set up as an inline vlan pair on data port 2.

  • Configuring 4255 sensor in promiscuous mode

    I have a 4255 with 3 interfaces that connect to a 6500 series switch. The IPS interfaces are set to promiscuous mode with a default VLAN specified.
    On the switch side, I would like to send the traffic from more than one vlan to the sensor GE interfaces. What is the best way to do this?
    Do I set up a monitor session on the switch with a source of multiple vlans, then set the destination as one of the sensor ports?
    I also see the option to do a switchport capture.
    Any advice would be great

    You want to do a VACL capture on the 6500:
    http://www.cisco.com/c/en/us/support/docs/lan-switching/vlan-access-lists-vacls/89962-vacl-capture.html
    monitor session 50 source vlan 100 , 200
    monitor session 50 destination interface Fa3/30

  • Basic configuration IDSM-2

    Hello,
    I have some experience with sensors but this is my first time configuring a C6500 with IDSM-2, and I have some design questions. The first question is this: can I mix the use of VACL and SPAN to capture traffic in the same configuration?
    Customer is actually using VACL to capture traffic from some machines, but he now wants to monitor all the traffic that comes from and external partner through a VPN concentrator, so I assume for this case I should use SPAN to monitor the VPN's port: am I right?
    The config that the customer has is more or less the following:
    intrusion-detection module 1 data-port 1 capture
    intrusion-detection module 1 data-port 1 capture allowed-vlan 1
    intrusion-detection module 1 data-port 2 capture allowed-vlan 1
    vlan access-map ids 10
    match ip address in
    action forward capture
    vlan access-map ids 20
    match ip address out
    action forward
    vlan filter ids vlan-list 1
    ip access-list extended in
    permit ip any host 192.168.1.1
    permit ip host 192.168.1.1 any
    ip access-list extended out
    permit ip any any
    If I want to use SPAN, which is the limitation in the number of source ports I can put in the "monitor session" command?
    Should I send this "span" traffic to sensing interface 8 (data-port 2) or can I still send it to data-port 1 (sensing interface 7)?
    Why are there two sensing interfaces?
    Thanks in advance...
    Ruben

    Does it mean that I can only monitor completely (both directions) one port per monitoring session?
    Correct.
    Also, if I'm using data port 1 with VACL and data port 2 as destination for "monitor session 1", I suppose I cannot also use data port 2 as destination for "monitor session 2".
    An IDSM-2 Data Port can be the destination port for only a single monitor session.
    If this is true, this means that I can only monitor rx and tx simultaneously on one source port per Catalyst box running this image. Am I right?
    Correct
    Does it make sense to monitor only the rx direction for ports connecting to FWs, VPNs and WAN routers, or should we monitor both ways?
    If you are going to use port span, then you really need to monitor both tx+rx. The promiscuous sensor can be configured to work when monitoring just a single direction (like just rx), but the sensor will be prone to false positives and false negatives. The sensor really needs to see both directions of TCP connections in order to properly monitor them. To monitor single direction you configure the TCP Reassembly mode to be "asym" which is short for asymmetric. It is generally only used when the sensor is deployed in a network with asymmetric routes.
    I have noticed that in this case we cannot do what the customer wants unless we upgrade the customer's IOS to 12.2(18)SXE or later... With this new IOS it is possible to have 128 tx or both sources!
    I haven't read the Span notes on the latest IOS releases. I am glad to hear that the number of both sources has been increased per session.
    Alternatives:
    The alternative to using "both" span on a port basis is to use an "rx" vlan span.
    But you have to be very careful with "rx" spans.
    If the vlan is strictly layer 2 (no ip address assigned to the switch for that vlan), then an "rx" span for the vlan will work well. All traffic coming IN from a firewall will be seen as "rx" packets on the firewall port. All traffic going OUT to the firewall will be seen as "rx" packets from the other switch port where they are entering the vlan. So all packets IN and OUT of the firewall would be seen.
    BUT if the switch itself Does have an IP Address on that vlan, and the switch routes between that vlan and other vlans, then this is no longer true.
    The span works well on physical ports, but the switch's IP address is on a Virtual Interface in the vlan. This Virtual Interface does not play well with span in my past experience. The switch has a feature known as MLS (Multi-Layer Switching). The first packets for a TCP connection (the SYN and SYN ACK) are sent through the Virtual Interface for routing. An "rx" vlan span DOES catch these first packets coming from a Virtual Interface. BUT additional packets are affected by MLS. Instead of routing the packets through the Virtual Interface, MLS kicks in and the packets are switched in hardware to the other vlan, and the packet never actually goes through the Virtual Interface. So the packet will NOT be seen by the "rx" span of the vlan.
    Most users DO use the switch for routing, and so my recommendation is generally to use both tx+rx with Port Span to get the traffic. BUT if you are NOT routing, then the alternative "rx" span on the Vlan will work as well.

  • Does the apple thunderbolt to ethernet dongle support promiscuous mode ?

    Does the apple thunderbolt to ethernet dongle support promiscuous mode ?
    I need to use the new Retina MBP as a professional laptop for work, and I need to use Ethereal. Ethereal needs the Ethernet card/dongle/chip to run in promiscuous mode. I have heard that, unbelievably, the Thunderbolt Ethernet dongle does not support this; if so then the laptop will not pick up all the packets on the wire... is this true?
    Regs Mark.

    Hi Clinton,
    Thanks for your reply. However, the promiscuous mode function that I am after is a function of the Ethernet NIC hardware and driver, not just the OS.
    Wireshark allows the user to put network interface controllers that support promiscuous mode into that mode, in order to see all traffic visible on that interface, not just traffic addressed to one of the interface's configured addresses and broadcast/multicast traffic.
    Has anyone out there actually used/tested the Thunderbolt Ethernet adapter to sniff traffic with Wireshark (Ethereal)? Can you please confirm if it can run in promiscuous mode?
    Thanks.

  • UCCX on VMWare needs ethernet promiscuous mode?

    Hello all,
    Just noticed something in the vmware host logs:
    2013-06-08T16:29:52.001Z cpu20:14694)etherswitch: L2Sec_EnforcePortCompliance:153: client ccx.eth0 requested promiscuous mode on port 0x4000024, disallowed by vswitch policy                
    And that's expected, because the default configuration of the vswitch denies ethernet promiscuous mode.
    Now the question is: does the virtual UCCX need promiscuous mode at all? I would expect to see it as a specific note in the documentation if it did. The DocWiki for UC on UCS is quite detailed and it gets bigger and bigger every day.
    I suppose the promiscuous mode is related somehow to call monitoring and recording, but is it really a requirement? I am using Desktop Based monitoring and recording. UCCX version 9.0.2.10000-71

    Hi,
    Please check your recording options.
    If it is not set to spanless recording, you'll have to allow promiscuous mode and RSPAN VLANs.

  • Ethernet Card in promiscuous mode

    Hello,
    I have a PowerBook G4 15" (1.25GHz) and I want to capture network traffic on a Cisco trunk port.
    It works fine but I have no information concerning VLAN tags: is it possible to configure the Ethernet driver in promiscuous mode?
    Best Regards,
    Guillaume
    Edit: same problem as described here: http://support.intel.com/support/network/sb/cs-005897.htm

    I was thinking of a network driver option. How can I know what sort of network chipset is on my PowerBook?
    If I look to /System/Library/Extensions/IONetworkingFamily.kext/Contents/PlugIns, I can see this :
    Apple3Com3C90x.kext AppleDP83816Ethernet.kext AppleRTL8139Ethernet.kext
    AppleBCM440XEthernet.kext AppleGMACEthernet.kext AppleRTL8169Ethernet.kext
    AppleBCM5701Ethernet.kext AppleIntel8254XEthernet.kext Apple_DEC21x4Ethernet.kext
    AppleBMacEthernet.kext AppleIntel8255x.kext
    and there is the possibility to update an xml config file on some driver modules
    Here is the result of my kextstat :
    34 3 0x2dd90000 0x1f000 0x1e000 com.apple.iokit.IONetworkingFamily (1.5.0) <6 5 4 3 2>
    Mac OS X (10.4.3)

  • Does the Intel 82579LM NIC on the Portege R830 support Promiscuous mode?

    Hi,
    I've got a work laptop (Portege R830), which doesn't want to sniff packets. I've got it connected to a Netgear Hub (DS104), along with an older notebook, and then uplink to ADSL.
    Running a continuous ping to the default gateway and Wireshark on both devices and the other computer can see the pings from the Toshiba, but not vice-versa.
    The Toshiba is running as an Administrator account, has the Windows Firewall disabled, and my Symantec End Point Encryption disabled. I don't have any other AV to my knowledge.
    Does anyone have any ideas of services I should disable/enable, or knowledge of the features of this NIC?
    According to the Intel site "Yes, all currently marketed Intel PRO/100, Intel PRO/1000, Intel Gigabit, Intel PRO/10 Gigabit, and Intel 10 Gigabit adapters support Promiscuous mode. " But the Intel 82579 Gigabit Ethernet Controller is not in the list that follows on; http://www.intel.com/support/network/sb/CS-004185.htm?wapkw=%28promiscuous%29
    Thanks for your time.

    Usually the firewall or Internet Security software blocks pings so perhaps try uninstalling Symantec completely. Just disabling it may not disable everything.
    Another thing to try is use a Static IP Address instead of DHCP. Disabling IPv6 or installing a newer LAN driver from the Intel website may also help.

  • Using promiscuous mode to collect UDP data

    Is it possible to set a NIC in promiscuous mode and to pull all UDP data?
    I have created a VI to listen to data coming across a specific UDP port, this work perfect for one device when I specify the NIC IP address.
    My challenge is I have multiple devices with different IP addresses/networks, that I have to switch between. Every time I switch I need to reconfigure my NIC IP address to capture the data. I would like all data to pass through regardless of IP address. Does LabView support this?
    Thanks

    No, LabVIEW does not natively support a way to put a network interface into promiscuous mode and capture all traffic. You'll either need to use a packet sniffer like Wireshark to capture to a file, and then process it later, or use other libraries. A starting point might be http://zone.ni.com/devzone/cda/epd/p/id/2660

  • How to Set HyperV NIC in Promiscuous Mode

    Is there any way to set up a NIC on a virtual HyperV guest in promiscuous mode?
    I want to try and run a web filtering product on a VM. Wireshark does not indicate that it is capturing all traffic.
    I have my switch port mirrored already and it works with a regular box but not with the VM.
    Any help would be appreciated.
    Thanks,
    Andy

    I was able to make wireshark capture all the packets.
    I followed this post:
       http://fixmyitsystem.com/2013/08/Remote-Wireshark.html
    The only difference is that I use an Internal Virtual Network to connect from the guest to the host.
    My hyper-v host IP, for this network is 169.254.107.1 (check yours by doing ipconfig)
    and the Guest is 169.254.107.20
    Steps:
      - Just get rpcapd (http://nmap.org/dist/nmap-6.40-win32.zip).
      - Unzip it and install it on the hyper-v host
        Open PowerShell
        Enter-pssession Coremachine    
        Silently install: winpcap-nmap-4.02.exe /S
      - Next up you will have to create a firewall exception for
        this to be reachable from the management machine.
        netsh advfirewall firewall add rule name="Remote WinPcap" dir=in action=allow protocol=TCP localport=any remoteip=169.254.107.20
        (to turn on  the rule) netsh advfirewall firewall set rule name="Remote WinPcap" new enable=yes
        (to turn off the rule) netsh advfirewall firewall set rule name="Remote WinPcap" new enable=no
      - Navigate to C:\Program Files\WinPcap
        To start to packet capture service use
            .\rpcapd.exe -p 2002 -n
      - Get the GUID of the network card you want to use in WireShark  
          wmic nic where PhysicalAdapter="TRUE" get Description,GUID,MACAddress,Name,NetConnectionID
      - on wireshark
        Select Capture Options
        Click Manage Interfaces
        Select Local Interfaces tab and check the Hide box next to all of them
        Select remote Interfaces tab
        Click add button
        For the host specify the hostname or IP Address  
            (I use an internal network to connect to the host)
             My host IP is 169.254.107.1 and the Guest is 169.254.107.20
        The port default is 2002 (set with the -p switch earlier)
        Null authentication as set with the -n switch earlier
        OK
        You should now see a number of interfaces added
        Click Close
      - There will be a buffer size warning but it can be ignored, and hey presto,
        you are capturing packets from a remote  non GUI machine.  
        The process from here on in is the same as you would use WireShark with
        local traffic capture.

  • Hyper-V NIC in promiscuous mode

    Hello,
        Is there a way to set up a NIC in Hyper-V or the Hyper-V virtual switch to support promiscuous mode for web filtering software like Websense?
    Thank
    ML

    Victor, what you've posted is a description on how to monitor one VM's traffic on another VM inside the same Hyper-V, but what is needed, is to monitor traffic from some physical PCs on a VM, for example:
    There are machines A, B, and the Hyper-V host machine, all connected to the same physical switch, like HP Procurve or some Cisco device, etc. We can set up port mirroring on that switch (SPAN), so that all the traffic between A and B would be mirrored to the Hyper-V host machine port, and we even can monitor that traffic on the Hyper-V host. But what is needed is to pass that mirrored traffic, coming from outside of Hyper-V, to a guest virtual machine. Is there any way of doing that using the Hyper-V settings or some 3rd party switch extensions?
    https://blogs.technet.com/b/koalra/archive/2012/11/07/windows-server-2012-hyper-v-mirroring.aspx?Redirected=true
    TechNet Blogs » Ko Allah's White House ... » Windows Server 2012 Hyper-V, port monitoring (Mirroring)-based network management
    Seung Joo Baek
    7 Nov 2012 1:25 AM                           
    the physical ports the port mirroring. Windows Server 2012 R2 and capture driver for my Hyper-V virtual switch extensions can be done through NDIS.
    This can be enabled by the PowerShell, cmdlets are:
    $a = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5
    $a.SettingData.MonitorMode = 2
    add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName name_of_the_switch -VMSwitchExtensionFeature $a
    Wouldn't that be difficult?
    Related switch expansion port of the NDIS, the identity of the captured driver, unplug the monitor mode 2 (port monitoring) and, in addition to the external port related functions.
    This involves a process, the external port is connected to a physical switch occurred on the VM in the packet will be monitored.
    Not a physical port setting, VM-to-be a part of it, for the time when, if you look at it, never to get a glimpse of the classroom.
    Plus:
    TechNet Blogs » Russian Windows Virtualization Discussion » Hyper-V Port Mirroring – capturing external traffic from a physical interface
    Alex A. Kibkalo
    5nine Software
    12 Mar 2014 8:27 PM
    I (Alex A. Kibkalo) was asked several times whether Hyper-V Port Mirroring can be configured so that all traffic from the physical interface on top of a virtual switch goes to the "LAN traffic mirroring" virtual machine for analysis. VMware is able to do this, while Hyper-V Port Mirroring by default captures only traffic caught inside the virtual switch; external traffic that is not addressed to a particular VM simply is not there.
    While working in the Microsoft team, I had a conversation on the subject. Unfortunately, I do not remember with whom exactly :-(
    This is rare and is not documented. A solution to this problem was found recently.
    The following method works on nodes with Windows Server 2012 R2.
    Windows Server 2012 update 2885541 must be installed.
    So, you will need to configure Port Mirroring Destination mode for the machine that will receive the traffic.
    For the virtual switch, NDIS Capture must be enabled.
    As the traffic source, configure the external port of the virtual switch with the help of PowerShell commands:
    $a = Get-VMSystemSwitchExtensionPortFeature -Name "Ethernet Switch Port Security Settings"
    $a.SettingData.MonitorMode = 2
    add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName v-switch_name -VMSwitchExtensionFeature $a
    I would be glad if somebody could help.

  • Macbook pro (june 2010) airport promiscuous mode

    Hi all,
    For my network security course, I have to sniff a wireless network.
    Is it possible to put the AirPort Extreme in promiscuous mode? When I use Wireshark and select "capture packets in promiscuous mode" I can only see my own traffic... Although when I check my "en1" status in ifconfig, I see that the "promisc" flag is set... strange.
    I've put the wpa/psk password in wireshark so that's not the problem.
    So my final question is, does the promiscuous mode on airport extreme work on a 2010 macbook pro?

    flawlessnyc wrote:
    Of course it's my network and devices. And I'm interested in email accounts. As a parent . . . . well ya gotta be diligent.
    Look at the devices - how are they accessing the email?
    If it is via webmail in the browser (or a 'browser based' app) look for account setting to only use https. Some providers will only allow login via https which is secure, http is not secure, these can usually be 'forced' with account settings.
    When logged in does the website remain on https, if it goes to http instead the email content could be visible on that network. Bookmark the https url for the child, and remove any http urls for the same site so they are less likely to use http by accident. Explain to the kids why the 'green lock' in the address bar (indicates https) is important for reading email or any other 'private' data.
    Do the same with search engines (so their searches may be 'invisible' to the local network).
    If they are using an email client like Apple Mail check the settings again for each mail server, there are options to only use the specific server, and only use secure protocols (SSL,TLS…). That should prevent the mail being sent in plain text across the network, however email is inherently insecure as a service (it bounces from mail server to mail server with to & from addresses visible) so the kids may be better off using iMessage or another chat service that has some level of encryption / privacy.
    You can try viewing the network traffic to find passwords for these services, but it is very involved…
    Monitor in promiscuous mode on the same wifi channel as the network.
    Decrypt the wifi traffic (you need the network key for this since wifi itself is encrypted (WEP, WPA, WPA2 etc)).
    Look for the email traffic & recombine the packets to follow the conversation, but you still cannot read https traffic.
    All you will be able to find is passwords or form values for websites that do not use https.
    There are other things they should be careful with - like avoiding unknown/ open/ free wifi networks. Even cellular towers can be malicious nowadays, so disabling cellular data could help them be a little more secure. They should also avoid accepting certificates or 'profiles' to connect to any network.
    I'm not sure that watching packets in the air will get you better results any quicker than learning how to secure the settings on each device; pass on the info to the kids & eventually they will start to get it.
    P.S
    You may be able to lock settings via parental controls. iOS has 'restrictions' within the Settings app. Just use them carefully otherwise they will nag you about being unable to take a photo or use maps etc!

  • SP 2013 Upgrade error - web application is configured with claims authentication mode however the content database you are trying to attach is intended to be used against a windows classic authentication mode.

    Hi there,
    I get this error when I perform a DB Attach upgrade from SharePoint 2010 to SharePoint 2013. 
    "web application is configured with claims authentication mode however the content database you are trying to attach is intended to be used against a windows classic authentication mode."
    Any help is appreciated. Thanks.

    There is another way of fixing this issue apart from what Amit mentioned. Create a classic-based web application in SP 2013 using PowerShell.
    New-SPWebApplication -Name "TestApplication" -ApplicationPool "TestApplicationAppPool" -AuthenticationMethod "NTLM" -ApplicationPoolAccount (Get-SPManagedAccount "sppoc\spfarm") -Port 100 -URL "http://sp2013demo"
    Now mount the content database from SP 2010 on to the web application created above 
    Mount-SPContentDatabase WSS_Content_100 -DatabaseServer SQL2012Demo -WebApplication http://sp2013demo:100
    Once the mount is complete, convert the web application to use claims and migrate the user to use claims identity.
    Convert-SPWebApplication -Identity "http://sp2013demo:100" -To Claims -RetainPermissions -Force
    $w = Get-SPWebApplication "http://sp2013demo:100"
    $w.MigrateUsers($True)
    See my blog post about it: http://www.sharepointnadeem.com/2014/01/upgrade-from-sharepoint-2010-classic.html
    Please remember to up-vote or mark the reply as answer if you find it helpful.
