
| Subject: | RE: IOS IDS configuration |
|---|---|
| Date: | Tue, 28 Sep 2004 18:23:42 -0500 |
-----Original Message-----
From: Dan Tesch [mailto:dan.tesch@comcast.net]
Sent: Monday, September 27, 2004 9:12 PM
To: firewalls@securityfocus.com
Subject: Re: IOS IDS configuration

Thanks, I do understand how to actually delete a line; I was wondering if there is any benefit to doing so. For instance, I was trying to do some admin. from home but could not get my config to copy to a TFTP server at home via internet - didn't know if the ip inspect tftp line had something to do with it - and why are some of these on eth_0 and some on eth_1??
The config you have pasted into the email doesn't tell us what the IDS will
do when an alarm fires. Simply inspecting tftp traffic doesn't interfere
with your connection, unless you have an action defined to drop it on a
signature match. There should be a line like
ip audit name Ethernet_0_1 action { alarm | drop | reset }
that tells the router what to do when a tftp signature is matched. There
should also be a config line that binds the policy to the particular
interface. You'll see it under that interface's configuration like this
ip audit Ethernet_0_1 in
...just for example.
I would suggest maybe turning on some packet debugging and/or watching
matches to an ACL to troubleshoot your problem.
Type the line you wish to delete with a 'no' in front of it, should do it. (e.g. 'no ip inspect name Ethernet_0_1 ftp')

Dan Tesch wrote:

Hi, we have the IOS IDS functions enabled in our 2611 and I have read the docs but don't know if I can disable single lines in the config. example:

ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 udp
ip inspect name Ethernet_0_0 cuseeme
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 h323
ip inspect name Ethernet_0_0 rcmd
ip inspect name Ethernet_0_0 realaudio
ip inspect name Ethernet_0_0 smtp
ip inspect name Ethernet_0_0 streamworks
ip inspect name Ethernet_0_0 vdolive
ip inspect name Ethernet_0_0 sqlnet
ip inspect name Ethernet_0_0 tftp
ip audit notify log
ip audit po max-events 100

these appear to be defaults, if I am not using something like vdolive, sqlnet, streamworks, realaudio, etc. can I delete the lines? are there some helpful extra parameters anyone can suggest? Thanks
Shane Mahon, CCNP, CCSP, RHCE
Internet Operations Manager
Newsstand, Inc.
http://www.newsstand.com
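The reply above says the questions to ask of such a config are whether an `ip audit name` policy has a drop/reset action and whether each inspect set or audit policy is actually bound to an interface. This added script (not from the thread or from Cisco) parses a constructed running-config excerpt modelled on the one posted and reports exactly those two things; the interface names and the `info`/`attack` policy lines are assumptions for the sample.

```python
import re
from collections import defaultdict

# Constructed sample running-config modelled on the thread; not a real device.
SAMPLE_CONFIG = """
ip inspect name Ethernet_0_1 tftp
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 vdolive
ip audit notify log
ip audit name Ethernet_0_1 info action alarm
ip audit name Ethernet_0_1 attack action alarm drop
!
interface Ethernet0/1
 ip inspect Ethernet_0_1 in
 ip audit Ethernet_0_1 in
!
"""

def parse_config(text):
    sets = defaultdict(list)    # inspect set name -> inspected protocols
    actions = {}                # (audit policy, 'info'|'attack') -> action words
    bound = defaultdict(set)    # set/policy name -> {(interface, direction)}
    iface = None
    for line in text.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith(" "):     # indented: an interface sub-command
            m = re.match(r"\s+ip (?:inspect|audit) (\S+) (in|out)$", line)
            if m and iface:
                bound[m.group(1)].add((iface, m.group(2)))
        else:                          # global level ('!' and blanks land here)
            iface = None
            m = re.match(r"ip inspect name (\S+) (\S+)", line)
            if m:
                sets[m.group(1)].append(m.group(2))
            m = re.match(r"ip audit name (\S+) (info|attack) .*action (.+)$", line)
            if m:
                actions[(m.group(1), m.group(2))] = m.group(3).split()
    return sets, actions, bound

def findings(text):
    # Sorted findings: sets/policies never applied, and actions that interrupt traffic.
    sets, actions, bound = parse_config(text)
    out = [f"inspect set {n} ({', '.join(p)}) is not applied to any interface"
           for n, p in sets.items() if n not in bound]
    for (policy, kind), words in actions.items():
        if policy not in bound:
            out.append(f"audit policy {policy} is not applied to any interface")
        if {"drop", "reset"} & set(words):
            out.append(f"audit policy {policy} {kind} can interrupt traffic: action {' '.join(words)}")
    return sorted(out)
```

Run `findings(SAMPLE_CONFIG)` against a saved `show running-config`; an inspect set that is defined but never bound (as `Ethernet_0_0` is here) is just dead config, while a bound policy with `drop` or `reset` is the kind of line that could explain an interrupted TFTP copy.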