© 2001, Cisco Systems, Inc. CSIDS 2.08-1 Chapter 8 Sensor Configuration.

Transcript:


Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
- Configure the Sensor's identification parameters, internal network entries, and the packet capture device setting.
- Enable the Sensor to generate log files and configure it to automatically transfer the log files to an FTP server.
- Enable and configure the IP fragment reassembly feature on the Sensor.
- Enable and configure the TCP Session reassembly feature on the Sensor.
- Configure advanced PostOffice settings.
- Configure the Sensor to send alarms to additional destinations.

Basic Configuration

Identification Settings
- Select the Sensor
- Click OK

Internal Networks
- Select the Sensor
- Select the Internal Networks tab
- Select Add
- Click OK

Packet Capture Device
- Choose your Monitoring Interface
- Select the Sensing tab
- Select the Sensor
- Click OK

Log File Configuration

Enabling the Sensor to Generate Log Files
- Click OK
- Select the Sensor
- Select the Logging tab
- Enable

Configuring Automatic Log File Transfer
- Select the Sensor
- Click OK
- Select the Logging tab
- Enter FTP server IP address, username, and password
- Enable

Advanced Settings Configuration

IP Fragment Reassembly
- Select the Sensing tab
- Select the Sensor
- Enable
- Click OK

TCP Session Reassembly
- Select the Sensing tab
- Select the Sensor
- Enable
- Choose Reassembly Type
- Enter Timeout Values
- Click OK

PostOffice Settings
- Select the Sensor
- Click OK
- Select the Advanced tab
- Select the PostOffice Setting tab

Additional Destinations
- Select the Sensor
- Select the Advanced tab
- Select the Additional Destinations tab
- Select Add
- Click OK

Summary
- The Sensor's identification parameters are modified from the Properties>Identification tabs in CSPM.
- The internal network entries indicate to the Sensor what IP addresses are to be considered internal for logging purposes. All other IP addresses will be considered external for logging purposes.
- The packet capture device identifies the device driver for the monitoring NIC on the Sensor.
- Sensors can generate log files and be configured to automatically transfer the log files to an FTP server.
- Sensors can perform IP fragment reassembly to prevent IDS evasion.
- Sensors can perform TCP Session reassembly to tune signature triggering for the user's environment.
- Advanced PostOffice settings can be tuned to meet the needs of the user environment.
- Sensors can be configured to send alarms to additional destinations.
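
Why IP fragment reassembly matters for detection, as an added example (not part of the Cisco course material and not the Sensor's actual code): a string signature split across two fragments is missed when fragments are inspected one at a time and found once the datagram is rebuilt. The addresses, IP ID, signature token and the "first copy wins" overlap policy are assumptions made for the illustration.

```python
from collections import defaultdict, namedtuple

# Constructed sample data: addresses, IP ID and the signature token are made up.
Frag = namedtuple("Frag", "src dst ip_id proto offset more payload")
SIGNATURE = b"EXAMPLE-SIGNATURE-TOKEN"  # stand-in for a string signature
PAYLOAD = b"GET /?q=" + SIGNATURE + b" HTTP/1.0\r\n\r\n"
# Split at byte 16 (offsets are multiples of 8, as in IPv4) and deliver out of order.
FRAGS = [
    Frag("192.0.2.10", "10.0.1.5", 4321, 6, 16, False, PAYLOAD[16:]),
    Frag("192.0.2.10", "10.0.1.5", 4321, 6, 0, True, PAYLOAD[:16]),
]

def match_per_fragment(frags):
    """Sensor without reassembly: each fragment is inspected in isolation."""
    return any(SIGNATURE in f.payload for f in frags)

class Reassembler:
    def __init__(self):
        self.parts = defaultdict(dict)  # datagram key -> {offset: payload}
        self.total = {}                 # datagram key -> full length, known after last fragment

    def add(self, f):
        """Buffer one fragment; return the full payload once complete, else None."""
        key = (f.src, f.dst, f.ip_id, f.proto)
        self.parts[key].setdefault(f.offset, f.payload)  # duplicate offset: first copy wins
        if not f.more:
            self.total[key] = f.offset + len(f.payload)
        if key not in self.total:
            return None
        data = bytearray()
        for off in sorted(self.parts[key]):
            if off > len(data):          # hole: a middle fragment is still missing
                return None
            data += self.parts[key][off][len(data) - off:]  # skip overlapping bytes
        if len(data) < self.total[key]:
            return None
        total = self.total.pop(key)
        del self.parts[key]
        return bytes(data[:total])

def match_reassembled(frags):
    """Sensor with reassembly: the signature is checked on the rebuilt datagram."""
    r = Reassembler()
    return any(d is not None and SIGNATURE in d for d in map(r.add, frags))

if __name__ == "__main__":
    print("per-fragment match:", match_per_fragment(FRAGS))
    print("reassembled match: ", match_reassembled(FRAGS))
```
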

Lab: Configure the Sensor's Internal Network Definition and Sensor to Log Alarms Locally on a Log File

[Figure: Lab Visual Objective. Network diagram of Pod P (Your Pod) and Pod Q (Peer Pod), showing routers rP and rQ, a CSPM host in each pod (Host ID = 3, Org ID = P, Host Name = cspm P, Org Name = pod P; Host ID = 3, Org ID = Q, Host Name = cspm Q, Org Name = pod Q), and Sensors sensorP, idsmP, sensorQ and idsmQ.]