
When troubleshooting the sensor, utilize idsconns to check connectivity with the management device.

idsstatus will tell you what services are up.

cidServer version will tell you what versions of the daemons are being used.

idsstart and idsstop do just what they say. idsvers verifies the version of sensor software.

Don’t forget to be logged in as netrangr to use these commands!
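A small health-check wrapper for the commands above, added here as an example and not part of the book or of the Cisco sensor software: it refuses to run unless the caller is netrangr, runs idsvers, idsstatus and idsconns, and flags a PostOffice connection that is not [established]. The exact idsconns output format is an assumption; the script only keys on the "[established]" and "syn NOT rcvd" strings the chapter mentions, and the sample reports in it are constructed.

```shell
#!/bin/sh
# Sensor health check (added example). Assumes idsconns prints
# "[established]" for a healthy PostOffice connection and
# "syn NOT rcvd" for a half-open one, as the chapter describes.

# Constructed sample reports (not real idsconns output) for a dry run.
SAMPLE_HEALTHY='mgmt 10.0.0.5 [established]'
SAMPLE_HALF_OPEN='mgmt 10.0.0.5 [syn sent] syn NOT rcvd!'

# Classify one idsconns report passed as a string.
# Prints "ok" when at least one connection is [established] and none
# is pending, "degraded" when any connection still shows syn NOT rcvd,
# and "none" when no connection line was found at all.
postoffice_state() {
    report="$1"
    established=$(printf '%s\n' "$report" | grep -c '\[established\]')
    pending=$(printf '%s\n' "$report" | grep -ci 'syn NOT rcvd')
    if [ "$pending" -gt 0 ]; then
        echo degraded
    elif [ "$established" -gt 0 ]; then
        echo ok
    else
        echo none
    fi
}

# Succeeds only when running as the netrangr account the commands need.
is_netrangr() {
    [ "$(id -un)" = "netrangr" ]
}

# Live checks on a sensor; returns non-zero if the PostOffice link to
# the management device is not fully established.
run_checks() {
    if ! is_netrangr; then
        echo "log in as netrangr before running these commands" >&2
        return 2
    fi
    idsvers                       # sensor software version
    idsstatus                     # which services are up
    state=$(postoffice_state "$(idsconns)")
    echo "PostOffice connection state: $state"
    [ "$state" = "ok" ]
}

# Only touch the live sensor when explicitly asked; otherwise dry-run.
if [ "${1:-}" = "--run" ]; then
    run_checks
else
    echo "sample healthy report   -> $(postoffice_state "$SAMPLE_HEALTHY")"
    echo "sample half-open report -> $(postoffice_state "$SAMPLE_HALF_OPEN")"
fi
```

Run it with `--run` on the sensor itself as netrangr; a non-zero exit means the sensor is not talking to its management device.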

Configuring the SPAN Interface

Configure SPAN ports or VSPAN for either Egress, Ingress, or both. Egress is the SPAN port (or VSPAN) receiving and copying to the destination port.

Ingress is the SPAN port (or VSPAN) transmitting and copying to the destination port.

Both copies the traffic transmitted and received to the destination port. The destination port is where the sensor resides.

Recovering the Sensor’s Password

Don’t even attempt to recover the sensor’s password unless you have a Solaris for Intel CD-ROM and a Solaris Device Configuration Assistant disk (boot disk).

You need console access to the workstation for password recovery. The Solaris Device Configuration Assistant boot disk can be downloaded from Sun, not from Cisco.

You will be editing the shadow file in the OS that contains accounts and passwords. If you are not familiar or comfortable with the process, find a Unix person and have them do it for you.

Reinitializing the Sensor

Use the accompanying Upgrade/Recovery CD to reinitialize the sensor. If you have the image downloaded from Cisco.com, use that to save a minute or two.

Once you reinitialize the sensor, everything is overwritten, including passwords. You are starting from scratch.

Don’t forget to document your settings before going this route.

Upgrading a Sensor from 3.1 to 4.0

To upgrade sensor models IDS-4220-E or IDS-4230-FE, swap the cables for the sniffing interface as well as for the command and control interface.

Before you can upgrade a sensor model IDS-4235 or IDS-4250, you have to upgrade the BIOS in order to install version 4.0.

The default username and password to log in to the CLI for version 4.0 are both cisco.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: How many ports does each sensor utilize and what are they for?

A: Each sensor utilizes two ports. One is used to sniff traffic (packets), while the other is for command and control.

Q: What command is utilized to verify connectivity between the sensor and management device?

A: idsconns. It will show you a [established] connection or a [syn sent] with a syn NOT rcvd!

Q: What port and protocol does the PostOffice protocol utilize?

A: UDP and 45000.

Q: Which options in sysconfig-sensor must be completed for initial deployment of a sensor in your IDS infrastructure?

A: Options 1–6, IP Address, IP Netmask, IP Host Name, Default Route, Access Control List, and Communications Infrastructure.

Q: Which account do you use to bootstrap the sensor?

A: root.

Q: In order to use the command-line interface, what account must you be logged in as?

A: netrangr.

Q: What interface must be configured on the 4220-E and 4230-FE sensors in order to monitor multicast traffic?

A: iprb0 must be reconfigured from the command and control interface to the monitoring interface.

Q: What does the command cidServer do and what user must you be in order to execute it?

A: cidServer can start and stop the Web server for IDM and also show the version. You must be root to execute the command.

Q: What configuration options require a reboot in sysconfig-sensor?

A: Options 1–5, IP Address, IP Netmask, IP Host Name, Default Route, and Network Access Control.

Q: If you are upgrading sensor models IDS-4220-E or IDS-4230-FE, what must you do before you can upgrade to version 4.0?

A: You have to swap the interface cables on the two ports. The PCI card that is normally used for sniffing on the IDS-4220-E and the IDS-4230-FE does not support monitoring of dot1q trunk packets or the tracking of alarm 993, Dropped Packet. The performance of the PCI card is also lower than the integrated NIC. If you do not swap the cables on the IDS-4220-E or IDS-4230-FE, there is a chance you will not be able to connect to your appliance over the network.

Q: Before you can upgrade to software version 4.0 on a sensor model IDS-4235 or IDS-4250, what has to be done first?
