IDS mailing list archives
RE: Snoop on Cisco IDS (Was: CISCO IDS Packet capture)
From: "Alex Arndt" <aarndt () rogers com>
Date: Thu, 8 Apr 2004 15:11:20 -0400
Comments in-line below...
-----Original Message-----
From: Billy Dodson [mailto:billy () pmm-i com]
Sent: April 6, 2004 9:34 AM
To: Strand, John; focus-ids () securityfocus com
Subject: RE: CISCO IDS Packet capture

I am uncertain if this is possible. You can run a snoop command from the shell and watch data. If you tried to log all that data on the IDS itself, the hd would fill up in a matter of minutes. There might be a way to log it to a syslog server or something of that nature, but I have never tried. But if you just want to watch the data in real time, you can run that snoop command.
This is only possible on a Cisco IDS sensor running the v3.1 or older software, since it runs on top of Solaris x86. The new version (v4.0 or newer) runs on top of Red Hat Linux, so it would use tcpdump instead of snoop. Unfortunately, just as Chad Skipper pointed out in another reply, you can't run the IDS software and tcpdump at the same time (unlike snoop and IDS in v3.1 and older).

Just figured I'd offer this clarification given the fact that Cisco IDS users may be using either the old or the new IDS software...

Alex Arndt
CISSP, GCIA
"Within all order is the potential for chaos..."
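Both messages above touch the same operational problem: an unbounded snoop or tcpdump capture on the sensor will fill its disk in minutes. The script below is an added example and is not code from the thread or from Cisco; it builds a capture command that is bounded on each sensor generation discussed (snoop on the Solaris-based v3.1 sensors, tcpdump on the Red Hat-based v4.0 sensors) and refuses to start when the capture partition is nearly full. The interface names (iprb0, eth0), the snaplen, packet count, ring-buffer sizes, the 1 GB free-space threshold and the output path are all assumed values chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Bounded packet capture for the two sensor
# generations discussed: snoop (Solaris x86, IDS v3.1 and older) and tcpdump
# (Red Hat Linux, IDS v4.0 and newer). All sizes, counts and names are assumptions.

# capture_cmd OS IFACE OUTFILE
#   Prints a capture command line for IFACE writing to OUTFILE that cannot grow
#   without bound. Returns 1 for an OS it does not know.
capture_cmd() {
    os=$1; iface=$2; out=$3
    case "$os" in
        SunOS)
            # snoop has no ring buffer, so bound the capture by packet count (-c)
            # and snaplen (-s). -q suppresses the per-packet counter, -d picks the NIC.
            printf 'snoop -q -d %s -s 96 -c 100000 -o %s\n' "$iface" "$out"
            ;;
        Linux)
            # tcpdump ring buffer: -C rotates at N million bytes, -W keeps N files,
            # so disk use is capped at roughly C*W MB (here 50 MB * 10 = 500 MB).
            printf 'tcpdump -n -i %s -s 96 -C 50 -W 10 -w %s\n' "$iface" "$out"
            ;;
        *)
            return 1
            ;;
    esac
}

# free_mb PATH: free megabytes on the filesystem holding PATH (POSIX df -P output).
free_mb() {
    df -Pk "$1" | awk 'NR==2 { printf "%d\n", $4 / 1024 }'
}

# Entry point: "run [iface] [outfile]" checks free space, then execs the capture.
if [ "${1:-}" = run ]; then
    iface=${2:-eth0}; out=${3:-/var/tmp/sensor.cap}
    dir=$(dirname "$out")
    if [ "$(free_mb "$dir")" -lt 1024 ]; then
        echo "less than 1 GB free under $dir; not starting capture" >&2
        exit 1
    fi
    cmd=$(capture_cmd "$(uname -s)" "$iface" "$out") || { echo "unsupported OS: $(uname -s)" >&2; exit 1; }
    echo "running: $cmd"
    # shellcheck disable=SC2086
    exec $cmd
fi
```

Run as `sh capture.sh run iprb0 /var/tmp/sensor.cap` on a Solaris sensor or `sh capture.sh run eth0 /var/tmp/sensor.cap` on a Linux one; the script only chooses the tool and caps the capture, it does not address the v4.0 limitation Alex mentions, where the IDS software and tcpdump cannot share the interface at the same time.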
Current thread:
- CISCO IDS Packet capture Strand, John (Apr 06)
- RE: CISCO IDS Packet capture Alex Arndt (Apr 08)
- RE: CISCO IDS Packet capture Chad R. Skipper (Apr 08)
- Re: CISCO IDS Packet capture James Fields (Apr 08)
- <Possible follow-ups>
- RE: CISCO IDS Packet capture Matt Vaughan (Apr 08)
- RE: CISCO IDS Packet capture Strand, John (Apr 08)
- RE: CISCO IDS Packet capture Billy Dodson (Apr 08)
- RE: Snoop on Cisco IDS (Was: CISCO IDS Packet capture) Alex Arndt (Apr 12)
- Re: Snoop on Cisco IDS (Was: CISCO IDS Packet capture) Jason Haar (Apr 15)
- RE: Snoop on Cisco IDS (Was: CISCO IDS Packet capture) Alex Arndt (Apr 12)
- RE: CISCO IDS Packet capture Terence Runge (Apr 08)