IDS mailing list archives

RE: Snoop on Cisco IDS (Was: CISCO IDS Packet capture)


From: "Alex Arndt" <aarndt () rogers com>
Date: Thu, 8 Apr 2004 15:11:20 -0400

Comments in-line below...

-----Original Message-----
From: Billy Dodson [mailto:billy () pmm-i com]
Sent: April 6, 2004 9:34 AM
To: Strand, John; focus-ids () securityfocus com
Subject: RE: CISCO IDS Packet capture

I am uncertain if this is possible.  You can run a snoop command from
the shell and watch data.  If you tried to log all that data on the IDS
itself the hd would fill up in a matter of minutes.  There might be a
way to log it to a syslog server or something of that nature, but I have
never tried.  But if you just want to watch the data in real time you
can run that snoop command. 

This is only possible on a Cisco IDS sensor running the v3.1 or older
software, since it runs on top of Solaris x86.

The new version (v4.0 or newer) runs on top of Red Hat Linux, so
it would use tcpdump instead of snoop. Unfortunately, just as Chad
Skipper pointed out in another reply, you can't run the IDS software
and tcpdump at the same time (unlike snoop and IDS in v3.1 and older).

Just figured I'd offer this clarification given the fact that Cisco
IDS users may be using either the old or the new IDS software...

Alex Arndt
CISSP, GCIA

"Within all order is the potential for chaos..." 
