System Architectural Details; Communications - Cisco IDS-4230-FE - Intrusion Detection Sys Fast Ethernet Sensor Installation And Configuration Manual

System Architectural Details
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
A-44
Blocking—Provides the ability to modify ACLs on routers and other devices to dynamically affect the access policy on a network as the result of an event. A block request is sent to the NAC. To avoid the performance impact and delay of a control transaction, the request is in the form of an event.
CapturePacket—Provides the ability to capture the alert trigger packet. The offending packet is included in the evAlert. You configure the signature to perform this action by setting the master engine parameter CapturePacket to True. If set to True, and the alert is not a SummaryAlarm, the current packet is appended to the evAlert message.
You will not be able to query the IP log system and get only packets from a specific time inside the log. If you supply a time range, you receive a single file made up of all internal blocks that contain the time range requested. Further refinement of the log file must be done on a separate platform, because filtering the packets puts an undue burden on the sensor platform. There are many tools available that allow you to filter and otherwise manipulate the IP log files.
An interface must be active to activate a log from that interface. There is no provision for erasing IP logs or sanitizing the sensor. You must reimage the sensor if you want to remove all log files.
Note: The IDS management systems cannot display IP log information, but through the CLI you can print the hex and ASCII view of the Base64-decoded CapturePacket field.
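Because the trigger packet travels Base64-encoded inside the evAlert and the manual steers packet-level work off the sensor, the following Python is an added example (not from this manual or any Cisco code) of doing that decoding on an analyst workstation: it validates and decodes the field, prints the same offset/hex/ASCII view the CLI gives, and pulls out the layer 2 to layer 4 addressing. The sample frame is constructed, and it assumes the Base64 string has already been extracted from the evAlert (the element name is not given here).

```python
import base64
import binascii
import struct

# Constructed sample: an Ethernet/IPv4/TCP SYN frame, Base64-encoded the way the
# sensor carries the trigger packet in the evAlert. Not taken from a real sensor.
_SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                    # Ethernet dst, src, type IPv4
    "4500002800010000" "40060000" "c000020a" "c6336414"     # IPv4 192.0.2.10 -> 198.51.100.20
    "04d20050" "00000001" "00000000" "50022000" "00000000"  # TCP 1234 -> 80, SYN
)
SAMPLE_CAPTURE_PACKET = base64.b64encode(_SAMPLE_FRAME).decode("ascii")

def decode_capture_packet(field):
    """Strictly decode the Base64 field; reject garbage rather than misparse it."""
    try:
        data = base64.b64decode(field.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"CapturePacket is not valid Base64: {exc}") from exc
    if len(data) < 14:
        raise ValueError("CapturePacket is shorter than an Ethernet header")
    return data

def hex_ascii_dump(data, width=16):
    """Render offset / hex / ASCII lines, the view the sensor CLI prints."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {text}")
    return "\n".join(lines)

def summarize(data):
    """Pull the L2/L3/L4 addressing an analyst triages on (Ethernet/IPv4 only)."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", data[:14])
    info = {"eth_src": src_mac.hex(":"), "eth_dst": dst_mac.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800 or len(data) < 34:
        return info                       # non-IPv4 or truncated: stop at layer 2
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("version/IHL field is not a sane IPv4 header")
    info.update(ip_src=".".join(map(str, src)), ip_dst=".".join(map(str, dst)), ttl=ttl, proto=proto)
    l4 = data[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:  # TCP or UDP: ports are the first two shorts
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        if proto == 6 and len(l4) >= 14:
            info["tcp_flags"] = l4[13] & 0x3F
    return info
```

Run `summarize(decode_capture_packet(field))` on a field copied from an alert to get the addressing, and `hex_ascii_dump` for the raw view.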
This section provides information about other system architecture details.
This section contains the following topics:
Communications, page A-45
IDAPI, page A-46
RDEP, page A-47
Sensor Directory Structure, page A-48
Appendix A
Intrusion Detection System Architecture
78-15597-02