Cisco IDS-4230-FE - Intrusion Detection Sys Fast Ethernet Sensor Installation And Configuration Manual page 39

Intrusion detection system appliance and module

Chapter 1
Introducing the Sensor
Modules
The IDSM-2 performs network sensing—real-time monitoring of network
packets through packet capture and analysis. The IDSM-2 captures network
packets and then reassembles and compares the packet data against attack
signatures indicating typical intrusion activity. Network traffic is either copied to
the IDSM-2 based on security VLAN access control lists (VACLs) in the switch
or is copied to the IDSM-2 through the switch's Switched Port Analyzer (SPAN)
port feature. These methods route user-specified traffic to the IDSM-2 based on
switch ports, VLANs, or traffic type to be inspected. (See Figure 1-5.)
Figure 1-5 IDSM-2 Block Diagram
The IDSM-2 searches for patterns of misuse by examining the data portion, the
header portion, or both, of network packets. Content-based attacks contain
potentially malicious data in the packet payload, whereas context-based attacks
contain potentially malicious data in the packet headers.
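The sketch below is an added example, not code or signatures from Cisco or from this guide. It shows a header (context) check applied per packet and a payload (content) check applied to the reassembled data, and why matching per packet alone can miss a pattern. The signature names, the function names and the sample packets are constructed for illustration, and reassembly is simplified to ordering the segments of one flow by sequence number.

```python
import struct

# Constructed illustrative signature (an assumption, not Cisco's signature set).
CONTENT_SIGS = {"passwd-file-request": b"/etc/passwd"}
SYN, FIN = 0x02, 0x01

def build_packet(seq, flags, payload, src="10.0.0.5", dst="10.0.0.9"):
    """Build a minimal IPv4+TCP packet (checksums left zero) to use as sample input."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, flags, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload

def parse(pkt):
    """Return (seq, flags, payload) of an IPv4/TCP packet, honouring both header lengths."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20 or pkt[9] != 6:
        raise ValueError("not a complete IPv4/TCP packet")
    total = struct.unpack("!H", pkt[2:4])[0]
    seq = struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0]
    doff = (pkt[ihl + 12] >> 4) * 4
    return seq, pkt[ihl + 13], pkt[ihl + doff:total]

def inspect(packets):
    """Context checks on each header; content checks on the reassembled payload stream."""
    alerts, segments = [], {}
    for pkt in packets:
        seq, flags, payload = parse(pkt)
        if flags & SYN and flags & FIN:      # flag combination no normal TCP stack sends
            alerts.append(("context", "syn-fin-flags"))
        if payload:
            segments.setdefault(seq, payload)  # keep first copy of a retransmitted segment
    stream = b"".join(segments[s] for s in sorted(segments))
    for name, pattern in CONTENT_SIGS.items():
        if pattern in stream:
            alerts.append(("content", name))
    return alerts

def per_packet_content_hits(packets):
    """Content check without reassembly, for comparison with inspect()."""
    return [n for p in packets for n, pat in CONTENT_SIGS.items() if pat in parse(p)[2]]

# Constructed sample: the pattern is split across two segments that arrive out of order.
SAMPLE = [build_packet(1011, 0x18, b"sswd HTTP/1.0\r\n\r\n"),
          build_packet(1000, 0x18, b"GET /etc/pa"),
          build_packet(5000, SYN | FIN, b"")]
```

On `SAMPLE`, `per_packet_content_hits` finds nothing, while `inspect` reports both the header anomaly and the payload pattern once the segments are put back in order.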
You can configure the IDSM-2 to generate an alert when it detects potential
attacks. Additionally, you can configure the IDSM-2 to transmit TCP resets on the
source VLAN, generate an IP log, and/or initiate blocking countermeasures on a
firewall or other managed device. Alerts are generated by the IDSM-2 through the
Catalyst 6500 series switch backplane to the IDS manager, where they are logged
or displayed on a graphical user interface.
Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1
1-15
78-15597-02
