Configure IP address
service host
->network-settings
-->host-ip 10.0.0.10/24,10.0.0.1
Configure to allow traffic from management station
service host
->network-settings
-->access-list 10.0.0.100/32
Enable physical sensing interface
service interface
->physical-interfaces FastEthernet0/0
-->admin-state enabled
Assign the physical sensing interface to the IPS analysis engine (virtual sensor vs0)
service analysis-engine
->virtual-sensor vs0
-->physical-interface FastEthernet0/0
When you set up a SPAN or RSPAN session on a Cisco switch, the "ingress" keyword on the session destination allows the sensing interface to send TCP reset (RST) packets back into the network.
VLAN Groups - are used in sniffing/sensing (promiscuous) mode.
VLAN Pairs - are used in inline mode.
META Engine - is used to combine multiple signatures into one.
"swap attacker victim" - is used in cases where the source address is actually the victim (e.g. a Smurf attack, where the spoofed source address belongs to the victim).
SPAN rx - is used when you want to monitor an entire VLAN.
SPAN both - is used when you are monitoring a single device or port.
In the case of RSPAN, use "rx".
When defining blocking devices in Cisco IPS, keep in mind that Cisco IOS supports SSH v2, but to an ASA the sensor will connect with SSH version 1 only, so you will probably need to allow both v1 and v2 on the Cisco ASA.
To test SSH or Telnet reachability to the blocking devices, I suggest creating a "service" role account called "linux". Log in to the IPS sensor with this account and you will find yourself in a bash shell, where you can test connectivity with regular Linux commands.
When setting up an RSPAN session, don't forget the "dot1q" keyword on the destination interface:
monitor session 1 destination interface Fa0/10 encapsulation dot1q
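The SPAN and RSPAN notes above, pulled together as a switch-side configuration. This is an added, constructed example and not from the original page: the session numbers, VLAN 10 as the monitored VLAN, VLAN 900 as the RSPAN VLAN and the interface names are all assumptions, and the syntax is Catalyst IOS (monitor session / remote-span).

```cisco
! --- Local SPAN, whole VLAN: "rx" on a VLAN source avoids seeing every frame twice
monitor session 1 source vlan 10 rx
! "ingress" lets the sensor inject TCP resets through the destination port;
! "untagged vlan 10" accepts untagged resets and places them in VLAN 10
monitor session 1 destination interface FastEthernet0/10 ingress untagged vlan 10

! --- Local SPAN, single server port: "both" directions on a port source
monitor session 2 source interface FastEthernet0/1 both
monitor session 2 destination interface FastEthernet0/11 ingress untagged vlan 10

! --- RSPAN, source switch: dedicated RSPAN VLAN (900 is an assumption)
vlan 900
 name RSPAN-to-IPS
 remote-span
!
monitor session 3 source interface FastEthernet0/1 rx
monitor session 3 destination remote vlan 900

! --- RSPAN, destination switch (where the sensor is attached)
vlan 900
 remote-span
!
monitor session 3 source remote vlan 900
! "encapsulation dot1q" keeps the VLAN tags so the sensor can use VLAN groups;
! "ingress" is still required for resets to reach the network
monitor session 3 destination interface FastEthernet0/10 encapsulation dot1q ingress untagged vlan 10
```

Sessions 1 and 2 are alternatives shown side by side, not meant to run on the same destination port. Which `ingress` sub-option (`untagged vlan`, `dot1q vlan` or `vlan`) fits depends on whether the sensor sends its resets tagged or untagged, so verify with `show monitor session` and a test reset action before relying on it.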