
We can see from this chapter that the IDSM sensor, although intimidating on the surface, is no more difficult to configure and manage than the more conventional Cisco IDS appliances. It has shipped in two versions: the original IDSM sensor (based on an embedded version of Windows) and version 2 (based on Red Hat Linux).

The Cisco IDSM sensor has three command modes: exec mode, configuration mode, and diagnostic mode. Through them, we manage and configure the IDSM sensor from the command line.

In order to start using the IDSM sensor, you need to configure its monitoring port to capture the appropriate VLAN traffic. On a Catalyst 6000/6500 switch running CatOS, we first place the monitoring port in the right VLAN with the set vlan command. Once the monitor port is in the correct VLAN, we can either configure SPAN or use a VACL, depending on the need. SPAN is easier to configure but has less flexibility than the VACL: SPAN copies all traffic from the source port or VLAN, whereas a VACL can capture very specific traffic, for instance a single protocol such as HTTP only, or it can filter on a given MAC address. To configure SPAN, we use the set span <source> <destination> [rx | tx | both] [create] command, where the source is the port or VLAN to mirror and the destination is the IDSM monitoring port.

Configuring the VACL is a bit more involved. We first start with the command set security acl ip <acl_name> permit ip <src> <dst> capture, which creates the ACL under that name, permits the matching IP traffic, and instructs the VACL to send a copy of it to the capture port. Because a VACL ends with an implicit deny, any traffic the ACL does not explicitly permit is dropped on that VLAN, so an ACL that captures only HTTP must also permit the remaining traffic (without the capture keyword) or the rest of the VLAN stops passing. Next, we commit the ACL using the commit security acl command and apply it to the VLAN of interest with the command set security acl map <acl_name> <vlans>.
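The two capture methods described above, worked through as one CatOS session. This is an added example, not configuration from the original chapter or from Cisco's documentation; the IDSM slot (6, so monitoring port 6/1), the monitored VLAN (10), the ACL name WEBONLY, and the use of TCP port 80 as the "HTTP only" filter are all assumptions chosen for illustration. Pick either the SPAN step or the VACL steps, not both.

```console
# Added example: Catalyst 6500 running CatOS, IDSM assumed in slot 6.
# Monitoring port 6/1, VLAN 10, and ACL name WEBONLY are assumptions.

# 1. Put the IDSM monitoring port in the VLAN whose traffic we want to watch.
Console> (enable) set vlan 10 6/1

# 2a. Simple option: SPAN the whole VLAN to the monitoring port, both
#     directions. "create" adds a new session instead of replacing the
#     existing one. Verify with show span.
Console> (enable) set span 10 6/1 both create
Console> (enable) show span

# 2b. Selective option: a VACL that copies only HTTP (TCP/80) to the sensor.
#     The second permit carries no "capture" keyword; it is there because a
#     VACL has an implicit deny at the end, and without it every non-HTTP
#     packet on VLAN 10 would be dropped, not just left uncaptured.
Console> (enable) set security acl ip WEBONLY permit tcp any any eq 80 capture
Console> (enable) set security acl ip WEBONLY permit ip any any
Console> (enable) commit security acl WEBONLY
Console> (enable) set security acl map WEBONLY 10
#     The monitoring port must also be designated as a capture port, a step
#     the summary above does not list.
Console> (enable) set security acl capture-ports 6/1
Console> (enable) show security acl info WEBONLY
```

After either option, confirm on the sensor that packets are arriving on port 1 before tuning signatures; an empty capture usually means the wrong VLAN in set vlan, a SPAN session that was overwritten instead of created, or a VACL committed but never mapped to the VLAN.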

The IDSM sensor has two interfaces that sit on the switch backplane. The first, port 1, is the monitoring interface, which only receives the copied traffic delivered by SPAN or VACL capture. The second, port 2, is the command and control interface that we use to control and manage the IDSM sensor. Since the IDSM sensor is a line card for the Catalyst 6000/6500 series switch and sits outside the forwarding path, there is no impact on switching performance.

The IDSM sensor's operating system can be upgraded or patched by using an FTP server together with the ids-installer and apply commands. To update or upgrade the IDSM sensor software, you must boot to a partition other than the one being upgraded. In most cases, this means booting to partition 2, the maintenance partition, with the reset hdd:2 command. Before we can upload the image to the partition, we need to give the maintenance partition a network configuration using the ids-installer netconfig command. Running the ids-installer system command on the IDSM sensor then transfers the update or patch image from the FTP server to the IDSM sensor.