RE: CISCOs new IPS

["Gary Halleen" <ghalleen () cisco com>]

Mike,

To look at the packet that triggered the attack, you have to enable the
TriggerPacket (also known as CapturePacket) flag on the signature.  Once
this is enabled, a pcap-format packet will be delivered to the monitoring
console with the alert.

Gary


 

-----Original Message-----
From: Mike Johnson [mailto:mike () enoch org] 
Sent: Saturday, January 29, 2005 11:01 AM
To: ghalleen () cisco com
Cc: focus-ids () securityfocus com
Subject: Re: CISCOs new IPS

Gary Halleen (ghalleen) wrote:
> Actually, that's not quite correct, Billy?
>
> Cisco IPS 5.0 is just around the corner, and is a full-fledged 
> appliance-based IPS product.  It will support various drop actions, as 
> well as traffic normalization and antivirus/antiworm.

Can you explain this a little more?  We have a few 4240's in place now (not
inline, obviously), and we're looking forward to 5.0 (though getting more
and more annoyed at the slipping ship dates), so I'd love to go ahead and
get a head start on some of the new features.

And while I'm at it, am I totally missing a way to get a look at the actual
packets that trigger the alerts?

Mike

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------