IDSM-2

performance: 500 Mbps

size: one line-card slot (1 RU)

processor: dual 1.13 GHz

operating system: Linux

supports both inline mode and promiscuous (offline/passive) mode

port 1: not configurable; used only to send TCP resets

port 2: command and control port

ports 7 and 8: sensing ports, already configured as trunks

VLAN access maps (VACLs)

A VACL is applied to a VLAN, so it filters both Layer 2 (bridged) and Layer 3 (routed) traffic in that VLAN.

ip access-list extended icmp

permit icmp any any

ip access-list extended http

permit tcp any any eq 80

vlan access-map vacl 1

match ip address icmp

action drop

vlan access-map vacl 2

match ip address http

action drop

vlan access-map vacl 3

action forward   (an entry with no match clause matches everything else; without it the map's implicit deny would drop all remaining traffic in the VLAN)

vlan filter vacl vlan-list 200   (applies the map to VLAN 200)

Inline mode on the trunked sensing ports

set the native VLAN on sensing ports 7 and 8

prune every VLAN except the native VLAN from the trunk

disable BPDUs (spanning tree) on the sensing ports

Promiscuous (offline) mode:

switch>show module   (lists the installed modules and their slots)

console>(enable)session 4   (opens a session to the IPS module in slot 4)

CatOS SPAN configuration

console>(enable)set span 2/1-2 3/7 rx inpkts enable create   (mirrors ingress traffic of ports 2/1-2 to sensing port 3/7; "inpkts enable" lets the sensor also send packets, e.g. TCP resets, through the SPAN destination)

IOS SPAN configuration

router(config)#monitor session 1 source interface gi2/1 rx

router(config)#monitor session 1 source interface gi2/2 rx

router(config)#monitor session 1 destination intrusion-detection-module 3 data-port 1

data-port 1 is sensing port 7 of the module

data-port 2 is sensing port 8 of the module

VACL capture on the 6500

router#config t

router(config)#vlan access-map ids 10

router(config-access-map)#match ip address web-ftp   (web-ftp is an extended ACL defined beforehand)

router(config-access-map)#action forward capture   (the packet is forwarded and a copy is sent to the capture port, i.e. to the IPS for analysis)

router(config)#vlan access-map ids 20

router(config-access-map)#action forward   (everything else is forwarded without being captured)

Example:

router#conf t

router(config)#ip access-list extended web_mail

router(config-ext-nacl)#permit tcp any any eq www

router(config-ext-nacl)#permit tcp any any eq smtp

router(config-ext-nacl)#exit

router(config)#vlan access-map capture_web_mail 10

router(config-access-map)#match ip address web_mail

router(config-access-map)#action forward capture

router(config-access-map)#exit

router(config)#vlan access-map capture_web_mail 20

router(config-access-map)#action forward

router(config-access-map)#exit

router(config)#vlan filter capture_web_mail vlan-list 200

router(config)#intrusion-detection module 3 data-port 1 capture
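The same IOS VACL-capture procedure written out end to end, with the verification commands a practitioner would run afterwards. This is an added example, not part of the original notes. It assumes the IDSM-2 is in slot 3 and the monitored VLAN is 200; the ACL and map names are arbitrary. The `capture allowed-vlan` keyword and the `show intrusion-detection module ... state` command are given from memory and should be checked against your IOS release.

```cisco
! Added example (not from the original notes). Assumes: IDSM-2 in slot 3,
! monitored VLAN 200; names are arbitrary.
configure terminal
!
! 1. Classify the traffic of interest. An extended ACL needs the protocol,
!    so "permit any any eq www" would be rejected.
ip access-list extended web_mail
 permit tcp any any eq www
 permit tcp any any eq smtp
 exit
!
! 2. Build the map. Matched traffic is forwarded AND copied to the capture
!    port. The second entry has no match clause, so it matches all remaining
!    traffic and forwards it; without it the map's implicit deny would drop
!    everything else in VLAN 200.
vlan access-map capture_web_mail 10
 match ip address web_mail
 action forward capture
 exit
vlan access-map capture_web_mail 20
 action forward
 exit
!
! 3. Apply the map to VLAN 200 only.
vlan filter capture_web_mail vlan-list 200
!
! 4. Make the module's first sensing port (module port 7) a capture port.
!    "allowed-vlan 200" (assumed keyword, from memory) limits it to captured
!    traffic of VLAN 200; without it the port receives captured traffic from
!    every VLAN that has a capture VACL applied.
intrusion-detection module 3 data-port 1 capture allowed-vlan 200
end
!
! Verification
show ip access-lists web_mail
show vlan access-map capture_web_mail
show vlan filter vlan 200
! Assumed command name (from memory; check on your IOS release):
show intrusion-detection module 3 data-port 1 state
```

Order matters for the safety of the change: define the ACL and both map entries before typing `vlan filter`, because the filter takes effect immediately and an incomplete map with no catch-all forward entry blackholes the VLAN.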

CatOS VACL capture

console>(enable)set security acl ip test permit tcp any any eq 80 capture

console>(enable)set security acl ip test permit tcp any any eq 25 capture

console>(enable)set security acl ip test permit ip any any

console>(enable)commit security acl test   (commits the edited list to the hardware)

console>(enable)set security acl map test 200   (applies the list to VLAN 200)

console>(enable)set security acl capture-ports 3/7   (makes 3/7 a capture port; per these notes, 3/7 and 3/8 of the IDSM-2 are capture ports by default)

mls ip ids capture on CatOS

console>(enable)session 15   (opens a session to the MSFC)

msfc>enable

msfc#conf t

msfc(config)#ip access-list extended web_mail

msfc(config-ext-nacl)#permit tcp any any eq www

msfc(config-ext-nacl)#permit tcp any any eq smtp

msfc(config-ext-nacl)#exit

msfc(config)#interface vlan 100

msfc(config-if)#mls ip ids web_mail

msfc(config-if)#end

msfc#exit

console>(enable)set security acl capture-ports 3/7

mls ip ids capture on IOS

router#configure terminal

router(config)#ip access-list extended web_mail

router(config-ext-nacl)#permit tcp any any eq www

router(config-ext-nacl)#permit tcp any any eq smtp

router(config-ext-nacl)#exit

router(config)#interface fa2/1

router(config-if)#no switchport   (mls ip ids is applied to a Layer 3 interface, so the port is made a routed port)

router(config-if)#ip address 10.1.1.1 255.255.255.0

router(config-if)#mls ip ids web_mail

router(config-if)#exit

router(config)#intrusion-detection module 3 data-port 1 capture

Inline mode:

Cisco IOS: put the two data ports into different VLANs

intrusion-detection module 13 management-port access-vlan 147   (puts the command and control port into VLAN 147)

intrusion-detection module 13 data-port 1 access-vlan 661   (puts sensing port 13/7 into VLAN 661)

intrusion-detection module 13 data-port 2 access-vlan 662   (puts sensing port 13/8 into VLAN 662)
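The three commands above only place the ports; for traffic to actually cross the module, the two VLANs have to be the two sides of one path. The following is an added example (not from the original notes) showing one way to do that on the switch: hosts in VLAN 661, their default gateway as an SVI in VLAN 662, so every packet to or from the gateway is bridged through the sensor. It assumes the IDSM-2 is in slot 13, a host port Gi1/1, and made-up addresses; the pairing of the sensor's two data interfaces as an inline pair is done on the sensor itself and is not shown. The `show intrusion-detection module ... state` command is from memory and should be checked on your IOS release.

```cisco
! Added example (not from the original notes). Assumes: IDSM-2 in slot 13,
! management VLAN 147, hosts in VLAN 661, gateway SVI in VLAN 662, host port
! Gi1/1. Addresses are made up.
configure terminal
vlan 147
vlan 661
vlan 662
!
! Command-and-control port in the management VLAN.
intrusion-detection module 13 management-port access-vlan 147
!
! Each sensing port is an access port in a different VLAN. The sensor bridges
! the two VLANs through its inline interface pair (configured on the sensor,
! not on the switch), so 661 and 662 share one IP subnet.
intrusion-detection module 13 data-port 1 access-vlan 661
intrusion-detection module 13 data-port 2 access-vlan 662
!
! Hosts sit on one side of the sensor ...
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 661
 exit
!
! ... and their gateway on the other side. Do NOT create an SVI in VLAN 661:
! the MSFC would then answer the hosts directly and route around the module.
interface Vlan662
 ip address 10.66.2.1 255.255.255.0
 no shutdown
end
!
! Verification: both data ports show their VLAN; a host in 661 (address in
! 10.66.2.0/24, gateway 10.66.2.1) reaches the gateway only while the
! sensor's inline pair is up, which is the check that traffic really
! traverses the module.
show intrusion-detection module 13 data-port 1 state
show intrusion-detection module 13 data-port 2 state
show vlan id 661
show vlan id 662
```

The check to add in practice is failure behaviour: if the sensor's inline pair goes down, hosts in VLAN 661 lose their gateway (fail-closed). That is the opposite of the promiscuous designs earlier in these notes, where a dead sensor only stops alerting.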

CatOS: assign the ports

console>(enable)set vlan 100 3/2   (puts the command and control port 3/2 into VLAN 100)

AIP-SSM (the IPS module that plugs into an ASA)

Sending traffic to the ASA's IPS module

asa(config)#policy-map outside_policy

asa(config-pmap)#class internet

asa(config-pmap-c)#ips inline fail-open

keywords: inline (inline mode) or promiscuous (offline mode); fail-open (if the IPS module fails, packets still pass) or fail-close (if the IPS module fails, packets are dropped)

Initial setup of the ASA IPS module

firewall#show module   (lists the installed modules)

firewall#session 1   (opens a session to the IPS module in slot 1)

The IPS module's configuration screens are embedded in ASDM and appear once the module is installed.
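The `policy-map` fragment above is only the middle of the ASA Modular Policy Framework: the class it references has to exist, and the policy does nothing until it is applied to an interface. The following is an added example, not from the original notes, showing the complete set. It assumes an ASA interface named "outside", an AIP-SSM in slot 1, and that all traffic on that interface should go to the module; the class and policy names are arbitrary.

```cisco
! Added example (not from the original notes). Assumes: interface "outside",
! AIP-SSM in slot 1, inspect all traffic on that interface. Names arbitrary.
!
! 1. The class that "class internet" refers to.
class-map internet
 match any
!
! 2. The policy. Pick exactly one "ips" line:
!    inline      = module sits in the path and can drop packets
!    promiscuous = module only receives a copy and can only alert/reset
!    fail-close  = if the module is down, matching traffic is dropped
!    fail-open   = if the module is down, matching traffic passes uninspected
policy-map outside_policy
 class internet
  ips inline fail-close
!  ips promiscuous fail-open
!
! 3. Nothing reaches the module until the policy is bound to an interface
!    (or applied with "global").
service-policy outside_policy interface outside
!
! Verification
show module 1 details
show service-policy interface outside
show running-config policy-map outside_policy
```

`fail-close` is the setting to pair with `inline` when the module is the control that blocks attacks; `fail-open` keeps the firewall forwarding during an IPS upgrade or crash, at the price of an uninspected window that should at least be alerted on from `show module`.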

CSC-SSM (the ASA anti-virus module)

supports anti-virus, URL filtering and anti-spam

Initial setup

firewall#show module

firewall#session 1

menu-driven configuration interface