AIP-SSM 20 questions

Similar Messages

• Customizing signatures question on AIP-SSM

  Hi all
  actually our customer has an AIP-SSM module which is configured in inline mode.some users are appeared as attackers in the IPS event store .
  can i deny any unwanted connection for these users without affecting on the legitimate connections of these users like internet browsing ???
  i tried to make the signature action to be "deny connection inline" but when the signature fire , the user who has appeared as an attacker is totally blocked and cannot access internet.
  anyone face this issue ??
  please advice.
  regards

  Hi Mohammed.
  Right now I'm preparing the IPS Exam, and I have read some where that:
  "deny connection inline" will stop the connection totaly. But if the same user(IP Address) has many "deny connection inline", the IPS will say that there is a problem with this PC, and I'll not lose ressource and time to block each connection, and the the IPS sensor will block the Host.
  You can tune the Signature to solve this issue, but this will not solve the main problem.
  But as Andy said, thier is a Sweep attack from these PCs. try to scan them with Anti-Virus, and anti-worm... because they are the source of this issues.
  Sweep is a "Network Reconnaissance Attack". Please take a look at this link for more information:
  http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliSgEng.html#wp1048257
  I hope this helpful.
  Best regards
  Reda
  [email protected]

• Do I need two AIP-SSM modules if I am configuring failover?

  Is it possible to use a single AIP-SSM module in two ASA's that are configured in Active/Standby mode?
  I would like to configure the module in the first ASA with the fail-open setting.  Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.
  Would there be any problems configuring it this way?
  Would the active/standby ASA's complain that there is only one AIP-SSM module?
  Thanks in advance.

  Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
  Question: let´s suppose that I execute a basic setup (admin username/password, IP address, mask, gateway), on the IPS module of the active ASA firewall. ¿Will this configuration be replicated to the IPS module of the secondary unit?
  Your kind answer will be greatly appreciated.
  Best regards...

• Configuring SNMP Trap receiver on AIP-SSM sensor

  I receive the following error message from my ASA5520 firewall when attempting to forward SNMP traps from my AIP-SSM20 sensor to a server on my Inside interface that is configured to receive SNMP traps:
  ASA-4-418001: Through-the-device packet to/from management-only network is denied: udp src management: 10.3.21.2/32768 dst Inside: PPC0ES/162
  Can I reconfigure the management IP address of the AIP-SSM sensor to connect to the Inside interface instead of the management vlan or does my SNMP server have to reside on the management vlan with the sensor?

  Hi Subodh,
  Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
  If you have any other specific questions, feel free to post back.
  Hope that helps.
  -Mike

• AIP-SSM configuration assistance

  I have two questions regarding the AIP-SSM.
  1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
  2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
  3) Should then the management interface be used as the gateway for the SSM?
  interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
  interface GigabitEthernet0/1
  nameif dmz
  security-level 50
  ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
  interface GigabitEthernet0/2
  nameif inside
  security-level 100
  ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
  interface GigabitEthernet0/3
  description LAN/STATE Failover Interface
  interface Management0/0
  speed 100
  duplex full
  nameif management
  security-level 100
  ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
  management-only

  Here are the answers to your questions-
  1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
  Ans) No. ACL on SSM is completely independent of ACLs on ASA.
  2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
  Ans) Absolutely. You can assign the management port of SSM an IP in the same subnet as your managemnet interface. That way all management traffic will be kept independent of normal DATA traffic.
  3) Should then the management interface be used as the gateway for the SSM?
  Ans) You are right .. :-)
  Hope that helps.
  Regards,
  Vibhor.

• Configuring AIP-SSM modelue

  hi,
  we have AIP-SSM-40 modeule installed on ASA 5540 but it is just physically present.
  Is it possible to configure to this modeule in inline or like IDS mode? It has only one Ethernet interface. Can this interface be treated as sensor interface and mark a copy of all incoming frames on this interface ( by SPA on switches ).
  Please share the experience.
  Thanks in advance.
  Subodh

  Hi Subodh,
  Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
  If you have any other specific questions, feel free to post back.
  Hope that helps.
  -Mike

• Monitoring AIM-IPS-K9 and AIP-SSM-10

  Does anyone have any tips on monitoring the IPS devices for being up, healthy, not-in-bypass, and running normally, I had five of them fail after the E3 upgrade (one is still tweaked due what TAC has identified as a corrupt license issue). Although CSMARS 6.0 lists some unreachable devices once daily, it has all devices in the list making it less that useful information, but that is a different question.
  AIM-IPS-K9: 19 ea.
  AIP-SSM-10: 3 ea.

  Cisco had orginally planned to add a "keep alive" signature to 6.0. but that feature got dropped. The intent was to fire off a signature every few mins as long as the sensor was seeing valid traffic. The absence of seeing this signature should trigger some attention to a downed sensor.
  You can write a custom sig, but you have to be able to detect the loss of that event to be of value.

• AIP-SSM Int gig0/0

  Looking for an explanation of the gig0/0 interface in the AIP-SSM-20. The ASA runs 8.2 and the IPS runs 6.2.
  The documentation I'm reading doesn't mention it all. I want a management interface separate from the default connection between the ASA and the ips module.

  Hi Tanveer,
  Thanks for the detailed response.
  I believe that I was confusing the different modules.
  Here is one last question from the setup command and the advanced configuration:
  Management0/0 and gigabit 0/1 are given different IP addresses, correct? We want to use a same management vlan used by all networking devices. Does the gig0/1 have a different ip and is it the interface which connects to the ASA over the backplane?
  Modify interface/virtual sensor configuration?[no]: yes
  Current interface configuration
  Command control: Management0/0
  Unassigned:
  Monitored:
  GigabitEthernet0/1
  Thank you in advance!

• Installing signature update for IDSM-2 on AIP-SSM

  Hi every one,im not sure about this question but i think its beter to ask you experts.i want to know that if i have signature update for example for my IDSM-2 can i instal this sig update on my AIP-SSM --> suppose that IPS software on both devices are same and also i have installed valid license key on AIP-SSM.now can i do this or no? and i know that if you have not valid license installed on IDSM-2 you cant instal any sig update on IDSM-2 but what about AIP-SSM?i mean can i instal sig update on AIP-SSM without installed valid license key on AIP-SSM? thanks

  There are 3 main types of Signature Updates.
  1) IPS Sensor Signature Updates
  2) CSM Signature Updates for IPS Sensors
  3) IOS IPS Signature Updates
  The IPS Signature Update filename is in the form: IPS-sig-Sxxx-req-Ey.pkg
  This is most likely what you are referrnig to in your post. This file can be installed on ANY IDS/IPS Appliance or Module.
  The Requirement here is not the platform but rather the Engine Level. The "req-Ey" portion of the filename tells you that the sensor must already be running the "y" Engine level of software.
  So an IPS-sig-S436-req-E3.pkg file can be installed on any IDS/IPS Appliance or Module so long as the software on that sensor is an "E3" version.
  The CSM updates, are signature updates for the Cisco Security Manager. They contain special files that CSM uses to update itself, and then also included within the CSM update is the actual sensor update described above. CSM unpackages the CSM update, updates itself, and then uses that embedded file to upgrade the actual sensor.
  The third type of file is for IOS Routers loaded with special IOS software that has the special IOS IPS features where the Router itself (instead of a separate IDS/IPS module) does the signature monitoring.
  These IOS IPS Signature Updates get installed on the actual router, and are not installed on the IDS/IPS Sensor Appliances or Modules.
  So in answer to your question, yes the same Signature Update for your IDSM-2 is the exact same Signature Update for your SSM modules.
  The exact same file is available through multiple different paths on cisco.com. But it doesn't matter through which cisco.com path you downloaded the file you can still install it on all IDS/IPS Appliances and Modules.
  As for licensing, the license works the same on all IDS/IPS Appliances and Modules. A license must be on the sensor for the Signature Update to be applied.
  NOTE: A Trial License is available from cisco.com for new sensors to allow you time to get everything setup correctly for your sensor to be covered by a service contract, and get the standard license from the service contract.

• AIP-SSM crash during S389 Signature upgrade

  Our AIP-SSM [version 6.1(2)E3] crashed during a S389 Signature upgrade on Friday. Neither a "session 1" command from its host, an ASA5520, or a "reload" command of the ASA5520 succeeded in bringing back up the AIP-SSM. Fortunately, after the ASA's power was recycled, the AIP-SSM successfully booted, albeit not to S389, but to its previously loaded S383. I established an SR and supplied the "show tech" and "show config," but the Cisco tech replied "nothing stands out" in them and said just run the S389 update again and send the same info if it crashes. I have several problems with that approach: 1) he had replied that several other customers had had the same problem; 2) our current AIP-SSM is a replacement for an RMA'ed one which had choked on the E2 engine upgrade a few months ago; 3) if another S389 upgrade attempt fails, our client's network will be down because our security policy requires the ASA's bypass mode for the AIP-SSM to be "fail-close." My questions to the forum include:
  1) If the "show tech" command is run after an AIP-SSM has rebooted after a previously-attempted S389 upgrade, can it include any information specific to the previously-attempted S389 upgrade? 2) Could the hardware components of the AIP-SSM-10 be inadequate for the combination of the E3 engine plus the cumulative signatures? 3) If the answer to question 2 is "yes" or "possibly," could Cisco modularize the signatures, eg. provide an "only-activated-signatures" (ie smaller) file for customers like us and an "everything" for others? Advice and recommendations heartily requested.

  Based on your show version, you already have E4, what is it that you are trying to do?
  Mike

• How to buy license? for AIP-SSM-10 ?

  Hi all
  how to buy license? for AIP-SSM-10 ?
  1. CON-SU1-AS1A1PK9 this is Cisco SMARTnet Support for AIP-SSM-10
  2. do I need smartnet for ASA ?
  3. what is part number of license ?
  ASA5510test# session 1
  Opening command session with slot 1.
  Connected to slot 1. Escape character sequence is 'CTRL-^X'.
  login: cisco
  Password:
  ***NOTICE***
  This product contains cryptographic features and is subject to United States
  and local country laws governing import, export, transfer and use. Delivery
  of Cisco cryptographic products does not imply third-party authority to import,
  export, distribute or use encryption. Importers, exporters, distributors and
  users are responsible for compliance with U.S. and local country laws. By using
  this product you agree to comply with applicable laws and regulations. If you
  are unable to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  ***LICENSE NOTICE***
  There is no license key installed on the SSM-IPS10.
  The system will continue to operate with the currently installed
  signature set.  A valid license must be obtained in order to apply
  signature updates.  Please go to http://www.cisco.com/go/license
  to obtain a new license or install a license.
  sensor#
  sensor# sh ver
  Application Partition:
  Cisco Intrusion Prevention System, Version 6.0(6)E3
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S399.0                   2009-05-06
      Virus Update        V1.4                     2007-03-02
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               ASA-SSM-10
  Serial Number:          ........
  No license present
  Sensor up-time is 21 min.
  Using 655507456 out of 1032499200 bytes of available memory (63% usage)
  application-data is using 39.7M out of 166.8M bytes of available disk space (25%
  usage)
  boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
  MainApp          N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  AnalysisEngine   N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  CLI              N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500
  Upgrade History:
    IPS-K9-6.0-6-E3   17:48:06 UTC Wed Jul 15 2009
  Recovery Partition Version 1.1 - 6.0(6)E3
  sensor#

  Hi,
  CON-SU1-AS2A10K9 contract if for ASA+IPS bundle. If AIP-SSM-10 ws purchased as a spare the contract would be CON-SU1-ASIP10K9.
  I am not sure whether or not this Cisco Service for IPS contract can be  used to cover just the AIP-SSM-10 if it was purchased as part of a  Bundle instead of a Spare.
  I would recommend that you check with your Cisco reseller or Cisco  Sales Representative.
  Sourav

• Using ASA5510 AIP-SSM in IDS mode

  Hi,
  I' ve a Cisco ASA5510 with  AIP-SSM and I wold like to use it like a one-armed IDS for connect them to a span port of a switch in my network,
  without the traffic passing through the Firewall.
  I've try to configure it and connect the interface inside (fast0/1) to the span port, I create the policy for permit  all the traffic to the  Sensor but it doesn't work, no packet recived on sensor.
  somebody can help me?
  thanks

  Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
  The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tired very hard to see if I could get around this limitation, but you can't).
  The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs you can. Then you can promisciously monitor the traffic passing thru teh ASA with teh AIP-SSM.
  It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
  - Bob

• Will the AIP-SSM for the ASA stop this?

  I have a client emailed me today that someone did a script injection attack on one of their web servers. It ran a backdoor Trojan virus on their web server. I know the AIP-SSM will stop the Trojan, but will it stop someone from doing the script injection attack. If so, is it documented and can you point me to the document.
  Thanks.
  Dan

  Hi,
  If you know exactly which of the various script injection attacks was used you can simply look it up here:
  http://tools.cisco.com/security/center/home.x
  If you don't know exactly which one then it's slightly harded to know whether it would have been stopped, but searching on "script injection" or similar should narrow down the candidates and give you an idea on whether it would have been stopped or not.
  Remember that an IPS isn't perfect, but it *will* significantly lower your risk if setup and maintained properly.
  HTH
  Andrew.

• Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

  Hi,
  I can add single AIP-SSM on Cisco ASA in failover active / standby mode?

  No, both units need the same hardware, that includes the installed modules.
  Sent from Cisco Technical Support iPad App

• Password Reset for AIP-SSM 10

  Hi,
  i have an ASA5520 with v 7.2(2) running.
  but the IPS module spftware is 5.1
  when i tried to login to the > session 1
  it prompts me for a login and password.
  i tried cisco and a few other combinations.. but no luck ,,
  how do i reset it ?? also that reset procedure on the docs says its resets password or the user cisco ..
  how can i be sure if the user cisco even exists on it or not ?
  any help please ???

  no man it doesnt ..
  the link u specified says it too..
  hw-module module slot_number password-reset?This command recovers a password on a Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) or the AIP-SSM without having to re-image the device.
  Note: This command starts support from IPS 6.0 (ASA 7.2 version) and is used to restore the Cisco CLI account password to the default cisco
  hers my ASA and IPS details..
  ASA# sh version
  Cisco Adaptive Security Appliance Software Version 7.2(2)
  Device Manager Version 5.2(2)
  Compiled on Wed 22-Nov-06 14:16 by builders
  System image file is "disk0:/asa722-k8.bin"
  Config file at boot was "startup-config"
  ASA up 22 days 3 hours
  Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
  ASA# sh module 1
  Mod Card Type Model Serial No.
  1 ASA5500 SSM-10 ASA-SSM-10 B155670DW4
  Mod MAC Add Range Hw Ver. Fw Ver. Sw Ver.
  1 00xx to 001 1.0 1.0(10)0 5.0(2)S152.0
  Mod SSM Apps. Name Status SSM Apps Version
  1 IPS Up 5.0(2)S152.0
  Mod Status Data Plane Status Compatibility
  1 Up Up