AIP-SSM configured with event action "produce alert", but it drops packets
Hi, I configured an AIP-SSM IPS with the event action "Produce Alert", but when a signature fires, it drops the packets. So, what could the problem be?
Try these links:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/cliguide/clievact.htm#wp1034058
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
Similar Messages
-
AIP-SSM Configuration Maintenance in Active Stdby modes
So, I'm pretty new to the AIP-SSM but not to ASAs. It appears that very little of the AIP module config gets copied over to the Stdby AIP, nothing other than what appears in the ASA config (ACLs, etc.). So, do all the config elements particular to the module itself have to be manually reproduced on the Stdby module, either by hand entry or config copies moved between the two?
So in Active/Standby scenarios with AIP-SSM, what is the reasoning for not having a feature for automatically copying over module config changes as with the ASA config?
If there is no good reason, is it on the AIP-SSM road map to provide this feature?
This can be a real pain in the arse for complex IPS configs. You have to do everything twice, and right away, so you won't miss anything should the ASAs flip.
AIP-SSM configuration assistance
I have two questions regarding the AIP-SSM.
1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
3) Should then the management interface be used as the gateway for the SSM?
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.x.x.1 255.255.255.0 standby 65.x.x.2
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 172.16.x.1 255.255.255.0 standby 172.16.x.2
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.x.1 255.255.255.0 standby 192.168.x.2
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 10.0.x.1 255.255.255.0 standby 10.0.x.2
management-only
Here are the answers to your questions:
1) Does the ACL on AIP-SSM have any type of relations to the ASA ACL?
Ans) No. ACL on SSM is completely independent of ACLs on ASA.
2) Our four interfaces are all in use. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
Ans) Absolutely. You can assign the management port of the SSM an IP in the same subnet as your management interface. That way all management traffic will be kept independent of normal DATA traffic.
3) Should then the management interface be used as the gateway for the SSM?
Ans) You are right .. :-)
Hope that helps.
Regards,
Vibhor.
Changing port configuration with Event Manager
Hello,
I'm trying to change the configuration of a port when the port goes down with EEM.
So when a FlexConnect access point is disconnected, the port becomes an access port.
I don't want to use the MAC address.
Does anyone have experience with this?
Below is the applet I'm using.
Thanks in advance,
Michel
event manager applet CONFIG-ACCESS-PORT
event neighbor-discovery interface regexp "(FastEthernet[0-9]\/[0-9]+)" cdp delete
action 100 regexp "(AIR-LAP)" "$_nd_cdp_platform" value
action 110 if $_regexp_result eq "1"
action 200 cli command "enable"
action 210 cli command "config t"
action 220 cli command "interface $_nd_local_intf_name"
action 240 cli command "switchport mode access"
action 250 cli command "switchport access vlan 20"
action 260 cli command "no switchport trunk encapsulation dot1q"
action 270 cli command "no switchport trunk native vlan 88"
action 280 cli command "no switchport trunk allowed vlan 88,100"
action 290 cli command "spanning-tree portfast"
action 400 syslog msg "EXECUTED EEM APPLET FOR ACCESS-PORT interface $_nd_local_intf_name"
action 500 cli command "end"
action 510 cli command "copy run start"
action 520 end

Hi Evan,
For sure! There is a really good example in the configuration guide, and associated caveats.
http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_0100011.html
Benefits of using LAG are increased bandwidth and redundancy - especially if you have the two (or more in the case of a 5508 WLC) ports connected to different physical switches, e.g. a 3750 stack.
Best,
Evan
AIP-SSM configuration / blocking SMTP
Hi all,
I need some help regarding a deployment of an IPS module on an ASA. I configured it in transparent mode, with the intention to only monitor the traffic going through the module. Otherwise, after applying the policy and putting it into operation, it started blocking SMTP and ICMP traffic. Here follows the configuration applied to it:
class-map outside-class
match any
policy-map outside-policy
class outside-class
ips promiscuous fail-open
service-policy outside-policy interface outside
Is there anything else I should consider to put this module just monitoring the traffic instead of having it denying any traffic?
Thanks in advance
You may need to create an access-list permitting all traffic, and then apply the access-list to both interfaces in both directions (in and out).
This will ensure connections can go from the lower security zone to the higher as well as from the higher security zone to the lower.
You may also need to add icmp permit lines to permit icmp traffic through each interface.
New business configuration with DBM action control
Hi,
We want to update certain additional information for order and split after billing. DBM blocks data updates in the DBM order after billing creation and order close.
How can we achieve the same?
Regards,
Bobby
Hi,
I think you have to ensure that the order does not get the closed action/status ORD_CLOSE.
Kind regards
Robert
Issue with applying Event Action filters
Dear friends,
A general question on Event Action filters. There is a signature with sig ID 6257.
The following is the event action filter configuration:
service event-action-rules rules0
filters edit DHCP
signature-id-range 6257
subsignature-id-range 0
attacker-address-range 172.20.20.10,172.20.20.11
actions-to-remove produce-alert
filter-item-status Enabled
stop-on-match True
os-relevance not-relevant
exit
Even though a valid DHCP offer is being given by the DHCP server, this alert is getting fired.
We have even excluded the IPs of the DHCP servers - 172.20.20.10 and 172.20.20.11 - from the Attacker Address range parameter in the signature, but still this alert gets fired.
evIdsAlert: eventId=1204853641442197329 vendor=Cisco severity=low
originator:
hostId: IDSM2Core1
appName: sensorApp
appInstanceId: 592
time: April 7, 2008 5:46:48 AM UTC offset=180 timeZone=1
signature: description=DHCP Client DoS id=6257 version=S316
subsigId: 0
sigDetails: Server Offered a Malicious IP Address
marsCategory: DoS/Host
interfaceGroup: vs0
vlan: 200
participants:
attacker:
addr: 172.20.20.10 locality=OUT
port: 0
target:
addr: 10.1.1.78 locality=OUT
port: 0
os: idSource=unknown type=unknown relevance=unknown
summary: 4 final=true initialAlert=1204853641442197267 summaryType=Regular
alertDetails: Regular Summary: 4 events this interval ;
riskRatingValue: 25 targetValueRating=medium
threatRatingValue: 25
interface: ge0_7
protocol: udp
Looking forward to your kind help and advice on this.
Thanks a lot
Gautam
Some things to check:
1) Is the filter in the active list? Filters can be enabled or disabled, but they can also be active or inactive. You've only shown a part of your configuration so I can't tell if the filter is part of the active list.
2) Are there actions other than produce-alert for the signature? Or is an event action override adding other actions?
Produce-alert is not the only action that can cause an alert to be generated. The produce-verbose-alert, request-snmp-trap, log-attacker-packets, log-victim-packets, and log-pair-packets actions will also cause alerts to be generated. Modify the filter to also remove these actions.
3) The alert you've shown is a Summary Alert. There may be an issue with Summarization and the Filters. Try modifying the signature to set it to FireAll with no summarization.
4) If you have multiple filters then check the order of the filters. If the event is matching an earlier filter where the stop-on-match is set to True, then it will not check the event against this filter. Either move this filter up higher in the filter list, or change earlier filters to be "stop-on-match false".
5) Also check to see if you are running the latest 5.1(7) or 6.0(4) Service pack. If running earlier 5.1 or 6.0 versions you might be hitting a bug that could have already been fixed.
If none of the above help, then contact the TAC. It could be that you may have found a bug that the sensor development team is unaware of.
To help in identifying the problem take a packet capture of the packets from 172.20.20.10 for several minutes around the time when the sensor is generating these alerts.
This way the team can both check if the signature is firing correctly, and if the filters are working correctly for that signature.
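The reply above bundles two configuration fixes: strip every alert-generating action from the event, not only produce-alert, and make sure no earlier stop-on-match filter claims the event first. The IPS sensor CLI fragment below is an added example, not part of the thread, that applies both to the DHCP filter from the question. Lines starting with `!` are comments. The `filters move DHCP begin` line is my recollection of the IPS 5.x/6.x filter-ordering syntax and is an assumption to verify against `show configuration` on your sensor version.

```cisco
! Added example (not from the thread). Rebuild the DHCP filter for signature
! 6257 so that it removes all six actions the reply names as alert-generating.
! With only produce-alert removed, a verbose alert or a packet-log action on
! the same event still produces an evIdsAlert for the DHCP servers.
service event-action-rules rules0
filters edit DHCP
signature-id-range 6257
subsignature-id-range 0
attacker-address-range 172.20.20.10,172.20.20.11
actions-to-remove produce-alert|produce-verbose-alert|request-snmp-trap|log-attacker-packets|log-victim-packets|log-pair-packets
filter-item-status Enabled
stop-on-match True
os-relevance not-relevant
exit
! Place this filter first in the active list so that an earlier filter with
! stop-on-match True cannot swallow the event before this one is evaluated
! (ordering syntax assumed; check it on your sensor version).
filters move DHCP begin
exit
```

On leaving `service event-action-rules` the sensor prompts whether to apply the changes; after answering yes, confirm with `show configuration` that the DHCP entry is in the active filter list and not in the inactive one. The remaining suggestion in the reply, setting the signature to FireAll with no summarization, is made under the signature definition rather than under the event action rules and is not shown here.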
Transparent mode with AIP-SSM-20
I currently have an ASA5510 in routed mode with an AIP-SSM-20.
There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE. This part should present no issue.
However, this will remove the IPS device, and I still want to use IPS.
So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN. The transparent ASA would be functioning strictly as an IPS appliance.
Setup would look something like this:
Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
Can the AIP-SSM still perform IPS with the ASA in transparent mode?
Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
Regards.
AFAIR, there is no problem setting up AIP in a transparent firewall.
"An ASA in transparent mode can run an AIP. In the event the AIP fails,
the IPS will fail-open and the ASA will continue to pass traffic.
However, if an interface or cable fails, then traffic will stop. You
would need a failover pair to account for this failure event, which
means another ASA and matching AIP."
And no, there is no problem excluding certain hosts/ports/subnets from inspection by IPS via MPF.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
What I would however consider is whether ASA 5510s as second-tier firewalls for 5520s will be enough.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
HTH,
Marcin
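Marcin's second point, exempting particular hosts from IPS inspection through MPF, looks like the following on the ASA. This is an added example, not a configuration from the thread or from the linked guide, and the file server address 10.1.1.50 and the object names are placeholders. The detail that matters is that deny entries in the ACL referenced by the class-map exclude matching traffic from the class, so those flows never reach the AIP-SSM, while the closing permit sends everything else to the module.

```cisco
! Added example (not from the thread). Keep one heavy file server
! (placeholder 10.1.1.50) out of the IPS path; inspect everything else.
! In a class-map match-list, "deny" means "not in this class", i.e. bypass.
access-list IPS_TRAFFIC extended deny ip host 10.1.1.50 any
access-list IPS_TRAFFIC extended deny ip any host 10.1.1.50
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Attach the class to the global policy; inline with fail-open keeps traffic
! flowing if the SSM stops responding, as Marcin's quote describes.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
service-policy global_policy global
```

A default ASA configuration already has a `global_policy` applied with `service-policy global_policy global`; in that case add the class to the existing policy map rather than creating a second one, since only one policy map can be applied globally. The choice between `inline` and `promiscuous`, and between `fail-open` and `fail-close`, is made the same way on a transparent ASA as on a routed one.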
hi,
we have an AIP-SSM-40 module installed on an ASA 5540 but it is just physically present.
Is it possible to configure this module in inline or IDS-like mode? It has only one Ethernet interface. Can this interface be treated as a sensor interface and make a copy of all incoming frames on this interface (by SPAN on switches)?
Please share the experience.
Thanks in advance.
Subodh
Hi Subodh,
Yes, the AIP-SSM can operate in either inline (IPS) or promiscuous (IDS) mode. I would recommend you start by reviewing the following config guide, which shows you how to configure the ASA to pass traffic to the SSM for inspection:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
If you have any other specific questions, feel free to post back.
Hope that helps.
-Mike
AIP-SSM 10 & Email Notification
Hi there,
How could I configure the IPS module for email notification for certain events?
Regards,
I have created PERL scripts that run on a UNIX server to automate IPS signature updates without VMS/CSM. The second script includes a string search of the AIP SSM 10's Event Log to email the result of the update attempt. You could use that if you know what the Event Log entries look like for which you want email notification. The app is on my website:
http://www.lhb-consulting.com/pages/apps . Good luck.
--Lisa
I have recently configured my AIP-SSM-20 module in my firewalls (ASA 5540) which are configured in HA (Active/Standby). This implementation I had done on 13th June. It was working fine.
Now, I have observed that the AIP-SSM-20 module in the primary firewall had gone to an unresponsive state.
Below is the status of show module and show failover command.
FW1-5540# sh module
Mod Card Type Model Serial No.
0 ASA 5540 Adaptive Security Appliance ASA5540 JMX1234L11F
1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 JAF1341ADPS
Mod MAC Address Range Hw Version Fw Version Sw Version
0 0021.d871.77ab to 0021.d871.77af 2.0 1.0(11)4 8.0(3)6
1 0023.ebf6.11ce to 0023.ebf6.11ce 1.0 1.0(11)5 6.2(2)E4
Mod SSM Application Name Status SSM Application Version
1 IPS Not Applicable 6.2(2)E4
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
1 Unresponsive Not Applicable
FW1-5540# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(3)6, Mate 8.0(3)6
Last Failover at: 09:06:14 UTC Jun 15 2010
This host:
This host: Primary - Failed
Active time: 191436 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
Interface DMZ_LAN (10.192.153.13): Normal (Waiting)
Interface INTRANET (10.192.154.13): Normal (Waiting)
Interface management (0.0.0.0): Link Down (Waiting)
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E4) status (Unresponsive/Down)
IPS, 6.2(2)E4, Not Applicable
Other host: Secondary - Active
Active time: 192692 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
Interface DMZ_LAN (10.192.153.5): Unknown (Waiting)
Interface INTRANET (10.192.154.5): Unknown (Waiting)
Interface management (0.0.0.0): Unknown (Waiting)
slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
IPS, 7.0(2)E4, Up
Stateful Failover Logical Update Statistics
Link : Unconfigured.
I have tried using the
hw-module module 1 reset
to reset the IPS module but the status is always unresponsive.
It's a production environment where I cannot experiment much. Need help to rectify the problem.
Hi Scott,
I have almost the same problem as sbgcsd at my customer. I'm deploying two ASA-5512s in a failover configuration. One day, after almost 2 months testing the project in a lab, when we installed it in the customer's datacenter the systems presented the following errors:
ciscoasa2(config)# failover
Detected an Active mate
ciscoasa2# Mate NOT PRESENT card in slot 1 is different from mine IPS5512
I tried to discover what had happened with the IPS module, then I saw an error in the IPS status: "Unresponsive".
ciscoasa2# sh module ips
Mod Card Type Model Serial No.
ips Unknown N/A FCH1712J7UL
Mod MAC Address Range Hw Version Fw Version Sw Version
ips 7cad.746f.8796 to 7cad.746f.8796 N/A N/A
Mod SSM Application Name Status SSM Application Version
ips Unknown No Image Present Not Applicable
Mod Status Data Plane Status Compatibility
ips Unresponsive Not Applicable
Mod License Name License Status Time Remaining
ips IPS Module Disabled perpetual
According to the Cisco forums I tried "Reloading, Shutting Down, Resetting, and Recovering AIP-SSM" (*) using the "hw-module module" command. But unfortunately the ASA didn't accept this command. See below:
ciscoasa2# hw-module module 1 reload
^
ERROR: % Invalid input detected at '^' marker
What happened with this command (hw-module)? Maybe it is a problem with the software version? When I entered the "sh flash" command I saw that there was no software for the AIP-SSM module:
ciscoasa2# sh flash
--#-- --length-- -----date/time------ path
11 4096 Sep 12 2013 13:56:54 log
21 4096 Sep 12 2013 13:57:10 crypto_archive
100 0 Sep 12 2013 13:57:10 nat_ident_migrate
22 4096 Sep 12 2013 13:57:10 coredumpinfo
23 59 Sep 12 2013 13:57:10 coredumpinfo/coredump.cfg
101 34523136 Sep 12 2013 14:00:14 asa861-2-smp-k8.bin
102 17851400 Sep 12 2013 14:04:36 asdm-66114.bin
103 38191104 Apr 24 2014 12:59:58 asa912-smp-k8.bin
104 6867 Apr 24 2014 13:01:20 startup-config-jcl.txt
105 24095116 Jun 17 2014 14:54:14 asdm-721.bi
But the other ASA (#1) has an image:
ciscoasa1# sh flash
--#-- --length-- -----date/time------ path
11 4096 Sep 10 2013 06:42:56 log
21 4096 Apr 17 2014 03:13:12 crypto_archive
123 5276864 Apr 17 2014 03:13:12 crypto_archive/crypto_eng0_arch_1.bin
110 0 Sep 10 2013 06:43:12 nat_ident_migrate
22 4096 Sep 10 2013 06:43:12 coredumpinfo
23 59 Sep 10 2013 06:43:12 coredumpinfo/coredump.cfg
111 34523136 Sep 10 2013 06:44:24 asa861-2-smp-k8.bin
112 42637312 Sep 10 2013 06:45:46 IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip <===
But I am not sure if this image is really the right image for the AIP-SSM in ASA#2. Anyway, I copied it (through a simple TFTP server) from ASA#1 to ASA#2, but after this, the same problem remained!
Because of this I didn't apply the failover condition to the system.
What can I do now ?
Thank you very much in advance.
Leonardo_Melo (CCAI-JCL-Brazil).
AIP-SSM crash during S389 Signature upgrade
Our AIP-SSM [version 6.1(2)E3] crashed during a S389 Signature upgrade on Friday. Neither a "session 1" command from its host, an ASA5520, nor a "reload" command of the ASA5520 succeeded in bringing back up the AIP-SSM. Fortunately, after the ASA's power was recycled, the AIP-SSM successfully booted, albeit not to S389, but to its previously loaded S383. I established an SR and supplied the "show tech" and "show config," but the Cisco tech replied "nothing stands out" in them and said just run the S389 update again and send the same info if it crashes. I have several problems with that approach: 1) he had replied that several other customers had had the same problem; 2) our current AIP-SSM is a replacement for an RMA'ed one which had choked on the E2 engine upgrade a few months ago; 3) if another S389 upgrade attempt fails, our client's network will be down because our security policy requires the ASA's bypass mode for the AIP-SSM to be "fail-close." My questions to the forum include:
1) If the "show tech" command is run after an AIP-SSM has rebooted after a previously-attempted S389 upgrade, can it include any information specific to the previously-attempted S389 upgrade? 2) Could the hardware components of the AIP-SSM-10 be inadequate for the combination of the E3 engine plus the cumulative signatures? 3) If the answer to question 2 is "yes" or "possibly," could Cisco modularize the signatures, e.g. provide an "only-activated-signatures" (i.e. smaller) file for customers like us and an "everything" file for others? Advice and recommendations heartily requested.
Based on your show version, you already have E4; what is it that you are trying to do?
Mike
ASA failover with 1 AIP SSM in Active/Standby?
I have a customer with two ASAs; in Active/Standby. They want to purchase one AIP. Will failover (without the AIP functionality) to the Standby work if the AIP is configured for Promiscuous mode? Thanks, Bob
The only connection to the SSM that can be done internally through the ASA is a "session". This is an internal telnet to the SSM and can be used to access the SSM's CLI.
This is very useful when you manage your SSM directly through the CLI.
However, most customers prefer to use a graphics based tool like IDM, ASDM, or CSM for managing the configuration of the SSM, and prefer to use a graphics based tool like IEV or CS MARS for monitoring of the alerts from the SSM.
All of these graphics based tools need network access to the SSM through a web port (https on port 443 by default). Access to this port is not allowed internally through the ASA direct to the SSM.
All web connections must be made to the External Management interface of the SSM.
If you are not using all 4 of your ASA interfaces you could choose to wire the External SSM interface directly to one of your ASA interfaces, and create a small subnet for the ASA and IPS IP Addresses. So then all external connections to the SSM would be routed into the ASA, then out of the ASA, and into the external port of the SSM.
That subnet of just the ASA and SSM could be made using a network reserved for local IPs (like a 10, or 172, or 192 network) and then use NAT/PAT for translation on the other network interfaces of the ASA.
But it does still require that wire connected to the external port of the SSM.
How to block p2p applications(Bittorent like) with AIP-SSM-10?
Hi,
How to block p2p applications using the AIP-SSM-10 working with an ASA5520? AIP is in promiscuous mode.
Thanks,
Siva
There are several signatures that detect p2p; for BitTorrent there is 11020.0
Yahoo triggers: 5539.0, 11200.0, 11212.0, 11217.0 & 11219.0
etc..
Some are disabled by default though so please ensure you enable the ones that you need.
If you want to block these then you will have to use event actions that work in promiscuous setup for example request block connection and tcp reset. Please note that care must be taken when using these event actions.
For more information about the event actions please refer the link below:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1069467
Hi,
Understand that AIP-SSM doesn't support email alert, may i know what are the alert option that I can configure in order to receive notification when a severity 1 event had been detected?
regards
IME is a free tool. If it supports email alerts you can download that and use it:
http://www.cisco.com/en/US/products/ps9610/index.html
Regards
Farrukh