AIP-SSM (Not Applicable)

Hi Experts,
We have 2 ASAs and each one has an AIP-SSM. With the 2nd ASA's AIP-SSM I tried to upload the latest image for AIP-SSM 20 but it didn't work, and now I see the module is dead... Please check the details below. Please help me out with how to bring it up or make it work properly so that I can configure other stuff. Please, it's very important and urgent, help me out.
ASA-A:
251-DBSi-ASA5540# sh module 1
Mod Card Type                                    Model              Serial No.
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF11370608
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
  1 0007.0e11.e13b to 0007.0e11.e13b  1.0          1.0(11)2     5.1(6)E1
Mod SSM Application Name           Status           SSM Application Version
  1 IPS                            Up               5.1(6)E1
Mod Status             Data Plane Status     Compatibility
  1 Up                 Up
ASA-B:
251-DBSi-ASA5540# sh module 1
Mod Card Type                                    Model              Serial No.
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1137060C
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
  1 001d.4524.a414 to 001d.4524.a414  1.0          1.0(11)2     5.1(6)E1
Mod SSM Application Name           Status           SSM Application Version
  1 IPS                            Not Applicable   5.1(6)E1
Mod Status             Data Plane Status     Compatibility
  1 Recover            Not Applicable

Please try rebooting the module; if that does not work, recover it using the following procedure:
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/cliimage.html#wpxref68481
Regards
Farrukh

Similar Messages

  • AIP-SSM, it is not sensing the traffic

    Hi everyone, I have a problem. I am using an ASA 5510 with an AIP-SSM10. When I redirect the traffic to the AIP-SSM to detect attacks, I probe it and then look in the event logs of the IPS, and the sensor doesn't detect anything. Is it necessary to install an IPS license? It is for my own project. Thanks.

    Unless you are scanning across the ASA, the SSM module will not "see" the scan and cannot produce events. To alarm on an SSM module, you must scan from one network to another. Basically, the SSM cannot do promiscuous monitoring. I would recommend an IPS appliance if you want to monitor traffic sent between hosts of the same network.
    ** Pls rate if this helps **

  • AIP SSM Command/control Interface is not coming up

    Hi to all,
    Kindly be informed that I have an AIP SSM for ASA. I configured it and it's working fine, but its command and control interface is not coming up at all. I connect my laptop directly to the AIP management interface but its status is always down. Kindly look at this configuration and guide me on how I can communicate with the AIP using the management interface.
    My laptop IP is 192.168.1.2/24
    AIP Configuration
    IPS1# sh ver
    Application Partition:
    Cisco Intrusion Prevention System, Version 6.2(1)E3
    Host:
    Realm Keys key1.0
    Signature Definition:
    Signature Update S365.0 2008-10-31
    Virus Update V1.4 2007-03-02
    OS Version: 2.4.30-IDS-smp-bigphys
    Platform: ASA-SSM-20
    Serial Number: JAF1319AJRG
    No license present
    Sensor up-time is 13 days.
    Using 1019777024 out of 2093604864 bytes of available memory (48% usage)
    application-data is using 47.1M out of 166.8M bytes of available disk space (30% usage)
    boot is using 39.7M out of 68.6M bytes of available disk space (61% usage)
    MainApp E-2008_OCT_16_16_24 (Release) 2008-10-16T16:40:57-0500 Running
    AnalysisEngine E-2008_OCT_16_16_24 (Release) 2008-10-16T16:40:57-0500 Running
    CLI E-2008_OCT_16_16_24 (Release) 2008-10-16T16:40:57-0500
    Upgrade History:
    IPS-K9-6.2-1-E3 16:24:00 UTC Thu Oct 16 2008
    Recovery Partition Version 1.1 - 6.2(1)E3
    Host Certificate Valid from: 12-Jul-2009 to 13-Jul-2011
    IPS1#sh conf
    ! Current configuration last modified Sun Jul 12 23:56:08 2009
    ! Version 6.2(1)
    ! Host:
    ! Realm Keys key1.0
    ! Signature Definition:
    ! Signature Update S365.0 2008-10-31
    ! Virus Update V1.4 2007-03-02
    service interface
    exit
    service authentication
    exit
    service event-action-rules rules0
    exit
    service host
    network-settings
    host-ip 192.168.1.3/24,192.168.1.1
    host-name Cinet-IPS1
    telnet-option enabled
    access-list 0.0.0.0/0
    exit
    time-zone-settings
    offset 0
    standard-time-zone-name UTC
    exit
    exit
    service logger
    exit
    service network-access
    exit
    service notification
    exit
    service signature-definition sig0
    exit
    service ssh-known-hosts
    exit
    service trusted-certificates
    exit
    service web-server
    exit
    service anomaly-detection ad0
    exit
    service external-product-interface
    exit
    service health-monitor
    exit
    service analysis-engine
    virtual-sensor vs0
    physical-interface GigabitEthernet0/1
    exit
    exit

    If the interface won't link Up, then it is likely a cabling problem.
    Even with a bad configuration on the AIP you should at least get link UP if your cabling is correct, so I don't think configuration is your problem here.
    If I remember right the command and control interface of the SSM is a 10/100 TX interface. When connecting from a laptop directly to the command and control interface it would require a cross over cable rather than the normal straight through cable.
    If you don't have a cross over cable, then try connecting the SSM to a switch and see if the SSM will link UP. The switch is designed to internally do the cross over.

  • How to buy a license for AIP-SSM-10?

    Hi all,
    How do I buy a license for AIP-SSM-10?
    1. CON-SU1-AS1A1PK9: this is Cisco SMARTnet Support for AIP-SSM-10.
    2. Do I need SMARTnet for the ASA?
    3. What is the part number of the license?
    ASA5510test# session 1
    Opening command session with slot 1.
    Connected to slot 1. Escape character sequence is 'CTRL-^X'.
    login: cisco
    Password:
    ***NOTICE***
    This product contains cryptographic features and is subject to United States
    and local country laws governing import, export, transfer and use. Delivery
    of Cisco cryptographic products does not imply third-party authority to import,
    export, distribute or use encryption. Importers, exporters, distributors and
    users are responsible for compliance with U.S. and local country laws. By using
    this product you agree to comply with applicable laws and regulations. If you
    are unable to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    ***LICENSE NOTICE***
    There is no license key installed on the SSM-IPS10.
    The system will continue to operate with the currently installed
    signature set.  A valid license must be obtained in order to apply
    signature updates.  Please go to http://www.cisco.com/go/license
    to obtain a new license or install a license.
    sensor#
    sensor# sh ver
    Application Partition:
    Cisco Intrusion Prevention System, Version 6.0(6)E3
    Host:
        Realm Keys          key1.0
    Signature Definition:
        Signature Update    S399.0                   2009-05-06
        Virus Update        V1.4                     2007-03-02
    OS Version:             2.4.30-IDS-smp-bigphys
    Platform:               ASA-SSM-10
    Serial Number:          ........
    No license present
    Sensor up-time is 21 min.
    Using 655507456 out of 1032499200 bytes of available memory (63% usage)
    application-data is using 39.7M out of 166.8M bytes of available disk space (25% usage)
    boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
    MainApp          N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01:15:08-0500   Running
    AnalysisEngine   N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01:15:08-0500   Running
    CLI              N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01:15:08-0500
    Upgrade History:
      IPS-K9-6.0-6-E3   17:48:06 UTC Wed Jul 15 2009
    Recovery Partition Version 1.1 - 6.0(6)E3
    sensor#

    Hi,
    The CON-SU1-AS2A10K9 contract is for the ASA+IPS bundle. If the AIP-SSM-10 was purchased as a spare, the contract would be CON-SU1-ASIP10K9.
    I am not sure whether or not this Cisco Service for IPS contract can be used to cover just the AIP-SSM-10 if it was purchased as part of a bundle instead of a spare.
    I would recommend that you check with your Cisco reseller or Cisco Sales Representative.
    Sourav

  • AIP-SSM module hung

    I have recently configured the AIP-SSM-20 module in my firewalls (ASA 5540), which are configured in HA (Active/Standby). I did this implementation on 13th June. It was working fine.
    Now I have observed that the AIP-SSM-20 module in the primary firewall has gone into an unresponsive state.
    Below is the output of the show module and show failover commands.
    FW1-5540# sh module
    Mod Card Type                                    Model              Serial No.
      0 ASA 5540 Adaptive Security Appliance         ASA5540            JMX1234L11F
      1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAF1341ADPS
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      0 0021.d871.77ab to 0021.d871.77af  2.0          1.0(11)4     8.0(3)6
      1 0023.ebf6.11ce to 0023.ebf6.11ce  1.0          1.0(11)5     6.2(2)E4
    Mod SSM Application Name           Status           SSM Application Version
      1 IPS                            Not Applicable   6.2(2)E4
    Mod Status             Data Plane Status     Compatibility
      0 Up Sys             Not Applicable
      1 Unresponsive       Not Applicable
    FW1-5540# sh failover
    Failover On
    Failover unit Primary
    Failover LAN Interface: FAILOVER GigabitEthernet0/2 (up)
    Unit Poll frequency 1 seconds, holdtime 15 seconds
    Interface Poll frequency 5 seconds, holdtime 25 seconds
    Interface Policy 1
    Monitored Interfaces 3 of 250 maximum
    Version: Ours 8.0(3)6, Mate 8.0(3)6
    Last Failover at: 09:06:14 UTC Jun 15 2010
            This host:
                    This host: Primary - Failed
                    Active time: 191436 (sec)
                    slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                      Interface DMZ_LAN (10.192.153.13): Normal (Waiting)
                      Interface INTRANET (10.192.154.13): Normal (Waiting)
                      Interface management (0.0.0.0): Link Down (Waiting)
                    slot 1: ASA-SSM-20 hw/sw rev (1.0/6.2(2)E4) status (Unresponsive/Down)
                      IPS, 6.2(2)E4, Not Applicable
            Other host: Secondary - Active
                    Active time: 192692 (sec)
                    slot 0: ASA5540 hw/sw rev (2.0/8.0(3)6) status (Up Sys)
                      Interface DMZ_LAN (10.192.153.5): Unknown (Waiting)
                      Interface INTRANET (10.192.154.5): Unknown (Waiting)
                      Interface management (0.0.0.0): Unknown (Waiting)
                    slot 1: ASA-SSM-20 hw/sw rev (1.0/7.0(2)E4) status (Up/Up)
                      IPS, 7.0(2)E4, Up
    Stateful Failover Logical Update Statistics
            Link : Unconfigured.
    I have tried using the
    hw-module module 1 reset
    command to reset the IPS module, but the status is always unresponsive.
    It's a production environment where I cannot experiment much. I need help to rectify the problem.

    Hi Scott, 
    I have almost the same problem as sbgcsd at my customer. I'm deploying two ASA-5512s in a failover configuration. One day, after almost 2 months of testing the project in a lab, when we installed it in the customer's datacenter, the systems presented the following errors:
      ciscoasa2(config)# failover
            Detected an Active mate
      ciscoasa2# Mate NOT PRESENT card in slot 1 is different from mine IPS5512
    I tried to discover what had happened with the IPS module, then I saw an error in the IPS status: "Unresponsive".
      ciscoasa2# sh module ips
      Mod  Card Type                                    Model              Serial No.
       ips Unknown                                      N/A                FCH1712J7UL
      Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
       ips 7cad.746f.8796 to 7cad.746f.8796  N/A          N/A 
      Mod  SSM Application Name           Status           SSM Application Version
       ips Unknown                        No Image Present Not Applicable  
      Mod  Status             Data Plane Status     Compatibility
       ips Unresponsive       Not Applicable 
      Mod  License Name   License Status  Time Remaining
       ips IPS Module     Disabled        perpetual
    According to the Cisco forums, I tried "Reloading, Shutting Down, Resetting, and Recovering AIP-SSM" (*) using the "hw-module module " command. But unfortunately the ASA didn't accept this command. See below:
      ciscoasa2# hw-module module 1 reload
                 ^
      ERROR: % Invalid input detected at '^' marker
    What happened with this command (hw-module)? Maybe it is a problem with the software version? When I entered the "sh flash" command I saw that no software for the AIP-SSM module existed:
      ciscoasa2# sh flash
      --#--  --length--  -----date/time------  path
       11  4096        Sep 12 2013 13:56:54  log
       21  4096        Sep 12 2013 13:57:10  crypto_archive
      100  0           Sep 12 2013 13:57:10  nat_ident_migrate
       22  4096        Sep 12 2013 13:57:10  coredumpinfo
       23  59          Sep 12 2013 13:57:10  coredumpinfo/coredump.cfg
      101  34523136    Sep 12 2013 14:00:14  asa861-2-smp-k8.bin
      102  17851400    Sep 12 2013 14:04:36  asdm-66114.bin
      103  38191104    Apr 24 2014 12:59:58  asa912-smp-k8.bin
      104  6867        Apr 24 2014 13:01:20  startup-config-jcl.txt
      105  24095116    Jun 17 2014 14:54:14  asdm-721.bi
    But the other ASA (#1) has the image:
    ciscoasa1# sh flash
    --#--  --length--  -----date/time------  path
       11  4096        Sep 10 2013 06:42:56  log
       21  4096        Apr 17 2014 03:13:12  crypto_archive
      123  5276864     Apr 17 2014 03:13:12  crypto_archive/crypto_eng0_arch_1.bin
      110  0           Sep 10 2013 06:43:12  nat_ident_migrate
       22  4096        Sep 10 2013 06:43:12  coredumpinfo
       23  59          Sep 10 2013 06:43:12  coredumpinfo/coredump.cfg
      111  34523136    Sep 10 2013 06:44:24  asa861-2-smp-k8.bin
      112  42637312    Sep 10 2013 06:45:46  IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip <===
    But I am not sure if this image is really the right image for the AIP-SSM in ASA#2. Anyway, I copied it (through a simple TFTP server) from ASA#1 to ASA#2, but after this the same problem remained!
    Because I didn't apply the failover condition to the system.
    What can I do now?
    Thank you very much in advance.
    Leonardo_Melo.(CCAI-JCL-Brazil).
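Both posts in this thread diagnose the module from the status table of `show module`. The sketch below is an added example, not code from either poster or from Cisco: it parses captured `show module` text and reports any module that is not Up/Up, which matters because an unavailable IPS module either stops inspection or stops traffic depending on the fail-open/fail-close setting. The sample text is constructed (placeholder serials and MACs), and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the `show module` layout quoted above;
# serial numbers and MAC addresses are placeholders, not values from the posts.
SAMPLE = """\
Mod Card Type                                    Model              Serial No.
  0 ASA 5540 Adaptive Security Appliance         ASA5540            SAMPLE00000
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         SAMPLE00001
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
  0 0000.5e00.5300 to 0000.5e00.5304  2.0          1.0(11)4     8.0(3)6
  1 0000.5e00.5310 to 0000.5e00.5310  1.0          1.0(11)5     6.2(2)E4
Mod SSM Application Name           Status           SSM Application Version
  1 IPS                            Not Applicable   6.2(2)E4
Mod Status             Data Plane Status     Compatibility
  0 Up Sys             Not Applicable
  1 Unresponsive       Not Applicable
"""

# Columns are separated by runs of two or more spaces; single spaces occur
# inside values such as "Up Sys" or "Not Applicable".
_COLS = re.compile(r"\s{2,}")


def parse_show_module(text):
    """Return a list of sections: (column_names, {module_id: {column: value}})."""
    sections = []
    for line in text.splitlines():
        if not line.strip():
            continue
        header = re.match(r"\s*Mod\s+(\S.*)$", line)
        if header:
            sections.append((_COLS.split(header.group(1).strip()), {}))
            continue
        if not sections:
            continue  # prompt or command echo before the first table
        mod_id, _, rest = line.strip().partition(" ")
        values = _COLS.split(rest.strip()) if rest.strip() else []
        columns, rows = sections[-1]
        rows[mod_id] = dict(zip(columns, values))
    return sections


def unhealthy_modules(text):
    """Map module id -> (status, data plane status) for modules that are not up."""
    bad = {}
    for columns, rows in parse_show_module(text):
        # "Status" also names a column in the application table, so select
        # the status table by its unique "Data Plane Status" column.
        if "Data Plane Status" not in columns:
            continue
        for mod_id, row in rows.items():
            status = row.get("Status", "")
            data_plane = row.get("Data Plane Status", "")
            if status == "Up Sys":
                continue  # chassis row: it has no data plane of its own
            if status != "Up" or data_plane != "Up":
                bad[mod_id] = (status, data_plane)
    return bad


if __name__ == "__main__":
    for mod_id, (status, data_plane) in unhealthy_modules(SAMPLE).items():
        print(f"module {mod_id}: status={status!r} data-plane={data_plane!r}")
```
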

  • Failure to Upgrade the software of my AIP-SSM-20

    Dear all,
    I have failed to upgrade the software of my AIP-SSM-20 on the ASA. The AIP-SSM-20 had an image of version IPS-K9-5.1-7-E1.pkg and I tried to upgrade it to IPS-K9-6.1-1-E2.pkg, but after the upgrade the AIP-SSM-20 became unusable. I can no longer log on to the IPS module from the ASA. When I initiated a connection to the module with the session 1 command, the system says the card in slot 1 did not respond to the system request. I decided to restore the system image from the ASA by using the hw-module module 1 recover configure and hw-module module 1 recover boot commands, but this has so far failed. When I issued the hw-module module 1 boot command, the status of the IPS shows recover and would be in that state even for days. And my TFTP server shows that it is transferring the images to the IPS.
    I don't know where I have gone wrong and I would be very happy if somebody can give me a procedure that would help me to re-image the software of the IPS.
    Any help would be highly appreciated.
    Claude Fozao

    Halijen has already sent you a link to reimage; let me briefly answer what system image and upgrade files are and the difference between them.
    The System Image files are meant to be used only when a complete erasing of the sensor's image is needed. This is generally because the installed files were corrupted, or so old that it would be easier to start over and make it look like it came from the factory than to use the standard "upgrade" files. So in case you are doing reimaging, then use .img files, which are system reimage files.
    In more than 90% of the cases, most customers will want to "upgrade" rather than do a System Image. The "upgrade" is done from within the sensor itself, and will both load the higher version as well as convert your current configuration to work with the newer version. It uses .pkg files.
    A usual problem with the System Re-imaging process is that the card winds up in a boot loop because of an error. When ROMMON detects an error it reboots and tries the same steps again, which usually winds up with the same error, which causes a reboot, etc.....
    So determining if the card is in a reboot loop, and what the error is would be the next step in your debugging process.
    Execute "debug module-boot".  Enter "hw-module module 1 recover stop".   Wait for a few minutes, and then enter "hw-module module 1 recover boot".
    The output from ROMMON on the SSM will be seen on your ASA connection. Look at the configuration being passed to the SSM's ROMMON and look for any bad entries. Watch to see if it is able to download the System Image file, or if it continuously reboots.
    If it continuously reboots, then look to see what error message is seen just prior to the reboot.
    Some common problems:
    1) Typos in IP address, gateway, tftp server IP, or system image filename.
    2) If the tftp server is on the same subnet as the SSM's IP Address, then try leaving the Gateway address blank since it is not needed.
    3) Remember that the IP Address is for the external interface of the SSM.  So be sure you are using an address that is applicable for the network where you are plugging in the SSM's external interface.
    4) If the TFTP Server is on another subnet, then be sure there is a route to the other network.  If having to route back through the ASA, then ensure that the ASA will allow TFTP packets to pass through the ASA.  (The ASA could wind up blocking the TFTP packets depending on the ASA configuration)
    5) Be sure the file can be downloaded from the TFTP server.  Check the file permissions, and the directory where the file is located.   From your desktop try to download the file from the tftp server.  This will ensure you are using the correct directory and that the file has correct permissions.  One common problem is that the file may be /tftpboot/sensorfiles/IPS-SSM_20-K9-sys-1.1-a-6.1-1-E1.img.  But because the tftp server automatically starts in /tftpboot, you may need to NOT specify it for the file and instead just use: sensorfiles/IPS-SSM_20-K9-sys-1.1-a-6.1-1-E1.img
    6) Check to make sure the file is not corrupted by running an md5sum and checking it against the value listed on cisco's web site.
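The checklist in the answer above can be run as a pre-flight check before typing values into `hw-module module 1 recover configure`. This is an added example, not code from the poster or from Cisco; the function names, the finding codes, the default TFTP root of `/tftpboot` and the sample addresses are assumptions made for illustration.

```python
import hashlib
import ipaddress


def lint_recover_config(ssm_ip, netmask, gateway, tftp_server, image_path,
                        tftp_root="/tftpboot"):
    """Return (code, message) findings for values destined for 'recover configure'.

    tftp_root is an assumption about the directory the TFTP daemon serves from.
    """
    try:
        # Item 1: strict parsing rejects mistyped addresses and masks.
        iface = ipaddress.ip_interface(f"{ssm_ip}/{netmask}")
        server = ipaddress.ip_address(tftp_server)
        gw = ipaddress.ip_address(gateway) if gateway else None
    except ValueError as exc:
        return [("bad-address", str(exc))]

    findings = []
    net = iface.network
    if server in net:
        # Item 2: same subnet, so the gateway is not needed.
        if gw is not None:
            findings.append(("gateway-not-needed",
                             f"TFTP server {server} is inside {net}; leave the gateway blank"))
    elif gw is None:
        # Item 4: another subnet needs a route from the SSM's external interface.
        findings.append(("no-route",
                         f"TFTP server {server} is outside {net} and no gateway is set"))
    elif gw not in net:
        findings.append(("gateway-off-subnet",
                         f"gateway {gw} is not reachable from {net}"))

    # Item 5: the TFTP daemon already starts in its root directory.
    root = tftp_root.rstrip("/") + "/"
    if image_path.startswith(root):
        findings.append(("absolute-path",
                         f"server starts in {tftp_root}; request '{image_path[len(root):]}'"))

    # Re-imaging uses the .img system image; .pkg files are in-sensor upgrades.
    if image_path.lower().endswith(".pkg"):
        findings.append(("upgrade-file",
                         ".pkg is an upgrade package, not a system image (.img)"))
    return findings


def md5_matches(path, expected_hex):
    """Item 6: compare the file's MD5 with the value published for the image."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_hex.strip().lower()


if __name__ == "__main__":
    # Constructed values: documentation-range addresses, file name from the post.
    for code, message in lint_recover_config(
            "192.0.2.10", "255.255.255.0", "192.0.2.1", "192.0.2.50",
            "/tftpboot/sensorfiles/IPS-SSM_20-K9-sys-1.1-a-6.1-1-E1.img"):
        print(f"{code}: {message}")
```

The lint cannot see whether the ASA permits TFTP between the SSM and the server, so that part of item 4 still has to be checked on the firewall itself.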

  • CSM to update IPS AIP -SSM

    Hi all,
    I need some help. I am configuring my CSM 3.1 to apply update on my IPS AIP-SSM.
    I went to the apply IPS Tab and choose to update from cisco.com. But it is always like processing for a long time.
    I tried to enter my username and password for the sensors or the CCO account but still no improvement. Does anyone know how to configure this? I tried reading the user guide but there are no examples.
    Thanks

    The IPS-engine-E2-req-5.1-7.pkg Engine Update file is just to upgrade an existing 5.1(7)E1 sensor to 5.1(7)E2.
    It only changes the "engine" features of the sensor that are necessary for installing signature updates requiring E2. It does not change other files on the sensor.
    The IPS-K9-5.1-8-E2.pkg Service Pack file is for upgrading the entire image to the next service pack level as well as upgrading the "engine" features. So you get all of the latest bug fixes.
    So which to use?
    If you are running 5.1(7)E1 then you will eventually want to get to 5.1(8)E2. But the upgrade to 5.1(8)E2 WILL require a reboot and so if running in an inline mode it should only be done during a scheduled network downtime. For most networks this could be a week or even a month before the downtime can be scheduled to do this type of upgrade. So the IPS-engine-E2-5.1-7.pkg file is a short term solution to get you to the E2 level required for signature updates, until you can schedule the upgrade to 5.1(8)E2.
    The IPS-engine... file will NOT reboot the sensor. It will temporarily stop analysis and if Software ByPass is set to auto then traffic will be allowed to pass through the sensor unanalyzed while the engine update takes place. Because the traffic will continue to flow with Software ByPass most companies will allow an Engine update to be installed without having to schedule network downtime.
    Of course, the above discussion was really only applicable when E2 was the latest Engine release. Now that E3 is out, the discussion really becomes how to get to E3.
    There is Not an IPS-engine-E3-req-5.1-7.pkg engine update file.
    So you must get to 5.1(8)E3 if you want to keep getting recent signature updates.
    So then it just depends on your current IPS version.
    If you are running 5.1(7)E2 or earlier version then you must schedule a downtime and install the IPS-K9-5.1-8-E3.pkg file in order to install the latest E3 required signature updates.
    If you are running 5.1(8)E2 already, then you need to install the IPS-engine-E3-req-5.1-8.pkg file because the only thing needing to be upgraded is the Engine level to E3.
    General Rules of Thumb:
    Always ensure you are at the latest Service Pack level for the major/minor version train you are using. (5.1(8) in this case)
    If you are running the latest Service Pack then you will be able to simply install an Engine Update when the next Engine Update comes out without having to schedule downtime.
    If you are not at the latest Service Pack level then you will want to schedule a network downtime to do that upgrade within 60 days of the Service Pack being released.
    If an Engine Update comes out before you get a chance to upgrade to the next Service Pack, then install the Engine Update for the prior Service Pack (that you should at least be at) as a temporary measure to keep getting signature updates. And schedule a Service Pack upgrade as soon as possible.
    Why 60 days?
    If a new Engine Update is released within 60 days of a Service Pack release, then the Engine Update will be released for both the latest Service Pack AND the one prior. But if the new Engine Update is longer than 60 days after the latest Service Pack, then an Engine Update will be created only for the latest Service Pack and not for the prior. This is why E3 was only released for 5.1(8). E3 was released more than 60 days after 5.1(8) so there was not an E3 for the prior 5.1(7).
    So you see that an Engine Update for a prior Service Pack should be considered a temporary measure until you can get the next Service Pack installed.
    If you wait too long another Engine Update might come out, and you might be forced into an immediate network downtime to get to the latest Service Pack.
    As for do you HAVE to install IPS-engine-E2-req-5.1-7.pkg before installing IPS-K9-5.1-8-E2.pkg (or more importantly IPS-K9-5.1-8-E3.pkg).
    The answer is NO.
    You can go directly from any 5.0 or 5.1 version directly to IPS-K9-5.1-8-E3.pkg.

  • Using ASA5510 AIP-SSM in IDS mode

    Hi,
    I have a Cisco ASA5510 with an AIP-SSM and I would like to use it like a one-armed IDS, connecting it to a span port of a switch in my network,
    without the traffic passing through the firewall.
    I've tried to configure it and connected the inside interface (fast0/1) to the span port. I created the policy to permit all the traffic to the sensor but it doesn't work; no packets are received on the sensor.
    Can somebody help me?
    thanks

    Unfortunately you can't use the AIP-SSM in an ASA with a spanning switch like you could with the 4200 series appliances.
    The reason is that the ASA was built to be a firewall, and no matter how much of that functionality you turn off, it still needs to see TCP and UDP conversations flowing thru the ASA in order to pass that traffic to the AIP-SSM sensor (I tried very hard to see if I could get around this limitation, but you can't).
    The best you can hope to do is put the ASA in-line (I know this reduces reliability) and turn off as much of the firewall configs as you can. Then you can promiscuously monitor the traffic passing thru the ASA with the AIP-SSM.
    It's not ideal, but it's the cheapest IPS sensor in Cisco's line up right now.
    - Bob

  • Will the AIP-SSM for the ASA stop this?

    I have a client who emailed me today that someone did a script injection attack on one of their web servers. It ran a backdoor Trojan virus on their web server. I know the AIP-SSM will stop the Trojan, but will it stop someone from doing the script injection attack? If so, is it documented and can you point me to the document?
    Thanks.
    Dan

    Hi,
    If you know exactly which of the various script injection attacks was used you can simply look it up here:
    http://tools.cisco.com/security/center/home.x
    If you don't know exactly which one then it's slightly harder to know whether it would have been stopped, but searching on "script injection" or similar should narrow down the candidates and give you an idea on whether it would have been stopped or not.
    Remember that an IPS isn't perfect, but it *will* significantly lower your risk if set up and maintained properly.
    HTH
    Andrew.

  • Password Reset for AIP-SSM 10

    Hi,
    I have an ASA5520 with v 7.2(2) running,
    but the IPS module software is 5.1.
    When I tried to log in to the > session 1
    it prompts me for a login and password.
    I tried cisco and a few other combinations, but no luck.
    How do I reset it? Also, the reset procedure in the docs says it resets the password for the user cisco.
    How can I be sure whether the user cisco even exists on it or not?
    Any help please?

    No man, it doesn't.
    The link you specified says it too:
    hw-module module slot_number password-reset: This command recovers a password on a Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM) or the AIP-SSM without having to re-image the device.
    Note: This command starts support from IPS 6.0 (ASA 7.2 version) and is used to restore the Cisco CLI account password to the default cisco
    Here are my ASA and IPS details:
    ASA# sh version
    Cisco Adaptive Security Appliance Software Version 7.2(2)
    Device Manager Version 5.2(2)
    Compiled on Wed 22-Nov-06 14:16 by builders
    System image file is "disk0:/asa722-k8.bin"
    Config file at boot was "startup-config"
    ASA up 22 days 3 hours
    Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    ASA# sh module 1
    Mod Card Type Model Serial No.
    1 ASA5500 SSM-10 ASA-SSM-10 B155670DW4
    Mod MAC Add Range Hw Ver. Fw Ver. Sw Ver.
    1 00xx to 001 1.0 1.0(10)0 5.0(2)S152.0
    Mod SSM Apps. Name Status SSM Apps Version
    1 IPS Up 5.0(2)S152.0
    Mod Status Data Plane Status Compatibility
    1 Up Up

  • Sync configs between AIP-SSMs

    We have a pair of ASA 5520s in active/standby mode. This part of the situation works great, configurations are always synced to the standby, nothing is lost. Planned failover has worked every time without users even noticing.
    We have an AIP-SSM-20 in each.
    The challenge arises as it seems there is still no easy and automatic way to sync the configuration of the SSMs together.
    Due to all the false positives, we need to perform configurations on the AIP-SSMs. Is there a method I am overlooking, how do you do it?
    Thanks.

    Thanks for your reply. I've gotten back on this subject....
    Does this run as a service, like it is running all the time and needs to be installed on a system which is always up, or does this run as an application only as needed.
    Based on the requirements, I can not tell. It can run on desktop OSes or Server OSes.
    "Hard Drive
    • 100 GB
    Memory (RAM)
    • 2 GB
    Supported Operating Systems
    • Windows Vista Business and Ultimate (32-bit only)
    • Windows XP Professional (32-bit only)
    • Windows 2003 server
    Note: Cisco IPS Manager Express supports only the 32-bit U.S. English version of Windows."
    100GB for an application, seems rather hefty to me. Is this for real?
    Thanks

  • How to block p2p applications(Bittorent like) with AIP-SSM-10?

    Hi,
    How do I block p2p applications using an AIP-SSM-10 working with an ASA5520? The AIP is in promiscuous mode.
    Thanks,
    Siva

    There are several signatures that detect p2p, for bit torrent there is 11020.0
    Yahoo triggers: 5539.0, 11200.0, 11212.0, 11217.0 & 11219.0
    etc..
    Some are disabled by default though so please ensure you enable the ones that you need.
    If you want to block these then you will have to use event actions that work in promiscuous setup for example request block connection and tcp reset. Please note that care must be taken when using these event actions.
    For more information about the event actions please refer the link below:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1069467

  • Obtaining hardware and signature support for AIP SSM-10

    We have a 5510 which we have purchased an AIP SSM-10 card for the ASA which is already under a support contract. We now wish to add hardware maintenance for the new AIP SSM-10 card as well as signature updates. Our Cisco supplier will not confirm that we will receive signature updates with the hardware support though (we have been trying to get an answer from them since June or July now).
    Could someone let us know what the correct part number is so we can ask for the specific option that will provide both hardware cover and signature updates.

    I think this is what you need:
    CON-SU1-AS1A1PK9
    IPS SVC, AR NBD ASA5510-AIP10SP-K9
    cisco smartnet support

  • Signature Updates for AIP-SSM 10

    Hi all, how can I obtain signature updates for AIP-SSM 10 where I have a 60-day trial license?

    Here is the main file download page for the IPS sensors.
    Find the section for the version you are running and click on the Latest Signature Updates link to take you to the download page for signature updates.
    You can then download which ever signature update you want.
    NOTE1: Each Signature Updates contains all signatures from previous Sig levels. So you only need to download the latest one.
    NOTE2: Each signature update has a specific E (Engine) level requirement. You can execute "show ver" on your sensor to determine if it is at an E1 or E2 level. If it is at E1 and you want the latest sigs that require E2 then you will first need to install the E2 upgrade.
    On that main download page look for the "Latest Upgrades" link for your version, and look for the IPS-engine-E2-req-X.X-X.pkg file where the X.X-X matches your sensor version.
    If there is not an X.X-X matching your sensor version, then you may need to upgrade the software version for your sensor as well.
    NOTE3: Many of these links will also require an account on cisco.com. And for some of these files that account may also need to be verified for being from a country where the USA's export restrictions allow downloads for encryption. (Most countries qualify but you do have to go through that qualification step). It has been over 10 years since I have had to do this so I am not sure of the latest procedures for getting an account or validating it for encryption downloads.

  • Configuring AIP SSM to monitor only

    Hi all,
    We purchased an AIP-SSM-20 for our ASA5520. Is there a way to enable IPS functionality, but not block anything, i.e. just log events? This is just to see if any legitimate company traffic will be blocked.
    Thanks!
    Jacques

    Configure the ASA to send traffic to the IPS in promiscuous mode using the following command in a policy-map:
    hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
    http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
    Geroge
