ASA instead of IPS to block torrents' signatures

Dear friends,
I would like to know if any of you have tried to block torrents' signatures with the help of an ASA.
On some forums I have found information about the signatures that can be found while inspecting uTorrent traffic, and how to match them on a Cisco router.
Here they are:
match start l3-start offset 40 size 5 regex "\x7F\xFF\xFF\xFF\xAB"
match start l3-start offset 36 size 6 regex "\x7F\xFF\xFF\xFF\x00\x03"
match start l3-start offset 36 size 8 regex "\x00\x00\x00\x00\x00\x38\x00\x00"
match start l3-start offset 40 size 4 regex "\x00\x38\x00\x00"
match start l3-start offset 44 size 4 regex "\x00\x01\x00\x00"
Is it possible to do the same on an ASA, and how? Which criteria should be matched when creating class-maps?
Thanks in advance.
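What those five lines actually test, as an added example that is not part of the question and not Cisco code: a "match start l3-start offset N size M regex" line in an IOS Flexible Packet Matching (FPM) class-map counts N bytes from the first byte of the IP header, takes M bytes, and runs the regex over that window only. The Python below parses the match lines exactly as quoted, builds two constructed IPv4/UDP datagrams (the payload bytes are placed so that the second and fifth rules hit; they make no claim about what real uTorrent traffic looks like) and shows why absolute L3 offsets are brittle: with a 20-byte IP header and an 8-byte UDP header, offset 36 is byte 8 of the UDP payload and offset 40 is byte 12, but four bytes of IP options shift every offset. For TCP the same applies with more force, since options such as timestamps or SACK make the header longer than 20 bytes, so offset 40 is then not the first payload byte. The ASA firewall itself has no equivalent of FPM's byte-offset matching; its regex objects are only used inside application inspection policies, which is why ASA-side answers fall back on ports or on the IPS module.

```python
import re
import struct

# The five rules from the question, as they would sit in an IOS FPM
# class-map. They are parsed rather than hand-copied, so the same code
# serves any number of "match start l3-start" lines.
RULE_TEXT = r'''
match start l3-start offset 40 size 5 regex "\x7F\xFF\xFF\xFF\xAB"
match start l3-start offset 36 size 6 regex "\x7F\xFF\xFF\xFF\x00\x03"
match start l3-start offset 36 size 8 regex "\x00\x00\x00\x00\x00\x38\x00\x00"
match start l3-start offset 40 size 4 regex "\x00\x38\x00\x00"
match start l3-start offset 44 size 4 regex "\x00\x01\x00\x00"
'''

RULE_LINE = re.compile(
    r'match start l3-start offset (\d+) size (\d+) regex "([^"]*)"', re.I)


def parse_rules(text):
    """Turn each match line into (offset, size, compiled bytes regex).
    The \\xHH escapes are handed straight to Python's re, which reads
    them the same way: one raw byte each."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.search(line)
        if m:
            offset, size, regex = int(m.group(1)), int(m.group(2)), m.group(3)
            rules.append((offset, size, re.compile(regex.encode("ascii"))))
    return rules


def match_rules(rules, ip_packet):
    """Evaluate the rules as the match lines describe them: count `offset`
    bytes from the first byte of the IP header, take `size` bytes, and run
    the regex over that window only. Returns the zero-based indices of the
    rules that hit."""
    hits = []
    for i, (offset, size, regex) in enumerate(rules):
        window = ip_packet[offset:offset + size]
        if len(window) == size and regex.search(window):
            hits.append(i)
    return hits


def ipv4_udp(payload, ip_options=b""):
    """Constructed IPv4/UDP datagram for the demo. Checksums are left at
    zero; only the header lengths matter for the offset arithmetic."""
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len,
                         0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp_hdr = struct.pack("!HHHH", 51413, 6881, 8 + len(payload), 0)
    return ip_hdr + ip_options + udp_hdr + payload


# Constructed payload: 7F FF FF FF 00 03 placed 8 bytes into the UDP payload
# (20 + 8 + 8 = L3 offset 36) and 00 01 00 00 placed 16 bytes in (L3 offset
# 44). Whether real uTorrent traffic looks like this is exactly the open
# question; this only exercises the offset logic.
SAMPLE_PAYLOAD = (b"\x00" * 8 + b"\x7F\xFF\xFF\xFF\x00\x03"
                  + b"\x00\x00" + b"\x00\x01\x00\x00")
PLAIN_PACKET = ipv4_udp(SAMPLE_PAYLOAD)
# Same datagram, but the IP header carries four NOP option bytes, so every
# L3 offset now lands four bytes earlier inside the payload.
OPTIONS_PACKET = ipv4_udp(SAMPLE_PAYLOAD, ip_options=b"\x01" * 4)

if __name__ == "__main__":
    rules = parse_rules(RULE_TEXT)
    print("plain header:", match_rules(rules, PLAIN_PACKET))      # [1, 4]
    print("with options:", match_rules(rules, OPTIONS_PACKET))    # []
```

The second result is the practical caveat: the very same payload stops matching as soon as the header in front of it changes length, and the matcher has no way to tell a miss from an evasion. Anything that anchors on the transport header (or on the IPS module's protocol-aware signatures) is less fragile than a fixed L3 offset.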

Hi Aman,
Please find the config below; I am not sure, but it may help to some extent.
object-group service Blocked-UDP-Ports udp
 description All ports blocked for BitTorrent UDP DHT (all ephemeral ports except VPN encapsulation)
 port-object range 10001 65535
 port-object range 1024 1193
 port-object range 1195 9999
object-group service BitTorrent-Tracker tcp
 description TCP ports used by BitTorrent for tracker communication
 port-object eq 2710
 port-object range 6881 6999
access-list inside_access_in extended permit udp <source you need to allow> any object-group Blocked-UDP-Ports
access-list inside_access_in extended permit tcp <source you need to allow> any object-group BitTorrent-Tracker
access-list inside_access_in extended deny udp any any object-group Blocked-UDP-Ports log warnings inactive
access-list inside_access_in extended deny tcp any any object-group BitTorrent-Tracker log warnings inactive
Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
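An interface ACL on the ASA is evaluated top-down, first match wins, an ACE carrying the inactive keyword is skipped as if it were not configured, and a packet that matches nothing falls through to the implicit deny at the end. The evaluator below is an added example, not Thanveer's configuration or anything from the ASA itself: it parses his object-groups and ACEs (the source placeholder filled with an assumed inside subnet 10.1.1.0/24; the destination 198.51.100.7 and the tested ports are chosen for illustration) and shows what each line does for a few sample flows, both as posted and with the deny lines switched on. Source ports, IPv6 and other ACE forms are deliberately not handled.

```python
import ipaddress

# Thanveer's object-groups and ACL, with the "(source u need to allow)"
# placeholder filled by an assumed inside subnet, 10.1.1.0/24.
ASA_CONFIG = """
object-group service Blocked-UDP-Ports udp
 description All ports blocked for BitTorrent UDP DHT
 port-object range 10001 65535
 port-object range 1024 1193
 port-object range 1195 9999
object-group service BitTorrent-Tracker tcp
 description TCP ports used by BitTorrent for tracker communication
 port-object eq 2710
 port-object range 6881 6999
access-list inside_access_in extended permit udp 10.1.1.0 255.255.255.0 any object-group Blocked-UDP-Ports
access-list inside_access_in extended permit tcp 10.1.1.0 255.255.255.0 any object-group BitTorrent-Tracker
access-list inside_access_in extended deny udp any any object-group Blocked-UDP-Ports log warnings inactive
access-list inside_access_in extended deny tcp any any object-group BitTorrent-Tracker log warnings inactive
"""


def _address(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network((tok[i], tok[i + 1]), strict=False), i + 2


def parse_config(text):
    """Minimal parser for the two statement types used above: service
    object-groups with port-objects, and extended ACEs of the form
    <action> <proto> <src> <dst> [object-group G | eq N] [log ...] [inactive].
    Destination ports only; this is a teaching model, not a full ACL parser."""
    groups, acl, current = {}, [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "description":
            continue
        if tok[:2] == ["object-group", "service"]:
            current = tok[2]
            groups[current] = []
        elif tok[0] == "port-object":
            lo = int(tok[2])
            hi = int(tok[3]) if tok[1] == "range" else lo
            groups[current].append((lo, hi))
        elif tok[0] == "access-list" and tok[2] == "extended":
            action, proto = tok[3], tok[4]
            src, i = _address(tok, 5)
            dst, i = _address(tok, i)
            ports = [(0, 65535)]
            if i < len(tok) and tok[i] == "object-group":
                ports = groups[tok[i + 1]]
            elif i < len(tok) and tok[i] == "eq":
                ports = [(int(tok[i + 1]), int(tok[i + 1]))]
            acl.append({"action": action, "proto": proto, "src": src,
                        "dst": dst, "ports": ports,
                        "inactive": tok[-1] == "inactive"})
    return groups, acl


def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation as an ASA interface ACL does it: an ACE marked
    inactive is skipped as if absent, and a packet matching no ACE hits the
    implicit deny. Returns (action, ace_index); ace_index is None for the
    implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acl):
        if ace["inactive"] or ace["proto"] != proto:
            continue
        if (src in ace["src"] and dst in ace["dst"]
                and any(lo <= dst_port <= hi for lo, hi in ace["ports"])):
            return ace["action"], n
    return "deny", None


def activate(acl):
    """Copy of the ACL with every 'inactive' keyword removed, i.e. the
    behaviour once the deny lines are switched on."""
    return [dict(ace, inactive=False) for ace in acl]


GROUPS, ACL = parse_config(ASA_CONFIG)

if __name__ == "__main__":
    for proto, src, port in [("udp", "10.1.1.5", 50000), ("udp", "10.1.2.5", 50000),
                             ("udp", "10.1.1.5", 1194), ("tcp", "10.1.2.5", 443)]:
        print(proto, src, port, "as posted:", evaluate(ACL, proto, src, "198.51.100.7", port),
              "| denies active:", evaluate(activate(ACL), proto, src, "198.51.100.7", port))
```

Two things the output makes visible. First, as long as the deny ACEs are inactive, a non-listed source to UDP 50000 is still dropped, but by the implicit deny rather than by a logged entry, so nothing shows up in the log warnings. Second, because the snippet contains no broader permit, every other flow from the inside (the 10.1.2.5 to TCP 443 case, and even the listed subnet to the UDP 1194 VPN hole that the object-group leaves out) also lands on the implicit deny; on a production inside interface these entries need to sit above the permits that carry the rest of the traffic, and the inactive keyword is what lets you stage the deny lines and flip them on once the allowed sources are confirmed.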

Similar Messages

  • IPS host blocking not happening in VLAN 1

    Hi
    I have an IDSM2 module installed in a 6500 core switch and configured in promiscuous mode. I have added the interfaces of the 6500 in the IPS as a blocking device and I can see all the VLAN interfaces along with VLAN 1.
    When I test the attack, I can see the IPS action as a deny host entry in the access-list across all the VLANs except the native VLAN 1.
    Is there any exception for the native VLAN? I would appreciate it if someone could share their experience!
    IDSM2
    Image version 7.0(1)
    Signature: S475
    E3
    Regards

    Both the URLs are working & I configured the SSL one. Telnet to the port also happens with IP & hostname in OIM & Ad servers
    http://pwoim:7001/spmlws/OIMProvisioning
    https://pwoim:7002/spmlws/OIMProvisioning

  • Proper ASA-SSM-20 IPS and MARS Intergration

    I'm trying to understand how to best manage my MARS and ASA-SSM-20 IPS implementation. I've been running this solution for about 2 months and have been experimenting with how to manage alerts from the blades to MARS.
    The MARS documentation says to configure 2 Event Action Overrides: Verbose Alerts and Log Pair Packets. However, there seems to be a major drawback:
    1. The IPS generates alerts for signatures that by default have no alert action configured. At first glance this seems OK, but over time I found that many false positives are generated for signatures that would otherwise remain quiet.
    My question is, how should this be managed? I want verbose alerts and logged pair packets for signatures that produce alerts by default, but if I manually configure this, is there a performance consideration?

    You might be hitting the bug CSCuc34812.
    Please contact Cisco TAC to have the issue analyzed.
    Regards,
    Sawan Gupta

  • IPS 4240 Blocking Questions with Pix 515E

    I have enabled Blocking on the 4240 and have set the Blocking Device as our PIX 515E. When I look at the Signature Configurations, quite a few Signature Actions are set to Produce Alert only. If blocking is enabled, do you have to also go and set the Signature Actions to Deny or TCP Reset? So far my IPS doesn't show any Denied Attackers, and it has detected High-level traffic which I would assume should now be blocked. Thanks, John

    Yes, you have to go under the signatures you want and enable blocking for them as an action. Configuring blocking globally (defining the blocking device, the interface, the login details for the device, etc.) doesn't actually enable any blocking on the sensor per se; you still have to go and enable blocking for that particular signature. When that particular sig fires in future, the sensor will block it on the device you have configured.
    Be very careful with blocking. The reason we don't simply block all signatures is that it would be very dangerous to blindly add access-lists to a device that will stop traffic. You first need to make sure you're not getting any false positives on the signatures and end up blocking valid traffic. Also, on a busy sensor you could easily overrun both the sensor and the blocking device with writing and removing thousands of access-lists onto it. And finally, although not likely, blocking can even be used as a denial-of-service attack, where an attacker, if they know what signatures you are blocking on, can spoof packets past your sensor so that it will deny traffic to legitimate hosts.
    You need to look at what signatures you really want to block on, then enable blocking on them individually.

  • What is the best method to block out signatures?

    Hi
    Hopefully someone has some ideas on this.
    Basically my company needs to block out signatures and private information like telephone numbers in PDF documents which we publish on the web.
    We have been using the rectangle tool and the 'lock' button to block out and lock the boxes so people with Adobe Reader can't read them. This isn't perfect because it's like a new layer, and when scrolling up and down the information behind the box is viewable for a split second. And even with the lock button ticked, people with Acrobat Pro can still untick this and move the box. This can be fixed by password-protecting the document, but it's a pain!
    Now we have a new problem. It seems these rectangle boxes don't appear in some third-party PDF viewing software, namely the one on the iPad! People using iPads can see all the private details we are publishing on the web!!
    Are there better ways to block out signatures using Acrobat? We are using Acrobat Pro 7. Since this problem arose our website has had to come down. Anyone got any ideas?
    Thanks for your help.
    Steve

    Also, the version you are using is so old that 1) it's not supported anymore and 2) most readers here won't know how it works.
    Redaction could be your solution, but the latest version does this better and differently.
    You can also certify the doc and lock it.
    Try creating signature appearances without personal info in it.
    Get a trial of Acrobat 10 and see if that's the way to go.
    Ben

  • How to block Torrent sites in isa server

    how to block Torrent sites in isa server

    Hi,
    hth:
    http://social.technet.microsoft.com/Forums/forefront/en-US/a1a19e8b-c60e-4fcf-afa3-cf52cfc88f23/how-to-detectblock-peertopeer-activity-in-isatmg
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3276?GPP=MarcGrote

  • Using IPS 6.3 customized signatures in CS MARS

    A client has a Cisco IPS 6.3 module installed in a Catalyst 6500, *with fully customized signatures* which generate thousands of alerts clearly visible in its IPS Event Viewer.
    MARS is pulling info from that IPS, but the customized signatures do not appear in any Incident. Is it possible for MARS to pull all those customized signatures??
    Thanks in advance

    The first step is to get MARS to parse the event. The next step is to create the necessary inspection rules.
    You can start here:
    http://ciscomars.blogspot.com/2008/03/custom-ips-signatures-with-cisco-mars.html

  • WRVS4400NV2 IPS now blocking Cisco IPS Auto Update Server

    Yesterday I noted that my ASA5505 AIP-SSC5 card was failing to auto update as it had been doing without issue for months. I looked in the logs and the IPS was showing an HTTP Error when attempting to update. I checked and nothing had changed in the IPS configuration. Then, on a hunch, I checked the IPS log of the WRVS4400N which is the edge router for the small business network.
    The WRVS4400N IPS was blocking connections with the Cisco auto update server because it detected an RPC Anomaly in the traffic. So apparently, something has changed in the Cisco IPS auto update server (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) response that the Cisco small business router misidentifies as a threat...
    FYI, I also posted this issue to the small business router community discussion forum.

  • Re: WRT160Nv2 - how to block "Torrent application"and website

    Dear sir,
    I want to know whether it is possible to block the "Torrent Application" and torrent-related websites. Please help me.
    Regards
    Thomas.

    You can use the feature "Access Restriction" on the router to block some application or website you want.

  • ASA Botnet Filtering - Does it block Tor Exit nodes?

    Hello Group. I am looking into methods to block Tor network activity both inbound and outbound. Outbound is pretty straightforward by utilizing IPS and AV signatures. Inbound seems to be a little more involved. Preventing inbound traffic requires blocking all of the Tor exit nodes, which comprise a list of multiple thousands of IPs including a small percentage that are dynamic. Does the ASA Botnet Filter encompass these IPs?
    Thanks in advance for any input.
    /JT

    Hi,
    One of the sources that the Botnet Traffic Filter uses is senderbase.org (it also uses many others), so you can evaluate one of the IP addresses that you know belongs to the Tor network and see what reputation it has (to see if the botnet feature will catch it). But remember that the main idea behind this feature is botnet detection, and I don't think we can qualify this site as a botnet site.
    Thanks,
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • IOS IPS for blocking IM and P2P

    Any recommendations on the best way to use IOS IPS to stop P2P and IM?
    I set up a 3845 with 12.3(14)T1 to do this by importing signatures from the latest SDF using SDM. I used the attack-drop, and all IM and P2P signatures I could find. I changed them all to drop and reset. I then applied it to the inside interface of a 3845. I also set up nbar with a drop policy for all P2P traffic.
    The configuration caused very slow web response time for users, including blocked pages. Removing the IPS filter made everything work properly again. The router also stopped rebooting periodically.
    Is there a recommended way to set this up that does not cause slow performance and reboots?

    OK, went back and loaded some upgraded software. Now using 12.4.1 Advanced security IOS on the 3845, and SDM 211. The new 256MB.sdf signature file has all the IM and P2P signatures in it already!
    After applying the IPS inbound on the serial interface, I changed the UDP signatures action to drop and the TCP to drop/reset.
    Everything appears to be working beautifully. Yahoo and MSN messenger get dropped, as well as the peer to peer requests. I am unable to download Bittorrent. Web access is fast, and there is no hesitation by the router in configuring the IPS.
    This appears to be a great solution so far.

  • IPS host block based on custom criteria

    Back when I was using Microsoft ISA I was able to set up rules that would (permanently) block a host exhibiting certain behaviour. I am trying to achieve the same using a Cisco ASA IPS.
    We have certain special ports open on IP addresses, but the common attack ports (22, 3389...) are blocked. I would like to set up a rule where a host is immediately shunned when they try to hit such a port, so that the host cannot even proceed to the open ports. To me, anyone trying to access these ports is up to no good and should be blocked.
    Is there any way to do this on Cisco ASA?

    Hello Paul,
    Yes, you can do it.
    1. Create an access-list with the source subnet/host along with the ports you want to take care of.
    2. Call that access-list in a class-map.
    3. Call this class-map in a policy-map and give the command ips promiscuous fail-open/fail-close.
    4. Apply the policy-map on the particular interface.
    ciscoasa(config)#access-list traffic_for_ips permit tcp host x.x.x.x any eq 22
    ciscoasa(config)#class-map ips_class_map
    ciscoasa(config-cmap)#match access-list traffic_for_ips
    ciscoasa(config)#policy-map interface_policy
    ciscoasa(config-pmap)#class ips_class_map
    ciscoasa(config-pmap-c)#ips promiscuous fail-open
    !--- Two decisions need to be made.
    !--- First, does the AIP-SSM function
    !--- in inline or promiscuous mode?
    !--- Second, does the ASA fail-open or fail-closed?
    ciscoasa(config)#service-policy interface_policy interface inside

  • How to create a new rule in Windows Firewall to permit some specific IPs and block all other computers

    Hello,
    I have a Win7 PC. I want to block all incoming connections except 3 or 4 IPs. How can I do this?
    I created a new rule to block all connections using these steps:
    Inbound rules > New Rule > Custom > All Programs > All Protocols / Ports > All Local/Remote IPs > Block the connection > All profiles > Then I gave it a name
    This rule works fine and blocks all incoming connections.
    Then I wanted to create a new rule to allow specific IPs using these steps:
    Inbound rules > New Rule > Custom > All Programs > All Protocols / Ports > Remote IPs: 192.168.10.5, 192.168.10.10 > Allow the connection > All profiles > Then I gave it a name
    But 192.168.10.5 and 192.168.10.10 couldn't reach the W7 machine.
    (If the rules are disabled or the FW is off, both IPs can reach the W7 machine)
    Thanks

    Hi,
    How did you check these two IP addresses? Through remote access? According to your description, it should only allow the remote IPs to access this computer. Please also allow the local IP for testing.
    Roger Lu
    TechNet Community Support

  • ASA5515X - WSE,AVC and IPS - Application block per user

    Can I enable web application blocking based on a user or group of users with the WSE license, or do I need another type of license?
    Thanks,
    Ivan

    WSE is always packaged, at a minimum, with AVC. That combination on an ASA is all the licensing you need to block web applications per user. You will of course need to implement a scheme to identify your users in order to use their identity in a policy. That can be via the local database (seldom used as it doesn't scale well), via integration with your Microsoft AD infrastructure (via active authentication or optionally using the free Context Directory Agent (CDA) server running on a VM in your environment), or via something like the Identity Services Engine (ISE, a licensed product).

  • Inspect other firewall traffic using ASA 5585-X IPS SSP

    Is it possible to inspect traffic from other firewalls (say a Check Point firewall) apart from the ASA firewall the ASA IPS SSP is running on?
    Any help will be appreciated
    O.

    Hello Amit,
    Can you share:
    show ips detail
    show module 1 details
    show service-policy
    Now, can you explain a little about this:
    On the switch end, port TenGig 1/8 is connected on the Nexus and specific VLANs are monitored on that interface. But as of now I am not able to see any traffic on that interface. I don't know what I am doing wrong, as this is the first time on this IPS module. There are no ports connected on the firewall; the only port connected is TenGig 1/8, which is on the IPS module, which is in promiscuous mode.
    I mean the firewall is the one that will redirect the traffic to the IPS sensor so not sure I follow you!
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com
