Cisco IPS 4240 stops file downloads at 90%

Hi everybody. I have a Cisco IPS 4240 with version 7.0.4 installed and upgraded to the latest signature. But since it was installed I have had an issue with some file downloads, because the IPS stops the file at 90-99% of the download (in some cases, not all). The IPS is inline in front of the firewall. Some partners tell me that I have to change the mode to promiscuous to solve the issue, but I think that if the IPS was designed to work inline, I don't have to change anything, and maybe some expert on the forum has the correct answer. Or does this issue have a solution with configuration changes?
Sorry for my written English.... I tried to find some signature that causes the issue, but if I disable the sensor, the issue occurs. The firewall is not the problem, because if I connect a laptop in front of the firewall and behind the IPS the issue occurs too. Well, I have now spent some months trying to find a solution. On the Cisco site I did not find anything similar.... :-(
P.S. Examples of files that stop while downloading are Apple iTunes, Microsoft patches, or VMware software.
Thanks, your responses are greatly appreciated.

Thanks for your help. These are the last packets before the download freezes:
The size of the downloads with problems is random; sometimes it occurs with small downloads, sometimes with large downloads. The download in the example is 47 MB. I think that the traffic is dropped and the TCP connection times out. Do you see any anomalies in this portion of traffic?
14:55:20.536119 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536122 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536420 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536718 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.536820 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537123 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537125 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537517 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537520 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537522 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537821 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.537823 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.538116 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.538118 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.538415 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.538418 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.544207 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.544307 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638362 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638365 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638463 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638862 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.638866 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639164 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639166 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639560 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639564 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.639960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.640260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.640263 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.640568 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.641958 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.641960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.642158 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742304 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742603 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742605 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742607 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.742903 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.743202 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.743302 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.743601 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.745000 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.745100 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845347 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845548 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845550 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845647 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.845845 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.846245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.846247 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.846544 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
14:55:20.849040 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48010926 win 65335
14:55:20.849439 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48012386 win 65335
14:55:20.948787 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48015306 win 65335
14:55:20.948789 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48018226 win 65335
14:55:20.952982 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48021146 win 65335
14:55:20.953679 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48024066 win 65335
14:55:21.055723 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48029906 win 65335
14:55:21.055725 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48032826 win 65335
14:55:21.055930 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48035746 win 65178
14:55:21.058919 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48037206 win 65335
14:55:21.068809 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48040126 win 65335
14:55:21.068812 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48043046 win 65335
14:55:21.069006 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48045966 win 65335
14:55:21.070103 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48048886 win 65335
14:55:21.158967 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48051806 win 65335
14:55:21.159265 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48054726 win 65335
14:55:21.159465 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48057646 win 65335
14:55:21.159864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48060566 win 65335
14:55:21.159867 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48063486 win 64605
14:55:21.162162 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 63875
14:55:21.162260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 65335
14:55:21.172245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48069326 win 65335
14:55:21.172248 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48072246 win 65335
14:55:21.172545 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48075166 win 65335
14:55:21.172645 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 64605
14:55:21.172744 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 65335
14:55:21.172844 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48081006 win 65335
14:55:21.173144 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 64605
14:55:21.185225 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 65335
14:55:21.572333 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48116046 win 65335
14:55:21.585313 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585315 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585414 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585417 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585512 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.677172 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.688654 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.688657 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
14:55:21.688757 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
14:55:21.780613 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:21.883755 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:21.986998 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
14:55:22.090639 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
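
To answer the "do you see anomalies" question mechanically, the following sketch (an added example, not part of the original post) groups the client's ACKs into runs and flags runs of three or more duplicate ACKs, the TCP fast-retransmit threshold. The sample rows are copied from the trace above and shortened; the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One tcpdump text line: time, "IP", src > dst:, flags, "ack N", "win N".
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP (\S+) > (\S+): \S+ ack (\d+) win (\d+)"
)

# Constructed sample: (seconds, ack, win) rows taken from the posted trace, shortened.
SAMPLE_ROWS = [
    ("20.845845", 47929166, 65335), ("20.846245", 47929166, 65335),
    ("20.846247", 47929166, 65335), ("20.846544", 47929166, 65335),
    ("20.849040", 48010926, 65335), ("20.849439", 48012386, 65335),
    ("21.162162", 48066406, 63875), ("21.162260", 48066406, 65335),
    ("21.585313", 48151086, 65335), ("21.585315", 48151086, 65335),
    ("21.585414", 48151086, 65335), ("21.585417", 48151086, 65335),
    ("21.585512", 48151086, 65335), ("21.677172", 48151086, 65335),
    ("21.688654", 48151086, 65335), ("21.688657", 48158386, 65335),
    ("21.688757", 48158386, 65335), ("21.780613", 48170066, 65335),
    ("21.883755", 48170066, 65335), ("21.986998", 48170066, 65335),
    ("22.090639", 48170066, 65335),
]
SAMPLE = "\n".join(
    f"14:55:{t} IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack {a} win {w}"
    for t, a, w in SAMPLE_ROWS
)


@dataclass
class AckRun:
    flow: tuple                      # (source, destination) as printed by tcpdump
    ack: int                         # cumulative ACK number held during the run
    win: int                         # last advertised window seen in the run
    first_ts: float
    last_ts: float
    duplicates: int = 0              # repeats with identical ack AND window
    next_ack: Optional[int] = None   # ACK that ended the run; None if the capture ends

    @property
    def jump(self):
        """Bytes newly acknowledged when the run ended (None if it never ended)."""
        return None if self.next_ack is None else self.next_ack - self.ack


def parse_line(line):
    """Return (timestamp_seconds, flow, ack, win), or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, us, src, dst, ack, win = m.groups()
    # Time of day only: a capture crossing midnight is not handled here.
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
    return ts, (src, dst), int(ack), int(win)


def ack_runs(lines):
    """Group consecutive ACKs per flow into runs that share one ACK number."""
    open_runs, done = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, flow, ack, win = rec
        run = open_runs.get(flow)
        if run is not None and run.ack == ack:
            if win == run.win:       # same ack, same window: a true duplicate ACK
                run.duplicates += 1
            run.win = win            # same ack, new window: only a window update
            run.last_ts = ts
            continue
        if run is not None:
            run.next_ack = ack
            done.append(run)
        open_runs[flow] = AckRun(flow, ack, win, ts, ts)
    done.extend(open_runs.values())
    return done


def flagged_runs(runs, threshold=3):
    """Runs with at least `threshold` duplicate ACKs (3 triggers fast retransmit)."""
    return [r for r in runs if r.duplicates >= threshold]


def describe(run):
    span_ms = (run.last_ts - run.first_ts) * 1000
    tail = ("never advanced before the capture ended" if run.jump is None
            else f"then advanced by {run.jump} bytes")
    return f"ack {run.ack}: {run.duplicates} duplicates over {span_ms:.1f} ms, {tail}"


if __name__ == "__main__":
    for r in flagged_runs(ack_runs(SAMPLE.splitlines())):
        print(describe(r))
```

A long duplicate run followed by a large forward jump means the receiver was holding later data while waiting for one missing segment; a run that never advances is where the transfer stalled in the capture.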

Similar Messages

  • Bitcoin generator and Cisco IPS 4240

    I have a problem with a Bitcoin generator installed somewhere in the local network.
    I have an IPS 4240 connected as an IPS (all traffic to the internet passes through the IPS).
    The software on the IPS is very old, and I cannot upgrade it.
    Version 6.0(6)E4
    Can I configure the IPS to detect and prevent bitcoin?

    Please, can anyone answer these questions? Your help is appreciated. These are blocking me.
    We have purchased a Cisco IPS 4240 sensor and installed the license, and the device is communicating with other computers in the network. The version installed is IPS 6.1(1)E1. Please can you answer the questions below?
    1) Can you provide me the document or link that lists all the possible events that can be generated by the Cisco IPS 4240 sensor?
    2) Where will this IPS 4240 sensor store all the generated events? Please can you provide me the file names and the location of those files, and can you tell me how to access those files?
    3) How many types of events will be generated by this IPS 4240 sensor?
    4) How do I send all types of events to a syslog server (Windows Kiwi syslog or Linux syslog) present on another system in the network through CLI, IDM and IME?
    5) Can you provide me some examples to generate different events?
    6) What is the difference between CLI, IDM and IME?
    7) How can we know that the configured IPS system is in inline mode?

  • Deployment of Cisco IPS 4240 devices

    I can't seem to find any information regarding mass rollouts of Cisco IPS 4240 devices. I have 6 devices I intend to roll out to several remote offices and tie into a centralized Cisco MARS appliance. Without using any CSM/LMS software, is there an quick and dirty way to pull this off? I'm thinking to configure a single IPS device then pull and distribute its configuration file to the remaining devices. Would like to see how others have accomplished this...

    If all of your sensors are the same type (all 4240s in your situation) and will all run the exact same configuration, then the copy command will help you out.
    There was a new feature added into the copy command in IPS 6.1 that will help you in copying config from one sensor to another.
    You fully configure one sensor (use IME, IDM, or CLI). When you are happy with the configuration then use the copy command to copy it TO an SCP server.
    Now bring up a second sensor and configure the basic networking parameters through setup (ip address, gateway, etc...).
    Now use the copy command on the second to copy the first sensor's configuration FROM the SCP server into the running config of the second sensor.
    It will prompt you whether to overwrite the second sensor's networking parameters.
    Answer NO.
    The rest of the first sensor's configuration will be copied into the second sensor.
    The second sensor will keep its own unique IP but will gain the rest of the configuration from the first sensor's config.
    Continue doing this with any additional sensors.
    The process can then be repeated anytime additional changes are made to the first sensor.
    Keep in mind though that this only works if the sensor's configuration will be exactly duplicated (including what interfaces would be monitored and how).
    If each sensor will have some unique tunings then you will need to either manage each sensor on its own, or purchase CSM that can be used to share only certain portions of the configuration across multiple sensors.

  • TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

    I would like to block TeamViewer in my network. We are using a Cisco IPS 4240 in IDS mode. I found that there are signatures for TeamViewer in the latest signatures.
    We have only configured a promiscuous interface. I read that we can issue TCP resets through the promiscuous interface as well (a dedicated TCP reset interface is recommended).
    However, in my case, I found that the signatures for TeamViewer are not firing even after successful TeamViewer connections.
    I am a beginner in IPS. Any inputs will be valuable for me.

    We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
    For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
    -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
    -1 looks for specific traffic to tcp port 5938 which would indicate Teamviewer's direct-connection method
    -2 looks for traffic indicating use over http when teamviewer is configured to use a proxy
    TCP resets are a best effort response, they aren't going to be a 100% effective stop

  • Cisco IPS 4240 VS Cisco ASA AIP SSM-10 Module

    I'm looking to replace another vendor's IPS system we have at our company. We do have an ASA 5510 in our environment currently.
    Considering I don't need the extra bandwidth of the IPS 4240 series and the AIP SSM-10 requires an ASA 5510 what are the differences?

    Operationally the AIP-SSM1 and the 4240 run the same software, so they work pretty much the same.
    The AIP-SSM inside the ASA is a less expensive alternative, but because it sits inside an ASA there is more to configure and manage (the ASA plus the sensor). The ASA also has some built-in inspections that may filter some traffic/attacks from being seen at the AIP-SSM sensor.
    - Bob

  • Cisco IPS (global correlation) is downloading lots of updates from the iron-port website

    I have query on Global correlation.
    Following is the observed behavior
    Scenario 1:
    Global Correlation Inspection: ON (Standard)
    Reputation Filter: ON
    Result: Global correlation downloads in bytes or KBs (observed on proxy)
    Scenario 2:
    Global Correlation Inspection: OFF
    Reputation Filter: ON
    Result: Global correlation downloads 4-5 MB every 5 Minutes (observed on proxy)
    This behavior has been observed on both IPS devices one by one. What we wanted clarity on is why global correlation downloads so much data when it is OFF, and downloads only minimal data when ON. The equation does not seem to be right.
    Request you for your prompt response.
    Regards,
    Neal

    Both global correlation and reputation filtering retrieve updates from the SensorBase network, or IronPort. By default, they communicate with the network every five minutes. This value cannot be changed by the IPS administrator.

  • Cisco IPS 4240

    Hi,
    Why is the IPS inspection load going high again and again? High IPS inspection load is causing latency in the network. How can we overcome this?
    Thanks in advance..
    Regards,
    Usman  

  • New to IPS 4240 - What else can I use to manage it?

    I have just purchased a Cisco IPS 4240 and have it up and running. I have been using the IEV to view IPS information and that works OK. The VMS 2.2 that came included with the IPS will not work with the current CiscoWorks (LMS 2.5) installation that we have.
    My question is, is there any other tool besides the IEV and the VMS 2.2 that I can use to manage/monitor my IPS? The IEV seems so limited.
    I have downloaded the newer VMS from the Cisco site and am planning to test that this coming week, but wanted to know ahead of time if I needed to waste my time with this tool or not.
    Thanks!

    The latest CSMARS release is promising and honestly the netforensics solution offered by Cisco probably wouldn't be a good fit for the op, but I think Cisco needs to rethink pushing the MARS in lieu of everything else. As a previous customer of netforensics, and now a user of CSMARS...there are definitely many things that netforensics does better than CSMARS.
    My biggest beef with CSMARS is the seemingly casual way in which it treats time and "raw messages". IMHO, these should be sacred to any SIM. I can elaborate, but for the sake of brevity I'll just give a couple examples:
    The signature name reported in the "raw message" that MARS makes available is not always correct. Also, custom signature events report as "unknown" in the "raw message". Clearly this is not a "raw message" by any reasonable interpretation...MARS is writing bits that never existed in the original message.
    The event contextual information is very often truncated. If you rely on this a great deal, the MARS probably isn't for you. There's also no interface for decoding it, requiring a cut-and-paste into your favorite decoder.
    Believe me, I could go on. On the bright side, the MARS is showing promise...I was able to cross off my list quite a few issues after the latest upgrade.
    Matt

  • Reg. Cisco IPS Inline VLAN Mode

    Hi
    Currently my Cisco IPS 4240 version 5.1(5) is in promiscuous mode. Soon I will be configuring it in inline mode. I will be using only 1 IPS interface and will be configuring VLANs in the switch and connecting the trunk port to the Gig0/0 of the IPS. The issue is: if the IPS goes down, will the packet flow continue to run smoothly, i.e. will the "Auto bypass mode" be applicable for this scenario too and let the traffic go without inspection?
    Ankur

    Perfectly normal. Your test does not test the Software ByPass feature.
    The confusion is in how Software ByPass and Virtual Sensor assignment are related.
    If ByPass is set ON (not Auto, but specifically ON) then the traffic will be software bypassed regardless of whether or not analysis engine is running or whether the inline pair is assigned to any virtual sensors.
    The driver does the bypass, and never even attempts to send it to the analysis engine.
    If Software ByPass is set to Auto OR Off, the driver will always attempt to send the packets to the analysis engine.
    The only difference between Auto and Off is what happens when the analysis engine STOPS pulling new packets from the driver.
    With Software ByPass Auto, the driver will start passing the packets straight through and not send them to analysis engine.
    With Software ByPass Off, the driver will bring the link down on the NICs until analysis engine is able to start receiving packets again.
    So you see that Software ByPass is a function of the NIC driver.
    Whether or not the pair is actually assigned to a virtual sensor is UNKNOWN by the NIC driver itself.
    Whether or not the inline pair is assigned to a virtual sensor is solely a function of the analysis engine. If the analysis engine is running then the driver is always going to send it the packets. The analysis engine then checks to see if the packets should be monitored. If the inline pair is assigned to a virtual sensor then it is monitored before being passed back to the driver for transmit.
    IF the inline pair is NOT assigned to a virtual sensor, then the packet is STILL passed back to the driver for transmit.
    So an inline pair that is NOT assigned to a virtual sensor will STILL have packets passed through if analysis engine is running. So long as analysis engine is running the NIC driver in Software ByPass Auto or Off does not care whether or not it is actually monitored. The driver only knows that it must pass the packet to the analysis engine and the analysis engine will send the packet back for transmit.
    So adding and removing inline pairs from virtual sensors does NOT test the Software ByPass feature. The packets will always be passed through so long as analysis engine is running.
    If analysis engine stops passing traffic, then software bypass kicks in and all inline pairs (whether monitored or not) will be treated the same depending on whether bypass is Auto or Off.
    The only way to really test Software ByPass is to simulate an actual failure of the analysis engine.
    To do this:
    create a service account
    login with service account
    switch to user root (su - root)
    The root password is the same as the service account password.
    Execute "ps -ef" to find the pid of the sensorApp process (which is the analysis engine)
    Now execute "kill -9 ###" replacing the ### with the pid of the sensorApp process.
    Now the Software ByPass functionality should kick in.
    You can always run "show int" to see the current running status of the Software ByPass feature in the driver.
    It will be either On, Off, or Auto_On or Auto_Off
    The Auto_On and Auto_Off are the 2 running states for the Auto configuration. Auto_Off is when analysis engine is working, and auto_on is when the analysis engine is not working.

  • Cisco IPS OID specific log fields

    I am setting up a third-party log server checkpoint smartevent server to log events from Cisco IPS 4240. The setup requires to configure the OID specific log fields of the IPS. Where do i get the information. Will appreciate your assistance.

    I believe what you are looking for is available here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_snmp.html#wp1042408
    http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.383
    Let us know if you need more info.
    Regards,
    Sawan Gupta

  • IPS 4240 -email arlert configuration and Which mode

    hi
    My topology
    1)
    Internet-router (2 ISPs terminated in a single router)-two different firewalls (ASA5510 and PIX 515e)-->inside interface connected to IPS4240--->from IPS to L33750 switch.
    Is this the right place to put the IPS4240, and tell me in which mode the IPS should be (inline or promiscuous).
    2) I am able to see logs in the IPS 4240. I want to configure IPS alerts to my mail ID; where do I need to start the configuration? Please advise.
    thanks
    Karthik

    Email alert configuration is not supported in IPS/IDS.
    I think you can configure in promiscuous mode as Customers requiring promiscuous mode (non-inline) deployments are encouraged to migrate to the Cisco IPS 4240 Sensor, which supports up to 250 Mbps of IPS throughput.
    The below URL helps to configure IPS 4240 in promiscuous mode:
    http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliInter.html#wp1033699

  • IPS 4240 - additional card

    Hi,
    Does anybody know, when will be available 4xFE cards for IPS 4240 (for total 8 interfaces)?
    Regards,
    Krzysztof

    Cisco IDS 4250 is supported in version 5.0 Inline if the 4FE, Gig TX PCI card, two of the SX PCI cards, or the XL card is installed. Cisco IPS 4240 is supported in version 5.0, Inline supported (it has four sensing interfaces). IPS 4255 is supported in version 5.0, Inline is supported (it has four sensing interfaces). IDSM-2 is supported in version 5.0, Inline supported (it has two sensing interfaces).
    http://www.cisco.com/en/US/netsol/ns498/netqa0900aecd8029e8de.html

  • How to configure IPS 4240 - K9 to send log file to syslog server

    I am looking for the commands to configure the IPS 4240-k9 to send log files to a SYSLOG server. If anybody has or came across a similar issue please advise.
    Thanks in advance.

    Ali -
    I am sorry to tell you, but the Cisco IPS Sensors do not send Syslog messages. Your only options for sending signature event information are:
    SDEE (a TLS-encrypted, XML-formatted message): the sensor is the SDEE host and your event receiver (MARS, IME, Intelitactics, etc.) is the client.
    SNMP Traps - You need to set the "Action" on each signature you want the sensor to send a trap.
    - Bob

  • User account to download Cisco IPS signature

    Hi All,
    I wanted to enable auto-update in the IPS, but it asks for a Cisco account with cryptographic privileges to download Cisco IPS signature and signature engine updates from Cisco.com.
    Is there any default account for this?
    I have a CCO account; can this be used?
    You must have a Cisco.com user account with cryptographic privileges to download Cisco IPS signature and signature engine updates from Cisco.com.

    Using your cisco.com account go to this link and see if you can download the IPS-K9-6.1-2-E3.pkg file to your own desktop machine.
    http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=6.1%282%29E3&mdfid=280302728&sftType=Intrusion+Prevention+System+%28IPS%29+System+Upgrades&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+IPS+4260+Sensor&treeMdfId=278875311&treeName=Intrusion+Prevention+System+%28IPS%29&modifmdfid=null&imname=&hybrid=Y&imst=N&lr=Y
    If you can download this file with your account, then you can use that account and password when configuring the sensor for the cisco.com automatic upgrades.
    If you can not download the file with your account, then your account does not have the right settings.
    Either your account does not have crypto access or your account is not properly linked to your service contract for your sensors.
    There are a handful of countries not allowed to have crypto access; users from all other countries would just need to get their account modified for crypto access (I am not sure what that procedure is).

  • Web browsing and file downloads stops

    Hi Guys,
    I've been looking at a few posts but not seen the answer yet.  I'd be grateful if someone could help me out or point me in the right direction.
    I had BT Infinity 2 installed with the HH5 on Friday.  I have problems with browsing web pages.  When I click a link most of the time the page loads quickly without issue, but then occasionally the page won't load and the page will 'stick'.  It sometimes takes 30-60 seconds for the page to fully load, or there is a timeout.  Usually, reloading the page resolves this and the page loads really quickly again, but within a minute you will have the same issue.
    Also, I have downloaded a few files, from 300mb to 1gb.  Just like web browsing, the file download will stop and the only way to resume the download is to reboot the HH5.  I had to reboot the HH5 five times to download the full 1gb file.  I checked the connection and it's not dropping so I wonder why the connection just stops or sticks for a while.
    I know it can take a while for the connection to settle down but it shouldn't stop working.
    Am hoping someone could help me out with this as i need this for my business.
    With thanks,

    I would leave it alone for the next few days and do not keep restarting the Homehub. This will cause DLM (Dynamic Line Management) to kick in and lower your speeds because it will interpret the restarts as a fault. It is normal for the speeds to fluctuate during the training period. If things do not improve after the ten day training period post back for more advice.
