CISCO IPS Global Correlation

Hi,
While enabling Global correlation, I understood that we need to configure proxy or DNS.
Also, I hope that needs to open the port (80/443) on the firewall for the management IP address of IPSto reach the cisco sensor database. If i'm correct what about the destination IP, do we need to enable "any" or specific IP is there.
ACL:
Source (IPS Management IP) -> Port (80/443) -> Destination?

Hi,
Global correlation features only contain external IP addresses, so if you position a sensor in an
internal lab, you may never receive global correlation information.
Source (IPS Management IP) -> Port (80/443) -Detination is https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
Regards
Rajeswar

Similar Messages

  • Cisco IPS (global correlation) is downloading lots of updates from the iron-port website

    I have query on Global correlation.
    Following is the observed behavior
    Scenario 1:
    Global Correlation Inspection: ON (Standard)
    Reputation Filter: ON
    Result: Global correlation downloads in bytes or KBs (observed on proxy)
    Scenario 2:
    Global Correlation Inspection: OFF
    Reputation Filter: ON
    Result: Global correlation downloads 4-5 MB every 5 Minutes (observed on proxy)
    This behavior has been observed on both IPS devices one by one. What we wanted the clarity on is why is does global correlation download so much of data when it is OFF, and downloads only minimal data when ON. The equation does not seem to be right.
    Request you for your prompt response.
    Regards,
    Neal

    Both global correlation and reputation filtering retrieve updates from the SensorBase network, or IronPort. By default, they communicate with the network every five minutes. This value cannot be changed by the IPS administrator.

  • ASA botnet filter vs ips global correlation

    Does the global correlation include the data from botnet filter? On Cisc's site it says this on the global correlation
    Customers deploying Cisco IPS can benefit from  Global Correlation in multiple ways. First, bad traffic from known  sources is stopped immediately. This includes zero-day attacks, for  which no traditional threat prevention currently exists, advanced  persistent threats (APTs), and botnet command and control traffic

    Hello Matt,
    Check the following info:
    Cisco ASA Botnet Traffic Filter
    This paper focuses on how Cisco Security Intelligence Operations relates to botnet threat identification, and its interaction with the Cisco ASA Botnet Traffic Filter. It is important to realize that a comprehensive security deployment should include Cisco Intrusion Prevention Systems (IPS) with its reputation based Global Correlation service and IPS signatures in conjunction with the security services provided by the ASA security appliance such as Botnet Traffic Filter.
    So I would say they both provide you security based on databases from the SIO but they will not be equal on their funcionalities, that is why Cisco recommend to use both when possible,
    Regards

  • IPS V7 Global Correlation

    Dear all,
    IPS Correlation update will be done through the Management interface right? So I should confirm the ability of the IPS Management IP address to be able to access internet right?
    I did so, but still not able to have global correlation update, what I am having each time I enable global correlation is a boost of traffic generated from the IPS and directed to the outside that is consuming the total internet link bandwidth.
    What could be the reason behind this boost, and how may I troubleshoot the reason why the correlation is not being updated.
    Regards,

    Hi,
    I had the exact same problem that I solved to day.
    Full connectivity but still the error:
    # sh statistics global-correlation
    Network Participation:
       Counters:
          Total Connection Attempts = 0
          Total Connection Failures = 0
          Connection Failures Since Last Success = 0
       Connection History:
    Updates:
       Status Of Last Update Attempt = Failed
       Time Since Last Successful Update = 3826 minutes
       Counters:
          Update Failures Since Last Success = 764
          Total Update Attempts = 22747
          Total Update Failures = 806
       Update Interval In Seconds = 300
       Update Server = update-manifests.ironport.com
       Update Server Address = 204.15.82.17
       Current Versions:
          config = 1236210407
          drop = 1312830724
          ip = 1312830846
          rule = 1312744926
    # sh events error error warning past 12:00
    evError: eventId=1304592381890230981 severity=error vendor=Cisco
      originator:
        hostId: xxxxxxxx
        appName: collaborationApp
        appInstanceId: 458
      time: 2011/08/11 00:38:28 2011/08/11 02:38:28 GMT+01:00
      errorMessage: name=errUnclassified A global correlation update failed: Failed download of ibrs/1.1/drop/default/1313021562 :
      URI does not contain a valid ip address
    Messages, like this one, in the category - Reputation update failure - were logged 49 times in the last 14699 seconds.
    I found a tip when searching that worked for me :
    Issue the: dns-secondary-server disable to flush DNS wait for GC to update again.
    Thanks to: http://doublef.org/archives/cisco-ips-global-correlation-update-failures 
    HTH
    Edit: I see a difference in our output, you don't have the ip address in update server field:
    Update Server Address = Unknown
    Might not bee the same problem.

  • "Global Correlation" = Critical - Cisco AIP-SSM-20

    We are getting this error on both IME and IDM. What causes this, and how does one resolve it?
    We are also not getting new events in IME - could this be related to the problem?

    correct..The sensor must operate in Inline mode so that the Global Correlation features can increase efficacy by being able to use the inline deny actions.
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html

  • IPS 7.X Global Correlation in IME question

    I was reading in the documentation for the new verison of IME that utilizes the new Global Correlation feature in IPS 7.X.
    Quick question: Is the Global Correlation module a separate feature that has to be purchased? If so, do you license it for the IME or do you license it per sensor device? Would anyone be willing to share the cost?

    The Global Correlation feature is licensed on the sensor rather than IME, but is not a new license, it is the same license used for signature updates. So the Cisco Service for IPS contracts provide the license that works for both Signature Updates and Global Correlation Updates.

  • IPS Tech Talk -Global Correlation

    Robert Albach of the Cisco IPS Team invites you to attend a Web seminar using WebEx. This event requires registration.
    The event is a 30 minute webinar on Global Correlation - its operation and how it works with your Cisco IPS. Following the presentation there will be Question and Answer period with members of the IPS development team.
    Topic: Cisco IPS Tech Talk 2010 Nov 18
    Host: Robert Albach
    Date and Time:
    November 18, 2010 10:00 am, Central Standard Time (Chicago, GMT-06:00)
    To register for the online event
    1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=204029379&t=a&EA=ralbach%40cisco.com&ET=6511931d5b5055f2311dc9824532002a&ETR=2c3560b429c7cfc0c2553092a899c175&RT=MiM3&p
    2. Click "Register".
    3. On the registration form, enter your information and then click "Submit".
    Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.
    For assistance
    You can contact Robert Albach at:
    [email protected]

    Will this event be available for viewing later?  10am CST is about 1am here in Korea, so I don't think I'll be able to attend live.

  • Cisco ASA SSM-10 Global Correlation critical

    Hello,
    I have a high value for Global Correlation parameter, which I generated my ips module is alarmed, how I can reset this value?
    Additionally, the automatical updates does not work properly in the module. What could be the problem?
    Thanks for you help.

    Ensure dns is configured on the sensor. It will need to communicate to receive updates. also ensure you have a valid license.
    Sent from Cisco Technical Support iPhone App

  • IPS-4420 Global Correlation status critcal

    How to check in the IPS 4420 is Globel correlation license are there or not?
    In IDS 4420 IDM event montor page I am facing two below problem
    1. Event Retrieval       =========== Critical
    2. Global Correlation  =========== Critical.
    I configure IPS box got to the Internet without proxy. But I don't how to check the IPS are connected to Cisco Global Correlation server?
    Why its shwoing critcal on Event Retrieval and Global Correlation.

    Are you planning to use the Global Correlation feature?
    Here is the information on Global Correlation for your reference:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html
    If don't want to use that feature, you can disable that in the sensor health metric section so it's not showing Critical.
    Similarly, for Even Retrieval, you can just disable that in the sensor health metric section. This is only useful if your IPS events are retrieved by an external monitoring system, eg: IME.
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2117358
    Message was edited by: Jennifer Halim

  • MARS 6.0.4 reporting for IPS 7.0 Global Correlation Reputation Filtering

    Does anyone know if there is a report available in MARS to see what IP addresses were denied by Reputation Filtering on IPS 7.0?
    I found a report that shows attacks that were prevented due to global correlation score, but not for packets denied by Reputation Filtering.
    Replies are greatly appreciated.
    Thanks,
    Mark

    Thanks for the reply, but what I am looking for is reporting on what packets were dropped with Reputation Filtering(doesn't have a report in MARS) Not the GLobal Correlation risk rating blocks(Which does have a report available in MARS).

  • Global correlation / reputation filtering in monitoring mode

    We use Cisco appliances primarily in monitoring mode.  We'd like to use the IPS reputation filtering / global correlation to alert us when we have connections to "bad" IP addresses (e.g. botnet, etc).  Is it even possible to use either of these features for this purpose?  According the the following document is appears there may not be alerts for packets denied before signature analysis.  Surely that can't be???
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_collaboration.html#wp1067283
    "Note This feature only applies to global correlation inspection where the traffic is allowed if no specific signature is matched. It does not apply to reputation filtering where the packet is denied before signature analysis, and no alerts are generated when packets are denied by reputation filtering. "

    Just listened to the techtalk on global correlation. about 16 minutes in...."we do not send events just to keep the load quiet".   Can someone from Cisco please confirm that this completely naive and poorly engineered facet of the solution still works this way? I'm sorry to sound like an arse, but I am so completely frustrated with the value we get out of these appliances.  Apparently, the ASA botnet functionality can do what we want, but not the stand alone IPS appliance....come on Cisco.

  • Global correlation can't updated

    version is IPS7.0, asa5520-aip-ssm.
    Singatrue and  IME can be sucessfully updated,
    Global correlation can't updated,
    the Status of global correlation is Critical.
    I saw the website
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html#wp1053280
    and updated following the web page. But  can't work it.
    How could I update global correlation
    or go back old sensorbase?

    The output provided clearly indicates that the AIP-SSM is unable to resolve the update server address.  The server name update-manifests.ironport.com is not user configurable.
    Do you have more than one DNS server configured?  If so, disable all but the primary DNS server.
    If you only have one DNS server configured, please verify the AIP-SSM's management IP address has unrestricted access to the Internet.  (At a minimum TCP ports 80 and 443 and UDP port 53).
    Scott

  • Global Correlation Risk Delta

    Hi,
    I'm currently working on Tuning a pair of IPS modules in ASA's. We are currently in Promiscous and tuning/filtering to ensure we don't block any valid traffic when making the switch to inline.
    We are using the new 7.0.1 code and getting the global correlation / reputation data - works great & rocks.
    When viewing the events - there is a paramater - "Global Correlation Risk Delta" -- Could someone explain to me what that is?
    I understand how it adjusts the RR based on reputation & have the chart (including it for those who do not have it - got it from a networkers prezo). However I am having a hard time figuring out what Global Correlation Risk Delta is/means/does...anyone know?
    Thanks,
    Brad

    Here is a basic description.
    Without Global Correlation (versions prior to 7.0, or version 7.0 with the feature turned off) all alert triggerings will have a Risk Rating calculated.
    How a Risk Rating is calculated is explained in the following White Paper on cisco.com:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7299.html
    Now with version 7.0 when Global Correlation is enabled there is now a new parameter added to the Risk Rating calculation ( + Global Correlation Risk Delta )
    The Global Correlation Risk Delta is either 0 or a positive value and so can keep the Risk Rating the same, or raise the Risk Rating, but will not decrease the Risk Rating.
    The Global Correlation Risk Delta is calculated based on both the Attacker IP address, and the Initial Risk Rating ( The Initial Risk Rating is the Risk Rating calculated without the Global Correlation Risk Delta).
    When Global Correlation is enabled in version 7.0 the sensor will download a Reputation Database from the cisco servers. This reputation database contains lists of Public IP Addresses that have been known to be sources of attacks in the past. With that database a Negative Reputation Score is determined for each Address in the database. The Negative Reputation Score could range anywhere from a -0.5 to a -10. If only a few atttacks have been seen from the address, the score may be only slightl negative in the -0.5 - -3 range. The worst offending Attacker IP Addresses could have negative scores in the -8 to -10 range.
    That Reputation Database is only for Public IP Addresses. So Private IP Addresses (addresses used only with NAT/PAT and are not Internet routable) will not exist in the Reputation Database.
    If the attacker IP Address is a Private IP Address, or is a Public IP Address that is NOT in the Reputation Database, then the sensor will automatically set the Global Correlation Risk Delta to 0.
    When added into the Original Risk Rating, the Risk Rating winds up the same (no change).
    So Global Correlation has no effect on Private IP Addresses, or Public IP Addresses that do NOT have Negative Reputation.
    It is only when the Attacker is from a Public IP Address with Negative Reputation that the Global Correlation Risk Delta is calculated.
    Internally the sensor has a formula to calculate what that Delta should be.
    The inputs to that formula are the Negative Reputation Score for the Atttacker IP, Original Risk Rating, as well as some proprietary variables for fine tuning the formula.
    All of these are inputs to the formula, and the one output is the Delta.
    The Delta is then Added to the Initial Risk Rating and results in a Higher Risk Rating.
    The chart from your first post is a result of plugging in the highest 20 possible Risk Ratings, and 20 possible negative Reputation scores, and uses the original proprietary variable settings, and shows you what the formula will output as the Global Correlation Risk Delta.
    So this should be used as just an example.
    The formula will still be used for Risk Ratings lower than 80 that are not shown on the chart, and will also be used for Negative Reputation Scores that are not neatly rounded to a 0.5 number.
    Also the proprietary variables are also subject to change, as we continue to fine tune the formula.
    So the chart you've posted is a good example of the type of Deltas that the formula can output.
    Because of this calculated Delta being added to the Risk Rating, the same attack coming from a known Negative Reputation Public Address will wind up with a Higher Risk Rating than the same attack coming from a Private IP Address (or even the same Public Address when not using Global Correlation).
    The sensor then has features for how it can then make use of the Risk Rating.
    And I will talk about this in the next post. I am limited by the number of characters in a single post or I would have put it into this post.

  • Global correlation events

    I have an ASA 5510 with an SSM-10 module. I have global correlation turned on and updating. When I look at the dashboard's "Global Correlation Report" I see packets that have been denied by global correlation. Can someone tell me how global correlation events are logged? I'd like to be able to see the raw data associated with the global correlation.
    Thanks.

    Hi,
    Take a look at this:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html#wp1065809
    As can be seen, whenever "global correlation" causes any kind of action to be taken by the IPS it produces an alert unless the packet is being denied by "reputation filtering" which does not produce any kind of alert. Also, "This feature only applies to global correlation  inspection where the traffic is allowed if no specific signature is  matched".
    I am not sure of all those fields in then alert but i have seen at least some of them. If you are not seeing any alerts with those fields, then global correlation may not be seeing any instances where it has had to modify the risk ratings and take appropriate actions for it, that is, you may not be receiving any kind of such packets from malicious hosts at all in the first place.
    Also, if you have "reputation filtering" on, you might want to turn it OFF to ensure it is not causing this behavior.
    Rregards,
    Prapanch

  • Global Correlation update Failure error

    Hello,
    I have received following error in IPS regarding global correlation update
    A global correlation update failed: ExecLoadCollabUpdate control transaction failed: Control transaction cannot be completed at this time
    is any one aware about this error? is it major issue and affecting IPS? I think this is because correlation update failure. Please let me know if any one has more information on this error

    Whenever a global correlation update fails, an evError event is generated. The error message is included in sensor statistics. The following conditions result in a status message with the severity of Error:
    •The sensor is unlicensed
    •No DNS or HTTP proxy server is configured
    •The manifest exchange failed
    •An update file download failed
    •Applying or committing the update failed
    For global correlation update fails, refer
    http://www.cisco.com/c/en/us/support/docs/security/ips-4200-series-sensors/50360-ids-faq.html

Maybe you are looking for

  • Is it possible to use Facetime between Mac and iPad with the same Apple ID?

    Hello, I have a MacBook Pro and an iPad. May MacBook is used by my wife and me at home. I take the Pad with me when I travel. On the MacBook I have and Apple ID registered. It is the same I use with the iPad. Do I need a differnt ID for my wife if we

  • ReCAPTCHA works in IE8 but not in Firefox - Graphics missing

    reCAPTCHA works in IE8 but not in Firefox All graphics, the challenge, option boxes, and logo do not appear.

  • Principal Propagation with SOAP sender

    Hello I've already read some blogs and SAP help about configuring the principal propagation (PP), those blogs explains details about the configuration with SAP (ABAP and Java) system. However in my case I have the third party SOAP sender application.

  • How can I hide completed To Do items in printed List format?

    I have iCal configured to hide completed To Do items. When I print my calendar in List view, however, iCal prints those competed and hidden To Do items. Why can't I hide completed items in List view as I can in Calendar view. Is my only option to del

  • Loading data into two cubes

    We want to set up a delta refresh from R/3 data that will pull data into two cubes.  One cube I want all the records to be loaded, in the second cube I want to filter the records that are loaded into that cube.  I can figure out how to load the data