Cisco IPS OID specific log fields

I am setting up a third-party log server (a Check Point SmartEvent server) to log events from a Cisco IPS 4240. The setup requires configuring the OID-specific log fields of the IPS. Where do I get this information? I will appreciate your assistance.

I believe what you are looking for is available here:
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_snmp.html#wp1042408
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.383
Let us know if you need more info.
Regards,
Sawan Gupta

Similar Messages

  • Cisco ips logging options (SDEE, IME, Archiving)

    Based on the following post, Cisco IPSs can send basic syslog messages: https://supportforums.cisco.com/discussion/12180461/cisco-asa-5585-syslog-options-ips
    Does anyone know which messages are sent via syslog?
    Also, I understand the Cisco IME can be used to retrieve SDEE logs. I understand it can archive files. I need to make sure the logs are archived and kept for at least a year. My concern with Cisco IME is that I won't know if the IME application fails or not. I believe it needs to be running in order for it to retrieve the SDEE logs.
    Also, if the max number of archived files is ever hit, is it possible to move old files to another folder? And then move those files back when they need to be viewed in the IME?
    I am also hitting a dead end when it comes to finding alternatives for logging SDEE events. Splunk used to have a tool that could do this, but it is now deprecated. Anyone aware of any good SDEE retrieval tools?
    Any suggestions are appreciated.

    There are very few IPS-related syslog messages generated, primarily health of the overall sensor device or platform. Anything useful as far as actual IPS intrusion events, attempts etc. will only be available on the legacy Cisco IPS platforms via SDEE.
    Cisco IME (free, limited number of managed devices, runs on a PC without any real archiving etc.) is the least-cost option to retrieve and display the events.
    Stepping up in the Cisco offerings would be to use Cisco Security Manager. It does archiving, hierarchical storage etc. However, its days are numbered as Cisco revamps both the IPS and traditional ASA features to account for both their development of CX-related products (including IPS) and the SourceFire product line. I don't know that I'd recommend CSM for a new buy.
    If you have existing Cisco IPS and really need to archive the SDEE-retrieved events, then you could use LogRhythm or such as noted in the earlier reply.

  • Cisco ips ssm -- with cisco IME -- logs

    Hi, can anyone tell me how I pull the logs from the SSM module to the Cisco IME server for log analysis?
    I know that syslog is not supported in SSM and the only option is to have an IME server...
    -Rajesh

    You will need to add the IPS-SSM module to your IME, and it will automatically pull logs from the module once it has been added to your IME.

  • Cisco IPS 4260 - Monitoring

    hi!
    We have installed two Cisco IPS 4260 in our test environment and now want to monitor the inspection load, which is from my point of view much more important than the CPU load, with the open source network tool Cacti. I want to send alerts when a specific threshold has been exceeded.
    I already monitor the CPU load and the interfaces with SNMP. Do you know if it is possible to get the value of the inspection load of the IPS by SNMP?
    Which other parameters of the IPS sensors are important to monitor?
    Thanks!!!

    At this time the sensor's inspection load is not exposed via a SNMP OID.  There is an enhancement request to add SNMP monitoring of various sensor health metrics in a future release.
    Thanks,
    Scott

  • TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

    I would like to block TeamViewer in my network. We are using a Cisco IPS 4240 in IDS mode. I found that there are signatures for TeamViewer in the latest signatures.
    We have only configured a promiscuous interface; I read that we can issue TCP resets through the promiscuous interface as well (recommended is a dedicated TCP reset interface).
    However, in my case I found that the signatures for TeamViewer are not getting fired even after successful TeamViewer connections.
    I am a beginner in IPS; any inputs will be valuable for me.

    We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
    For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
    -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
    -1 looks for specific traffic to tcp port 5938 which would indicate Teamviewer's direct-connection method
    -2 looks for traffic indicating use over http when teamviewer is configured to use a proxy
    TCP resets are a best effort response, they aren't going to be a 100% effective stop

  • Hi Friends,help in purchasing new cisco IPS

    Hi Friends,
    I am working as a network admin in a telecom-based company and we have two leased lines of 2 Mb and 1 Mb bandwidth respectively. I have a Cisco ASA 5510 and I want to purchase a Cisco IPS.
    I am very fresh to this security field, so please kindly suggest which series of Cisco IPS is suitable for my company network.
    Any kind of help is appreciated.
    Thanks a lot in advance.

    Hi Arghadip,
    I have given my friend's user id; I checked in Workplace and it was not there, friend... how can I rectify this problem?
    Awaiting your reply, buddy.
    Regards
    Raju Aitha

  • Vpdn: searching for snmp oid to log out vpdn session

    Hello colleagues,
    Cisco 7204 works as vpdn server.
    There are two problems:
    1) I'm searching for an SNMP OID to log out (terminate) a VPDN session.
    2) The RADIUS server does not receive SNMP statistics of incoming traffic of VPDN users.
    Please, is anyone able to assist me?
    aaa new-model
    aaa authentication login default local
    aaa authentication ppp default group radius local
    aaa authentication ppp VPDN local group radius
    aaa authorization network default local group radius
    aaa accounting delay-start
    aaa accounting update periodic 3
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa session-id common
    vpdn enable
    vpdn-group 1
    ! Default PPTP VPDN group
    description HOMENET
    accept-dialin
    protocol pptp
    virtual-template 3
    interface Virtual-Template3
    ip unnumbered Loopback1
    peer default ip address pool vpdn-pool
    no keepalive
    ppp authentication chap VPDN
    snmp-server community xxxxxxx RW
    snmp-server chassis-id 0x0E
    snmp-server enable traps tty
    radius-server host x.x.x.x auth-port 1812 acct-port 1813
    radius-server timeout 60
    radius-server key 7
    radius-server authorization permit missing Service-Type
    Best regards, Petr Akimov

    Hello –
    I received a reply from the developer of the script, and listed below is the new code that was suggested:
    #!/bin/bash
    # Usage: script HOST COMMUNITY CRITICAL WARNING
    # Query hrSystemNumUsers (.1.3.6.1.2.1.25.1.5.0) and take the 4th field of
    # "HOST-RESOURCES-MIB::hrSystemNumUsers.0 = Gauge32: 15", i.e. the number.
    value=$(snmpwalk "$1" -v1 -c "$2" .1.3.6.1.2.1.25.1.5.0 | cut -d " " -f4)
    if [[ $value -gt $3 ]]
    then
        echo " $value Users Online, Critical!"
        retval=2
    else
        if [[ $value -gt $4 ]]
        then
            echo " $value users online, Warning!"
            retval=1
        else
            echo " $value Users online, fine."
            retval=0
        fi
    fi
    exit $retval
    I checked the server in question, and there were two, 2, user logins active on the system. I ran the snmpwalk command, and the output was the following:
    HOST-RESOURCES-MIB::hrSystemNumUsers.0 = Gauge32: 15
    I then modified the script to include the above text, and ran it again. The output was the following:
    15 users on line, Normal.
    For some reason, the value of 12 appears to be that for no users logged into the system. I am not sure why that is the case.
    If nothing else, progress has been made with the modification of the script. The SNMP service that I have installed on the server is that which came bundled as a feature with the server. The only thing that was not installed was the SNMP WMI Provider option.
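The 4260 monitoring thread above (polling the sensor over SNMP from Cacti and alerting on a threshold) and the hrSystemNumUsers script in this reply come down to the same pattern: read one SNMP gauge and map it to an alert level. The posted script has two weak spots. `cut -d " " -f4` blindly takes the fourth word, so an agent that answers "No Such Object available on this agent at this OID" yields the word "Such", and a timed-out poll yields an empty string; bash's `[[ -gt ]]` evaluates both arithmetically as 0, so a dead or misconfigured host is reported as "fine". And `[[ value -gt $3 ]]` works only because of that same arithmetic expansion of a bare name rather than an explicit `$value`. The POSIX sh rewrite below is an added example, not code from the thread or from Cisco; the function names `parse_gauge`, `classify` and `check_users` are my own, and it assumes net-snmp's `snmpget` is on PATH only when `check_users` is actually run against a host (the parsing and threshold logic run offline on the constructed sample lines).

```shell
#!/bin/sh
# Added example (not from the thread): a hardened version of the
# hrSystemNumUsers threshold check. Function names are my own; net-snmp's
# snmpget is assumed on PATH only when check_users is invoked.

# parse_gauge LINE
# Extract the integer from an snmpget/snmpwalk line such as
#   HOST-RESOURCES-MIB::hrSystemNumUsers.0 = Gauge32: 15
# Prints the number and returns 0; returns 1 when the line carries no
# integer (e.g. "No Such Object available on this agent at this OID" or
# "Timeout: No Response from ..."), so a failed poll is never mistaken
# for "0 users".
parse_gauge() {
  _v="${1##*: }"                 # text after the last ": " separator
  case "$_v" in
    '' | *[!0-9]*) return 1 ;;   # empty or non-numeric: refuse to compare
  esac
  printf '%s\n' "$_v"
}

# classify VALUE CRIT WARN
# Nagios-style exit codes: 0 = OK, 1 = WARNING, 2 = CRITICAL.
# VALUE must already be validated as an integer (see parse_gauge).
classify() {
  _val="$1"; _crit="$2"; _warn="$3"
  if [ "$_val" -gt "$_crit" ]; then
    echo "$_val users online, Critical!"
    return 2
  elif [ "$_val" -gt "$_warn" ]; then
    echo "$_val users online, Warning!"
    return 1
  fi
  echo "$_val users online, fine."
  return 0
}

# check_users HOST COMMUNITY CRIT WARN
# Polls the agent and classifies the result. Exit code 3 (UNKNOWN) when
# the poll fails or returns something that is not a gauge, instead of
# silently reporting "fine" the way the cut-based version does.
check_users() {
  _line=$(snmpget -v2c -c "$2" "$1" .1.3.6.1.2.1.25.1.5.0 2>&1) || {
    echo "UNKNOWN: snmpget failed: $_line"
    return 3
  }
  _n=$(parse_gauge "$_line") || {
    echo "UNKNOWN: unexpected reply: $_line"
    return 3
  }
  classify "$_n" "$3" "$4"
}

# Stand-alone use: sh check_users.sh HOST COMMUNITY CRITICAL WARNING
if [ "$#" -eq 4 ]; then
  check_users "$@"
  exit $?
fi
```

Wired into Cacti or Nagios, the UNKNOWN exit code is what makes the monitor itself observable: an unreachable sensor or an agent that does not implement the OID shows up as a distinct state rather than as a healthy zero.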

  • Cisco ips 4270 unequal cpu utilization

    I have 2 Cisco IPS 4270 devices with version 7.0(2)E4. When monitoring through IPS Manager, I am able to see 4 CPUs.
    On CPU 1 the utilization is showing near 100 percent. CPU 2 is showing zero or very little utilization. CPU 3 and CPU 4 are showing average utilization, nearly equal to 40 percent.
    I wonder why I am getting zero percent CPU utilization on CPU 2 and 100 percent utilization on CPU 1?
    Can we distribute the load among the four CPUs?
    Hey Cisco folks, please help.

    This was mentioned in a previous post, specifically the reply by Scott Fringer.  Post here:
    https://supportforums.cisco.com/message/3065777#3065777
    In Scott's post, he quoted the E3 engine release notes regarding CPU utilization (highlighting mine):
    The E3 signature engine update contains changes from CSCsu77935
    The resolution of this defect modified the idle time algorithm of the sensor by applying additional CPU to polling of the NICs to decrease the polling interval and reduce latency. This results in the CPU usage being reported higher than in previous releases, including using external tools such as top and ps.
    You can notice this additional CPU load on single-CPU platforms, as well as the primary CPU of multi-core systems. Since the additional CPU load that is reported while polling is actually available to process packets, and reduces as inspection load goes up, it does not negatively affect the overall throughput of the IPS.
    So, what you are seeing should be considered normal, and doesn't need correction.  That is, unless you are seeing packet loss.

  • Cisco IPS Manager 7.0.2

    Hi,
    I installed Cisco IPS Manager and it can see the AIP-SSM IPS. But I do not see any real-time logs and cannot create any report. What can cause this problem?
    Thanks

    It could be a lot of things, I would do the following:
    > To start off, verify if any events are coming in on the AIP-SSM itself (via GUI or console)
    > Is the 'Events Connection' showing as connected on the IME summary window?
    > Go to Events >> Historical >> Last x duration and see if any events came from the AIP-SSM
    > Double click the AIP-SSM (or right click and update the status) to get the latest certificate
    > Restart the IME service
    Regards
    Farrukh

  • Cisco IPS 4200 Series Feature

    Does the Cisco IPS 4200 support RADIUS for user authentication?
    Does the Cisco IPS 4200 support syslog for sending logging to an outside server?

    Are you kidding me? Then how do you explain the fact that security devices such as Check Point and ASA firewalls are allowed authentication via TACACS/RADIUS and you can send syslog back to a syslog server? Normally the information gets sent back via the Command and Control (C&C) interface, which should be on a secure network in the first place.
    This is a limitation of the IDS itself.
    I have not tried version 5.x or 6.x yet, but if they are similar to version 4.1, then they are nothing but a Linux box. You can "shell" into the box and install PAM on it so that you can use external authentication such as RADIUS/TACACS or even LDAP.

  • Cisco IPS Events Collector?

    I use CiscoWorks VMS / Security Monitor for my cisco ips sensors. I'm very familiar with the idsalarms utility for exporting event data to an xml file. But I would like to find a solution to pulling the events off the sensors without VMS or idsalarms. Is there another command line utility or standalone software that will connect to the sensors just for saving the events to a file?

    Hi Nitesh,
    I'm suggesting to deploy another log server and configure a remote log target to that server.
    Another way: you can configure log recovery in Monitoring Configuration > System Operations > Log Message Recovery.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/viewer_sys_ops.html#pgfId-1083029

  • WRVS4400NV2 IPS now blocking Cisco IPS Auto Update Server

    Yesterday I noted that my ASA5505 AIP-SSC5 card was failing to auto update as it had been doing without issue for months. I looked in the logs and the IPS was showing an HTTP Error when attempting to update. I checked and nothing had changed in the IPS configuration. Then, on a hunch, I checked the IPS log of the WRVS4400N which is the edge router for the small business network.
    The WRVS4400N IPS was blocking connections with the Cisco auto update server because it detected an RPC Anomaly in the traffic. So apparently, something has changed in the Cisco IPS auto update server (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) response that the Cisco small business router misidentifies as a threat...
    FYI-I also posted this issue to the small business router community discussion forum.

  • CS-MARS 4.3.1 and Cisco IPS 5.1(6)

    Hello everyone,
    I start this discussion as I think I'm experiencing something really strange with CS-MARS 4.3.1 (build 2600) and Cisco IPS 5.1(6).
    I upgraded today our MARS box from 4.2.8 to 4.3.1. And a bit later, I decided to migrate one of our IPS from 4.1 to 5.1.
    After all the upgrades, I deleted the old IDS 4.1 from MARS and recreated it. But I can't have MARS to communicate with the IPS! From the MARS box I can "telnet ... 443", I have a response, but MARS complains again and again of being not able to contact the IPS. "Try a telnet ... 443 from the MARS appliance to check if IP connectivity is present" is the message reported by the "View Error" after a "test connectivity" has been issued.
    The problem is that I need that first connection to make MARS subscribes to the IPS in order to receive the logs.
    I made a try with a 5.1 IPS already present before the upgrade : same result "Can't connect". But as the MARS box subscribed previously to the IPS, the logs are arriving.
    Does someone else have this strange behaviour?
    Regards,
    Jean-François Gobin

    hello,
    When I upgraded MARS to 4.3.1, I noticed that MARS doesn't receive any logs from the IPS, ASA and other reporting devices. But when I check the ASA and IPS, I'm pretty sure that the ASA and IPS were sending syslog alerts to MARS; the only problem is that MARS could not receive them. I can ping the IPS / ASA from the MARS console but it fails when I test the connectivity/discover in the web interface.
    I also executed the pnstart and pnstatus commands in the CLI console.
    This is what I get:
    [pnadmin]$ pnstart
    [pnadmin]$ pnstatus
    Configuration error: host name does not match janus.conf::janusBoxName.
    Please contact Cisco for support.
    [pnadmin]$
    Any ideas about this?...
    Carlou

  • Cisco ips 4200 - errsystemerror-ct-sensorapp.443 not responding

    Hi team,
    Has anyone come across the error below while accessing a Cisco IPS 4200 running version 7.0? The GUI closes automatically after this message.
    errsystemerror-ct-sensorapp.443 not responding, clientpipe failed.
    Regards

    Problem resolved by rebooting the device. It is documented by Cisco:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_qanda_item09186a008025c533.shtml
    Q. When I attempt to log in to IPS, I receive this error message: "errSystemError-ct-sensorAPP.450 not responding, clientpipe failed". How can I resolve this error?
    A. In order to resolve this error, use the reset command in order to reboot the IPS.
    Rate if this was helpful.

  • CISCO IPS 4270 rebooting again and again

    Dear Experts,
    We are facing a problem where a Cisco IPS 4270 keeps rebooting; attached are the logs.
    After entering username and password it again goes into a restart cycle.
    Appreciate your help.
    Muhammad Nasim

    You should try reimaging your sensor. If that doesn't fix this issue, you need to RMA the unit to Cisco.
    Cisco might just let you RMA the unit as is if you have a contract, but bringing it in is faster.
    - Bob
