Cisco IPS Tech Tips - Protecting Industrial Environments - Nov. 20 2012

Similar Messages

• Cisco IPS Tech Tips: Data Center Protections and Platforms

  Hello Cisco Community Forum Members;
  Robert Albach invites you to attend a 30-45 minute Web seminar on the Cisco   IPS internal operations using WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - Data Center Protections and Platforms
  Host: Robert Albach
  Date and Time:
  Thursday, July 19, 2012 10:00 am, Central Daylight Time (Chicago, GMT-05:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=206048546&t=a&EA=ralbach%40cisco.com&ET=ade69a0aa29f279471b6a85feae46a71&ETR=5b39cf5f535442c1763f090845d7ddd3&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click   "Submit".
  Once the host approves your registration, you will receive a confirmation   email message with instructions on how to join the event.
  For assistance
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and   any documents and other materials exchanged or viewed during the session to   be recorded. By joining this session, you automatically consent to such   recordings. If you do not consent to the recording, discuss your concerns   with the meeting host prior to the start of the recording or do not join the   session. Please note that any such recordings may be subject to discovery in   the event of litigation.

  The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
  This one will be posted a few days after the event.
  -Robert

• Cisco IPS Tech Tips: 2010 Dec 16 - show tech commands

  Robert Albach invites you to attend a Web seminar using WebEx. This event requires registration.
  IPS Tech Tips are monthly webinars lasting approximately 30 minutes with question and answer to follow. This month’s event will focus on the “show tech” command and its potential relevance to your IPS operation.
  Topic: Cisco IPS Tech Tip 2010 Dec 16 - Show Tech
  Host: Robert Albach
  Date and Time:
  December 16, 2010 10:00 am, Central Standard Time (Chicago, GMT-06:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=205452108&t=a&EA=ralbach%40cisco.com&ET=72ce549014a807001ae666a6d82dcc7c&ETR=6ff5ff3ebf442ab68017b906c9ead1a7&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click "Submit".
  Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.
  For assistance
  You can contact Robert Albach at:
  [email protected]
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, discuss your concerns with the meeting host prior to the start of the recording or do not join the session. Please note that any such recordings may be subject to discovery in the event of litigation.

  The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
  This one will be posted a few days after the event.
  -Robert

• Cisco IPS Tech Tips: 2010 Dec. 16 - Show Tech Part 1 Recording

  Hi Cisco IPS Users,
  I've attached the recording from our last Tech Tips regarding the "show tech" command. We hope that you will find this of value in the operation of your Cisco IPS.
  As always feel free to leave comments on the content or future subjects you would like to see us address.
  The continuation of this discussion will take place today (Jan 27th).
  Thanks,
  -Robert
  Robert Albach
  IPS Product Management
  [email protected]

  The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
  This one will be posted a few days after the event.
  -Robert

• IPS Tech Tips: IPS Best Practices with Cisco Remote Management Services

  Hi Folks -
  Another IPS Tech Tip coming up and this time we will be hearing from some past and current Cisco Remote Services members on their best practice suggestions. As always these are about 30 minutes of content and then Q&A - a low cost high reward event.
  Hope to see you there.
  -Robert
  Cisco invites you to attend a 30-45 minute Web seminar on IPS Best   Practices delivered via WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - IPS Best Practices with Cisco Remote Management   Services
  Host: Robert Albach
  Date and Time:
  Wednesday, October 10, 2012 10:00 am, Central Daylight Time (Chicago,   GMT-05:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=203590900&t=a&EA=ralbach%40cisco.com&ET=28f4bc362d7a05aac60acf105143e2bb&ETR=fdb3148ab8c8762602ea8ded5f2e6300&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click   "Submit".
  Once the host approves your registration, you will receive a confirmation   email message with instructions on how to join the event.
  For assistance
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and   any documents and other materials exchanged or viewed during the session to   be recorded. By joining this session, you automatically consent to such   recordings. If you do not consent to the recording, discuss your concerns   with the meeting host prior to the start of the recording or do not join the   session. Please note that any such recordings may be subject to discovery in   the event of litigation. If you wish to be excluded from these invitations   then please let me know!

  Hi Marvin, thanks for the quick reply.
  It appears that we don't have Anyconnect Essentials.
  Licensed features for this platform:
  Maximum Physical Interfaces       : Unlimited      perpetual
  Maximum VLANs                     : 100            perpetual
  Inside Hosts                      : Unlimited      perpetual
  Failover                          : Active/Active  perpetual
  VPN-DES                           : Enabled        perpetual
  VPN-3DES-AES                      : Enabled        perpetual
  Security Contexts                 : 2              perpetual
  GTP/GPRS                          : Disabled       perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 250            perpetual
  Total VPN Peers                   : 250            perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  This platform has an ASA 5510 Security Plus license.
  So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

• IPS Tech Tip - Evasions - TCP/IP examples and handling - Sig team presentation

  Hi Customers,
  Its summer time and nothing evokes cool quite like a discussion into the TCP / IP stack and how creative attacker types try to hide attacks behind it. This presentation will feature a security researcher from our signature team and will be the first of several presentations on evastions and how the Cisco IPS handle them.
  We hope that you can make it.
  Thanks,
  -Robert
  Robert Albach invites you to attend a 30-45 minute Web seminar on the Cisco IPS internal operations using WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - Handling Evasions
  Host: Robert Albach
  Date and Time:
  August 25, 2011 9:30 am, Central Daylight Time (Chicago, GMT-05:00)
  To register for the online event
  1. Go to https://ciscosales.webex.com/ciscosales/onstage/g.php?d=201261254&t=a&EA=ralbach%40cisco.com&ET=64ed8e6d81005252203f6671cfeee480&ETR=fb46b8799a6afe989e9a744f0fac0d77&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click "Submit".
  Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.

  Sadly we did not get the recording done. The presentation and the example pcaps  however are on this forum now.
  -Robert

• IPS Tech Tip - "show tech" command part 2 - IPS dev team webinar

  Hi Folks,
  The IPS product management and development team would like to invite you to this 30-40 minute webinar followed by Q&A sessions. These will be recorded and put on this forum as well. We hope you can attend.
  -Robert
  Robert Albach invites you to attend a Web seminar using WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - show tech part 2
  Host: Robert Albach
  This month's Cisco IPS Tech Tip will continue December's show tech command discussion. The show tech command holds a wealth of information regarding your IPS's performance and status. Cisco IPS development team members will continue to talk about what all this information means to you and then answers your questions.
  Date and Time:
  January 27, 2011 10:00 am, Central Standard Time (Chicago, GMT-06:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=202882129&t=a&EA=ralbach%40cisco.com&ET=85576c2dbfd6dca4b756de40b6728a2b&ETR=5d7e40b0e38f564be0a8bd55114369fc&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click "Submit".
  Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.

  Sadly we did not get the recording done. The presentation and the example pcaps  however are on this forum now.
  -Robert

• IPS Tech Tips - Introducing NGFW with IPS

  Robert Albach invites you to attend a 30-45 minute Web seminar on the Cisco new NGFW with IPS and its operations. This event requires registration.
  Topic: Cisco IPS Tech Tips - Introducing NGFW with IPS
  Host: Cisco Security Group
  Date and Time:
  Thursday, December 19, 2013 10:00 am, Central Standard Time (Chicago, GMT-06:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=207672622&t=a&EA=ralbach%40cisco.com&ET=5a30e5f0d7b86e89044459f4fac9065e&ETR=6d878102a33643d67bc6b9d3df08da27&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click "Submit".
  Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.

  The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
  This one will be posted a few days after the event.
  -Robert

• IPS Tech Talk -Global Correlation

  Robert Albach of the Cisco IPS Team invites you to attend a Web seminar using WebEx. This event requires registration.
  The event is a 30 minute webinar on Global Correlation - its operation and how it works with your Cisco IPS. Following the presentation there will be Question and Answer period with members of the IPS development team.
  Topic: Cisco IPS Tech Talk 2010 Nov 18
  Host: Robert Albach
  Date and Time:
  November 18, 2010 10:00 am, Central Standard Time (Chicago, GMT-06:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=204029379&t=a&EA=ralbach%40cisco.com&ET=6511931d5b5055f2311dc9824532002a&ETR=2c3560b429c7cfc0c2553092a899c175&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click "Submit".
  Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.
  For assistance
  You can contact Robert Albach at:
  [email protected]

  Will this event be available for viewing later?  10am CST is about 1am here in Korea, so I don't think I'll be able to attend live.

• Evaluating cisco IPS AIP-SSM-10 allong side Tipping Point S330

  Hello all,
  What are your thoughts on this matter?  I am also going to be looking at the Palo Alto solution for IPS as well.
  I'm probably going to use the cisco 4200 sensors if they offer multi segment like the tipping point does. 
  I'm looking at protecting the perimiter but NOT replacing my current firewall.  The current firewall is the Microsoft TMG.
  I like what I see on the Cisco IPS express.  I've also looked at the CSM for management.  It seems that Cisco is a lot more flexible when it comes to editing and managing the signatures.
  ARe there similar experiences out there that you would like to share?
  Thanks!
  Kurt

  Both products are pretty strong. But Tipping point have a much more comprehensive, promptly updated, and a well managed signature base. Both products can monitor multiple segements (terminologies are different).
  A good way to compare is to subsribe to their IPS signature updates and see the difference, I mean both from Cisco and DV labs
  BR
  Farrukh

• Cisco ips 4206 Analysis Engine not running

  Cisco IPS 4206
  AnalysisEngine     BE-BEAU_E4_2010_MAR_25_02_09_7_0_2   (Ipsbuild)   2010-03-25T02:11:05-0500   NotRunning  
  Sensor health is showing critical .
  Application showing failed .
  Can any body help me on this,.

  We have had this issue in the past with our sensors and the only way that we were able to clear it was with a reboot of the sensor.  If you decide to reboot then you should probably do a "show tech" before the reboot and open a case with support to see what the root cause of the issue was.

• Cisco IPS make slow copy between linux server

  we have 3 subnet A, B, C . Each subnet have some linux servers. Subnet C is protected by cisco IPS 4270.
  1)If we config IPS to bypass traffice, copy speed between servers around 10MB/s -> 25MB/s.
  2) IF  IPS protect subnetC.
  When we copy file from a serrver of SubnetC to subnet A or B, copy speed increase from min to around 20MB/s.
  And when we copy file from a serrver of SubnetA or B to subnet C, copy speed very slow around 700kB/s-> 2MB/s
  The server used command "scp .... "
  So we think there are signatures we should tuning. we have CSM but we havent seen any relate events about this problem.
  Help me check this problem!

  Hello,
  You can do what Jon mentioned, you might see a signature being triggered when Host C takes place but if by any chance you do not then create captures for both traffic flows (With C and Without C).
  Afterwards compare
  You might find some weird in that TCP session that involes C (packet loss, then retransmissions, ooo packets, etc).
  Make sure you correlate all of the information
  Rate all of the helpful posts!!!
  Regards,
  Jcarvaja
  Follow me on http://laguiadelnetworking.com

• Tech Tip of the Week: Windows Powershell CMDlets

  This week’s tech tip is for all you Windows PowerShell users.If you’re using PowerShell,  you may already know about CMDlets. If not, this post is sure to excite you, as CMDlets (pronounced “command-let”) are nifty commands that will ease the process of using
  Powershell. 
  Here are 5 CMDlets to get you started:
  1. Get-Recipient | Where {$_.EmailAddresses –match “[email protected]”}
  This CMDlet will find an email address that is inside of the quotes.
  2. (Get-Mailbox) | ForEach {Set-Mailbox $_.Identity –RetentionPolicy “Contoso-Policy”}
  This CMDlet applies a single retention policy to all users.
  3. Get-MSOLUser | Set-MSOLUser –PasswordNeverExpires $true
  This sets all users passwords to never expire (Requires Azure Module)
  4. (Get-Recipient) | ForEach {Add-RecipientPermission –identity $_.PrimarySMTPAddress –trustee [email protected] –AccessRights SendAs –Confirm:$Y}
  This gives a single mailbox SendAs rights to all other recipients (groups, mailboxes, external contacts).
  5. (Get-Mailbox) | ForEach {Enable-Mailbox –identity $_.PrimarySMTPAddress –Archive}
  This CMdlet turns on archiving for all mailboxes
  Try out these CMDlets and let us know what you think!

  This week’s tech tip is for all you Windows PowerShell users.If you’re using PowerShell,  you may already know about CMDlets. If not, this post is sure to excite you, as CMDlets (pronounced “command-let”) are nifty commands that will ease the process of using
  Powershell. 
  Here are 5 CMDlets to get you started:
  1. Get-Recipient | Where {$_.EmailAddresses –match “[email protected]”}
  This CMDlet will find an email address that is inside of the quotes.
  2. (Get-Mailbox) | ForEach {Set-Mailbox $_.Identity –RetentionPolicy “Contoso-Policy”}
  This CMDlet applies a single retention policy to all users.
  3. Get-MSOLUser | Set-MSOLUser –PasswordNeverExpires $true
  This sets all users passwords to never expire (Requires Azure Module)
  4. (Get-Recipient) | ForEach {Add-RecipientPermission –identity $_.PrimarySMTPAddress –trustee [email protected] –AccessRights SendAs –Confirm:$Y}
  This gives a single mailbox SendAs rights to all other recipients (groups, mailboxes, external contacts).
  5. (Get-Mailbox) | ForEach {Enable-Mailbox –identity $_.PrimarySMTPAddress –Archive}
  This CMdlet turns on archiving for all mailboxes
  Try out these CMDlets and let us know what you think!

• Tech Tip of the Week: Syncing Distribution Groups in Office 365

  Having trouble getting your distribution groups to sync when migrating to Office 365?
  We recently worked with a customer who had over 300 distribution groups that were not syncing to Office 365. Upon review, we noticed that the distribution groups did not have a Display Name.
  Here are the steps we took in order to resolve the problem:
  1. Open ADUC “Active Directory Users and Computers “On the top menu click on view and select Advanced Features.
  2. Find the Distribution List that is not syncing to your Office 365 tenant > right click the Distribution List > select Properties > click on the attribute editor tab.
  3. There are a couple attributes that must be filled out in order  for it to Synchronize to Office 365.
  Attributes: mail,
  displayName – if they do not have any data, fill it in. Once completed click ok.
  4. Open the MIISClient. This is located on your DIRSYNC Server. The default path is: “C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe”
  5. Click on Metaverse Search > input the following:
  Attribute: Mail
  Operator: Contains
  Value: 
  “Email Address of the DG”
  6. Once filled in click on search > double click the search results > click on the connectors tab. Note: If
  you only see SourceAD Management Agent, perform the following:
  7. Click on Management Agents > Right click SourceAD > click on Run > click on Full Import Stage Only > click on ok.
  8. Right click SourceAD > click on run > click on Full Sync > click on ok.
  9. Right click TargetWebService > click on Run > click on Full Confirming Import Stage > click on ok.
  10. Right click TargetWebService > click on Run > click on Full Confirming Sync > click on ok.
  11. Right click TargetWebService > click on Run > click on Export > click on ok.
  We hope you found this week’s Tech Tip useful! Do you have a problem you want us to solve in our Tech Tip of the week series? Let us know!

  Check to see that your remote session is still active, using Get-PSSession.

• TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

  I would like to block teamviewer in my network. we are using CISCO IPS 4240 in IDS Mode. I found that there are signatures for teamviewer in latest Signatures.
  We have only configured promiscuous interface, I read that we can issue TCP resets thru promiscuous interface as well (recommended is dedicated tcp reset interface).
  However in my case, I found that Signatures for teamviewer is not getting fired even after getting successful teamviewer connections.
  I am a beginner is IPS, Any inputs will be valuable for me.

  We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
  For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
  -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
  -1 looks for specific traffic to tcp port 5938 which would indicate Teamviewer's direct-connection method
  -2 looks for traffic indicating use over http when teamviewer is configured to use a proxy
  TCP resets are a best effort response, they aren't going to be a 100% effective stop