Cisco NM-IPS-K9 running 7.0

Similar Messages

• Cisco IOS IPS - How to manage signatures?

  Hello everyone,
  I'd like to efficiently tune signatures in IOS IPS on one router, a 1941. Available options I found are:
  CLI: not efficient to tune a group of signatures (example: Windows OS)
  CCP 2.7 (Windows GUI): best tool I know, but not efficient, since:
  a bit bugged (sometimes won't work on some computers)
  needs IE9 to work fine, thus excluding its use on W8/W8.1
  turnaround to use onIE10/IE11 won't always work (one computer refuses to keep compatibility view settings, for example)
  not able to efficiently sort signatures, using several criteria (main drawback)
  not able to exclude sets of signatures - like compile failed signatures
  CCP 2.8: only available in express version. I installed it, but did not see a tab about signature tuning ...
  Cisco Security Manager is complete overkill, since it needs a license and a server. Not simple to tune IPS on only one router ;-)
  IPS Manager Express: seems a nice tool, but mainly designed for IPS sensors and firewalls, and not able to tune signatures for a router.
  So, if one of you has an idea about a tool, whether Cisco or 3rd party, running preferably on Windows, it is very velcome!
  Thanks!

  Hello Will,
  I have only played with the CLI and with that I was able to selective enable the signatures I wanted (even using the sub-id intentifier), changed the action,compile the ones required, etc.
  If this is what you are looking for when refering to tune signatures CLI will be fine, if more than that is needed well you have all of the software that you could use.
  No other software available
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  http://laguiadelnetworking.com

• Cisco ASA IPS vs Bruteforce

  Who can help me, I need device that will block bruteforce attack to our webmail servers, 5 wrong password input = block for 10 min, for example.
  Can I use for this Cisco ASA IPS?

  Depending on how your specific webmail server works, perhaps you could use/tune:
  SIG 6256.0 (HTTP Authorization Failure)
  -or-
  SIG 20020.0 (HTTP Authentication Brute Force Attempt)
  Or, create a custom signature based off of one of the above.

• Cisco ASA IPS SSM-10

  Hello,
  I just upgraded one of my Cisco ASA IPS SSM-10 from version 7.0 (6) E4 to version 7.0 (7) E4 and the Radius authentication stopped working. I use Microsoft 2008 Radius and I still have 10 more of these working with version 7.0 (6) E4.
  I used to have the same Radius authentication issue with version 6 until we upgraded to ver 7.0 (6) E4 and this latest version screwed up again.
  Does anyone know if there is a Radius authentication bug in this latest version 7.0 (7) E4?
  Thank you
  Si

  There is a known issue CSCty46104. However a show-tech log can give more details as to why there was a failure in your case.
  Regards
  Sawan Gupta

• HA for Cisco IDS/IPS 42xx appliances

  Can anyone refer me to documentation on the Cisco site that talks about high-availability options and configuration examples for Cisco IDS/IPS 42xx appliances? Thank you in advance.

  I am also interested in understanding the high availability options.
  I found the following in the IPS V5 datasheet:
  Auto and manual sensor bypass configuration-High availability can be achieved through numerous mechanisms for Cisco IPS sensors. Resiliency and redundancy can be delivered through unique network collaboration, for example, hot Standby Router Protocol (HSRP) configuration and Cisco EtherChannel® load balancing on Cisco Catalyst switches to divert traffic to a secondary IPS device upon the failure of a primary device.
  I would like to have more info about how to divert traffic to a secondary IPS device; info about HSRP and EtherChannel load balancing as it relates to IPS. Is this HA option only available in bypass mode? Thanks.

• Cisco IOS IPS on 2811

  Hi,
  Is it possible to install NM-CIDS-K9 Intrusion module on a Cisco 2811 and run IPS 5.0 on it ? i.e. with similar functionality to a IPS 4200 series appliance.
  From what i understand that you can do the above but the module will only work as IDS and not as in-line IPS (ability to drop packets etc) ?
  Are there any routers that can have a Network module running in IPS mode to provide the same functionality as IPS appliance (4200 etc) ?
  Is it correct that IOS IPS is only a fraction of the appliance based IPS ?
  Regards \\ Naman

  I am not really sure if there are any routers that can have a Network module running in IPS mode to provide the same functionality as IPS appliance as such, but the module will only work as IDS and not as in-line IPS

• Cisco 4240 IPS Inline and CDP neighbor

  Has anyone seen IPS device block CDP or prevent CDP?
  I was told that the Inline IPS device is preventing the use of CDP.

  Found that the CDP issue is a reported bug.
  CSCsg45642 Bug Details
  Symptom:
  CDP traffic is not passed from one interface to the other in an inline pair.
  Conditions:
  Sensor running 5.1.1 or later configured in inline mode. Bypass mode enabled or disabled.
  Workaround:
  None at this time.
  Further Problem Description:
  http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg45642

• Cisco IOS IPS in Cisco 2921/k9 router

  Hi All,
  I have a router of Cisco 2921 series (C2921/K9) basic box with IP BAse IOS image (SL-29-IPB-K9 IOS). I would like to enable IOS Level IPS feature on this Router now. Based on the Cisco Document i have found i need to purchase an additonal subscripton license to enale the IPS feature. My querry is-
  Will it support on the Basic IP Base IOS or do i need to change the IOS?
  If i need to purchase the Subscription Licesne, how can i get the part number and cost for the same?
  Do i need to buy any addtional module for this like (NME-IPS-K9) ?
  Thanks in advance for your quick support
  regards
  Sunny

  Hi Sunny
  1. Yes you can enable IPS on IOS with the security license, without buying a subscription, but this would make little sense - new signatures are being released all the time so you would not be protected from recently discovered vulnerabilities/attacks.
  2. Correct, the modules and appliances run a different kind of software and are much more powerful
  3. If you add the module, you do NOT need the security license. It would still be advised to get a subscription license to get signature updates for the module.
  I hope this helps, let us know.
  regards
  Herbert
  jacob.samuel wrote:Dear Herbert,Thanks alot for the wonderful post. It clear most of my doubts. Still i kindly need to know few more points-1)  Cant we enable IPS Feature on 2921/K9 router (with Sec license or 2921Sec/K9 bundle) without signature subscription license (is it a must? it is for getting updates of signatures and for support only, right?)2)  I came to know from a distributor pre-sales engineer that the Cisco IOS Level Intrusion Protection is not going to provide the full feature of IPS like NME module or IPS Applinace. Is that right?3)  If i add NME-IPS-K9 Module to my 2921 Router, without enabling Sec License, can i enable IPS feature on the Router. Or is it a must that i need to buy Sec License (SL-29-SEC-K9)?Attaching the Datasheet of NME-IPS-K9 module (Page num 5 above Table 3) mentione as follows-Cisco IOS Software Feature Sets and ReleaseTable 3 lists the required Cisco IOS feature sets and releases for Cisco IPS AIM and IPS NME on the Cisco 1841,
  2800 and 3800 series Integrated Services Routers Note that, IPS NME on the Cisco 2900 and 3900 Integrated
  Services Routers does not require a Security Feature license.
  In that case if i buy a module i can install it on the 2921K9 box directly and can enable the IPS feature right? I dont need any License and additonal signature subscription here to enable the IPS feature (if i dont need signature updates and support) right?
  thanks alot for the support.
  regards
  Sunny

• Cisco Connect does not run with Mac OSX Mountain Lion (10.8.2)

  When I first installed Cisco Connect that came with my E1500 router, I was running Mac OSX Snow Leopard (10.7) and it worked fine.  I upgraded my OSX to Mountain Lion and now when I start Cisco Connect, I get:
  Unsupported operating system
  The router software supports these operating systems:
  - Mac OS X 10.5.8 or later
  - Mac OS X 10.6.1 or later
  - Mac OS X 10.7 or later
  I saw some other thread/info/download on Cisco Connect with Lion (10.7) but nothing for Moutain Lion (10.8) - is there a fix forthcoming?
  Thanks
  Gary

  All i want to do is disable the guest function through cisco. i live in an apartment and everyone logs into my guest account. i was at my neighbours and they were laughing saying they done need to subscribe for the internet cause they just log onto local wi fi. and mine is one of them. i dont know if that'll slow down my internet with so many people using it. but all i want to do is just avoid it all together and get rid of it. but in this case i am having the same problem as all of you. to disable the guest function you need to go through cisco connect and it is not compatible with mac osx mountain lion. grrrrrrr

• Cisco mobile does not running in the background ont my ipad

  Hi
  I have a Cisco Callmanager 7.1.5, an ASA5510, an Iphone and an Ipad
  I have configure the VPN on my iphone and my ipad and I can make a VPN connection to the ASA through the WIFI
  I have configure the  Cisco Mobile 8.1.2.3245 on my iphone and my ipad.
  If the application is open, I am connected to the CCM and I can make and receive calls.
  On the iphone when the application is  running in the background, its good I can receive calls
  On the ipad when the application is running in the background, I can't receive calls, I am unregistered
  On the ipad, if I disconnect the VPN, and make a WIFI connection on my local network. When the application is running in the background, I can receive calls.
  It is an ipad2 with iso 5.0.1 (9A405)
  I reverse the ID of the IPAD and IPHONE, and it is the same.
  The problem is only on the IPAD when there is my VPN connection
  Could you help me?
  Thanks
  nicolas

  A double click on the Home button will reveal a tray containing all apps that are currently running (suspended?).
  Side swiping this will reveal as many as are active, with a swipe to the right when on the first display will reveal further controls for the iPad, mainly relating to the iPod part, but also containing a screen lock option I believe.
  Click and hold any one of them till they 'jiggle' and show a - you can then click this to remove it, relaunching the app as required in the normal way.
  Regards,
  Colin R.
  Message was edited by: Colin Robinson
  PS Tap the Home button once to get out of this mode.

• Cisco Agent Desktop software running multiple times in Task Manager

  Has anyone seen an issue with Cisco Agent Desktop v 6.6(1) where after closing the program completely it stays running in Windows Task Manager. We have the Agent software installed on 8 PCs and only one of them is having this happen to them. One time the PC had 15 instances of Agent.exe running in Task manager. A reboot of the PC corrected the issue, however when the issue does happen her chat box within the Agent software shows as Initializing and the agent's name appears and reappears on the Supervisor Desktop software.
  If anyone needs any other info as to the versions we're using or anything else please let me know. I have searched all over the net for a solution and haven't found anything. My next step is to do a TAC case, but I wanted to post something here to see what responses I got.
  Thanks,
  Nick

  Hi Nick,
  Check this bug:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd75811
  Multiple Agent.exe Instances Created Causing CAD Agent to Disappear.
  Regards
  Gurpreet

• Cisco Messaging Interface-Not Running

  Hi All,
  On the UCM 6.0 the Cisco Messaging Interface service is activated and when i check the status in 'control center feature services' it shows 'Not Running' and 'Activated'. If i start and refresh the page it again shows as 'Not Running'

  Hi Vineet,
  This interface is only used in CCM to Legacy VM integrations (via SMDI) if you are not setup that way this is why you are seeing this :)
  Cisco Messaging Interface Service
  The Cisco Messaging Interface allows you to connect a simplified message desk interface (SMDI)-compliant external **Third Party** voice-mail system with the Cisco CallManager. The CMI service provides the communication between the voice-mail system and Cisco CallManager. The SMDI defines a way for a phone system to provide a voice-mail system with the information needed to intelligently process incoming calls.
  Genrally the Cisco Messaging Interface (CMI) is a Cisco CallManager service that should be run only on the publisher server. This service intercepts calls destined for voicemail and generates appropriate SMDI messages, which are then delivered to one of the server's Component Object Model (COM) ports.
  From this doc;
  http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a008037e2f3.html#wp1024396
  Hope this helps!
  Rob

• NME-IPS K9 running in 3845 not accessible

  I am not able to ping or ssh into my IPS module. I am not able to access it via the router either. When I try to create a session via the router I get the following : Trying xx.xxx.xxx.xxxx, 2114 Open..... and it just sits there. Is there another way to access it and/or reboot the module, without restarting the router.

  Hello,
  1. You can reset the NME-IPS module from the Router CLI.
  This will only reset the NME-IPS not the Router.
  router# service-module ids-sensor 1/0 reset
         Use reset only to recover from shutdown or failed state
         Warning: May lose data on the hard disc!
         Do you want to reset?[confirm]
  http://tools.cisco.com/squish/b63A4
  2. After it comes back up, check if the module is responsive.
  You can also issue: 'show inventory' and check if the module is even detected by the router.
  If the module is not even detected by the router, it may be an hardware issue.
  3. Check if the module is correctly configured.
  Check my configuration document for this.
  https://supportforums.cisco.com/docs/DOC-12364
  Sid Chandrachud
  TAC Security Solutions

• Cisco IOS IPS ?

  Hi,
  I am currently studying CCSP SNRS by Greg Bastien. I have the following Lab scenario and would like clarification on what I am seeing. I want to verify that my IPS setup is working, so I have run 'angry ip' port/ip address scan at the router. When I use 'sh ip ips statistics' I see 'signature 3051:1 packets checked: [0:1]' which translates to 'TCP Connection Window Size DoS ATOMIC.TCP'.
  Is this signature 3051 an indication that the router has seen the IP scan ? and considered this a reconnassaince attack. Are there any other ways of verifying the attack ?

  Hi,
  If you see signature alert messages, then it means there is a match and IPS fires an alert message which is the default setting of a signatures.
  In your case, it only means that the 3051:1 signature saw one packet matching, so it just recorded the information. For this signature to fire (which means for ips to identify an attack, it has to check other parameters as well).
  If you look into the details of the definition of this signature, it has a global summary threshold and summary interval settings. Which means the ips has to see this signature match within the summary interval for the number of times defined in the summary threshold, then it will validate a signature match, thus send alarm and perform actions defined in the signature.
  So in your case, it just shows there is a packet matching this signature. You might be able to find more detailed information if you run a sniffer and capture your "angry ip' traffic sent to the router.
  Thanks,
  -Chris

• ARP Poisoning & Cisco IDS/IPS Solutions

  I am trying to find out if someone familiar with Cisco's IDS/IPS (network and/or host-based) solutions can tell me if the product(s) can identify and/or prevent ARP poison routing attacks. If so, does it require customizing signatures or is there out of the box detection signatures?
  Thanks for any information

  There are some. Go here and do a search for "arp":
  http://tools.cisco.com/security/center/search.x?search=Signature
  Perhaps it goes without saying, but remember that the sensor has to see the relevant layer 2 traffic for these to work.