Correlating Cisco ASA-SSM-IPS Events/Logs

I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this device is the ability to monitor, analyse, and correlate security events. Can anybody help with documentation to simplify daily (or periodic) analysis and correlation of the IPS logs? As I am not yet up to speed with this task, a "How-to" document would be just fine. Thank you.

Hi Chris,
Good to have you get on the case. I am yet to set up an IPS manager software. Presently, I use an ASDM 6 interface; with this interface, I am able to view events and alerts, and perform other administrative chores... The IPS Manager Express, does it come bundled with our device purchase? Does it contain the necessary templates/docs for correlating events/logs?

Similar Messages

  • CISCO ASA SSM-10

    I have an ASA 5520, and I have a Cisco ASA SSM-10, but I'm not sure how to work with it. My problems are here:
    1. What software do I need to get this to work?
    2. From the RJ45 connection on this module, where does it connect to?
    3. Give me some guide to configure it and test to see if it works.

    Hi,
    you need to do a couple of things to get this to work.
    1. Configuration on the ASA to forward the traffic to the module
    2. Choose whether you are going to plug the IPS in inline/promiscuous mode
    3. Configure the IPS module
    Configuring the ASA to forward the traffic to the module:-
    access-list IPS extended permit ip any any
    class-map IPS
      match access-list IPS
    policy-map global_policy
      class IPS
        ips inline fail-open
        ! or, depending on your choice in step 2: ips promiscuous fail-close
    When you do this the ASA is configured to send the traffic to the module.
    Now you need to get into the IPS.
    You can get into it through the CLI on the ASA:-
    session 1
    It will ask you for a username and password;
    both are "cisco" by default.
    Run the command "setup"
    and it will walk you through the initial configuration of the sensor.
    Once the sensor is configured,
    log in to the IDM
    and go to Configuration >> Policies and assign vs0 to the backplane interface of the module so that the signatures come into action on the traffic.
    You can connect the module in front of the IPS to the switch VLAN where the other interface exists, from where you want to see this traffic and want the IPS to come into action.
    Suppose you want to apply the IPS on the inside network:
    ASA inside interface IP:- 192.168.1.1
    Module IP:- 192.168.1.3/192.168.1.1
    Here the gateway for the module is the ASA inside interface.
    Now all the traffic going outbound or coming in from the inside interface will be monitored by the IPS.
    Now connect the Ethernet interface of the module to the same VLAN on the switch where your inside interface is connected.
    Now you can even manage the IDM of the IPS just like you manage the ASDM for the ASA; you just need to have your host/network allowed to gain access to it.
    Thanks

  • Swap Cisco ASA SSM-10 from dead firewall

    Good afternoon,
    I currently have 2 Cisco 5510 firewalls. One of the firewalls is completely dead but contains a Cisco ASA SSM-10. Can I remove this card and just place it into a working unit? Will I have any problems doing so?
    Regards
    Paul

    No, that shouldn't be a problem at all as the serial number of the SSM-10 module does not get linked to the actual ASA appliance.

  • ASA SSM IPS module upgrade won't work

    Hello all,
    I'm trying to upgrade the IPS sigs on an ASA5520 with an SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device, with no luck.
    I followed these steps provided by Cisco.com:
    1. Log in to the ASA.
    2. Enter enable mode:
    asa# enable
    3. Configure the recovery settings for ASA-SSM:
    asa (enable)# hw-module module 1 recover configure
    NOTE: If you make an error in the recovery configuration, use the
    hw-module module 1 recover stop command to stop the system reimaging
    and then you can correct the configuration.
    4. Specify the TFTP URL for the system image:
    Image URL [tftp://0.0.0.0/]:
    Example:
    Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
    5. Specify the command and control interface of ASA-SSM:
    Port IP Address [0.0.0.0]:
    Example:
    Port IP Address [0.0.0.0]: 11.21.31.41
    6. Leave the VLAN ID at 0.
    VLAN ID [0]:
    7. Specify the default gateway of the ASA-SSM:
    Gateway IP Address [0.0.0.0]:
    Example:
    Gateway IP Address [0.0.0.0]: 11.22.33.44
    8. Execute the recovery:
    asa# hw-module module 1 recover boot
    9. Periodically check the recovery until it is complete.
    NOTE: The status reads "Recovery" during recovery and reads "Up" when
    reimaging is complete.
    After #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server on which the new image resides, and TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
    I opened a Cisco TAC case on this and am not receiving a lot of help...
    Please help!!! :)
    Thanks
    Chris Serafin

    The recovery using this method can take upwards of 30 minutes, and in some cases even longer.
    How long have you left the SSM in the "recovery" state?
    There may be something wrong in the config you entered. When that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
    Execute "debug module-boot" on the console of the ASA.
    The debug output will show you the ROMMON output of the SSM itself. (The SSM has its own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON.)
    If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
    Some typical problems I have seen:
    1) Wrong IP given for the sensor.
    2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor); this problem usually happens when using a non-standard netmasked network.
    3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the external port of the SSM is plugged into the right network for that IP.
    4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
    5) The file name is wrong. Check the capitalization especially.
    6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
    tftp://10.20.30.40/subdirectoryname/filename
    7) The tftp is timing out.
    There are 2 things that can cause this:
    a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
    b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
    If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
    It will stop the reboot cycle from happening.
    Let the module come up with the old image.
    Then correct your "recover configure" settings, and try the "recover boot" again.
    Another alternative:
    Stop the recovery "recover stop"
    Let it boot into the old image.
    If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
    The "recover" from the ASA will wipe the box clean and load a fresh image.
    The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
    5.1 upgrade file:
    IPS-K9-min-5.1-1g.pkg
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
    The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
    For normal upgrades you want to use "upgrade" files applied through the sensor itself (CLI, IDM, or CSM).
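    A pre-flight check for the answers given to "recover configure", covering the mistakes listed above (wrong sensor or gateway address, gateway off the sensor's network, file name capitalization, file in a subdirectory, off-net TFTP server). This is an added Python example, not Cisco's tooling or the poster's; the file list stands in for a TFTP root and is constructed, and the mask length of the sensor's network is assumed to be known to the operator since the ASA prompts do not ask for it.

```python
import ipaddress
from urllib.parse import urlparse


def check_recover_settings(image_url, sensor_ip, gateway_ip, prefix_len, tftp_files):
    """Pre-check the values fed to 'hw-module module 1 recover configure'.

    image_url  - the Image URL, e.g. tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
    sensor_ip  - the Port IP Address given to the SSM's command and control port
    gateway_ip - the Gateway IP Address
    prefix_len - mask length of the network the SSM's external port plugs into
                 (assumption: the operator knows it; the ASA prompts never ask)
    tftp_files - paths present under the TFTP root, as a set of strings; a
                 constructed stand-in for a real directory listing
    Returns a list of problems; an empty list means nothing obvious is wrong.
    """
    problems = []
    url = urlparse(image_url)
    if url.scheme != "tftp" or not url.hostname or not url.path.strip("/"):
        return ["Image URL must look like tftp://<server-ip>/<path-to-image>"]
    path = url.path.lstrip("/")
    base = path.rsplit("/", 1)[-1]

    # (5) wrong file name, especially capitalization; (6) file not in the TFTP root
    if path not in tftp_files:
        by_lower = {p.lower(): p for p in tftp_files}
        same_base = [p for p in tftp_files if p.rsplit("/", 1)[-1] == base]
        if path.lower() in by_lower:
            problems.append(f"file name differs only in case from '{by_lower[path.lower()]}'")
        elif same_base:
            problems.append(f"'{base}' sits in a subdirectory: use tftp://{url.hostname}/{same_base[0]}")
        else:
            problems.append(f"'{path}' is not on the TFTP server")

    # (1)/(2) sensor and gateway must be valid addresses on the same network
    try:
        sensor = ipaddress.ip_address(sensor_ip)
        gateway = ipaddress.ip_address(gateway_ip)
        net = ipaddress.ip_network(f"{sensor}/{prefix_len}", strict=False)
    except ValueError as exc:
        return problems + [f"bad address: {exc}"]
    if gateway == sensor:
        problems.append("gateway address equals the sensor address")
    elif gateway not in net:
        problems.append(f"gateway {gateway} is not on the sensor's network {net}")

    # (4)/(7a) a TFTP server off the sensor's network goes via the gateway and is
    # more likely to run into ROMMON's fixed retry limits; the thread's examples
    # always give the server as an IP, so a host name is flagged (assumed: no DNS in ROMMON)
    try:
        server = ipaddress.ip_address(url.hostname)
    except ValueError:
        problems.append("give the TFTP server as an IP address, not a host name")
    else:
        if server not in net:
            problems.append(f"TFTP server {server} is off-net for the sensor; prefer a local one")
    return problems
```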

  • Cisco ASA 5500x with FirePower logging & syslog Format/reference

    Hello everyone,
    Can anyone explain how Cisco ASA 5500x Firepower logging works?
    http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/white_paper_c11-532091.html
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-business-architecture/sbaSIEM_deployG.pdf
    I referred to the above links and found a syslog message for botnet filtering:
    ASA-4-338002: Dynamic filter permitted black listed TCP traffic from inside: 10.1.1.45/6798 (209.165.201.1/7890) to outside: 209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com
    It is a Cisco ASA 5500 log. Is it the same for Firepower? If yes, does Firepower generate syslog messages for all events like this?
    Please refer me to a syslog reference guide for Cisco ASA 5500x Firepower, if one exists.
    Thanks & Regards
    Revathi

    Firepower logging is to a Firesight management center (FMC) via https. It does not use SDEE.
    Just like the old IPS, syslog messages are only about the module status, not about actual IPS events.
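    The ASA's own dynamic-filter (botnet) messages, like the 338002 line quoted in the question, do arrive over syslog even though, as the reply says, IPS and Firepower events themselves do not. Parsing those lines and correlating them per internal host is one concrete way to do the event correlation asked about at the top of this page. The following is an added Python example, not code from the thread or from Cisco; the log lines are constructed in the message layout shown above (hosts, ports and domains are made up), and the 302013 connection-built line is included only as noise to be skipped.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines. The three 338002 lines follow the dynamic-filter
# layout quoted in the thread; the 302013 "Built ... connection" line is ordinary noise.
SAMPLE_LOGS = """\
Apr 30 2008 02:00:56 fw01 %ASA-4-338002: Dynamic filter permitted black listed TCP traffic from inside:10.1.1.45/6798 (209.165.201.1/7890) to outside:209.165.202.129/80 (209.165.202.129/80), destination 209.165.202.129 resolved from dynamic list: bad.example.com
Apr 30 2008 02:01:10 fw01 %ASA-4-338002: Dynamic filter permitted black listed TCP traffic from inside:10.1.1.45/6801 (209.165.201.1/7891) to outside:209.165.202.130/443 (209.165.202.130/443), destination 209.165.202.130 resolved from dynamic list: c2.example.net
Apr 30 2008 02:02:33 fw01 %ASA-4-338002: Dynamic filter permitted black listed UDP traffic from inside:10.1.1.77/53012 (209.165.201.1/7902) to outside:209.165.202.129/53 (209.165.202.129/53), destination 209.165.202.129 resolved from dynamic list: bad.example.com
Apr 30 2008 02:03:01 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:209.165.202.140/80 (209.165.202.140/80) to inside:10.1.1.45/6810 (209.165.201.1/7895)
"""

# Field layout of the %ASA-x-338yyy dynamic-filter messages. The leading '%' and the
# space after the interface name are optional, so the line as pasted in the thread
# (no '%', "inside: 10.1.1.45") parses as well as a raw syslog capture does.
BOTNET_RE = re.compile(
    r"%?ASA-(?P<sev>\d)-(?P<msgid>338\d{3}): Dynamic filter (?P<action>\w+) "
    r"(?P<listed>.+?) (?P<proto>\w+) traffic "
    r"from (?P<src_if>[\w-]+):\s?(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_nat_ip>[\d.]+)/(?P<src_nat_port>\d+)\) "
    r"to (?P<dst_if>[\w-]+):\s?(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_nat_ip>[\d.]+)/(?P<dst_nat_port>\d+)\), "
    r"destination (?P<resolved_ip>[\d.]+) resolved from dynamic list: (?P<domain>\S+)"
)


def parse_botnet_event(line):
    """Return the fields of one dynamic-filter message as a dict, or None for other lines."""
    m = BOTNET_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("src_port", "src_nat_port", "dst_port", "dst_nat_port"):
        ev[key] = int(ev[key])
    return ev


def correlate_by_source(lines):
    """Group dynamic-filter hits by internal source address.

    Returns {src_ip: {"hits": n, "domains": set, "resolved_ips": set, "dst_ports": set}}.
    """
    summary = defaultdict(lambda: {"hits": 0, "domains": set(), "resolved_ips": set(), "dst_ports": set()})
    for line in lines:
        ev = parse_botnet_event(line)
        if ev is None:
            continue  # not a dynamic-filter message
        rec = summary[ev["src_ip"]]
        rec["hits"] += 1
        rec["domains"].add(ev["domain"])
        rec["resolved_ips"].add(ev["resolved_ip"])
        rec["dst_ports"].add(ev["dst_port"])
    return dict(summary)


def hosts_to_review(summary, min_domains=2):
    """Internal hosts whose traffic resolved to at least min_domains distinct listed domains."""
    return sorted(ip for ip, rec in summary.items() if len(rec["domains"]) >= min_domains)


if __name__ == "__main__":
    for ip, rec in correlate_by_source(SAMPLE_LOGS.splitlines()).items():
        print(ip, rec["hits"], sorted(rec["domains"]))
```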

  • IPS event log size

    Hi everyone,
    I have a very "interesting" question from my customer.
    He is asking me how much disk space is needed for an event log. Just one event log. Because I told him that IPS itself has limited space for logs and to archive it, please use IME installed on a server.
    Does anyone know how much disk space is taken up for a single event log? LOL
    Regards

    There is no fixed size. Different types of events will contain more or less data. If you turn on packet captures, the size will be much larger as well.
    - Bob

  • CISCO top 10 security events / logs for cisco aironet 3500? lan controller 5500

    As a sec analyst I'm tasked to monitor my wireless environment, which comprises the following components:
    We are using Cisco Aironet 3500 series.
    LAN controller 5500
    MSE 3300 series
    WCS v 5.0
    Is there a top 10 of security events that I should be looking at? Is there a thing like a Cisco top 10 sec events? Or do I have to follow an external resource like SANS for this? I'm sure there are guys here who have worked in this environment and can probably advise me on the events I should be concerned about.

    Reference:
    Cisco Wireless LAN Controller System Message Guide
    http://www.cisco.com/en/US/docs/wireless/controller/7.4/message/guide/sysmsg74.html
    http://www.cisco.com/en/US/docs/wireless/controller/message/guide/controller_smg.html

  • Cisco ASA SSM-10 Global Correlation critical

    Hello,
    I have a high value for the Global Correlation parameter, on which my IPS module generated an alarm; how can I reset this value?
    Additionally, the automatic updates do not work properly in the module. What could be the problem?
    Thanks for your help.

    Ensure DNS is configured on the sensor. It will need to communicate to receive updates. Also ensure you have a valid license.
    Sent from Cisco Technical Support iPhone App

  • How to determine the IPS throughput using Cisco ASA 5500 IPS Solution?

    Hello there!
    I've been designing a solution to protect the server farm and I intend to use the ASA 5500 series with the AIP-SSM module. Is there any tool to determine the real throughput that I need? I mean, how do I determine the performance (firewall + IPS throughput), and what main points should I consider?

    If the server farm is running production levels of traffic today you can get statistics off a variety of networking devices passing the existing traffic. Switches, routers and firewalls all count every byte of traffic they pass. There are plenty of tools that can gather this traffic into tables via SNMP too, such as MRTG.
    Do not average your traffic over too great a time period; you will miss busy-hour peaks. At most, use 5-minute averages.
    - Bob

  • Cisco ASA 8.4 Command logging in ACS

    Hello,
    I have set up command authorisation on an ASA 8.4 firewall, and everything seems to work fine.
    The only problem is that the commands executed on the device, such as via ssh or ASDM access, do not show up in the TACACS+ Administration log on the ACS 4.2 server,
    while on switches and routers the commands executed do show up in the log.
    I googled the web, but did not find any similar item for this issue.
    Please help....

    You need to look at the latency between the initial connection after the pause and the beginning of when data is returned to the client. I will virtually guarantee the application is timing the user out before restarting the session.
    Sent from Cisco Technical Support iPad App

  • How to monitoring IPS event logs !

    Hi,
    We have some Cisco IPS and also Juniper IDP sensors in our networks. With Juniper I use NSM for analyzing network logs and attacks, generating different kinds of graphs and stuff like that; it's so easy to work with and also informative. But with Cisco IPS devices I don't know what tools are available for online monitoring of network logs and attacks and also for generating graphs for my boss. I see IDM but it doesn't have the features that we need. Does anyone know anything else for analyzing and monitoring logs?
    Warm regards,
    Omid

    IME (IPS Manager Express) provides more information and reporting tools than IDM, and it can support up to 10 IPS devices/modules.
    Here is the URL for IME for your reference:
    http://www.cisco.com/en/US/products/ps9610/index.html
    Please check the system requirement for IME on the following release notes:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5715/ps9610/data_sheet_c78-459033.html
    Hope that helps.

  • CISCO ASA 5505 IPS CARD WILL NOT TAKE UPDATES

    Hey all.
    I'm trying to update my SSC-5 and it will not take any signature updates. I use ASDM and the CLI, and both times it will successfully download but it will not apply the update. It hangs on the "applying update" portion and then it just hangs.
    I also tried the auto update and that did not work either. Any ideas??

    Yeah...I think I found that one out the hard way already. I'll cross that bridge when I get to it. I want to get this issue fixed before I start thinking about the license issue.
    ciscoasa#
    ciscoasa#
    ciscoasa#
    ciscoasa# sh flash
    --#--  --length--  -----date/time------  path
    2403  0           Apr 30 2008 02:00:56  test
    2285  196         Apr 30 2008 01:28:20  upgrade_startup_errors_200804300128.log
    2283  0           Apr 30 2008 01:28:20  coredumpinfo
    2284  59          Apr 30 2008 01:28:20  coredumpinfo/coredump.cfg
    2280  0           Apr 30 2008 01:27:56  crypto_archive
    2267  0           Apr 30 2008 01:27:38  log
    0 bytes total (0 bytes free)
    ciscoasa#
    ciscoasa#
    ciscoasa#
    ciscoasa# sh disk0
    --#--  --length--  -----date/time------  path
    2403  0           Apr 30 2008 02:00:56  test
    2285  196         Apr 30 2008 01:28:20  upgrade_startup_errors_200804300128.log
    2283  0           Apr 30 2008 01:28:20  coredumpinfo
    2284  59          Apr 30 2008 01:28:20  coredumpinfo/coredump.cfg
    2280  0           Apr 30 2008 01:27:56  crypto_archive
    2267  0           Apr 30 2008 01:27:38  log
    0 bytes total (0 bytes free)
    ciscoasa#

  • Cisco ASA IPS SSM-10

    Hello,
    I just upgraded one of my Cisco ASA IPS SSM-10 from version 7.0 (6) E4 to version 7.0 (7) E4 and the Radius authentication stopped working. I use Microsoft 2008 Radius and I still have 10 more of these working with version 7.0 (6) E4.
    I used to have the same Radius authentication issue with version 6 until we upgraded to ver 7.0 (6) E4 and this latest version screwed up again.
    Does anyone know if there is a Radius authentication bug in this latest version 7.0 (7) E4?
    Thank you
    Si

    There is a known issue CSCty46104. However a show-tech log can give more details as to why there was a failure in your case.
    Regards
    Sawan Gupta

  • Cisco IPS ASA SSM-10

    I am using an ASA SSM-10 IPS. Currently it keeps logging those alert events.
    Where does the IPS keep all those event logs? In the disk space?
    Where can I see how much space I have left?
    Will it go down if the space is full?

    This is from the post I linked earlier, and you don't have to worry; the sensor will definitely not go 'down'. The event-log data structure is circular and is overwritten every time it is full.
    "The eventStore size starting at version 5.0(1) is a fixed 30 Meg. It's a *circular* eventStore that is intended to wrap (new events overwriting oldest events). The usual sensor deployment includes some sort of remote event monitor application (like IEV, IME etc.) that pulls events from the sensor. The eventStore acts as a buffer to allow the remote monitoring app to keep up with busy sensors. If your eventStore wraps every few hours then the monitoring app should be able to keep up with all the events being generated. The concern would be if the eventStore continuously wrapped in less than 10 or 15 minutes. At that point you may be losing events and would need to tune the sensor signature config to only alarm on meaningful events."
    I'm assuming since the event-store is only 30 MB, it's a 'part' of one of the following partitions:
    application-data OR application-log
    Most probably the first one.
    Regards
    Farrukh

  • Proper ASA-SSM-20 IPS and MARS Intergration

    I'm trying to understand how to best manage my MARS and ASA-SSM-20 IPS implementation. I've been running this solution for about 2 months and have been experimenting with how to manage alerts from the blades to MARS.
    The MARS documentation says to configure 2 Event Action Overrides - Verbose Alerts and Log Pair Packets. However there seems to be a major drawback:
    1. The IPS generates alerts for signatures that by default have no alert action configured. At first glance this seems ok, but over time I found that many false positives are generated for signatures that would otherwise remain quiet.
    My question is, how should this be managed? I want verbose alerts and logged pair packets for signatures that produce alerts by default, but if I manually configure this, is there a performance consideration?

    You might be hitting the bug CSCuc34812.
    Please contact Cisco TAC to have the issue analyzed.
    Regards,
    Sawan Gupta
