CS-MARS 4.3.1 and Cisco IPS 5.1(6)

Hello everyone,
I start this discussion as I think I'm experiencing something really strange with CS-MARS 4.3.1 (build 2600) and Cisco IPS 5.1(6).
I upgraded today our MARS box from 4.2.8 to 4.3.1. And a bit later, I decided to migrate one of our IPS from 4.1 to 5.1.
After all the upgrades, I deleted the old IDS 4.1 from MARS and recreated it. But I can't get MARS to communicate with the IPS! From the MARS box I can "telnet ... 443" and I get a response, but MARS complains again and again that it is not able to contact the IPS. "Try a telnet ... 443 from the MARS appliance to check if IP connectivity is present" is the message reported by "View Error" after a "test connectivity" has been issued.
The problem is that I need that first connection so that MARS subscribes to the IPS in order to receive the logs.
I tried with a 5.1 IPS that was already present before the upgrade: same result, "Can't connect". But as the MARS box had subscribed previously to the IPS, the logs are arriving.
Does someone else have this strange behaviour?
Regards,
Jean-François Gobin

Hello,
When I upgraded MARS to 4.3.1, I noticed that MARS doesn't receive any logs from IPS, ASA and other reporting devices. But when I check the ASA and IPS, I'm pretty sure that the ASA and IPS were sending syslog alerts to MARS; the only problem is that MARS could not receive them. I can ping the IPS / ASA from the MARS console but it fails when I test the connectivity/discover in the Web Interface.
I also executed the pnstart and pnstatus commands in the CLI console.
This is what I get:
[pnadmin]$ pnstart
[pnadmin]$ pnstatus
Configuration error: host name does not match janus.conf::janusBoxName.
Please contact Cisco for support.
[pnadmin]$
Any ideas about this?...
Carlou

Similar Messages

  • Bitcoin generator and Cisco IPS 4240

    I have a problem with a Bitcoin generator installed somewhere in the local network.
    I have an IPS 4240 which is connected as IPS (all traffic to the internet passes through the IPS).
    The software on the IPS is very old.. and I cannot upgrade it.
    Version 6.0(6)E4
    Can I configure the IPS to detect and prevent Bitcoin?

    Please can anyone answer these questions... Your help is appreciated... These are blocking me...
    We have purchased a Cisco IPS 4240 sensor, installed the license, and that device is communicating with other computers in the network. The version installed is IPS 6.1(1)E1. Please can you answer the questions below.
    1) Please can you provide me the document or link that lists all the possible events that can be generated by the Cisco IPS 4240 sensor.
    2) Where will this IPS 4240 sensor store all the generated events? Please can you provide me the file names and location of those files, and can you tell me how to access those files?
    3) How many types of events will be generated by this IPS 4240 sensor?
    4) How to send all types of events to a Syslog server (Windows Kiwi syslog or Linux syslog) present on another system in the network, through CLI, IDM and IME.
    5) Can you provide me some examples to generate different events?
    6) What is the difference between CLI, IDM and IME?
    7) How can we know that the configured IPS system is in Inline mode?

  • What is the prerequisite for cisco ips exam

    Hello everyone
    What is the prerequisite for the Cisco IPS exam?
    I read that 640-553 is required, and is CCNA a prerequisite for 640-553? I am not sure, please guide me as I am new to the Cisco world.

    You can take the Cisco IPS exam, however, you will only get the Cisco IPS Specialist certificate if you pass both CCNA Security and the Cisco IPS exam.
    Here is the URL for your reference:
    http://www.cisco.com/web/learning/le3/le2/le41/le85/le58/learning_certification_type_home_extra_level.html
    However, you can take the Cisco IPS exam first prior to taking the CCNA Security. The order of exam does not matter, and you will only get the Cisco IPS Specialist certificate once you pass both CCNA Security and Cisco IPS exam.
    Hope that helps.

  • Cisco IPS Tech Tips: Data Center Protections and Platforms

    Hello Cisco Community Forum Members;
    Robert Albach invites you to attend a 30-45 minute Web seminar on the Cisco IPS internal operations using WebEx. This event requires registration.
    Topic: Cisco IPS Tech Tips - Data Center Protections and Platforms
    Host: Robert Albach
    Date and Time:
    Thursday, July 19, 2012 10:00 am, Central Daylight Time (Chicago, GMT-05:00)
    To register for the online event
    1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=206048546&t=a&EA=ralbach%40cisco.com&ET=ade69a0aa29f279471b6a85feae46a71&ETR=5b39cf5f535442c1763f090845d7ddd3&RT=MiM3&p
    2. Click "Register".
    3. On the registration form, enter your information and then click "Submit".
    Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.
    For assistance
    http://www.webex.com
    IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, discuss your concerns with the meeting host prior to the start of the recording or do not join the session. Please note that any such recordings may be subject to discovery in the event of litigation.

    The recordings and the presentation slides are placed here on the Cisco Support Community. I think if you roll the threads back some you will see the prior month's Tech Tips (then called Tech Talks) posted.
    This one will be posted a few days after the event.
    -Robert

  • Cisco IPS Concurrent session support in ips 4260 and 4270 sensor

    I am wondering why no document from the Cisco IPS data sheets mentions the concurrent session support in the Cisco IPS 4200 series sensors. I am looking forward to anyone who can advise about the subject.
    Thanks
    Nouman

    Hi.
    With IPS devices it's difficult to measure performance by # of connections per second, since several factors count towards the performance limit, including:
    1- packet size.
    2- object sizes per transaction
    3- transactions per second
    4- signatures enabled
    5- features enabled
    That's why public documents try to make it more realistic by mentioning the transactional performance.
    Here is a link mentioning concurrent connections for the 4270:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e7283.html
    Although the link mentions 100k and 200k, we've seen situations where we had a lot more connections with a smaller number of signatures enabled.
    For the 4260 the public document only mentions the transactional performance.
    Regards,
    Fadi.
    If this answers your question please mark the thread as resolved.

  • CISCO IPS 4270 rebooting again and again

    Dear Experts,
    We are facing a problem where a Cisco IPS 4270 keeps rebooting; attached are the logs.
    After entering username and password it again goes into the restart cycle.
    Appreciate your help
    Muhammad Nasim

    You should try reimaging your sensor. If that doesn't fix this issue, you need to RMA the unit to Cisco.
    Cisco might just let you RMA the unit as is if you have a contract, but bringing it is faster.
    - Bob

  • Does Cisco IPS appliance 4200 and 4300 series have whitelist?

    Hi all,
    I am wondering if I can do whitelisting on the Cisco IPS appliance itself. I understand that for the IPS module in the ASA it is possible... hope anyone can enlighten me.
    Cyrus

    Cyrus,
    It kind of does; it is called Event Action Filters, where you can exempt hosts/subnets from triggering certain signatures.
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html
    Whatever you put in them won't trigger the signatures you don't want it to trigger.
    Hope it helps.
    Mike

  • Mars box MARS box v4.3.5 (2838) IPS Signature Version 330 upgrade

    Hi, I have the software MARS box v4.3.5 (2838) IPS Signature Version 330.
    Is there any upgrade available for it?
    Where can I find info for upgrading the software and IPS signatures on the Cisco web site?
    I also want to integrate CiscoWorks LMS 2.6 to send SNMP Trap Notifications to the MARS box v4.3.5 (2838) IPS Signature Version 330. Is it possible, and what would be the port # on the MARS box?

    You are already running the latest software for the Generation 1 MARS appliances. You can find newer updates here:
    http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars
    For IPS, it is better to turn on automatic updates. Just go to:
    Admin >> System Setup >> IPS Signature Dynamic Update Settings
    The URL is already set there; just put in your CCO username/password and click 'Update Now', then hit 'Submit'. I think the current Signature release is 352. You can manually download them from here if you like:
    http://www.cisco.com/cgi-bin/tablebuild.pl/mars-ips-sigup
    Please rate if helpful.
    Regards
    Farrukh

  • Deployment of Cisco IPS 4240 devices

    I can't seem to find any information regarding mass rollouts of Cisco IPS 4240 devices. I have 6 devices I intend to roll out to several remote offices and tie into a centralized Cisco MARS appliance. Without using any CSM/LMS software, is there a quick and dirty way to pull this off? I'm thinking of configuring a single IPS device, then pulling and distributing its configuration file to the remaining devices. Would like to see how others have accomplished this...

    If all of your sensors are the same type (all 4240s in your situation) and will all run the exact same configuration, then the copy command will help you out.
    There was a new feature added to the copy command in IPS 6.1 that will help you in copying the config from one sensor to another.
    You fully configure one sensor (use IME, IDM, or CLI). When you are happy with the configuration, then use the copy command to copy it TO an SCP server.
    Now bring up a second sensor and configure the basic networking parameters through setup (IP address, gateway, etc...).
    Now use the copy command on the second sensor to copy the first sensor's configuration FROM the SCP server into the running config of the second sensor.
    It will prompt you whether to overwrite the second sensor's networking parameters.
    Answer NO.
    The rest of the first sensor's configuration will be copied into the second sensor.
    The second sensor will keep its own unique IP but will gain the rest of the configuration from the first sensor's config.
    Continue doing this with any additional sensors.
    The process can then be repeated anytime additional changes are made to the first sensor.
    Keep in mind, though, that this only works if the sensor's configuration will be exactly duplicated (including what interfaces would be monitored and how).
    If each sensor will have some unique tunings, then you will need to either manage each sensor on its own, or purchase CSM, which can be used to share only certain portions of the configuration across multiple sensors.

  • Problem VOFR cisco 3810 and Cisco 1750

    - I have a network with Cisco 3810 and Cisco 1750 equipment in a star topology.
    - The central router is a Cisco 3810 with an E1 connected to the PBX.
    - The other routers in the network have an FXS with two ports.
    - The network is working with VoFR.
    - The problem is: from a 1750 I can call a Cisco 3810, but from a 3810 I cannot call a Cisco 1750.
    - But if I enable debugging on the Cisco 1750 (debug voice ccapi inout) I see that the call is arriving.
    - The routers' configurations are OK.
    - Please, can you help me?

    ---------------Debug voice ccapi inout-----------------------------------

  • TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

    I would like to block TeamViewer in my network. We are using a Cisco IPS 4240 in IDS mode. I found that there are signatures for TeamViewer in the latest signatures.
    We have only configured a promiscuous interface; I read that we can issue TCP resets through the promiscuous interface as well (recommended is a dedicated TCP reset interface).
    However, in my case I found that the signatures for TeamViewer are not getting fired even after successful TeamViewer connections.
    I am a beginner in IPS; any inputs will be valuable for me.

    We're talking about sigs 15002-0, -1, -2 here. They are shipped disabled and retired by default, so you'll want to enable and activate them.
    For these, the signature settings are not hidden, and what they look for is pretty clearly documented in the sig description.
    -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
    -1 looks for specific traffic to TCP port 5938, which would indicate TeamViewer's direct-connection method.
    -2 looks for traffic indicating use over HTTP when TeamViewer is configured to use a proxy.
    TCP resets are a best-effort response; they aren't going to be a 100% effective stop.

  • Cisco IPS 4240 stops file downloads at 90%

    Hi everybody. I have a Cisco IPS 4240 with version 7.0.4 installed and upgraded to the latest signature. But since it was installed I have had an issue with some file downloads, because the IPS stops the file at 90-99% of the download (in some cases, not all). The IPS is inline in front of the firewall. A partner told me that I have to change the mode to promiscuous to solve the issue, but I think that if the IPS was designed to work inline, I shouldn't have to change anything, and maybe some expert on the forum has the correct answer. Or does this issue have a solution with configuration changes?
    Sorry for my written English.... I tried to find some signature that causes the issue, but if I disable the sensor, the issue still occurs. The firewall is not the problem, because if I connect a laptop in front of the firewall and behind the IPS the issue occurs too. Well, I have now spent some months trying to find a solution. On the Cisco page I cannot find anything similar.... [:-(
    PS. Examples of files that stop when downloading are Apple iTunes, or a Microsoft patch, or VMware software, for example.
    Thanks, your responses are greatly appreciated.

    Thanks for your help. These are the last packets before the download freezes:
    The size of the download with problems is random; sometimes it occurs with small downloads, sometimes with large downloads. The download in the example has 47 MB. I think that the traffic is dropped and the TCP connection times out. Do you see any anomalies in this traffic portion?
    14:55:20.536119 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536122 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536420 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536718 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536820 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537123 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537125 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537517 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537520 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537522 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537821 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537823 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538116 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538118 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538415 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538418 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.544207 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.544307 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638362 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638365 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638463 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638862 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638866 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639164 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639166 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639560 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639564 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640263 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640568 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.641958 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.641960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.642158 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742304 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742603 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742605 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742607 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742903 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743202 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743302 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743601 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.745000 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.745100 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845347 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845548 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845550 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845647 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845845 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846247 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846544 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.849040 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48010926 win 65335
    14:55:20.849439 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48012386 win 65335
    14:55:20.948787 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48015306 win 65335
    14:55:20.948789 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48018226 win 65335
    14:55:20.952982 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48021146 win 65335
    14:55:20.953679 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48024066 win 65335
    14:55:21.055723 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48029906 win 65335
    14:55:21.055725 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48032826 win 65335
    14:55:21.055930 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48035746 win 65178
    14:55:21.058919 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48037206 win 65335
    14:55:21.068809 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48040126 win 65335
    14:55:21.068812 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48043046 win 65335
    14:55:21.069006 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48045966 win 65335
    14:55:21.070103 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48048886 win 65335
    14:55:21.158967 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48051806 win 65335
    14:55:21.159265 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48054726 win 65335
    14:55:21.159465 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48057646 win 65335
    14:55:21.159864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48060566 win 65335
    14:55:21.159867 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48063486 win 64605
    14:55:21.162162 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 63875
    14:55:21.162260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 65335
    14:55:21.172245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48069326 win 65335
    14:55:21.172248 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48072246 win 65335
    14:55:21.172545 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48075166 win 65335
    14:55:21.172645 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 64605
    14:55:21.172744 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 65335
    14:55:21.172844 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48081006 win 65335
    14:55:21.173144 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 64605
    14:55:21.185225 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 65335
    14:55:21.572333 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48116046 win 65335
    14:55:21.585313 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585315 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585414 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585417 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585512 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.677172 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.688654 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.688657 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
    14:55:21.688757 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
    14:55:21.780613 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:21.883755 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:21.986998 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:22.090639 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
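The capture above is a run of pure ACKs (the "." after the colon means no TCP flags are set) from one client port towards one web server. Rather than eyeball it, a handy way to triage a suspect flow is to reduce the dump to per-flow numbers: how many segments, how often the same ACK number repeats (duplicate ACKs, i.e. the receiver saw nothing new), the smallest advertised window, and how many bytes were acknowledged per second. The following script is an added example, not part of the original post or any Cisco tool; it parses a subset of the lines quoted above and assumes all timestamps fall on the same day (tcpdump prints no date in this format):

```python
import re
from collections import OrderedDict
from datetime import datetime

# Subset of the tcpdump lines quoted above (pure ACKs from 10.0.0.1:56109 to
# apollo.fileburst.net:80). The "." after the colon means no TCP flags were set.
SAMPLE = """\
14:55:21.058919 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48037206 win 65335
14:55:21.068809 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48040126 win 65335
14:55:21.162162 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 63875
14:55:21.162260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 65335
14:55:21.585313 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:21.585315 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
14:55:22.090639 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
"""

# tcpdump writes host and port as "host.port"; the last dot separates them.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>\S+) ack (?P<ack>\d+) win (?P<win>\d+)"
)


def parse_line(line):
    """Return a dict for one tcpdump ACK line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        # Assumption: all lines are from the same day, so HH:MM:SS.ffffff suffices.
        "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
        "src": m["src"],
        "dst": m["dst"],
        "ack": int(m["ack"]),
        "win": int(m["win"]),
    }


def summarize(text):
    """Per (src, dst) flow: segment count, duplicate ACKs, bytes acknowledged,
    smallest advertised window and average acknowledged-byte rate."""
    flows = OrderedDict()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"])
        st = flows.get(key)
        if st is None:
            st = flows[key] = {
                "segments": 0,
                "dup_acks": 0,
                "first_ts": rec["ts"],
                "last_ts": rec["ts"],
                "first_ack": rec["ack"],
                "last_ack": rec["ack"],
                "min_win": rec["win"],
            }
        else:
            # The same ACK number again means no new data arrived in between:
            # a duplicate ACK, which the sender may treat as a loss signal.
            if rec["ack"] == st["last_ack"]:
                st["dup_acks"] += 1
            st["last_ack"] = max(st["last_ack"], rec["ack"])
            st["last_ts"] = rec["ts"]
            st["min_win"] = min(st["min_win"], rec["win"])
        st["segments"] += 1
    for st in flows.values():
        elapsed = (st["last_ts"] - st["first_ts"]).total_seconds()
        st["acked_bytes"] = st["last_ack"] - st["first_ack"]
        st["bytes_per_sec"] = st["acked_bytes"] / elapsed if elapsed > 0 else 0.0
    return flows


if __name__ == "__main__":
    for (src, dst), st in summarize(SAMPLE).items():
        print(f"{src} -> {dst}: {st['segments']} ACKs, {st['dup_acks']} duplicate, "
              f"{st['acked_bytes']} bytes acked, min win {st['min_win']}, "
              f"{st['bytes_per_sec']:.0f} B/s")
```

On the seven sample lines this reports one flow, two duplicate ACKs, 132860 bytes acknowledged in just over a second (roughly 129 KB/s) and a minimum window of 63875; run it over the full dump to see whether the download rate or the window behaviour is out of line for a workstation that is supposed to be idle.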

  • Hi Friends, help in purchasing new Cisco IPS

    Hi Friends,
    I am working as a network admin in a telecom-based company and we have two leased lines of 2 Mb and 1 Mb bandwidth respectively. I have a Cisco ASA 5510 and I want to purchase a Cisco IPS.
    I am very fresh to this security field, so please kindly suggest which series of Cisco IPS is suitable for my company network.
    Any kind of help is appreciated.
    Thanks a lot in advance.

    Hi Arghadip,
    I have given my friend's user ID. I checked in Workplace, it was not there, friend... how can I rectify this problem?
    Awaiting your reply, buddy.
    Regards
    Raju Aitha

  • CISCO IPS 4260 CPU USAGE 99%

    Hi guys
    I'm detecting something unusual on my Cisco IPS 4260. This device has 2 CPUs but only one CPU is showing 99% use, and the inspection load varies from 40 to 50, and sometimes 80; here's a screenshot of what I'm talking about.
    Where can I start troubleshooting why it is showing these values?
    Regards.

    Do you think it is normal that the IPS signature with the most hits is SIGID 5575 (NBT NetBIOS Session Service Failed Login)?
    After doing some research it seems to be normal for a Windows environment.
    Here is the information I got:
    Description
    When a client connects to an SMB server (WinNT, Win95, Samba, etc.) a TCP connection to port 139 is established. The client then provides the server with its NetBIOS name and the NetBIOS name it wishes to connect to. If the name does not exist on the server, the session setup attempt fails and an error message is sent to the client. This could be an indicator of an attack.
    Recommended Filter
    Exclude internal networks as sources.
    Benign Triggers
    The default alarm level for this is low because this happens during normal network activity within a Windows network. As an example, when mounting the C: drive from a Windows 95 system to a Windows NT system, numerous session setup failures can occur while browsing the file system.
    As you can see, you could exclude it to stop triggering that; this is an informational signature.
    Regards,
    Remember to rate all of the helpful posts
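The "Recommended Filter" in the signature text, exclude internal networks as sources, is the same pattern an event action filter on the sensor expresses: when signature 5575 fires and the attacker (source) address lies inside your own address space, drop the alert and keep it only for external sources. The code below is an added example that models that decision outside the sensor, for instance when tuning an export of alerts; it is not Cisco IPS configuration syntax. The alert record, the filter class and the sample alerts are constructed for this example, and the placeholder signature id 9999 is not a real Cisco SIGID:

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


# Hypothetical alert record; the field names are this example's, not the sensor's.
@dataclass(frozen=True)
class Alert:
    sig_id: int
    attacker: str   # source IP of the session that fired the signature
    victim: str     # destination IP


@dataclass(frozen=True)
class EventActionFilter:
    """Models the intent of an event action filter: the alert is suppressed when
    the signature id matches and the attacker address is in one of the listed nets."""
    sig_id: int
    attacker_nets: Tuple[ipaddress.IPv4Network, ...]

    def matches(self, alert: Alert) -> bool:
        if alert.sig_id != self.sig_id:
            return False
        src = ipaddress.ip_address(alert.attacker)
        return any(src in net for net in self.attacker_nets)


# RFC 1918 space stands in for "internal networks"; use your own ranges here.
INTERNAL_NETS = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# The filter the signature text recommends: SIGID 5575 from an internal source.
NBT_FILTER = EventActionFilter(sig_id=5575, attacker_nets=INTERNAL_NETS)


def apply_filters(alerts: Iterable[Alert],
                  filters: Iterable[EventActionFilter]) -> Tuple[List[Alert], List[Alert]]:
    """Split alerts into (kept, suppressed) according to the filters."""
    filters = list(filters)
    kept: List[Alert] = []
    suppressed: List[Alert] = []
    for alert in alerts:
        if any(f.matches(alert) for f in filters):
            suppressed.append(alert)
        else:
            kept.append(alert)
    return kept, suppressed


# Constructed sample alerts (203.0.113.0/24 is documentation space, used as "external").
SAMPLE_ALERTS = [
    Alert(5575, "192.168.1.20", "192.168.1.5"),   # internal Windows client: benign
    Alert(5575, "203.0.113.7", "192.168.1.5"),    # external source: worth keeping
    Alert(5575, "172.31.4.9", "192.168.1.5"),     # internal: benign
    Alert(9999, "192.168.1.20", "192.168.1.5"),   # placeholder SIGID: filter does not apply
]


if __name__ == "__main__":
    kept, suppressed = apply_filters(SAMPLE_ALERTS, [NBT_FILTER])
    for a in kept:
        print("keep     ", a)
    for a in suppressed:
        print("suppress ", a)
```

Two of the four sample alerts are suppressed; the one for signature 5575 from an external address survives, which is exactly the residue you want to look at. Keep the filter tied to the signature id so that it never hides other signatures fired by the same internal hosts.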

  • Evaluating Cisco IPS AIP-SSM-10 alongside TippingPoint S330

    Hello all,
    What are your thoughts on this matter? I am also going to be looking at the Palo Alto solution for IPS as well.
    I'm probably going to use the Cisco 4200 sensors if they offer multi-segment like the TippingPoint does.
    I'm looking at protecting the perimeter but NOT replacing my current firewall. The current firewall is the Microsoft TMG.
    I like what I see on the Cisco IPS Express. I've also looked at the CSM for management. It seems that Cisco is a lot more flexible when it comes to editing and managing the signatures.
    Are there similar experiences out there that you would like to share?
    Thanks!
    Kurt

    Both products are pretty strong. But TippingPoint has a much more comprehensive, promptly updated, and well-managed signature base. Both products can monitor multiple segments (terminologies are different).
    A good way to compare is to subscribe to their IPS signature updates and see the difference, I mean both from Cisco and DV Labs.
    BR
    Farrukh
