CSM / ASA IPS -- upstream signature package includes hundreds of retired signatures

When I push new signatures that CSM downloads and applies for me, I get hundreds of retired signatures.  I have tried to wipe the signature policy and create it fresh and anew - it seems as if CSM isn't marking 'new' signatures for application to existing signature configuration files.  The deltas between previous versions do not get applied.
Is this a common occurrence for other people running CSM?

Hi JP,
The signatures need to be enabled and unretired for them to function.
The following FAQ describes this process in detail:
http://www.cisco.com/web/about/security/intelligence/ips_sig_faq.html#2
Hope this is helpful.
Regards
Neil Archibald
IPS Signature Development Team

Similar Messages

  • IPS Signature Database - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM

    Hi,
    Can anyone briefly tell me the signature database details (number of signatures) for the following devices,
    -->ASA IPS/IOS IPS/IPS 42xx/AIP-SSM.
    Thanks,

    IPS on ASA/PIX = just 50 or so common signatures
    AIP-SSM module = same signatures as Cisco 4200 series sensors. Some minor differences exist (such as IPv6 signature support).
    Please rate if helpful.
    Regards
    Farrukh

  • Cisco ASA IPS vs Bruteforce

    Who can help me? I need a device that will block brute-force attacks on our webmail servers: 5 wrong password inputs = block for 10 min, for example.
    Can I use for this Cisco ASA IPS?

    Depending on how your specific webmail server works, perhaps you could use/tune:
    SIG 6256.0 (HTTP Authorization Failure)
    -or-
    SIG 20020.0 (HTTP Authentication Brute Force Attempt)
    Or, create a custom signature based off of one of the above.
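    The threshold the questioner describes (5 authentication failures from one source, then block that source for 10 minutes) is the kind of event-count logic those HTTP auth-failure signatures are tuned for. The following is an added illustration, not Cisco code and not from this thread; the log format and the sample lines are constructed, and a 401 is taken to mean a failed login.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy from the question: 5 failed logins from one source => block for 10 minutes.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
BLOCK_FOR = timedelta(minutes=10)

# Constructed sample webmail access-log lines (hypothetical format:
# "<ISO timestamp> <client ip> <HTTP status> <request path>"). A 401 is taken
# as an authentication failure, as for the HTTP auth-failure signatures.
SAMPLE_LOG = """\
2014-03-01T10:00:01 198.51.100.7 401 /owa/auth.owa
2014-03-01T10:00:03 198.51.100.7 401 /owa/auth.owa
2014-03-01T10:00:05 203.0.113.9 200 /owa/
2014-03-01T10:00:06 198.51.100.7 401 /owa/auth.owa
2014-03-01T10:00:08 198.51.100.7 401 /owa/auth.owa
2014-03-01T10:00:10 198.51.100.7 401 /owa/auth.owa
2014-03-01T10:00:12 198.51.100.7 200 /owa/
2014-03-01T10:20:00 198.51.100.7 401 /owa/auth.owa
"""


def evaluate(log_text):
    """Walk the log in order; return per-line decisions and the block table.

    decisions: list of (timestamp, ip, action) where action is 'allow', 'fail',
    'block' (threshold just reached) or 'dropped' (source is currently blocked).
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent 401s
    blocked_until = {}              # ip -> datetime at which the block expires
    decisions = []
    for line in log_text.splitlines():
        ts_s, ip, status, _path = line.split()
        ts = datetime.fromisoformat(ts_s)
        # An active block drops the request whatever its outcome would have been.
        if ip in blocked_until and ts < blocked_until[ip]:
            decisions.append((ts, ip, "dropped"))
            continue
        if status != "401":
            decisions.append((ts, ip, "allow"))
            continue
        window = failures[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW:   # forget failures older than the window
            window.popleft()
        if len(window) >= FAIL_THRESHOLD:
            blocked_until[ip] = ts + BLOCK_FOR
            window.clear()
            decisions.append((ts, ip, "block"))
        else:
            decisions.append((ts, ip, "fail"))
    return decisions, blocked_until
```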

  • Need help with LAN Architecture - ASA/IPS, and ISR placement

    Dear friends, I am new to the Cisco community, had no previous experience with managed networks and desperately need advice setting up a LAN for my small business. Here is what I did so far:
    ASA with IPS is facing the internet, has a webserver connected to the DMZ and then an ISR on the inside interface. The ISR is used for running CCME/CUE VoIP and VLAN NAT. The switch is connected to the ISR with a trunk interface. I set up multiple VLANs with ACLs to separate engineering/management/sales/fileserver. Inter-VLAN routing is enabled on the switch to allow Gigabit routing from the Fileserver VLAN to the Engineering VLAN.
    I know this is probably overkill for a 4-person company, but my objective is to be ready for possible attacks from both outside and inside and to ensure business continuity and minimal service interruptions.
    My question: would it be more practical to connect the ASA directly to the switch and do VLAN NAT on the ASA instead of the router? This way if the router fails, I lose VoIP but not Internet, and if the ASA fails, I only lose internet, while phones will stay operational. This approach should also let me use the ASA IPS to monitor inter-VLAN traffic, so if one of the user PCs gets infected, hopefully the IPS will contain the damage to a single VLAN.
    What would an experienced network architect do in my case? Any suggestions?
    Please forgive me if I misunderstood something or did something silly, as this is my first network setup (not including household-grade routers).
    Thank you very much in advance!

    Thank you for your response!
    I still keep debating whether it has any advantages to use a router in between the ASA and the switch, or whether I should connect the switch directly to the ASA, so the only function of the router is to run VoIP.
    I saw multiple network diagrams which all had a border router, then ASA, then switches. In my case the router runs VoIP and I would want it to be behind the ASA. Any benefits of running internet traffic through both the ASA and a router?
    For redundancy, we can’t really afford 2nd ASA at this time, for now I would want to make sure there is as little chance as possible that both phones and internet go out simultaneously. 

  • I downloaded trial version of PS CC and then subscribed to the cloud package including PS and Lr. I cannot open PS, it just keeps telling me that the trial has expired. Any suggestions?

    Can anyone help?
    I have subscribed to the cloud package including Ps and Lr after previously downloading the Ps CC trial.
    Cannot open up a newly downloaded Ps, just keeps saying that my trial has expired.
    I have looked online for help but just keep going around in circles.

    Hi gavinjpriest,
    You can license the trial version software with your Adobe ID and activate the software.
    The subscription is linked to your Adobe ID.
    Regards,
    Rave

  • Do packages include all source directory files?

    Simple question... I'm finding some of my images are getting too big. Do packages include ALL files in the source directory? Is it best practice to only include the exact file(s) being accessed by the package?
    Thanks!

    Hi,
    All files in the source directory including subfolders are included, yes. I normally leave everything in there as it is hard to determine exactly which files are used during an installation. It could also be that installing an application on different platforms uses different files, so I would leave them in there.
    regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter @ccmexec

  • WLC IPS custom signature file

    Hi,
    Where can I download the WLC IPS custom signature file? Does WLC support OpenLDAP for user web or 802.1x authentication?
    Best Regards,
    Jackson Ku

    The documentation for 5.1 is located at:
    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a008055de07.html
    I believe the regex you want is:
    [Mm][Aa][Ii][Ll][\t][Ff][Rr][Oo][Mm][:][\x21-\x7E]+[@][Ss][Ee][Xx].[Cc][Oo][Mm]
    The + field allows for any printable characters (but there must be at least 1) in the sender's email address. You should use the SMTP state machine with the SMTP Commands state set, direction to service port 25.
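    Before committing a custom signature regex like the one above, it is worth exercising it against sample command lines. This is an added check, not part of the reply and not Cisco code; the sample lines are constructed, and it assumes that Python's re engine treats the character classes, the `\t` escape, the `+` quantifier and the unescaped `.` the same way the sensor's regex dialect does.

```python
import re

# The regex posted in the reply above, exactly as written there.
SIG_REGEX = r"[Mm][Aa][Ii][Ll][\t][Ff][Rr][Oo][Mm][:][\x21-\x7E]+[@][Ss][Ee][Xx].[Cc][Oo][Mm]"
PATTERN = re.compile(SIG_REGEX)

# Constructed sample SMTP command lines (not from the thread) with the result
# expected from Python's re engine; the sensor's dialect is assumed to agree.
SAMPLES = {
    "MAIL\tFROM:<alice@sex.com>": True,   # tab between MAIL and FROM, as [\t] requires
    "mail\tfrom:alice@SEX.COM": True,     # per-character classes make it case-insensitive
    "MAIL FROM:<alice@sex.com>": False,   # a space is not matched by the class [\t]
    "MAIL\tFROM:alice@sexXcom": True,     # the unescaped '.' matches any single character
    "MAIL\tFROM:@sex.com": False,         # '+' needs at least one printable char before '@'
    "MAIL\tFROM:<@sex.com>": True,        # '<' already satisfies that requirement
}


def matches(line):
    """True when the signature regex fires on the given command line."""
    return PATTERN.search(line) is not None


def check_samples(samples=SAMPLES):
    """Return the sample lines whose result differs from the expectation
    (an empty list means the regex behaves as annotated)."""
    return [line for line, expected in samples.items() if matches(line) != expected]
```

The space-separated line is the one to look at when tuning: an SMTP client that sends `MAIL FROM:` with a space rather than a tab would not fire this signature under these semantics.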

  • I am deciding to get CC for photographers package. I already have Lightroom 5 (I bought this separately a few months ago) The photo package includes Photoshop and Lightroom but I only need Photoshop. Would I get a discount if I only need photoshop? Is thi

    I am deciding to get CC for photographers package. I already have Lightroom 5 (I bought this separately a few months ago) The photo package includes Photoshop and Lightroom but I only need Photoshop. Would I get a discount if I only need photoshop? Is this a possible option?

    There are no discounts. The package is already as cheap as it gets.
    Mylenium

  • Websockets TCP RST through ASA+IPS and ACE

    Hello,
    We recently deployed a new websockets project within our existing web infrastructure. The websockets traffic (like all the rest of the normal web traffic) crosses an ASA + IPS module where I do NAT, and is then forwarded to an ACE load balancer where two real servers are configured in the server farm in active/standby mode (not load balancing) due to the websockets nature. Everything seems to work fine, but sometimes (once every 4 days or so), based upon the server logs, a TCP Reset reaches the application server and brings down the whole application.
    It's clear that this application has a bug, but I would like to avoid that TCP reset as a workaround while the application team fixes the bug, as the go-live is soon. Has anybody faced this issue and can help me find where that supposed TCP reset comes from? I didn't get IPS alerts.
    Server log:
    "Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.    at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)"
    Thanks,
    Miquel

    Hi Miquel,
    A packet capture on the server should show the origin of the TCP RST. If you are NATting the source traffic then take pcaps at the front end of the firewall as well as at the back end, and similarly for the ACE, to see what the origin of the TCP RST is. Normally, it should be from the client if it is received on the server. LBs just forward the traffic to the server, but it depends, and it could be the load balancer resetting the connection. But we don't have any details to be sure. So packet captures would be our best friend here.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • I had iTunes on my last computer. It included hundreds of CDs I had downloaded. Is it gone? Can I retrieve it from somewhere? I would like to get that info onto my new computer. Thx, dave.

    I had iTunes on my last computer. It included hundreds of my CDs that I had downloaded. I would like to get them onto my new computer. Thx, dave.

    No backup obviously, or you wouldn't need to ask.
    Do you still have the last computer? Even if it won't run it might be possible to extract the files from the hard drive.
    Do you have any of this media on an iDevice? If so see this post from forum regular Zevoneer for options on moving your iPod data back to your computer.
    Are you based in US? If so you should be able to redownload your music previously purchased from the iTunes store without being charged again.
    tt2

  • Cisco ASA IPS SSM-10

    Hello,
    I just upgraded one of my Cisco ASA IPS SSM-10 modules from version 7.0 (6) E4 to version 7.0 (7) E4 and the RADIUS authentication stopped working. I use Microsoft 2008 RADIUS and I still have 10 more of these working with version 7.0 (6) E4.
    I used to have the same RADIUS authentication issue with version 6 until we upgraded to ver 7.0 (6) E4, and this latest version screwed up again.
    Does anyone know if there is a RADIUS authentication bug in this latest version 7.0 (7) E4?
    Thank you
    Si

    There is a known issue CSCty46104. However a show-tech log can give more details as to why there was a failure in your case.
    Regards
    Sawan Gupta

  • OOB warning during IPS 4260 signature update via CSM

    Hi,
    During the recent IPS signature updates via CSM, I noticed that there was a warning (below).
    >OOB change detected - Out of Band(OOB)and sensor configuration change happened on device. But you selected to continue deployment in case of OOB. Continuing...
    What is the cause & impact of such an event?
    As I suspected there is a mismatch of configuration, my inline interfaces are no longer applied to the virtual sensor 'VS0'. Could it be due to the mis-synchronisation?
    Appreciate any advice.
    thanks
    cash

    CSM keeps an internal copy of the configuration it last pushed to the sensor.
    Each portion of the configuration has a configToken assigned to it by the sensor. The config token is a base 64 encoding of that configuration portion.
    Each time CSM goes to push a new configuration it will compare the configToken of its previously saved configuration for that sensor against the configToken of the configuration currently on the sensor.
    If the 2 configTokens match, then no configuration change has been made since the last time that CSM pushed a configuration to the sensor. CSM can safely push the new configuration to the sensor.
    If the 2 configTokens do not match, then an Out Of Band (OOB) configuration change has been made to the sensor. This means that the sensor's configuration has been modified by something other than CSM. This may have been a user changing something through the CLI or IDM instead of using CSM.
    In these situations CSM gives you the option of either stopping the push of the new configuration so the detected changes can be imported and evaluated by the user, or to go ahead and push the changes to the sensor.
    If you decide to go ahead and push the changes to the sensor, the outcome of the configuration change is not guaranteed.
    The sensor may wind up merging the OOB changes in with the new configuration from CSM, or the CSM changes may wind up overwriting the OOB changes.
    So telling CSM to push the new configuration even when OOB changes have been detected can be risky and can cause loss of some of your configuration.
    If you will be making changes with CLI or IDM, then it is always best to import those changes into CSM before making further configuration changes in CSM.
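    The token comparison described above, modelled as an added example (this is not CSM's or the sensor's code): the configToken is taken literally as a base64 encoding of each configuration portion, as the reply states, and the portion names and contents are constructed rather than real sensor syntax. The sample reproduces the situation in the question, where the virtual sensor's interface assignment was changed outside CSM.

```python
import base64

# Constructed sample: the per-portion configuration CSM recorded when it last
# pushed to the sensor, and what is on the sensor now. Portion names and
# contents are hypothetical, not real sensor syntax.
LAST_PUSHED = {
    "interfaces": "inline-interfaces pair0 GigabitEthernet0/0 GigabitEthernet0/1",
    "virtual-sensor vs0": "interfaces pair0; signature-definition sig0",
    "signature-definition sig0": "sig 2000 enabled; sig 2004 retired",
}
ON_SENSOR = {
    "interfaces": "inline-interfaces pair0 GigabitEthernet0/0 GigabitEthernet0/1",
    "virtual-sensor vs0": "interfaces none; signature-definition sig0",  # changed via CLI/IDM
    "signature-definition sig0": "sig 2000 enabled; sig 2004 retired",
}


def config_token(portion_text):
    """Model of the configToken described in the reply: base64 of the portion's text."""
    return base64.b64encode(portion_text.encode()).decode()


def detect_oob(saved, current):
    """Compare tokens portion by portion; return the names whose tokens differ.

    A portion present on only one side also counts as a change."""
    names = sorted(set(saved) | set(current))
    return [name for name in names
            if (config_token(saved[name]) if name in saved else None)
            != (config_token(current[name]) if name in current else None)]


def plan_push(saved, current, continue_on_oob=False):
    """Decide what CSM does: 'push' when all tokens agree; otherwise 'stop' so the
    OOB change can be imported and reviewed first, unless the operator chose to
    continue anyway, in which case the outcome for the listed portions is not
    guaranteed (merge or overwrite)."""
    changed = detect_oob(saved, current)
    if changed and not continue_on_oob:
        return "stop", changed
    return "push", changed
```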

  • ASA-SSM-10 Signature Update Errors Messages

    Hello,
    I am getting error messages on ASA-SSM-10 IPS. It has the following configuration:
    Model:   ASA-SSM-10
    Hardware version:   1.0
    Firmware version:   1.0(11)5
    Software version:   7.0(7)E4
    App. version:       7.0(7)E4
    Here are error messages:
    evError: eventId=1334244240891143986  vendor=Cisco  severity=error  
      originator:  
        hostId: sensor 
        appName: mainApp 
        appInstanceId: 357 
      errorMessage: No installable auto update package found on server  name=errSystemError 
    evError: eventId=1334244240891141857  vendor=Cisco  severity=error 
      originator:  
        hostId: sensor 
        appName: mainApp 
        appInstanceId: 357 
      errorMessage: could not parse cisco-locator-server response  name=errSystemError 
    evError: eventId=1334244240891142089  vendor=Cisco  severity=error 
      originator:  
        hostId: sensor 
        appName: collaborationApp 
        appInstanceId: 489 
      errorMessage: A global correlation update failed: Receive HTTP response failed [3,212]
    Messages, like this one, in the category - Reputation update failure - were logged 1 times in the last 105245 seconds.  name=errUnclassified 
    evError: eventId=1334244240891141325  vendor=Cisco  severity=error 
      originator:  
        hostId: sensor 
        appName: mainApp 
        appInstanceId: 357 
      errorMessage: could not parse cisco-locator-server response  name=errSystemError 
    Actually the IPS is doing signature and Global Correlation updates, but from time to time I see these error messages. Do you have any information on what they could indicate?

    Hello Giorgi,
    Sometimes it may be server saturation, other connection problems, proxies and so on. I recommend that you not set the auto-update hour to an exact time, i.e. 2:00 PM or 1:00 AM; try using uneven times like 9:17 or 10:41, and see if you continue getting these errors.
    Mike

  • Cisco ASA IPS Monitor

    Hello
    I have configured the IPS system in my ASA 5520 but I am unable to find out whether my IPS is actually working or not. The only thing I can see is CPU utilization in IDM. Can you please assist me with how I can view the IPS module activity? I have installed IDM & ASDM on my PC.
    thanks.
    Regards
    Mannan

    Please check the Inspection Load via IDM or the IPS CLI (show stats virtual-sensor).
    The "show stats virtual-sensor" output also shows how many packets are being processed, which signatures are firing, etc.
    Regards,
    Sawan Gupta

  • IOS IPS Automatic Signature Update

    I will use cisco1941w.
    I'd like to know, how to configure at CLI and where is the URL.
    Is the below correct?
    CLI
    Router(config)# ip ips auto-update
    Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
    Router(config-ips-auto-update)# url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
    Router(config-ips-auto-update)# username XXX password XXX
    URL
    https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

    Hello,
    A. Here is what the six files do:
    • ios-ips-sigdef-default.xml: contains all the factory default signature definitions
    • ios-ips-sigdef-delta.xml: contains signature definitions that have been changed from the default
    • ios-ips-sigdef-typedef.xml: is a file that has all the signature parameter definitions
    • ios-ips-sigdef-category.xml: has all the signature category information, such as category ios_ips basic and advanced
    • ios-ips-seap-delta.xml: contains changes made to the default SEAP parameters
    • ios-ips-seap-typedef.xml: contains all the SEAP parameter definitions
    B. So the signature file (.pkg) is decompressed into these files and then 'idconf' loads them in memory.
    Hence to copy the signature database of one router to the other, we need to copy at least the first 4 files.
    You only need to distribute the SEAP configuration if you modified any of the Signature Event Action Override configuration:
    We do not have one single file that contains all the signatures.  The signature package is installed in a certain way.
    Hence we will need at least the first 4 files to copy the signature database from one router to the other.
    C. Secondly, I don't know if auto-update will accept a file in .xmz package; I have not tested this.
    But I am guessing it will look for a .pkg file and decompress it.
    With copying a .xmz file, you may have to manually load it into memory using 'idconf' command.
    D. Hence there is no one single configuration file that you copy off the external ftp server.
    I guess, the only thing you can do is to have different routers update signatures at different times to reduce load on the network.
    It is also not necessary to check for signature updates every hour.
    Normal rate of adding new signature releases is every few days, so even if you check around once a day that should be ok.
    Sid Chandrachud
    TAC Security Solutions
    Customer support engineer
