Custom IPS sigs on NGFW (ASA-CX) IPS solution?

Hi folks,
I am trying to determine if it is possible to create custom IPS sigs on the ASA-CX module?  Not the ASA + Legacy IPS combo, but the ASA + ASA-CX (Application Detection, Web Filtering, IPS) combo.
I couldn't find anything in the docs that said this was possible.
Thanks!
Neil

Thank you for your response.  However my question was targeted towards Intrusion Prevention signatures such as the ones found on the traditional IPS units.  I would want the ability to use the various IPS engines such as Atomic IP, HTTP, etc and create sigs that match on things inside the packet, URL string, etc.
Thanks!

Similar Messages

  • Complete IPS Solution

    I just upgraded my network backbone to the 4507r switch using sup IV and netflow cards. I also upgraded my Internet and core routers to the 2821 and 2851 respectively.
    I will also be installing a ASA-5520 w/ csc-ssm-20 module.
    How should I proceed with implementing an IPS solution that will protect my network from the outside world, as well as from other devices on our LAN/WAN environ.
    Our company has 3 remote sites. Two of which are connected to corp via a MPLS network and one is connected to corp via a point-to-point T1.
    What is the Cisco solution to do this?
    Can I use non-Cisco IPS solutions along with Cisco equipment, such as Lancope's StealthWatch XE for Cisco's Netflow?

    Hi... there are several sensors that could cater for your environment based on the amount of traffic you are planning to inspect. As for the location, I suggest placing a sensor behind the firewall (inline between the inside interface of your ASA and the LAN). In that way traffic to/from the LAN will be inspected. Also, if you have Cisco devices such as routers or firewalls at the remote sites, you could further protect them by using the sensor as a device manager; in other words, you can configure the sensor so that in the event of an attack it can push down access-list entries to your remote Cisco devices as well.
    I suggest checking the sensor portfolio, which will provide you with detailed information.
    http://cisco.com/en/US/products/hw/vpndevc/ps4077/products_data_sheet0900aecd801eeea5.html
    I hope it helps ... please rate it if it does !!!

  • ASA5510-AIP10 as Dedicated IPS solution?

    Current setup is: Internet drop-point -> 2 ASA5505-SEC-BUN (primary/failover) -> Switch (multiple VLANs) -> machines
    Can I use an ASA5510-AIP10-K9 as a dedicated IPS solution?
    Can I use it in all modes?  (Promiscuous, Inline, Hybrid)
    I created a few images demonstrating the different setups.  Can I do each setup?  If not, can you briefly explain why?

    Hello Matt!
    To be honest, I do not fully understand what you mean by "dedicated solution".
    In my mind a "dedicated solution" is something that stands apart from the ASA and is independent of it (like the 42xx/43xx/45xx appliances).
    The AIP module is a "built-in" solution rather than a "dedicated" one.
    Judging by your schemas your main aim is to inspect traffic between internet edge and internal network.
    All your scenarios are easy to implement: you will need to use virtual sensors feature on AIM to create two sensors for promiscuous and inline modes.
    On ASA you will need to use MPF to tell ASA which traffic should go to which sensor.
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/modules_ips.html#wp1088096
    If you want to inspect traffic between VLANs that are behind the switch you will need to force traffic flow through the ASA (for example ASA can perform inter-vlan routing).
    PS: Keep in mind that you will need two AIP modules when you use two ASA in failover. Modules also should be identical.

  • How to determine the IPS throughput using Cisco ASA 5500 IPS Solution?

    Hello there!
    I've been designing a solution to protect the Server Farm and I intend to use the ASA 5500 series with the AIP-SSM module. Is there any tool to determine the real throughput that I need? I mean, how do I determine the performance (Firewall + IPS throughput), and what main points should I consider?

    If the server farm is running production levels of traffic today you can get statistics off a variety of networking devices passing the existing traffic. Switches, routers and firewalls all count every byte of traffic they pass. There are plenty of tools that can gather this traffic into tables via SNMP too, such as MRTG.
    Do not average your traffic over too great a time period, or you will miss busy-hour peaks. At most, use 5 min averages.
    - Bob

  • How to use custom IPs in Embedded Linux

    Hello,
    I have designed and implemented two IP cores in Vivado.
    The first is an HLS-implemented block (realized with the Vivado HLS video libraries), with AXI interfaces and connected to a Video DMA. I should send cv::Mat objects to it somehow.
    The second one is a custom designed block which also uses streaming AXI interfaces which is connected with a normal AXI DMA.
    In both cases, I know how to interact with those units in a bare-metal application, using the BSP-provided drivers. But when it comes to Linux/Petalinux, where do I find headers and functions like the ones provided automatically by the standalone (bare-metal) OS?
    Thanks a lot for your help.
    Giorgio

    giorgio.lopez wrote:
    The first is an HLS-implemented block (realized with the Vivado HLS video libraries), with AXI interfaces and connected to a Video DMA. I should send cv::Mat objects to it somehow.
    Compile the VDMA kernel module, which you can find right there
    https://github.com/Xilinx/linux-xlnx/tree/master/drivers/dma/xilinx
    then you need to write your own module to map to this new DMA channel; this has been mentioned in several topics.
    Finally you write a userspace program which opens this channel and sends some data over it.
    giorgio.lopez wrote:
    The second one is a custom designed block which also uses streaming AXI interfaces which is connected with a normal AXI DMA.
    Basically the same thing. I have never used VDMA, but I think it handles 2D data compared to the regular DMA module.
    giorgio.lopez wrote:
    In both cases, I know how to interact with those units on a bare-metal application, using the BSP provided drivers.
    If you are not familiar with kernel modules, you need the hardware address to address the DMA module.
    In bare-metal you accessed those addresses directly, in Linux you address them through virtual addresses mapped to physical addresses.
    A DMA transaction is a little different than regular bus transactions in the sense it allows you not to address each word, the CPU sets the destination address, waits for an end of transfer interrupt, the DMA controller handles the transfer.
    giorgio.lopez wrote:
    Where do I find headers and functions like the ones provided automatically by the standalone (bare-metal) OS?
    You need to use the Linux kernel APIs; in this project you will basically need the DMA API:
    #include <linux/dmaengine.h>
    #include <linux/dma-mapping.h>
    plus learn how to memory map and handle interrupts.
    Relevant Docs:
    The Bible - heavy but I seriously recommend reading it a couple of times to understand key chapters
    Linux DMA API
    Might be of some interest:
    DMA from user space (Xilinx) - great
    DMA in kernel space (Xilinx) - great

  • ARP Poisoning & Cisco IDS/IPS Solutions

    I am trying to find out if someone familiar with Cisco's IDS/IPS (network and/or host-based) solutions can tell me if the product(s) can identify and/or prevent ARP poison routing attacks. If so, does it require customizing signatures, or are there out-of-the-box detection signatures?
    Thanks for any information

    There are some. Go here and do a search for "arp":
    http://tools.cisco.com/security/center/search.x?search=Signature
    Perhaps it goes without saying, but remember that the sensor has to see the relevant layer 2 traffic for these to work.

  • Customizing a Sig 3171

    I need some help on customizing sig 3171, FTP privileged login. I would like that once this sig fires a certain number of times it will block the host. I have my device set up for blocking and I thought I had this sig cloned correctly to block the host after a certain number of events, but this sig is still firing from the same host well past the desired number. I don't really want to block this after the first event in case there is any legitimate traffic.
    Any advice or direction is appreciated.
    Thanks

    On this signature, you need to look at the following fields:
    Event Count
    Event Count Key
    Alert Interval
    Event Action
    By configuring the following event counter fields, you specify how many instances of the signature's traffic are required to cause an alert:
    Event Count - Here you can specify, let's say, 5.
    Event Count Key - Here you can specify Attacker Address.
    Alert Interval - You may leave this blank or, let's say, specify 20 seconds.
    Event Action - Specify Produce Alert + Request Block Host
    The Event Count field identifies how many instances of the signature's traffic need to occur before an alert is generated. So with the above values defined, if a specific host hits the command 5 times within 20 seconds, an alert will be generated and the host will be blocked on the blocking device.
    By specifying an Alert Interval, you indicate the time period (in seconds) over which the sensor must see the number of instances of the intrusive traffic equal to the Event Count in order to generate an alert. For instance, if the Alert Interval is set to 20 and the Event Count is 5, then the sensor must see five instances of the signature's traffic in 20 seconds before it generates an alert. At the end of the alert interval, the instance count is reset to 0.
    You can also configure a signature without an Alert Interval parameter. In that situation, an alert is generated when the instances of the signature's traffic reach the Event Count, regardless of the time interval.
    Please make sure that signature is configured accordingly. If it is then we need to start looking into other domains.
    Regards,
    Vibhor.
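    The Event Count / Event Count Key / Alert Interval behaviour described above, modelled as an added example (not Cisco code) so a tuning can be checked against constructed login events: the count is keyed by attacker address and resets to zero at the end of the alert interval; the assumption that counting starts over once an alert has fired is mine, not the answer's.

```python
"""Added example: simulate a Cisco IPS signature's event-count tuning.

Models the Event Count, Event Count Key (attacker address) and Alert Interval
fields from the answer above. Not Cisco code; the reset-after-alert behaviour
is an assumption, everything else follows the answer's description.
"""


class EventCounter:
    def __init__(self, event_count, alert_interval=None):
        self.event_count = event_count        # instances needed before an alert
        self.alert_interval = alert_interval  # window in seconds; None = no window
        self.windows = {}                     # attacker -> (window_start, count)

    def observe(self, attacker, ts):
        """Record one instance of the signature's traffic at time ts (seconds).

        Returns True when this instance reaches the Event Count, i.e. when the
        configured Event Action (Produce Alert + Request Block Host) would run.
        """
        start, count = self.windows.get(attacker, (ts, 0))
        # At the end of the alert interval the instance count is reset to 0.
        if self.alert_interval is not None and ts - start >= self.alert_interval:
            start, count = ts, 0
        count += 1
        if count >= self.event_count:
            # Assumption: counting starts over once the alert has fired.
            self.windows.pop(attacker, None)
            return True
        self.windows[attacker] = (start, count)
        return False


def alert_times(events, event_count, alert_interval=None):
    """Return the timestamps at which the signature would alert for the given
    (attacker, timestamp) events under one tuning."""
    counter = EventCounter(event_count, alert_interval)
    return [ts for attacker, ts in events if counter.observe(attacker, ts)]


# Constructed sample: 10.0.0.5 attempts five privileged FTP logins within 12 s,
# 10.0.0.9 attempts five logins spread 30 s apart.
EVENTS = [("10.0.0.5", 0), ("10.0.0.9", 0), ("10.0.0.5", 3), ("10.0.0.5", 6),
          ("10.0.0.5", 9), ("10.0.0.5", 12), ("10.0.0.9", 30), ("10.0.0.9", 60),
          ("10.0.0.9", 90), ("10.0.0.9", 120)]

if __name__ == "__main__":
    # Event Count 5, Alert Interval 20 s: only the burst from 10.0.0.5 alerts.
    print(alert_times(EVENTS, 5, 20))      # [12]
    # Event Count 5, no Alert Interval: 10.0.0.9 alerts on its fifth login too.
    print(alert_times(EVENTS, 5, None))    # [12, 120]
    # Alert Interval shorter than the burst: the window resets before the
    # count reaches 5, so the host is never blocked.
    print(alert_times(EVENTS, 5, 10))      # []
```

    The third case is the one to check when a cloned signature never blocks: an interval shorter than the attacker's burst keeps resetting the count.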

  • IPS solution in 2821

    Hi All,
    We are trying to deploy IPS inline in software on 2821 routers. The objective is to demonstrate to ourselves the deployment of IPS functionality on these routers and to test it to verify that it works.
    We are thinking that if we understand it well ourselves, it may be deployed in our network wherever appropriate.
    If somebody could help us by pointing to a valid resource, or even suggest the way to proceed, it would be greatly appreciated.
    Currently we tried enabling IPS inline on this router and configured it to send any trigger logs to a syslog server. We want to test whether it works. Also, whenever we reboot the router, the signature associated with the interface gets removed. Any suggestion on this would be hugely appreciated.
    Thanks
    Regards
    Anantha Subramanian Natarajan

    Please have a look at this:
    http://www.cisco.com/en/US/products/ps6634/products_configuration_example09186a008097dbe8.shtml
    Regards
    Farrukh

  • Need a lot of custom JComponents, but Java just too 'slow', other Solution?

    Hi folks,
    First of all, I'll try to explain my problem (although my English is quite bad).
    We're programming a tool for visualising graph algorithms (DF search, strongly connected components, transitive reduction etc.). For that, we have a drawing area (derived from JLayeredPane) which contains the Nodes and the Edges of a graph (for all who don't know what a graph is, just imagine these nodes as numbered circles, and the edges as directed lines from one node to another).
    Both parts (Nodes and Edges) are derived from JComponent, because a) we need MouseEvents on these Components and b) we need the ability to add them to a container (like JLayeredPane).
    An absolute requirement is that you can directly click on the edges (to mark them, delete them etc.).
    Another point which needs to be mentioned: the edges maintain an (invisible) polygon which lies around their line; this polygon is sensitive to mouseEvents.
    Now there are two main problems:
    * All these edges have (due to JComponent) possibly huge invisible rectangles (the only thing that really matters is the line from one corner of this rectangle to the other)... so if I have, let's say, a graph with 10,000 edges, there are a lot of edges that overlap (nearly 10,000 :) )... but only the Edge object on top receives the MouseEvent (but perhaps the user wanted to click an edge that lies below the top edge!). At the moment, the program looks at all edges below the one which received the MouseEvent and checks whether the mouse click hits a polygon; if it does, the top edge dispatches the MouseEvent to that edge. (Furthermore, due to the depth order in a Layer of a JLayeredPane, we only need to look at the edges that are really below the edge that received the mouseEvent.)
    This all works great for 'small' numbers of edges (approximately 1000-2000), but with a rising number of edges this approach gets slower and slower (it takes 1-3 seconds to evaluate a single mouse click on a Sun Ultra 5/333).
    * The bigger problem is that if I have 10k+ JComponents in a Container, Java gets really slow; just adding these 10k JComps (to the JLayeredPane) takes some minutes?! Furthermore Java consumes up to 200+ MB main memory in this situation.
    One solution we are currently thinking about is to implement these edges as 'pure graphics' objects (for example the Container just draws all edges). This probably solves problem #2, but #1 gets even worse (no depth order, some more coordinate hassle).
    So, I hope someone can give me a hint for this problem, or someone has had a similar problem before and has a good solution? (If the problem isn't clear, just ask.)

    I worked on an application once that had a similar structure to yours, but we were only scaling up to about 1000-2000 components. The problem that we identified (and that you have, no doubt, also identified) is that you are searching all of the child components on every hit test/overlap test. What we did was to subdivide our outermost container so that it had a couple of dozen children, each of which then parented some of the original child components: this cut our search space for every hit test dramatically. We had the advantage of having collections of child components that we knew would not overlap, so our first-level containers did not overlap -- you may need your first-level containers to overlap, but even with this, you'll still be able to much more quickly identify components in the immediate region that should be checked individually.

  • IOS IPS - Sig 4050 UDP Bomb apparent false alarms?

    Hi,
    I'm trying the IOS IPS solution out in a lab environment and I seem to be getting lots of false alarms on sig 4050 - UDP bomb. Looking at the signature description via go/mysdn, and looking at its configuration on the router via SDM, I can see it is simply looking for small UDP packets. But I don't know what size (the parameter is named ShortUDPLength and it's set to True).
    All NTP traffic kicks off this signature. Using Ethereal to capture the NTP exchange, I see that the communication in each direction is a single packet. The layer 2 frame length is 90 bytes. The UDP data length is 56 bytes. All of this seems fine. The NTP server is a Cisco router. The NTP client is running on a Windows 2000 workstation.
    Also, any TFTP to/from the router with IPS enabled also triggers the alert. Specifically it is the ACKs from the TFTP server that trigger the alert. They are indeed small packets - the UDP data size is only 12 bytes.
    Note, this same traffic does not cause alerts from a 5.0 IPS sensor. Looking at the signature definition on the sensor, it doesn't have a parameter named ShortUDPLength. Instead it has a parameter named udp-length-mismatch which is set to true. This doesn't seem to be keying off a particular data size, but instead conflicting reports in the UDP header compared to the actual packet size.
    Any information that anyone could provide to shed light on this subject would be appreciated. Such as:
    1) Do you find that IOS IPS sig 4050 false alarms are common?
    2) What is the UDP data length that triggers the alert? It has to be bigger than 90 bytes!
    3) Does Cisco have any recommendations on what to do with this built-in signature?
    Thanks,
    KEP

    On the sensor appliance side, udp-length-mismatch checks for discrepancies between the IP header length and the UDP length of the packet. You were dead on: the signature triggers when the UDP length specified is less than the IP length specified. I'm not positive of exactly what the IOS ShortUDPLength parameter is.
    You provided some valuable information in that the same traffic doesn't trigger the alerts on the appliance, so we know that this is not the signature, but rather the implementation of it in IOS.
    I'm taking a bit of a leap here not knowing what IOS version you are running, but I'm guessing you may be running into CSCeh32935. The title states multicast, but the bug is not limited to just multicast traffic. This affects some 12.3T releases and early 12.4. Looks like 12.4(2)T or higher has fixes implemented.
    Since you're in a lab environment, I'd go ahead and upgrade the IOS on the router and see if that doesn't resolve the issue. If it's still there, open up a TAC case, and they'll be able to recreate the issue and file a new bug if necessary.
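    The udp-length-mismatch check as the answer describes it, run over constructed packets with the sizes the question reports, as an added example that is not Cisco code: the NTP and TFTP ACK packets are small but consistent, so only a packet whose UDP length field is smaller than what the IP header implies is flagged. The IOS ShortUDPLength parameter, whose meaning the answer leaves open, is not modelled.

```python
"""Added example: the udp-length-mismatch check described in the answer above,
run over constructed packets. Not Cisco code; the check compares the UDP
header's length field with the datagram length implied by the IPv4 header and,
as the answer states, fires when the UDP length is the smaller of the two.
"""
import struct

ETHERNET_HEADER_LEN = 14
IP_PROTO_UDP = 17


def build_ipv4_udp(payload, udp_length=None, sport=123, dport=123):
    """Constructed IPv4 + UDP packet (starting at the IP header, checksums zero).

    udp_length overrides the UDP length field so a mismatching packet can be built.
    """
    total_length = 20 + 8 + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, total_length,       # version/IHL, TOS, total length
                            0, 0, 64, IP_PROTO_UDP, 0,   # id, flags/frag, TTL, proto, csum
                            bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp_len = 8 + len(payload) if udp_length is None else udp_length
    udp_header = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_header + udp_header + payload


def udp_length_mismatch(packet):
    """True when the UDP length field is smaller than the length the IP header
    says the UDP datagram occupies (total length minus IP header length)."""
    ihl = (packet[0] & 0x0F) * 4
    total_length = struct.unpack_from("!H", packet, 2)[0]
    if packet[9] != IP_PROTO_UDP or len(packet) < ihl + 8:
        return False
    udp_length = struct.unpack_from("!H", packet, ihl + 4)[0]
    return udp_length < total_length - ihl


def frame_length(packet):
    """Layer 2 frame size as a capture tool would report it (Ethernet header added)."""
    return ETHERNET_HEADER_LEN + len(packet)


# Constructed traffic matching the sizes reported in the question:
# an NTP packet (48-byte NTP message, UDP length 56, 90-byte frame) and a
# TFTP ACK (4-byte ACK, UDP length 12).
NTP_PACKET = build_ipv4_udp(bytes(48))
TFTP_ACK = build_ipv4_udp(bytes([0, 4, 0, 1]), sport=69, dport=50000)
# Constructed mismatch: IP header implies 56 bytes of UDP, UDP header claims 40.
MISMATCH = build_ipv4_udp(bytes(48), udp_length=40)

if __name__ == "__main__":
    for name, pkt in [("ntp", NTP_PACKET), ("tftp-ack", TFTP_ACK), ("crafted", MISMATCH)]:
        print(name, frame_length(pkt), udp_length_mismatch(pkt))
```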

  • Cisco IPS - IOS vs Appliance vs ASA vs IDSM2

    Hello CSC
    I am trying to find information on performance of the various IPS implementation options.
    In short, I've been asked to enable IPS on our 2 ISP routers, 7206VXR (NPE-G1), one with a 45 Mbps connection, the other with 100 Mbps; the LAN interface for both is 1 Gbps. In addition, we have some internal WAN networks, so we would like to secure this perimeter using IDSM2 in a 6509.
    I have some doubts that using IOS IPS on each device will be able to cope with the load, with efficient throughput.
    I found this info:
    ASA - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/data_sheet_c78-459036_ps4077_Products_Data_Sheet.html
    IPS Appliance - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps9157/product_data_sheet09186a008014873c_ps4077_Products_Data_Sheet.html
    Does anyone have any similar stats for IOS IPS and IDSM2, or better still a comparison of all IPS solutions?
    Help appreciated.
    Thanks all
    Phil

    Here is a little info.
    http://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/prod_presentation0900aecd806ccf26.pdf

  • Using IPS 6.3 customized signatures in CS MARS

    A client has a Cisco IPS 6.3 module installed in a Catalyst 6500, *with fully customized signatures* which generate thousands of alerts clearly visible in its IPS Event Viewer.
    MARS is pulling info from that IPS, but the customized signatures do not appear in any Incident. Is it possible for MARS to pull all those customized signatures?
    Thanks in advance

    The first step is to get MARS to parse the event. The next step is to create the necessary inspection rules.
    You can start here:
    http://ciscomars.blogspot.com/2008/03/custom-ips-signatures-with-cisco-mars.html

  • IOS IPS Sig Updates

    It seems like whenever there is an IDS sensor/appliance update for defending against the latest virus/worm, there is no update for IOS IPS signatures.
    Case in point - on June 3 there was an IDS update for W32/Bobax.worm.o, S174. The IOS IPS zip file as of today is S169 from May 25. What gives?
    Also, why aren't there any release notes for the IOS IPS zip files to document what was added? That way we can read them to judge whether we need to download the zip file or not.

    There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
    Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
    SC

  • IOS IPS SIG Updates via IDSMDC

    When using IDSMSC to push out updates for Sensors and IOS IPS devices, the signature update process pushes the updates to the sensors during the update process. However, the IOS IPS devices pull their signature definitions from the server itself.
    So my question is, do you need to "Generate" and "Deploy" to all IOS IPS devices to ensure the devices are updated with the latest signature definitions after the update?
    SHM


  • How to order IPS Svc for ASA5515-K8 and L-ASA5515-IPS-SSP=?

    Hello!
    I have got ASA5515-K8 and IPS license L-ASA5515-IPS-SSP= ordered separately.
    What SMARTnet should I order to enable IPS signature updates?
    I tried to order SU1 smartnet for ASA5515-K8, but Product ID ASA5515-K8 is not mapped to SU1 service.
    Thank you!

    Hello Andy,
    Here is the information you are looking for:
    Cisco Services for IPS
    Cisco Services for IPS is an integral part of the Cisco ASA 5500-X Series IPS Solution and enables operators to receive time-critical signature file updates and alerts. Part of the Cisco Technical Support Services portfolio, Cisco Services for IPS allows your Cisco ASA 5500-X Series IPS Solution to stay current on the latest threats so that malicious or damaging traffic is accurately identified, classified, and stopped. Cisco Services for IPS features include:
    ● Signature file updates and alerts
    ● Registered access to Cisco.com for online tools and technical assistance
    ● Access to the Cisco Technical Assistance Center
    ● Cisco IPS software updates
    ● Advance replacement of failed hardware
    For more information about Cisco Services for IPS, visit
    http://www.cisco.com/en/US/products/ps6076/serv_group_home.html.
