IDS-4210 picks up what IPS-4240 misses, strange duplex/interface problems

I just installed an IPS-4240 inline on our primary internet inbound connection. I decided to leave the 4210 in place for a week or two while I tuned the signatures. It is receiving a SPAN of the same traffic that the 4240 is receiving.
I noticed today that the 4210 is picking up sig 3250 and the 4240 is not. The first thing I did was check that the 4240 has this signature enabled, and it does. Anyone have any thoughts? BTW, all sensors are on the same version, 5.1.1, running S211 and managed through VMS.
I would also like to mention that I had issues on the 4240 and its interfaces. Management runs only at half duplex, and so do the interfaces that connect to our PIX. I ended up having to put a switch between the 4240 and the PIX 515E to solve the duplex issues.
Anyone have any thoughts on this part?

I had the same duplex problem with my 4240 sensor connecting to my PIX. The only way I could get it to work without errors was to set both the sensor and the PIX interfaces to auto/auto. I worked with Cisco on this problem. No resolution, just the workaround. As far as sig 3250 goes, IPS and IDS signatures may be a little different. I assume you SPAN from the inside and run your inline sensor outside your firewall? If this is the case, then the 4240 sensor may see different traffic than the 4210.

Similar Messages

  • Upgrading IDS 4210 from 4.1 to 5.2

    I received the S253 sig update notification yesterday and for the first time it appears the text indicates that I can upgrade my IDS 4210 to the 5.2 version needed to have continued sig support. What is the upgrade path? What do I need to order? Every time I use the PUT it only shows me the upgrade package for my current 4.1 version. I think I would much rather upgrade my current sensor than spend $$$ on purchasing a whole new one. Thanks.

    Just to add a little more information.
    The IDS-4210 has been end-of-saled, but is not yet end-of-life.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_eol_notice09186a008032d508.html
    The IDS-4210 IS capable of running IPS version 5.1 software and will continue to receive signature updates as long as IPS 5.1 signature updates continue to be created.
    No date has yet been announced for when IPS 5.1 signature updates will stop, but I would expect no less than 18 months from now.
    An IPS Service Contract and associated Signature Update License is required for installing signature updates in IPS 5.1.
    If you already have an IPS Service Contract then you can upgrade to 5.1 and request the associated License for your sensor.
    (NOTE: A Service Contract has always been required for the installation of signature updates, but was previously not enforced by software. It is now being enforced by the IPS 5.1 software through the use of the License received through the Service Contract)
    As for memory requirements. The following is stated in the 5.0(1e) Readme file:
    - 512 MB of RAM memory on the IDS-4210, IDS-4210-K9, and IDS-4210-NFR (NOTE: this upgrade is no longer available as the IDS-4210-MEM-U= part has been end-of-saled).
    If you previously upgraded to 512MB then you are fine.
    If not, you would need to open the IDS-4210 and determine what the memory part number is and attempt to purchase additional memory matching that part number from any vendor that you can find (it does not have to have been specifically sold by Cisco, but it should match the part number of the memory already in the system). The memory is no longer being manufactured, so Cisco was no longer able to sell that part.
    You should NOT attempt to install 5.0 or 5.1 on a sensor running only 256MB of memory. The sensor will never run properly.
    Specific upgrade files to use:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    IPS-K9-maj-5.0-1e-S149.rpm.pkg
    IPS-K9-min-5.1-1g.pkg
    IPS-K9-sp-5.1-3.pkg
    If you do not already have an IPS Service Contract for your sensor, then you need to contact your Cisco Sales Representative. The last day you could have purchased a new service contract for the IDS-4210 was back on December 6, 2004.
    Your Cisco Sales Representative may be able to give you a discount on upgrading your IDS-4210 to a newer IDS-4215.

  • IPS 4240 - additional card

    Hi,
    Does anybody know when 4xFE cards for the IPS 4240 will be available (for a total of 8 interfaces)?
    Regards,
    Krzysztof

    Cisco IDS 4250 is supported in version 5.0 Inline if the 4FE, Gig TX PCI card, two of the SX PCI cards, or the XL card is installed. Cisco IPS 4240 is supported in version 5.0, Inline supported (it has four sensing interfaces). IPS 4255 is supported in version 5.0, Inline is supported (it has four sensing interfaces). IDSM-2 is supported in version 5.0, Inline supported (it has two sensing interfaces).
    http://www.cisco.com/en/US/netsol/ns498/netqa0900aecd8029e8de.html

  • I think I found a bug/bad design - what am i missing?

    Hi Edwin and the team,
    This is my first post as I'm sinking my teeth into the PM Server and Designer. We're considering using the BPEL technology in a BIG way. And I think it's very cool, as the Web Services-based EAI delivers a cost-effective and non-proprietary solution!
    Let me describe to you what I believe is a bug or a dubious design. In the Designer, File>New>Oracle BPEL Project creates a new project with a file bpel.xml. For example, look at your CreditFlow sample. In that file there is <partnerLinkBinding name="..."> <property name="wsdlLocation"> http://<host name of the WSDL host server>/....
    When the partner WSDL is hosted on the localhost, that <host name> in the line above is the name of my machine instead of 'localhost'. Then <project name>.bpel validation crashes when you're in the off-line (disconnected) mode or connected via a VPN gateway (since obviously you think you don't need a proxy because everything is local). But even if it works inside the LAN I think it's a bad design; since it's generated automatically by Designer, the developer doesn't have a clue what's wrong when he/she needs to debug your code. The Designer should stick 'localhost' in there instead of the name of my computer on the network.
    Here is how I spotted it. I generated your CreditFlow sample in the Quick Start Tutorial. I went by the book, compiled the CreditFlow.bpel and it crashed! The book did not say it was supposed to crash. The book said everything should be hunky dory. The Validator printed a message: "connection timeout...." Since I'm new to BPEL it took me a while to figure out, and once I stuck 'localhost' in the right place in bpel.xml everything worked. Again, I was running everything on localhost.
    If I helped you guys - great or what am I missing here?
    The problem is that if my company decides to convert the Biz Analysts into BPEL modelers how could a BA figure out the solution to the problem like this? He/She would just give up and tell the Technologists (us) that this is a bad product.
    Thanks,
    Greg
    P.S. What happened to Doron Sherman (CTO) and the old Collaxa folks? He is not listed in the ORCL directory. For those who don't know BPEL Server and Designer were developed by Collaxa and ORCL bought that company last year.

    Hi Gregory,
    I think that the problem you are reporting is a proxy configuration error. There are 2 places where you need to configure the proxy: in the obsetenv.bat and in the eclipse>windows>preferences>BPEL Designer.
    If the server is up and the proxy configuration is correct, you should not receive a timeout error.
    Let me try to explain why it is not possible/desirable to have localhost: the URL is generated by the server when it generates a WSIL list of the processes deployed on the server. The server does not know if the client requesting this list is local or remote, which is why it uses the real host name (otherwise a remote client would not be able to connect to the service).
    One additional note: the tool is not currently targeted at business analysts (unless they have some development background). BPEL entails some inherent complexity: parallel processing, async interactions, exception management, WSDL, XML Schema, transformation. So although we are working hard on continuously simplifying the implementation and increasing the productivity, we are still targeting application developers.
    I hope this helps.
    Edwin

  • TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

    I would like to block TeamViewer in my network. We are using a Cisco IPS 4240 in IDS mode. I found that there are signatures for TeamViewer in the latest signatures.
    We have only configured a promiscuous interface. I read that we can issue TCP resets through the promiscuous interface as well (the recommendation is a dedicated TCP reset interface).
    However, in my case I found that the signatures for TeamViewer are not getting fired even after successful TeamViewer connections.
    I am a beginner in IPS; any inputs will be valuable for me.

    We're talking about sigs 15002-0, -1, -2 here. They are shipped disabled and retired by default, so you'll want to enable and activate them.
    For these, the signature settings are not hidden, and what they look for is pretty clearly documented in the sig description.
    -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
    -1 looks for specific traffic to TCP port 5938, which would indicate TeamViewer's direct-connection method.
    -2 looks for traffic indicating use over HTTP when TeamViewer is configured to use a proxy.
    TCP resets are a best-effort response; they aren't going to be a 100% effective stop.
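    The three checks the answer above describes, re-created as an added example over constructed log records (this is not Cisco's signature code and not from the original thread). The port 5938 test comes from the answer; which DNS names and which proxy requests the real 15002-0 and 15002-2 signatures match is not stated on the page, so this example assumes "any name under teamviewer.com" for both, and it records per hit whether a reset-tcp action could even apply, since the DNS check is on UDP.

```python
"""Toy TeamViewer detector mirroring sigs 15002-0/-1/-2 as described above.
Added example, not Cisco code. Domain and proxy heuristics are assumptions."""
from dataclasses import dataclass

TEAMVIEWER_PORT = 5938                 # from the answer: 15002-1 direct connection
TEAMVIEWER_DOMAIN = "teamviewer.com"   # ASSUMPTION: page does not name the DNS labels


@dataclass
class Record:
    kind: str          # "dns", "tcp" or "http"
    src: str
    dst: str
    dport: int = 0
    detail: str = ""   # DNS qname for "dns", HTTP request line for "http"


def _is_tv_name(name: str) -> bool:
    """True for teamviewer.com or any label below it (case-insensitive)."""
    name = name.rstrip(".").lower()
    return name == TEAMVIEWER_DOMAIN or name.endswith("." + TEAMVIEWER_DOMAIN)


def host_from_request(request_line: str) -> str:
    """Pull the target host out of a proxy-style request line:
    'CONNECT host:443 HTTP/1.1' or 'GET http://host/path HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    target = parts[1]
    if "://" in target:
        target = target.split("://", 1)[1]
    host = target.split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def classify(rec: Record):
    """Return (signature id, reset_applicable) or None for a non-matching record.
    reset_applicable is False where a reset-tcp-connection action cannot help."""
    if rec.kind == "dns" and _is_tv_name(rec.detail):
        return ("15002-0", False)      # DNS lookup is UDP: a TCP reset does nothing
    if rec.kind == "tcp" and rec.dport == TEAMVIEWER_PORT:
        return ("15002-1", True)
    if rec.kind == "http" and _is_tv_name(host_from_request(rec.detail)):
        return ("15002-2", True)       # resetting the proxy session is best effort
    return None


def scan(records):
    """Run every record through classify() and return the alert tuples."""
    alerts = []
    for r in records:
        hit = classify(r)
        if hit is not None:
            alerts.append((hit[0], r.src, r.dst, hit[1]))
    return alerts


# Constructed sample traffic (not captured data).
SAMPLE = [
    Record("dns", "10.0.0.5", "10.0.0.2", 53, "master1.teamviewer.com"),
    Record("tcp", "10.0.0.5", "198.51.100.9", TEAMVIEWER_PORT),
    Record("http", "10.0.0.5", "10.0.0.8", 3128, "CONNECT ping3.teamviewer.com:443 HTTP/1.1"),
    Record("dns", "10.0.0.6", "10.0.0.2", 53, "www.example.com"),
    Record("tcp", "10.0.0.6", "198.51.100.9", 443),
]

if __name__ == "__main__":
    for sig, src, dst, resettable in scan(SAMPLE):
        print(f"{sig} {src} -> {dst} reset_possible={resettable}")
```

    Even for the two TCP-based hits, a sensor in promiscuous mode only races the real stream with forged RSTs after the first matching packet has already been forwarded, which is the "best effort" caveat in the answer; an inline deployment with a deny action is the only way to drop the session itself.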

  • I cannot pick up Mail on my IPad2 from my Virginmedia account. My IPhone works fine. What am I missing?

    I cannot pick up Mail on my IPad 2 from my Virginmedia account, but my wife's IPhone (set up the same way) works fine. What am I missing?

    More specifically, it says it cannot communicate with the outgoing mail server.

  • New to IPS 4240 - What else can I use to manage it?

    I have just purchased a Cisco IPS 4240 and have it up and running. I have been using the IEV to view IPS information and that works OK. The VMS 2.2 that came included with the IPS will not work with the current CiscoWorks (LMS 2.5) installation that we have.
    My question is, is there any other tool besides the IEV and the VMS 2.2 that I can use to manage/monitor my IPS? The IEV seems so limited.
    I have downloaded the newer VMS from the Cisco site and am planning to test that this coming week, but wanted to know ahead of time if I needed to waste my time with this tool or not.
    Thanks!

    The latest CS-MARS release is promising, and honestly the netForensics solution offered by Cisco probably wouldn't be a good fit for the OP, but I think Cisco needs to rethink pushing MARS in lieu of everything else. As a previous customer of netForensics, and now a user of CS-MARS... there are definitely many things that netForensics does better than CS-MARS.
    My biggest beef with CSMARS is the seemingly casual way in which it treats time and "raw messages". IMHO, these should be sacred to any SIM. I can elaborate, but for the sake of brevity I'll just give a couple examples:
    The signature name reported in the "raw message" that MARS makes available is not always correct. Also, custom signature events report as "unknown" in the "raw message". Clearly this is not a "raw message" by any reasonable interpretation...MARS is writing bits that never existed in the original message.
    The event contextual information is very often truncated. If you rely on this a great deal, then MARS probably isn't for you. There's also no interface for decoding it, requiring a cut-and-paste into your favorite decoder.
    Believe me, I could go on. On the bright side, the MARS is showing promise...I was able to cross off my list quite a few issues after the latest upgrade.
    Matt

  • IPS 4240 Inline deployment.

    Hi,
    I am trying to deploy an IPS 4240 with software version 4.1. My query is, will this version support inline prevention? If yes, what are the deployment and sensor interface configuration considerations? I believe the new 5.0 version supports this feature, but the documentation on v4.x is not clear.
    Thanks in advance.
    Ajay Dand

    Inline is implemented in software version 5.0.
    The upgrade image is available at:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    All IPS software is available at:
    http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/

  • IPS 4240 software 6.2(3)E4

    Hello!
    I have an IPS-4240 sensor which runs IPS software 6.2(3)E4. Right now we haven't got a license.
    With the device we have almost 100% CPU usage all the time:
    show statistics host
    General Statistics
       Last Change To Host Config (UTC) = 27-Dec-2010 14:51:19
       Command Control Port Device = Management0/0
    Network Statistics
    Memory Usage
       usedBytes = 1426128896
       freeBytes = 558419968
       totalBytes = 1984548864
    Summertime Statistics
       start = 02:00:00 UTC Sun Mar 27 2011
       end = 03:00:00 UTC Sun Oct 30 2011
    CPU Statistics
       Usage over last 5 seconds = 100
       Usage over last minute = 100
       Usage over last 5 minutes = 100
    Memory Statistics
       Memory usage (bytes) = 1426128896
       Memory free (bytes) = 558419968
    From the service account I see that only one process eats CPU - mainApp.
    I even created an additional virtual sensor vs1 where I have disabled all signatures. It gave me no result.
    The situation changes for a while after the sensor's reboot, but not for long.
    show interfaces doesn't show a lot of input traffic either.
    The event log contains only the following warning:
    evError: eventId=1293461883161643337 severity=warning vendor=Cisco
      originator:
        hostId: XXXXXX
        appName: notification
        appInstanceId: 409
      time: 2011/01/19 15:22:56 2011/01/19 21:22:56 GMT+06:00
      errorMessage: name=errWarning - the subscription lost data [IdsEventStore::readSubscription()]
    What can the problem be? How can I reduce CPU usage?
    With hope to resolve the issue.

    It would be difficult to pinpoint what the exact issue is with the high CPU just from the information provided in the post. It seems that mainApp is causing the high CPU; however, it is worth investigating further. I would suggest that you log a Cisco TAC case so further investigation can be performed.
    Alternatively, you can try to upgrade the software to the latest version, 7.0(4)E4, which has engine improvements.
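    A small parser for the `show statistics host` output quoted in the question, added here as an example (not Cisco code, not from the thread) so the figures can be checked from a collected file instead of by eye. The sample text is a copy of the values posted above; the 90% threshold and the "all three CPU averages pegged" rule are assumptions, not anything the sensor itself enforces.

```python
"""Parse Cisco IPS `show statistics host` output and flag sustained high CPU.
Added example, not Cisco code. Threshold/rule below are assumptions."""

# Constructed sample: the figures the poster showed above, trimmed to the
# sections this parser cares about. Section names start in column 0; values
# are indented "key = value" lines.
SAMPLE_OUTPUT = """\
General Statistics
   Last Change To Host Config (UTC) = 27-Dec-2010 14:51:19
   Command Control Port Device = Management0/0
Network Statistics
Memory Usage
   usedBytes = 1426128896
   freeBytes = 558419968
   totalBytes = 1984548864
Summertime Statistics
   start = 02:00:00 UTC Sun Mar 27 2011
   end = 03:00:00 UTC Sun Oct 30 2011
CPU Statistics
   Usage over last 5 seconds = 100
   Usage over last minute = 100
   Usage over last 5 minutes = 100
Memory Statistics
   Memory usage (bytes) = 1426128896
   Memory free (bytes) = 558419968
"""


def parse_host_stats(text: str) -> dict:
    """Return {section: {key: value}}; purely numeric values become ints."""
    stats = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = section header
            section = line.strip()
            stats.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue                          # stray value before any header
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        stats[section][key] = int(val) if val.isdigit() else val
    return stats


def cpu_load(stats: dict) -> tuple:
    """(5 s, 1 min, 5 min) CPU usage percentages."""
    cpu = stats["CPU Statistics"]
    return (cpu["Usage over last 5 seconds"],
            cpu["Usage over last minute"],
            cpu["Usage over last 5 minutes"])


def sustained_high_cpu(stats: dict, threshold: int = 90) -> bool:
    """ASSUMED rule: treat it as sustained only when all three averages are at
    or above the threshold, so a momentary spike in the 5 s figure is ignored."""
    return all(v >= threshold for v in cpu_load(stats))


def memory_used_pct(stats: dict) -> float:
    """Percentage of totalBytes in use, from the Memory Usage section."""
    m = stats["Memory Usage"]
    return round(100.0 * m["usedBytes"] / m["totalBytes"], 1)


if __name__ == "__main__":
    s = parse_host_stats(SAMPLE_OUTPUT)
    print("CPU (5s, 1m, 5m):", cpu_load(s))
    print("sustained high CPU:", sustained_high_cpu(s))
    print("memory used: %.1f%%" % memory_used_pct(s))
```

    Running it against the posted figures shows all three CPU averages pegged at 100 with memory at about 72% used, which matches the poster's read that the box is CPU-bound rather than memory-starved; collecting this output on a schedule (for instance before and after a reboot) is the kind of evidence a TAC case asks for.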

  • CSS experts, please show me what I'm missing... [SOLVED]

    I want to know how Firefox knows the difference between certain code surrounding Arch's stuff. For instance, the time and date stamp above every post here. This is an example:
    <h2><span><span class="conr">#1 </span><a href="viewtopic.php?pid=674509#p674509">2009-12-19 12:26:19</a></span></h2>
    and from the wiki:
    <a name="Getting_Started" id="Getting_Started"></a><h2> <span class="mw-headline"><a href="/index.php/Getting_Started" title="Getting Started">Getting Started</a></span></h2>
    Both of these pick up on the h2 settings I have in a CSS file that I'm putting together:
    h1,h2 {
    font-family:"DejaVu Sans" !important;
    font-weight:bold !important;
    font-size:14px !important;
    }
    Firefox doesn't apply the bold settings to the first example but does to the second. This is exactly what I want. If I add another entry:
    h2 span {
    font-family:"DejaVu Sans" !important;
    font-weight:normal !important;
    font-size:13px !important;
    }
    Then the bold goes off on both of them. I want a generic CSS file that has the time and date normal and the wiki entries bold. Firefox does this automatically. What am I missing?
    ... be back in 20 hours ...

    Mh, I'm sure you know about the tree structure of HTML. Please excuse me if I tell you things you already know, but allow me to talk about how CSS rules are applied.
    <h2>
    <span>
    <span class="conr">#1 </span>
    <a href="viewtopic.php?pid=674509#p674509">2009-12-19 12:26:19</a>
    </span>
    </h2>
    What CSS does is apply the CSS rules for each element/selector. This means first it will apply the rules for h2, then the rules for span, and at last the rules for the class conr or the element a respectively. If any properties already exist, they will be overwritten when applying the rules of a more specific element. If multiple rules apply (for instance multiple classes with conflicting properties), the !important will help the browser decide which rule to apply.
    In your case I guess that there are rules for the class conr or the span element which conflict with your desired setting. Since you only change the rules for h2, the rules of those more inner elements/attributes take precedence.

  • Upgrading IPS-4240-K9

    Hi,
         I have an IPS-4240-K9 with system version 5.1(8)E2 and I need to upgrade to the latest version, Release 7.1(7)E4. I need to know if there is some way to do this without jumping through all the old versions (6.0 E2, 6.0 E3, 6.0E4, etc). Do I need to re-image? What is the process? What files do I need to download?
    Thanks,

    Hello Salvador,
    The upgrade path is: 5.1(8) > 6.0(6) > 7.1
    If you want to do it directly you will need to re-image the sensor.
    For upgrade use the .pkg file and for re-image use the .img file.
    Download from:
    http://software.cisco.com/download/type.html?mdfid=278810718&flowid=4425
    For re-image:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_system_images.html#wp1060091
    Hope it helps,
    Regards,
    Felipe.

  • IPS 4240 Design Question

    I have two IPS 4240s that may be placed between our internal network and our extranet firewall. The firewall set is your standard ASA-5520 active/failover pair connected to two switches.
    Q1 - If I am not worried about atomic attacks, is there any other benefit to having the IPS inline over promiscuous?
    Q2 - Whether inline or promiscuous, is it necessary to connect the single IPS to both switches in order to receive packets when an ASA failover occurs? If so, is it done physically or via RSPAN?
    Q3 - If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I could not find that on Cisco's site.
    Thanks!

    A1 - There are a few things that inline mode can clean up by default, but that can also bite you. Check out some of the other forum posts on having SSH dropped without alerts. Since you have redundant 4240s, the reliability of the IPS sensors inline shouldn't affect you as much. Just don't update them at the same time.
    A2 - Only the signatures that need state will be affected by a failover. Hopefully failovers do not happen frequently enough for missing a few potential hits to be an issue. If you are really performing good analysis and tuning out your false positives, then you might want to connect both sensors to both switches.
    A3 - You can configure the 4240s to fail open (pass the traffic through the sensor when it fails) or fail closed (do not pass traffic during sensor failure). Since you have dual firewalls, switches and sensors, you can fail closed and force the traffic through the running sensor and firewall. If one sensor is standby, you may want to make it fail open, so that you can still pass traffic in the event both sensors are down.

  • IPS 4240 event backup/retrievals

    Hi,
    We have three IPS 4240s placed on different segments of our network. We have the following queries about collecting IPS logs:
    1) We need to collect IPS events/logs to an external server.
    2) Is there any other application that we can use to retrieve IPS logs other than Cisco IME?
    3) Can Cisco IME retrieve logs taken from a backup server in the same manner that it retrieves the current logs (with colors, graphs etc.)?
    4) What is the correct log storage capacity of the IPS 4240 appliance? When I watch TAC IPS Media Series, Episode 2 - IPS Hardware
       it's mentioned as 2GB DDR RAM and 512MB flash. (https://supportforums.cisco.com/docs/DOC-13565) 
       However, when I checked my IPS, Total memory is 1984MB and Total Data Storage is 788MB. What are these figures?
    5) Where exactly are the IPS logs saved? Will the events go away once we do a power recycle?
    I would appreciate it if someone could answer the above questions with correct solutions.

    Yes, you are right, and it is clear to me, but I think the ASDM-IDM Launcher can
    be used for both ASA and IPS.
    But in my case currently, I am upgrading only the IPS to 7.0(2)E4 from version 7.0(2)E3, so I don't want to lose the ability to access both ASA and IPS (with the new version).
    In addition, when I access the IPS through HTTPS, it does not create any shortcut on my screen. Moreover, when I try and click on "You can also install DM Launcher to run IDM." I get the DM Launcher with version 1.5(37) and not with version 1.5(49).
    PS:
    - I rebooted the sensor, same issue.
    - I cleared the cache folder in the path "C:\Users\Administrator\.asdm\cache" & "C:\Users\Administrator\.idm\cache", also same issue.
    The problem persists.
    Please advise.

  • Bitcoin generator and Cisco IPS 4240

    I have a problem with a Bitcoin generator installed somewhere in the local network.
    I have an IPS 4240 which is connected as an IPS (all traffic to the internet passes through the IPS).
    The software on the IPS is very old, and I cannot upgrade it.
    Version 6.0(6)E4
    Can I configure the IPS to detect and prevent Bitcoin?

    Please, can anyone answer these questions? Your help is appreciated. These are blocking me.
    We have purchased a Cisco IPS 4240 sensor, installed the license, and that device is communicating with other computers in the network. The version installed is IPS 6.1(1)E1. Please can you answer the questions below.
    1) Please can you provide me the document or link that lists all the possible events that can be generated by the Cisco IPS 4240 sensor.
    2) Where will this IPS 4240 sensor store all the generated events? Please can you provide me the file names and location of those files, and can you tell me how to access those files?
    3) How many types of events will be generated by this IPS 4240 sensor?
    4) How do I send all types of events to a syslog server (Windows Kiwi Syslog or Linux syslog) present on another system in the network, through CLI, IDM and IME?
    5) Can you provide me some examples to generate different events?
    6) What is the difference between CLI, IDM and IME?
    7) How can we know that the configured IPS system is in inline mode?

  • IPS 4240.. and hardware bypass

    Hi everyone, please kindly help. We are using the 4240 as an IDS at the moment and are looking to enable the IPS capability in the near future. However, we only have one IPS on our site. For resiliency we have 2 entry/exit points with 1 ASA at each entry point as a firewall.
    My concern is that if we enable IPS capabilities in inline mode and the IPS falls over due to a hardware problem, we will end up with a primary link failure. Is there some sort of module available for the 4240 to enable hardware bypass? Thanks, Regards.

    Thank you Bob. I think you are referring to this document: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047718 I read it and I think I am now clear about the issue of 2 separate VLANs. However, I still have some confusion about my own setup.
    Currently there is one VLAN, VLAN 100, between the ASA and our internal router. If I place the IPS with an inline interface pair configured between the ASA and our internal router, I am not sure if I need any special configuration with regard to VLANs. As far as I can see I will have VLAN 100 between the ASA and IPS and VLAN 100 again between the IPS and the internal router. But I have a feeling that my assumption is incorrect, and when the IPS receives the packets on one interface from the internal router, it will not forward them out of the paired interface as the IPS may not understand the VLAN tag. Unfortunately I am not in a position to try this on a live IPS device, as our IPS is already in a production environment but being used as an IDS.
    Would I be better off adding a switch to the mix between the internal router and the ASA and then following the "inline VLAN pair" route? A bit similar to the diagram below.
