IDS-4210 picks up what IPS-4240 misses, strange duplex/interface problems

Similar Messages

• Upgrading IDS 4210 from 4.1 to 5.2

  I received the S253 sig update notification yesterday and for the first time it appears the text indicates that I can upgrade my IDS 4210 to the 5.2 version needed to have continued sig support. What is the upgrade path? What do I need to order? Everytime I use the PUT it only shows me the upgrade package for my current 4.1 version. I think I would much rather upgrade my current sensor than spend $$$ on purchasing a whole new one. Thanks.

  Just to add a little more information.
  The IDS-4210 has been End of Saled, but not yet End Of life.
  http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_eol_notice09186a008032d508.html
  The IDS-4210 IS capable of running IPS version 5.1 software and will continue to receive signature updates as long as IPS 5.1 signature updates continue to be created.
  No date has yet been announced for when IPS 5.1 signature updates will stop, but I would expect no less that 18 months from now.
  An IPS Service Contract and associated Signature Update License is required for installing signature updates in IPS 5.1.
  If you already have an IPS Service Contract then you can upgrade to 5.1 and request the associated License for your sensor.
  (NOTE: A Service Contract has always been required for the installation of signature updates, but was previously not enforced by software. It is now being enforced by the IPS 5.1 software through the use of the License received through the Service Contract)
  As for memory requirements. The following is stated in the 5.0(1e) Readme file:
  - 512 MB of RAM memory on the IDS-4210, IDS-4210-K9, and IDS-4210-NFR (NOTE: this upgrade is no longer available as the IDS-4210-MEM-U= part has been end-of-saled).
  If you previously upgraded to 512MB then you are fine.
  If not, you would need to open the IDS-4210 and determine what the memory part number is and attempt to purchase additional memory matching that part number from any vendor that you can find (does not have to have been specifically sold by Cisco, but should match the part number of the memory already in the system). The memory is longer being manufactured so Cisco was no longer able to sell that part.
  You should NOT attempt to install 5.0 or 5.1 on a sensor running only 256MB of memory. The sensor will never run properly.
  Specific upgrade files to use:
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  IPS-K9-maj-5.0-1e-S149.rpm.pkg
  IPS-K9-min-5.1-1g.pkg
  IPS-K9-sp-5.1-3.pkg
  If you do not already have an IPS Service Contract for your sensor, then you need to contact your Cisco Sales Representative. The last day you could have purchased a new service contract for the IDS-4210 was back on December 6, 2004.
  Yoru Cisco Sales Representative may be able to give you a discount on upgrading your IDS-4210 to a newer IDS-4215.

• IPS 4240 - additional card

  Hi,
  Does anybody know, when will be available 4xFE cards for IPS 4240 (for total 8 interfaces)?
  Regards,
  Krzysztof

  Cisco IDS 4250 is supported in version 5.0 Inline if the 4FE, Gig TX PCI card, two of the SX PCI cards, or the XL card is installed. Cisco IPS 4240 is supported in version 5.0, Inline supported (it has four sensing interfaces). IPS 4255 is supported in version 5.0, Inline is supported (it has four sensing interfaces). IDSM-2 is supported in version 5.0, Inline supported (it has two sensing interfaces).
  http://www.cisco.com/en/US/netsol/ns498/netqa0900aecd8029e8de.html

• I think I found a bug/bad design - what am i missing?

  Hi Edwin and the team,
  This is my first post as I'm sinking my teeth into the PM Server and Designer. We're considering to use the BPEL technology in the BIG way. And I think it's very cool as the Web Services-based EAI delivers a cost-effective and not proprietary solution!
  Let me describe to you what I believe is a bug or a dubious design. In the Designer, File>New>Oracle BPEL Project creates a new project with a file bpel.xml. For example, look at your CreditFlow sample. In that file there is <partnerLinkBinding name="..." <property name=wsdlLocation"> http://<host name of the WSDL host server>/....
  when the partner WSDL is hosted on the localhost that <host name> in the line above is the name of my machine instead of 'localhost'. Then, <project name>.bpel validation crashes when you're in the off-line (disconnected) mode or connected via VPN gateway (since obviously you think you don't need a proxy because everything is local). But, even if it works inside the LAN I think it's a bad design; since it's generated automatically by Designer the developer doesn't have a clue what's wrog when he/she needs to debug your code. The Designer should stick there 'localhost' instead of the the name of my computer on the network.
  Here how I spotted it. I generated you CreditFlow sample in the Quick Start Tutorial. I went by the book, Compiled the CreditFlow.bpel and it crashed! The book did not say it was supposed to crash. The book said everything should be honky dory. The Validator printed a message: "connection timeout...." Since I'm new to the BPEL it took me awhile to figure out and once I stick 'localhost' in the right place in bpel.xml everything worked. Again, I was running everything on localhost.
  If I helped you guys - great or what am I missing here?
  The problem is that if my company decides to convert the Biz Analysts into BPEL modelers how could a BA figure out the solution to the problem like this? He/She would just give up and tell the Technologists (us) that this is a bad product.
  Thanks,
  Greg
  P.S. What happened to Doron Sherman (CTO) and the old Collaxa folks? He is not listed in the ORCL directory. For those who don't know BPEL Server and Designer were developed by Collaxa and ORCL bought that company last year.

  Hi Gregory,
  I think that the problem you are reporting is a proxy configuration error. There are 2 places where you need to configure the proxy: in the obsetenv.bat and in the eclipse>windows>preferences>BPEL Designer.
  If the server is up and the proxy configuration is correct, you should not receive a timeout error.
  Let me try to explain why it is not possible/desirable to have localhost: the url is generated by the server when it generates a WSIL list of the processes deployed on the server. The server does not know if the client requesting this list is local or remote, this is why he uses the real host name (otherwise remote client would not be able to connect to the service).
  One additional note: the tool is not currently targeted at business analyst (unless they have some development background). BPEL entails some inherent complexity: parallel processing, async interactions, exception management, WSDL, XML Schema, transformation. So although we are working hard on continuously simplifying the implementation and increasing the productivity, we are still targeting application developers.
  I hope this helps.
  Edwin

• TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

  I would like to block teamviewer in my network. we are using CISCO IPS 4240 in IDS Mode. I found that there are signatures for teamviewer in latest Signatures.
  We have only configured promiscuous interface, I read that we can issue TCP resets thru promiscuous interface as well (recommended is dedicated tcp reset interface).
  However in my case, I found that Signatures for teamviewer is not getting fired even after getting successful teamviewer connections.
  I am a beginner is IPS, Any inputs will be valuable for me.

  We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
  For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
  -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
  -1 looks for specific traffic to tcp port 5938 which would indicate Teamviewer's direct-connection method
  -2 looks for traffic indicating use over http when teamviewer is configured to use a proxy
  TCP resets are a best effort response, they aren't going to be a 100% effective stop

• I cannot pick up Mail on my IPad2 from my Virginmedia account. My IPhone works fine. What am I missing?

  I cannot pick up Mail on my IPad 2 from my Virginmedia account, but my wife's IPhone (set up the same way) works fine. What am I missing?

  more specific it says it cannot communicate with the outgoing mail server.

• New to IPS 4240 - What else can I use to manage it?

  I have just purchased a Cisco IPS 4240 and have it up and running. Have been using the IEV to view IPS information and that works ok. The VMS 2.2 that came included with the IPS will not work with the current Cisco works (LMS 2.5) installation that we have.
  My question is, is there any other tool besides the IEV and the VMS 2.2 that I can use to mange/monitor my IPS? the IEV seems so limited.
  I have downloaded the newer VMS from the Cisco site and am planning to test that this comming week, but wanted to know ahead of time if I needed to waste my time with this tool or not.
  Thanks!

  The latest CSMARS release is promising and honestly the netforensics solution offered by Cisco probably wouldn't be a good fit for the op, but I think Cisco needs to rething pushing the MARS in leui of everything else. As a previous customer of netforensics, and now a user of CSMARS...there are definitely many things that netforensics does better than CSMARS.
  My biggest beef with CSMARS is the seemingly casual way in which it treats time and "raw messages". IMHO, these should be sacred to any SIM. I can elaborate, but for the sake of brevity I'll just give a couple examples:
  The signature name reported in the "raw message" that MARS makes available is not always correct. Also, custom signature events report as "unknown" in the "raw message". Clearly this is not a "raw message" by any reasonable interpretation...MARS is writing bits that never existed in the original message.
  the event contextual information is very often truncated. If you rely on this a great deal, the MARS probably isn't for you. There's also no interface for decoding it, requiring a cut-and-paste into your favorite decoder.
  Believe me, I could go on. On the bright side, the MARS is showing promise...I was able to cross off my list quite a few issues after the latest upgrade.
  Matt

• IPS 4240 Inline deployment.

  Hi,
  I am trying to deploy IPS 4240 with Software version 4.1. My query is, will this version support inline prevention? If yes, what are the deployment & sensor interface configuration considerations. I believe the new 5.0 version supports this feature. But the documentation on v4.x is not clear.
  Thanks in advance.
  Ajay Dand

  Inline is implemented in software version 5.0.
  The upgrade image is available at:
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  All IPS software is available at:
  http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/

• IPS 4240 software 6.2(3)E4

  Hello!
  I have a sensor IPS-4240 which holds IPS software 6.2(3)E4. Right now we havn't got a license.
  With the device wh have almost 100% cpu usage all the time:
  show statistics host
  General Statistics
     Last Change To Host Config (UTC) = 27-Dec-2010 14:51:19
     Command Control Port Device = Management0/0
  Network Statistics
  Memory Usage
     usedBytes = 1426128896
     freeBytes = 558419968
     totalBytes = 1984548864
  Summertime Statistics
     start = 02:00:00 UTC Sun Mar 27 2011
     end = 03:00:00 UTC Sun Oct 30 2011
  CPU Statistics
     Usage over last 5 seconds = 100
     Usage over last minute = 100
     Usage over last 5 minutes = 100
  Memory Statistics
     Memory usage (bytes) = 1426128896
     Memory free (bytes) = 558419968
  From service accont I see that only one process eats CPU - mainApp.
  I even created addition virtual sensor vs1 where I have disabled all signatures. It gave me no result.
  Situation can be changed for a while after the sensor's reboot, but not for long time.
  show interfaces doesn't show a lot of input traffic too.
  Event log contains only following warnings:
  evError: eventId=1293461883161643337 severity=warning vendor=Cisco
    originator:
      hostId: XXXXXX
      appName: notification
      appInstanceId: 409
    time: 2011/01/19 15:22:56 2011/01/19 21:22:56 GMT+06:00
    errorMessage: name=errWarning - the subscription lost data [IdsEventStore::readSubscription()]
  What can be a problem? How can I reduce CPU usage?
  With hope to resolve the issue

  It would be difficult to pin point what the exact issue is with the high CPU just by the information provided in the post. It seems that the mainApp is causing the high CPU, however, it is worth investigating further. I would suggest that you log a Cisco TAC case so further investigation can be performed.
  Alternatively, you can try to upgrade the software to the latest version of 7.0.4(E4) which has engine improvement.

• CSS experts, please show me what I'm missing... [SOLVED]

  I want to know how Firefox knows the difference between certain code surrounding Arch's stuff. For instance, the time and date stamp above every post here. This is an example:
  <h2><span><span class="conr">#1 </span><a href="viewtopic.php?pid=674509#p674509">2009-12-19 12:26:19</a></span></h2>
  and from the wiki:
  <a name="Getting_Started" id="Getting_Started"></a><h2> <span class="mw-headline"><a href="/index.php/Getting_Started" title="Getting Started">Getting Started</a></span></h2>
  Both of these pick up on the h2 settings I have in a CSS file that I'm putting together:
  h1,h2 {
  font-family:"DejaVu Sans" !important;
  font-weight:bold !important;
  font-size:14px !important;
  Firefox doesn't apply the bold settings to the first example but does to the second. This is exactly what I want. If I add another entry:
  h2 span {
  font-family:"DejaVu Sans" !important;
  font-weight:normal !important;
  font-size:13px !important;
  Then the bold goes off on both of them. I want a generic CSS file that has the time and date normal and the wiki entries bold. Firefox does this automatically. What am I missing?
  ... be back in 20 hours ...

  Mh, I'm sure you know about the tree structure of HTML. Please excuse if tell you things you already know, but allow me to talk about how CSS rules are applied.
  <h2>
  <span>
  <span class="conr">#1 </span>
  <a href="viewtopic.php?pid=674509#p674509">2009-12-19 12:26:19</a>
  </span>
  </h2>
  What CSS does is applying the CSS rules for each element/selector. This means first it will apply the rules for h2, then the rules for span and at last the rules for the class conr or the element a respectively. If any properties already exists, they will be overwritten when applying the rules of a more specific element. If multiple rules apply (for instance multiple classes with conflicting properties), the !important will help the browser to decide which rule to apply.
  In your case I guess that there are rules for the class conr or the span element which conflict with your desired setting. Since you only change the rules for h2, the rules of those more inner elements/attributes take precedence.

• Upgrading IPS-4240-K9

  Hi,
       I have an IPS-4240-K9 with system Version 5.1(8)E2 and I need to upgrade to the last version Release 7.1(7)E4, I need to know if there is some way to do this without jumping from all the old versions (6.0 E2, 6.0 E3, 6.0E4, etc) do i need to make a reimage?? what is the process?? what files needs to download?
  Thanks,

  Hello Salvador,
  The upgrade path is: 5.1(8) >  6.0(6) > 7.1
  If you want to do it directly you will need to re-image the sensor.
  For upgrade use teh .pkg file and for re-image use the .img file.
  Download from:
  http://software.cisco.com/download/type.html?mdfid=278810718&flowid=4425
  For re-image:
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_system_images.html#wp1060091
  Hope it helps,
  Regards,
  Felipe.

• IPS 4240 Design Question

  I have two IPS 4240s that may be placed between our internal network and our extranet firewall. The firewall set is your standard ASA-5520 active/failover pair connected to two switches.
  Q1 - If I am not worried about atomic attacks, is there any other benefit to having the IPS inline over promiscuous?
  Q2 - Whether inline or promiscuous, is it necessary to connect the single IPS to both switches in order to receive packets when an ASA failover occurs? If so, is it done physically or via RSPAN?
  Q3 - If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I could not find that on Cisco's site.
  Thanks!

  A1 - There are a few things that in-line mode can clean up by deafult, but that can also bite you. Check out some of the other forum posts on having ssh dropped without alerts. Since you have reduntant 4240s the realibility of the IPS sensors in-line shouldn't affect you as much. Just don't update them at the same time.
  A2 - Only the signatures that need state will be effected by a failover. Hopefully failovers do not happen frequently enough for missing a few potential hits to be an issue. If you are really performing good analysis and tuning out your false positives, then you might want to connect both sensors to both switches.
  A3 - You can configure the 4240s to fail-open (pass the traffic thru the sensor when it fails) or fail-closed (do not pass traffic during sensor failure). Since you have dual firewalls, switches and sensors, you can fail closed and force the traffic thru the running sensor and firewall. If one sensor is standby, you may want to make him fail open, so that you can still pass traffic in the event both sensors are down.

• IPS 4240 even backup/retrewals

  Hi,
  We having IPS three number of 4240 placed on different segments of our network. We having following querries about collecting IPS logs;
  1) We need to collect IPS events/logs to external server
  2) is there any other application that we can retriew IPS logs other than Cisco IME
  3) can cisco IME retriew logs taken from a backup server in the same manner that it retriew in current logs (with colored, graphs etc).
  4) what is the correct logs storage capacity of the IPS 4240 appliance, when I see TAC IPS media Series, Episode 2 - IPS Hardware
     its mentioned as 2GB DDR RAM and 512MB flash. (https://supportforums.cisco.com/docs/DOC-13565) 
     However when I checked my IPS Total memory 1984MB and Total Data Storage 788MB. what are these figures..?
  5) where exactly save the IPS logs, will the event goes off once we do power recrycle?.
  Appreciate if some one can answer with correct solutions to above questions

  yes you are right, and it is clear for me, but i think using ASDM-IDM launcher can
  be used for both ASA and IPS.
  but in my case currently, i am upgrading only the IPS to 7.0(2)E4 from version 7.0(2)E3. so i don't want to loose the ability to access both ASA and IPS(with new version).
  in addition, when i do Access the IPS through Https, it do not create any shortcut on my screen. moreover, when i do try and click on "You can also install DM Launcher to run IDM." i got the DM Laucnher with version 1.5(37) and not with version 1.5(49)
  PS:
  - i rebooted the sensor, same issue.
  - i cleared the cache folder in the path "C:\Users\Administrator\.asdm\cache" & "C:\Users\Administrator\.idm\cache" also same issue
  problem persists.
  Please Advice

• Bitcoin generator and Cisco IPS 4240

  I have a problem with Bitcoin generator installed somewhere in local network.
  I have IPS 4240 what connected as IPS (All traffic to internet passes through IPS.
  The software on IPS is very old.. and I can not upgade it.
  Version 6.0(6)E4
  Can I configure IPS tj detect and prevent bitcoin?

  Please any one can answer these questions...Your help is appreciable...Thse are blocking me...
  We have purchased Cisco IPS 4240 sensor, installed the license and that device is communicating with other computers in the network. The version installed is IPS 6.1(1)E1. Please can you answer me below questions.
  1) Please can you provide me the Document or link, that lists all the possible events that can be generated by Cisco IPS 4240 sensor.
  2)Where this IPS 4240 sensor will store all the generated events, Pls can u provide me the File names,location of that files and can you tell me how to acces that files?
  3) How many types of events will be generated by this IPS 4240 sensor.
  4) How to send all types of events to Syslog server (Windows Kiwi syslog OR Linux syslog) present on another system in the network through CLI,IDM and IME.
  5) Can you provide me some Examples to generate different events.
  6) What is the difference between CLI, IDM and IME?
  7) How we can know that configured IPS system is in Inline mode?

• IPS 4240.. and hardware bypass

  Hi everyone.. please kindly help. We are using 4240 as a IDS at the moment and are looking to enable the IPS capability in near future.   However we only have one IPS on our site. For resiliancy we have 2 entry/exit points with 1 asa at each entry point as a firewall. 
  My concern is that if we enable IPS capabilites in inline mode and IPS falls over due to hw problem we will end up with primary link failure.  Is there some sort of module available for 4240 to enable the hardware bypass?   Thanks Regards.

  Thank you Bob... I think you are refering to this document. http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047718  I read it and I think I am now clear about the issue of 2 separate vlans..  However I still have some confusion about my own setup.
  Currently there is one vlan -  Vlan 100 between ASA and our internal router.  If I place the IPS with inline interface pair configured between ASA and our internal router, I am not sure if I need any special configuration with reagrds to vlans..  As far as I can see I will have vlan 100 between ASA and IPS and vlan 100 again between IPS and internal router.  But I have a feeling that my assumption is incorrect and when IPS receives the packets on one interface from the internal router, it will not forward it out of the paired interface as IPS may not understand the Vlan tag.   Unfortunately I am not in position to try this on a live IPS device as our IPS is already in a production environment but being used as an IDS. 
  Would I be better off adding a switch to the mix between the internal router and the ASA and then follow the "inline vlan pair"  route?.  Bit similar to diagram below.