IOS-IPS alarm reporting tool

Hi,
I'd like to employ 5-6 end point routers with embedded IPS.
I do not have the opportunity to employ VMS or CSIMS.
To configure these, then, I'll use the SDM.
Instead, for the alarm reporting:
- If I configure the communication with the old post-office protocol, I think that I can use the IEV software
- If I use the new SDEE communication protocol, what can I use to collect and report the alarms?
Thanks,
Kind regards,
G.

I don't think the old post-office protocol will work with the newer IPS features of the router.
(The documentation says it was deprecated)
To use SDEE you will need to use a viewer that supports SDEE.
The Cisco options include:
Security Monitor (part of VMS, latest release includes SDEE support)
Cisco Works SIMS (an OEM from NetForensics - I am not positive that it supports SDEE yet)
Protego PN-MARS (Protego is being bought by Cisco - I know they have SDEE support, but not sure if it is in their released version)
Unfortunately there is not a simple no-additional-cost viewer (like IEV) that supports SDEE.
Another alternative you may want to consider is to use syslog. The router can send the alerts as syslog events.
There are many free syslog viewers available for download on the Internet.
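As an added example of the syslog route the reply suggests (this is not code from the thread or from Cisco): a small Python reporter that parses %IPS-4-SIGNATURE syslog lines and summarises alarms per signature. The log lines are constructed for the example, and the exact field layout after the signature id (Sev, the bracketed addresses, VRF, RiskRating) is an assumption that should be checked against what your routers actually emit.

```python
"""Minimal IOS IPS syslog alarm reporter (added example, not from the thread).

Parses %IPS-4-SIGNATURE lines as IOS IPS 5.x sends them to syslog and
summarises them per signature. The log lines below are constructed.
"""
import re
from collections import Counter, defaultdict

# Assumed shape of an IOS IPS signature alarm in syslog; adjust the regex to
# match the field list your routers produce.
SIG_RE = re.compile(
    r"%IPS-\d-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) "
    r"Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: VRF:(?P<vrf>\S+))?(?: RiskRating:(?P<rr>\d+))?"
)

# Constructed sample log: three UDP Bomb alarms, one ICMP alarm, one non-IPS line.
SAMPLE_LOG = """\
<188>Jan 26 19:51:23.355: %IPS-4-SIGNATURE: Sig:4050 Subsig:0 Sev:50 UDP Bomb [10.0.0.5:123 -> 10.0.0.1:123] VRF:NONE RiskRating:60
<188>Jan 26 19:51:24.101: %IPS-4-SIGNATURE: Sig:4050 Subsig:0 Sev:50 UDP Bomb [10.0.0.1:69 -> 10.0.0.5:2048] VRF:NONE RiskRating:60
<188>Jan 26 19:52:01.002: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.0.2.10:8 -> 10.0.0.1:0] VRF:NONE RiskRating:25
<189>Jan 26 19:52:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
<188>Jan 26 19:53:10.777: %IPS-4-SIGNATURE: Sig:4050 Subsig:0 Sev:50 UDP Bomb [10.0.0.5:123 -> 10.0.0.1:123] VRF:NONE RiskRating:60
"""


def parse_alarm(line):
    """Return a dict for one IPS alarm line, or None for any other syslog line."""
    m = SIG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sig", "subsig", "sev", "sport", "dport"):
        d[k] = int(d[k])
    d["rr"] = int(d["rr"]) if d["rr"] is not None else None
    return d


def parse_log(text):
    return [a for a in (parse_alarm(l) for l in text.splitlines()) if a]


def summarize(alarms):
    """Count alarms per (sig, subsig), most frequent first, with distinct sources."""
    counts = Counter((a["sig"], a["subsig"]) for a in alarms)
    sources = defaultdict(set)
    names = {}
    for a in alarms:
        key = (a["sig"], a["subsig"])
        sources[key].add(a["src"])
        names[key] = a["name"]
    return [
        {"sig": k[0], "subsig": k[1], "name": names[k],
         "count": n, "sources": sorted(sources[k])}
        for k, n in counts.most_common()
    ]


def report(text):
    """Render the per-signature summary as one line per signature."""
    lines = []
    for row in summarize(parse_log(text)):
        lines.append(
            f"Sig {row['sig']}/{row['subsig']} {row['name']}: "
            f"{row['count']} alarm(s) from {', '.join(row['sources'])}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Point a syslog daemon's output file at `report()` (or feed it lines from a UDP/514 listener) and the per-signature counts are enough to spot a noisy signature such as 4050 before deciding whether to tune or retire it.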

Similar Messages

  • IOS IPS and VMS and shunning

    Installed 12.3.14T2 (advanced security) on 2811 router with new
    VMS update to the IDS Management Center (2.1) to support IOS IPS SDEE event monitoring. When I configure a specific signature, there is no option to shun. Only alert, block or reset. Where do you configure the dynamic shunning or "local shun action" that seems to be in all the "new features" of the IOS IPS.
    Configuring the signature to block, alert or reset works fine. Just no options to shun. Also the IPS device does not show up in the device list under Monitoring on VMS, even though it shows up as a device in Monitoring Center Device Page.
    Maybe this is where the problem may lie.

    IOS versions before 12.3(14)T support the following
    actions for IOS IPS:
    - alarm
    - drop (drop just the offending packet)
    - reset (reset tcp connection - works for tcp only)
    Version 12.3(14)T and later (including 12.4 versions) added support for the "local shunning" through two different actions:
    - denyFlowInline
    - denyAttackerInline
    DenyFlowInline creates an ACL that drops all traffic on that connection for a certain idle-timeout.
    DenyAttackerInline creates an ACL that drops all traffic from that source address (including other connections from that source address) for a certain idle-timeout.
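    To make the difference between the two actions concrete, here is an added example that is not Cisco's code and not part of the thread: a small Python model of the two deny tables. The table layout, the keys (5-tuple for the flow action, source address for the attacker action) and the rule that traffic hitting a deny entry refreshes its idle timer are assumptions chosen to illustrate the description above.

```python
"""Model of the IOS IPS denyFlowInline / denyAttackerInline actions.

Added example, not Cisco's implementation. Assumptions: one deny table keyed
by 5-tuple (flow), one keyed by source address (attacker), and an idle timeout
that is refreshed every time a packet matches a deny entry.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class LocalShun:
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.deny_flow = {}      # Flow -> last time a packet matched
        self.deny_attacker = {}  # source address -> last time a packet matched

    def fire(self, flow, action, now):
        """A signature fired on `flow`; install the deny entry for `action`."""
        if action == "denyFlowInline":
            self.deny_flow[flow] = now
        elif action == "denyAttackerInline":
            self.deny_attacker[flow.src] = now
        else:
            raise ValueError(f"unknown action {action!r}")

    def _expire(self, now):
        # Drop entries that have seen no matching traffic for longer than the idle timeout.
        for table in (self.deny_flow, self.deny_attacker):
            for key in [k for k, t in table.items() if now - t > self.idle_timeout]:
                del table[key]

    def forward(self, flow, now):
        """Return True if the packet is forwarded, False if a deny entry drops it."""
        self._expire(now)
        if flow.src in self.deny_attacker:
            self.deny_attacker[flow.src] = now   # refresh idle timer
            return False
        if flow in self.deny_flow:
            self.deny_flow[flow] = now           # refresh idle timer
            return False
        return True


def demo(idle_timeout=30):
    """Constructed scenario: one source, two TCP connections to the same router."""
    attacker = "192.0.2.10"
    f1 = Flow(attacker, 40000, "10.0.0.1", 80, "tcp")   # the connection that fired
    f2 = Flow(attacker, 40001, "10.0.0.1", 22, "tcp")   # another connection, same source
    out = {}

    s = LocalShun(idle_timeout)
    s.fire(f1, "denyFlowInline", now=0)
    out["flow: same conn"] = s.forward(f1, now=1)        # dropped
    out["flow: other conn"] = s.forward(f2, now=1)       # forwarded: only that flow is denied

    s = LocalShun(idle_timeout)
    s.fire(f1, "denyAttackerInline", now=0)
    out["attacker: same conn"] = s.forward(f1, now=1)    # dropped
    out["attacker: other conn"] = s.forward(f2, now=1)   # dropped too: whole source is denied
    s.forward(f2, now=25)                                # keeps matching, timer refreshed
    out["attacker: still denied at t=50 after refresh"] = s.forward(f2, now=50)
    out["attacker: passes at t=90 after idle expiry"] = s.forward(f2, now=90)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'forwarded' if v else 'dropped'}")
```

    The last two results show why an idle timeout (rather than a fixed one) matters operationally: a source that keeps retrying stays shunned indefinitely, and a misfiring signature with denyAttackerInline can lock out a legitimate host for as long as it keeps talking.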

  • IOS IPS - Sig 4050 UDP Bomb apparent false alarms?

    Hi,
    I'm trying the IOS IPS solution out in a lab environment and I seem to be getting lots of false alarms on sig 4050 - UDP bomb. Looking at the signature description via go/mysdn, and looking at its configuration on the router via SDM, I can see it is simply looking for small UDP packets. But I don't know what size (the parameter is named ShortUDPLength and it's set to True).
    All NTP traffic kicks off this signature. Using Ethereal to capture the NTP exchange, I see that the communication in each direction is a single packet. The layer 2 frame length is 90 bytes. The UDP data length is 56 bytes. All of this seems fine. The NTP server is a Cisco router. The NTP client is running on a Windows 2000 workstation.
    Also, any TFTP to/from the router with IPS enabled also triggers the alert. Specifically it is the ACKs from the TFTP server that trigger the alert. They are indeed small packets - the UDP data size is only 12 bytes.
    Note, this same traffic does not cause alerts from a 5.0 IPS sensor. Looking at the signature definition on the sensor, it doesn't have a parameter named ShortUDPLength. Instead it has a parameter named udp-length-mismatch which is set to true. This doesn't seem to be keying off of a particular data size, but instead conflicting reports in the UDP header compared to the actual packet size.
    Any information that anyone could provide to shed light on this subject would be appreciated. Such as:
    1) Do you find that IOS IPS sig 4050 false alarms are common?
    2) What is the UDP data length that triggers the alert? It has to be bigger than 90 bytes!
    3) Does Cisco have any recommendations on what to do with this built in signature?
    Thanks,
    KEP

    On the sensor appliance side, the udp-length-mismatch checks for discrepancies between the ip header length and udp length of the packet. You were dead on, the signature triggers when the UDP length specified is less than the IP length specified. I'm not positive of exactly what the IOS ShortUDPLength parameter is.
    You provided some valuable information in that the same traffic doesn't trigger the alerts on the appliance, so we know that this is not the signature, but rather the implementation of it in IOS.
    I'm taking a bit of a leap here not knowing what IOS version you are running, but I'm guessing you may be running into CSCeh32935. The title states multicast, but the bug is not limited to just multicast traffic. This affects some 12.3T releases and early 12.4. Looks like 12.4(2)T or higher has fixes implemented.
    Since you're in a lab environment, I'd go ahead and upgrade the IOS on the router and see if that doesn't resolve the issue. If it's still there, open up a TAC case, and they'll be able to recreate the issue and file a new bug if necessary.
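    The udp-length-mismatch check the reply describes, as an added example that is neither from the thread nor Cisco's code: parse a raw IPv4/UDP packet and compare the length in the UDP header with the UDP length implied by the IP total length. The packets are constructed to mirror the numbers in the question (a 90-byte NTP frame, i.e. UDP length 56; a small TFTP ACK) plus one deliberately forged packet; the NTP and TFTP payload bytes are placeholders, not captured data.

```python
"""udp-length-mismatch check on raw IPv4/UDP packets (added example).

The appliance-side rule as the reply states it: alarm when the UDP header's
length field is smaller than the UDP length the IP header implies. Packets
below are constructed, not captured.
"""
import struct


def build_ipv4_udp(src, dst, sport, dport, payload, udp_len_override=None):
    """Build IPv4+UDP bytes (checksums left zero); udp_len_override forges the UDP length."""
    udp_len = 8 + len(payload) if udp_len_override is None else udp_len_override
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total = 20 + len(udp)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total, 0, 0, 64, 17, 0,          # ver/ihl, tos, total len, id, frag, ttl, proto=UDP, csum
        bytes(map(int, src.split("."))),
        bytes(map(int, dst.split("."))),
    )
    return ip + udp


def udp_length_mismatch(pkt):
    """Return (mismatch, ip_udp_len, udp_hdr_len); (False, None, None) if not IPv4/UDP or truncated."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return False, None, None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    if proto != 17 or len(pkt) < ihl + 8:
        return False, None, None
    udp_hdr_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    ip_udp_len = total_len - ihl            # UDP bytes the IP header says are present
    return udp_hdr_len < ip_udp_len, ip_udp_len, udp_hdr_len


# Constructed packets matching the thread's numbers:
# NTP: 48-byte NTP message -> UDP length 56, IP total 76, Ethernet frame 90.
NTP = build_ipv4_udp("10.0.0.5", "10.0.0.1", 123, 123, b"\x1b" + b"\x00" * 47)
# TFTP ACK (opcode 4, block 1): 4-byte payload -> UDP length 12. Small but consistent.
TFTP_ACK = build_ipv4_udp("10.0.0.1", "10.0.0.5", 69, 2048, b"\x00\x04\x00\x01")
# Genuinely malformed: UDP header claims 20 bytes while IP carries 56.
FORGED = build_ipv4_udp("10.0.0.5", "10.0.0.1", 123, 123, b"\x00" * 48, udp_len_override=20)

if __name__ == "__main__":
    for name, pkt in (("NTP", NTP), ("TFTP ACK", TFTP_ACK), ("forged", FORGED)):
        print(name, udp_length_mismatch(pkt))
```

    Under this rule neither the NTP exchange nor the TFTP ACK should alarm, which is consistent with the sensor staying quiet; a router that alarms on them is keying on something else (a short-length threshold or a bug), not on a header mismatch.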

  • IOS IPS Signature-File

    Hi Guys,
    We have recently purchased a Cisco ISR 2921, and in its docs it is written that this product has a license for the IOS IPS signature file, but on the product's flash memory there is no IOS IPS sig-file, and when I try to download the sig-file from Cisco, it fails.
    Can any one tell me where is an alternate way to download the sig-file ?

    900 active signatures is quite a lot for a system that has no dedicated IPS resources.
    But you can control which and how many signatures get enabled on your router:
    In the following example I first disable all signatures and enable the ones for web servers. So just decide which signatures you need. But don't forget to monitor your router resources.
    gw#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    gw(config)#ip ips signature-category
    gw(config-ips-category)#?
    IPS signature category configuration commands:
      category  Category keyword
      exit      Exit from Category Mode
      no        Negate or set default values of a command
    gw(config-ips-category)#category ?
      adware/spyware                Adware/Spyware (more sub-categories)
      all                           All Categories
      attack                        Attack (more sub-categories)
      configurations                Configurations (more sub-categories)
      ddos                          DDoS (more sub-categories)
      dos                           DoS (more sub-categories)
      email                         Email (more sub-categories)
      instant_messaging             Instant Messaging (more sub-categories)
      ios_ips                       IOS IPS (more sub-categories)
      l2/l3/l4_protocol             L2/L3/L4 Protocol (more sub-categories)
      network_services              Network Services (more sub-categories)
      os                            OS (more sub-categories)
      other_services                Other Services (more sub-categories)
      p2p                           P2P (more sub-categories)
      reconnaissance                Reconnaissance (more sub-categories)
      releases                      Releases (more sub-categories)
      specially_licensed_signature  Specially Licensed Signature (more sub-categories)
      telepresence                  TelePresence (more sub-categories)
      uc_protection                 UC Protection (more sub-categories)
      viruses/worms/trojans         Viruses/Worms/Trojans (more sub-categories)
      web_server                    Web Server (more sub-categories)
    gw(config-ips-category)#category all
    gw(config-ips-category-action)#retire true
    gw(config-ips-category-action)#exit              
    gw(config-ips-category)#category web_server
    gw(config-ips-category-action)#?
    Category Options for configuration:
      alert-severity   Alarm Severity Rating
      enabled          Enable Category Signatures
      event-action     Action
      exit             Exit from Category Actions Mode
      fidelity-rating  Signature Fidelity Rating
      no               Negate or set default values of a command
      retired          Retire Category Signatures
    gw(config-ips-category-action)#retired false
    gw(config-ips-category-action)#exit
    gw(config-ips-category)#exit
    Do you want to accept these changes? [confirm]
    gw(config)#
    gw(config)#exit
    gw#sh ip ips configuration | s IPS Signature Status
    IPS Signature Status
        Total Active Signatures: 131
        Total Inactive Signatures: 4370
    gw#
    I didn't follow the thread and answered your first post to have less line-breaks in this post.

  • Cisco IOS IPS - How to manage signatures?

    Hello everyone,
    I'd like to efficiently tune signatures in IOS IPS on one router, a 1941. Available options I found are:
    CLI: not efficient to tune a group of signatures (example: Windows OS)
    CCP 2.7 (Windows GUI): best tool I know, but not efficient, since:
    a bit buggy (sometimes won't work on some computers)
    needs IE9 to work fine, thus excluding its use on W8/W8.1
    workaround to use on IE10/IE11 won't always work (one computer refuses to keep compatibility view settings, for example)
    not able to efficiently sort signatures, using several criteria (main drawback)
    not able to exclude sets of signatures - like compile failed signatures
    CCP 2.8: only available in express version. I installed it, but did not see a tab about signature tuning ...
    Cisco Security Manager is complete overkill, since it needs a license and a server. Not simple to tune IPS on only one router ;-)
    IPS Manager Express: seems a nice tool, but mainly designed for IPS sensors and firewalls, and not able to tune signatures for a router.
    So, if one of you has an idea about a tool, whether Cisco or 3rd party, running preferably on Windows, it is very welcome!
    Thanks!

    Hello Will,
    I have only played with the CLI and with that I was able to selectively enable the signatures I wanted (even using the sub-id identifier), change the action, compile the ones required, etc.
    If this is what you are looking for when referring to tuning signatures, the CLI will be fine; if more than that is needed, well, you have all of the software that you could use.
    No other software available
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Compare reporting tools

    Hi,
    Could some one point in the right direction - we are trying to finalize the reporting tool.
    We have worked with BI-Publisher(not as dynamic) and Discoverer(formatting a big issue) - trying to find a tool that would overcome the limitations that these 2 tools have.
    We want to be able to use Oracle Db, VPD, set client_id using OPD.Net, integrate with web application as key requirements. By same token would like to be able to create dynamic reports which allows a great deal of flexibility. Is there such a reporting tool?
    Any ideas much appreciated.
    Thanks!

    Hi
    I'll try and answer your questions.
    1. XML, SQL (either a view or stored proc) as input data source
       You can base an Apex report on a view or mod_plsql procedure, or use xmldb.
    2. Support ODP.Net provider
       As I understand it, ODP.Net is a tool used by .NET to access Oracle. Apex is a database tool, so all the data and code, everything, is in the database.
    3. Work with VPD (virtual private database)
       Yes.
    4. Single sign-on, and setting client_identifier on connection
       Yes.
    5. Integrate with existing web application (ASP.NET 2.0)
       Not sure what integration you want.
    6. This tool is free, right, to be used with an Oracle 10g database?
       Free, and can be used with 10g or 9i databases.
    Rod West

  • Reporting Tools

    I'm relatively new to BW...I've been supporting it internally for our company for the last year+, but I come from a .NET background.  My questions are in regards to the reporting tools that people use at different implementations.  We use the BEx Analyzer with BW 3.5, but have been relatively disappointed with the user interface and the performance of the queries.  We'll be upgrading to Netweaver BI after the first of the year.
    1.  What other reporting tools (3rd party, web tools, etc.) have people used and how have they performed with BW/BI?
    2.  How much of an improvement, either in performance or the user interface, is there with the upgrade to BI?
    I appreciate any help.
    Thanks,
    Tony

    1. There are a few third-party reporting tools you can integrate with BW data, like Business Objects, Cognos reporting software, Hyperion etc. All are pretty good.
    2. If you are upgrading to BI 7.0, there are lots of new features added to BW/BI reporting tools and one new tool added is Report Designer.
    If you are really upgrading to BI 7.0, I don't think you need any third party tools but again it depends on totally what tool you are comfortable with.
    Regards,
    Ashok

  • Reporting tools and SAP BW

    Dear Sirs,
    We have Business Objects BI 4.0 and SAP BW 7.3.
    Actually we are using Web Intelligence and BEx Query to reporting.
    We have no Business Layer (Universe) between BW and BO, because BO does not support creating a universe (unx) on BW. So we create documents in WEBI using a BEx Query.
    We want to use Xcelsius (Dashboard Design) 2011 and I was thinking that we could use a query from a universe to connect with BW (new functionality in version 2011). Can we? Or maybe we should connect to BW using "Connection to SAP BW"?
    We want to use Explorer (on iPad and iPhone), but Explorer requires a universe (unx).
    It is not possible to create a universe (unx, because unv is not supported via Explorer) based on SAP BW, is that true?
    What should we do, when we want to use Explorer with SAP BW?
    Do I understand the connection between reporting tools and SAP BW correctly:
    Crystal Reports - can I use cubes or BEx queries
    Xcelsius - using "Connection to SAP BW"
    WEBI - BEx queries or universe (but only UNV - old version).
    Explorer - in my opinion is not possible
    Analysis for OLAP - direct to cube in SAP BW
    Could you please comment.

    Hi
    With the current version of the BI 4.0 SP2 BI Platform, one cannot create a universe (.UNX format) against BW using the OLAP connection. However you can create a universe (.UNX format) using the Relational connection (see OSS note: 1656905 - How to create UNX universe based on Business Warehouse InfoCubes). One limitation is the use of hierarchies with the relational connection.
    Then you can create the Information spaces based on the universe (.UNX format) that the Explorer can use.
    BO Reporting tools:
    1. Crystal Reports for Enterprise = you can use the OLAP connection (BICS) directly against the BW InfoCubes or Queries, if queries already exist in the BW system then you can leverage these directly (less time spent recreating the entire query in Crystal)
    2. Xcelsius = you can use the BICS or Web Service or Universe to access the data
    3. Web Intelligence = you can use the OLAP Connection (BICS)
    4. Explorer = you can use a universe (.UNX format) via a Relational Connection
    5. Analysis for OLAP = you can use the OLAP connection (BICS) to either a query or InfoCube.
    It is hoped that in Feature Pack 3 which will be released later this year, that missing functionalities will be delivered for BI 4.0.
    Regards
    Derek

  • BW (BEx) and BOBJ Reporting-Tools

    Hi All,
    I'm looking for an article or anything, that describes the difference between SAP BW (BEx) and Business Objects- Reporting tools .
    which tools is suitable for what purpose?
    thanks
    brad

    This isn't mine - it may even be yours - but just in case anyone looks at this thread, here it is
    BO vs BEx 
    Ease of use:
    BO - Very user friendly interface, Minimal requirement for MDX code, Some queries take more time in BO analysis, when compared to BEx Analyzer
    BEx - Difficult self service reporting and analytics, Being Excel based, it needs extensive VBA or Macro programming for a great UI
    Features:
    BO - Export functionality (PDF, MSOffice etc), More chart types, Has more advanced features, Design and Preview Tab in the same page, Provides offline capabilities
    BEx - Is mostly for SAP only but With integration can access BEx query from BO, Web App Designer is effort intensive, Build and preview are separate views
    Support from SAP:
    BO - Part of SAP integration roadmap, All current and future dev. in the BI front-end is focused on the SAP BO BI solutions, Crystal Reports is now main reporting tool, replacing BEx Report Designer
    BEx - BEx is no longer the strategic direction, BEx product line will be phased out completely by 2016
    Compatibility with other data source:
    BO - Able to merge data from various sources in the same report, Can connect to any Database, very flexible in design
    BEx - Gets data from BI
    Implementation effort and ownership cost:
    BO - Longer deployment period compared to BEx, Additional server needed, May require additional components setup for BW, May need separate license for Business Objects Enterprise (BOE) platform, BO uses OLEDB for OLAP API via BEx query, may cause an overhead, BW Accelerator may be needed to improve query response time, scalability and visibility.
    BEx - Only MS office and BEx client are needed for installation, BEx is bundled with NetWeaver

  • Time taken to replicate campaigns from Eloqua into the Insight reporting tool

    I have found there seems to be a delay in the campaign metrics for active campaigns getting into the reporting tool so that I can extract them for sales follow up.  Does anyone know how long this is supposed to take?

    Hello,
    For Insight Reporting it can take up to 24 hours for metrics to show up in reporting found in Insight. For more "real time" data try clicking in the asset (ie campaign or email etc) and click on the gear-cog --> settings --> Operational Reporting. These reports show the most up to date data. The down side to this data is it is only able to show you up to the last 3 months worth of data.
    I hope this helps!
    Stephanie

  • Best Usage reporting tool for SharePoint 2013 (onpremises)

    Please suggest me best reporting tool for SharePoint 2013 on premises.
    Need to get site usage summary for any time in last one year.
    Need to get library/list usage summary for any time in last one year. etc.
    How many peak hits and unique no of users across all levels.
    Thanks, Ram Ch

    Hi Ram
    We have two links “Popularity Trends” and “Popularity and Search Reports” in the site settings. By Clicking on the two links we can view the usage reports in SharePoint 2013.
    More references:
    http://technet.microsoft.com/en-us/library/jj715890(v=office.15).aspx
    http://sureshpydi.blogspot.com/2013/06/usage-reports-and-popularity-trends-in.html
    http://blogs.msdn.com/b/chandru/archive/2013/08/31/sharepoint-2013-web-analytics-report-where-is-it.aspx
    http://www.prweb.com/releases/2012/8/prweb9821144.htm
    Amit Kotha

  • Why can't I print to a Zebra 2746e using the report tool kit?

    I have read on here how people have printed barcodes from LV by sending commands directly to a Zebra printer. I am using LV8.2.1 on a Windows XP computer. I am sending EPL2 messages to the printer using the report toolkit, but all I get is a couple of line feeds. If I send the commands from a command prompt by copying a test file to the printer port it prints fine. Any thoughts? I have attached my program.
    Attachments:
    zebra tester.vi ‏22 KB

    I tried your code against my printer and it works as advertised. Can you print to other printers with it?
    By the way, when assembling a string you should use the Format Into String function instead of a string concatenator with a bunch of inputs. It takes up less room and is easier to interpret when troubleshooting.
    Mike...
    Certified Professional Instructor
    Certified LabVIEW Architect
    LabVIEW Champion
    "... after all, He's not a tame lion..."
    Be thinking ahead and mark your dance card for NI Week 2015 now: TS 6139 - Object Oriented First Steps

  • Using AE(htmldb 2.0)  as for reporting tool for other oracle databases.

    Maybe I was mistaken, but when I first saw the HTMLDB demo's I saw this as a slick way to build a browser based reporting tool for the masses for quasi-ad-hoc reporting on some of our larger databases that currently have limited reporting capability, and also as a possible replacement for the many MSAccess applets we have.
    I just got 2.0 installed and working on a 9i database and went through the basic tutorials, but I can't find much info on how to connect to other oracle databases.
    Are my options as follows?:
    create dblinks from the local database that houses htmldb to all the other databases?
    or
    install htmldb schemas on each database I want to access from htmldb?
    or
    I'll keep looking, but if any of you have any pointers or know of a tutorial that explains the best way to do this it would be greatly appreciated!
    tia

    As for question 1, yep, that's what I mean. Example:
    In a schema in the App Express instance, create a user called "APP1_USER", and then
    create view app1_user.people as select * from people@link_user@remotedb
    As for the next question, using the built-in insert/update/delete processes will give you
    ORA-01461: can bind a LONG value only for insert into a LONG column
    among other errors. Apparently version 2.1 will fix this. See Cannot Update VARCHAR column in Remote DB
    We address this problem by creating pl/sql APIs for DML, and then writing our own insert/update processes. Slows us down a little, but even with that, App Express remains a productive choice for us.
    Another weird problem: auto-row fetch (built-in to HTML DB) doesn't work over db links when you have two columns for a primary key. Many ways around this, e.g. create sequence-populated primary key, create a view with single column that concatenates primary key column values (key1|key2)
    Hope this helps!
    -John

  • SAP CRM 7.0 - Interactive reporting tool enhancing reports with new fields

    Hi Everyone,
    I am a BW professional, currently working on evaluating the true benefits of implementing the Interactive Reporting tool for our company. As I understand it, the Interactive Reporting tool restricts us to reporting on individual reporting areas like Activities, Leads, Opportunities etc.
    But according to our business it is very important for us to be able to report on cross reporting areas in real time, i.e. activities & leads together, or activities, leads & opportunities together etc.
    I learned about the enhancement workbench in the Interactive Reporting tool where we can add SAP fields to individual reporting areas, so I thought of adding leads & opportunities to activities. This is where the fun part starts.
    Here I learned that activity ID, Lead ID and Opportunity ID are all fed from one single field from SAP CRM, i.e. OBJECT_ID, which means the system is dividing this data into individual reporting areas based on type of data, i.e. leads or opportunities etc., and maybe based on some key like account etc. So here is a technical question: for me to add a new field to a reporting area I have to give a field name, but we already have OBJECT_ID from where I am pulling activities data, so if I want to include leads also in activities then I will have to add some logic manually to get that and can't use the enhancement workbench, because it is for fields missing from SAP CRM, whereas in my case I already have OBJECT_ID from where I am getting Activity data.
    Sorry if I am driving you guys crazy but I am just trying to think out loud to make myself clear on the concepts.
    Also I have seen that a reporting area in the Interactive Reporting tool is based on a BW query, but I am not sure why not all the fields in the BW query are available for reporting in the Interactive Reporting tool?
    Any help or comments will be greatly appreciated.
    Thanks & Regards,
    SRV

    Hello,
    Checking with the config wizard is always a good idea since it's the only supported way to configure this scenario.
    The secret is that you apparently did not activate the report areas. It is a bit misleading that the queries are checked before the report areas are checked, therefore you see the errors concerning the queries first. Below those errors you should find some lines like
        Report areas: delivered 15, active <?>
        CRM interactive reports: delivered 20, active <?>
        Activation of report areas checked
    The last line offers some documentation and the actual link to activate the report areas.
    Best regards

  • What are the reporting tools available for Java applications??

    Hi,
    please tell me some reporting tools available for Java applications. If there are some, please mention how to find their documentation.

    http://jasperreports.sourceforge.net is a nice one, there is also a link to a graphical design tool.
