IPS-4240-K9 IDM 6.2 Monitoring Events issue

Hi everyone,
I've noticed one confusing thing on the IDM Monitoring > Events dashboard. It doesn't show the alerts that I see on the main page Home > Network Security Health sensor circle. In the past 5 minutes the sensor shows, for example, 10 red alerts, but when I switch to the events dashboard there is nothing in that table.
Several days ago I saw some periodic alerts for signature 4003 (nmap UDP sweep). It was happening during the week, and I think the quantity of real-time alerts on the sensor health circle and in the events table was the same.
The only thing I'm noticing now is signature 3041, and sometimes errorMessage: - the event store wrapped around [IdsEventStore::writeEvent(), index = 19531]  name=errWarning
I've read some notes about this error, but I don't understand what I should change to view real-time alerts and the 4003 signature (when IDM worked correctly, it was the main attack). Practically all configuration is at default values. The IPS works in promiscuous mode.
Thanks for any help and advice.

Regarding the message "errorMessage: - the event store wrapped around":
Events are stored in a circular buffer. Once the buffer is full, we simply overwrite the oldest event. If you are seeing multiple such messages, it means that the number of events is really high. You might want to set Alert Frequency > Summary Mode for the signatures which are firing a lot.
Refer to the following link to configure Summary Mode:
http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080838bcf.shtml#IDM
Regards,
Sawan Gupta
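The reply above describes three mechanisms in a few sentences: a fixed-size circular event store that overwrites its oldest entries, a reader (the IDM dashboard, IME or an SDEE client) that keeps its own position in that store, and Summary Mode as a way to cut the event rate for a signature that fires constantly. The following Python model, added here as an illustration and not code from the sensor or from Cisco, shows how a burst of 4003-style sweep alerts produces the "event store wrapped around" warning, how a reader that polls too slowly ends up with the "subscription lost data" condition seen later in this thread, and how per-signature summarisation reduces the number of records the store has to hold. The class names, the 100-slot capacity, the poll interval and the sample addresses are all constructed assumptions for the demo, not the sensor's real IdsEventStore parameters.

```python
"""Toy model of a circular event store, a subscription reading from it, and
summary-mode aggregation. Added example; names and sizes are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    sig_id: int      # e.g. 4003, the nmap UDP sweep signature from the thread
    attacker: str
    victim: str
    ts: int          # seconds since start of the constructed scenario


class EventStore:
    """Ring buffer: once full, each new write overwrites the oldest event."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.buf = [None] * capacity
        self.write_index = 0     # grows forever, like the index in the warning text
        self.warnings = []

    def write_event(self, alert: Alert) -> None:
        slot = self.write_index % self.capacity
        if self.write_index >= self.capacity and slot == 0:
            # The writer has lapped the buffer once more; the sensor reports this as
            # "the event store wrapped around [IdsEventStore::writeEvent(), index = N]"
            self.warnings.append(
                f"the event store wrapped around [writeEvent(), index = {self.write_index}]")
        self.buf[slot] = alert
        self.write_index += 1

    def oldest_available(self) -> int:
        """Lowest write index that has not yet been overwritten."""
        return max(0, self.write_index - self.capacity)


class Subscription:
    """A reader (dashboard, IME, SDEE client) that remembers its own read position."""

    def __init__(self, store: EventStore):
        self.store = store
        self.read_index = 0
        self.lost = 0

    def read(self, max_events: int) -> list:
        oldest = self.store.oldest_available()
        if self.read_index < oldest:
            # Everything between read_index and oldest was overwritten before it was
            # read: the "subscription lost data [IdsEventStore::readSubscription()]" case
            self.lost += oldest - self.read_index
            self.read_index = oldest
        out = []
        while self.read_index < self.store.write_index and len(out) < max_events:
            out.append(self.store.buf[self.read_index % self.store.capacity])
            self.read_index += 1
        return out


def summarize(alerts, window_seconds: int = 30) -> list:
    """Summary mode: collapse repeated alerts for one signature inside a time window
    into a single (sig_id, window_start, count) row instead of one record per hit."""
    counts = defaultdict(int)
    for a in alerts:
        counts[(a.sig_id, (a.ts // window_seconds) * window_seconds)] += 1
    return [(sig, start, n) for (sig, start), n in sorted(counts.items())]


def demo(capacity: int = 100, burst: int = 1000, poll_every: int = 200, reader_batch: int = 50):
    """Constructed scenario: a sweep writes `burst` alerts at 10 per second while the
    reader polls every `poll_every` writes. Returns (wrap warnings, events lost,
    events delivered, summary rows for the same burst)."""
    store = EventStore(capacity)
    sub = Subscription(store)
    delivered = []
    raw = []
    for i in range(burst):
        alert = Alert(4003, "10.0.0.5", f"10.0.1.{i % 254 + 1}", ts=i // 10)
        raw.append(alert)
        store.write_event(alert)
        if i % poll_every == poll_every - 1:
            delivered += sub.read(reader_batch)
    delivered += sub.read(burst)          # drain whatever is still readable
    return len(store.warnings), sub.lost, len(delivered), summarize(raw)


if __name__ == "__main__":
    wraps, lost, delivered, rows = demo()
    print(f"slow reader: {wraps} wrap warnings, {lost} lost, {delivered} delivered")
    print(f"summary mode would have stored {len(rows)} rows instead of {lost + delivered}")
    print("fast reader loses:", demo(poll_every=50)[1])
```

With the default parameters the store wraps nine times and the slow reader sees only 300 of the 1000 alerts, which is the dashboard-shows-nothing symptom from the question; polling every 50 writes loses nothing, and summarising the same burst into 30-second windows yields four rows in place of a thousand records.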

Similar Messages

  • Monitoring IPS 4240 for positives

    A customer has purchased an IPS 4240 box from us.
    I recently configured the box. It will monitor the customer's network in the following configuration:
    1 inline interface pair created from G0/0 and G0/1. Traffic from the customer's edge moves in on the IN (G0/0) interface and then in turn exits out to our outside perimeter firewall, which guards the customer DMZ.
    We have scheduled the inline interfaces to be connected this evening.
    I have a question regarding this installation:
    1) We have the default "vs0" virtual sensor assigned to the inline interface pair. If in fact any positives are identified, where in IDM would I be able to see what is happening? (Very important, as in case of false positives I have to be able to get traffic moving again.)
    Kevin Melton

    The sensor has a limited size event store that will wrap around when it fills up and overwrite previous alerts. SecMon was intended to be the long term storage for the alerts. In looking at the summary numbers, SecMon always has more alerts than the IDM. You can login using CLI and use command "show events alerts".

  • Event time issue - IPS 4240, v5.0, VMS.

    Hi,
    I am having this unique issue. Whereas the IPS system time is correct, and I have set a UTC offset of 330 min (being in the GMT +5:30 hrs time zone), I am still seeing the event time on the IEV as UTC, and not the system time. This is kind of tedious when trying to keep track of the actual local time the event occurred. The system clock on the IPS shows the correct local time.
    Also, on the VMS server, the system time is the same as the IPS. However, whenever I open up SecMon to view the events, it gives me a funny default start & end time, which is about 3 hours beyond the system time (I expect the time range reflected in SecMon should correspond to the system time of the VMS machine when the SecMon->Monitor->Events link was clicked). For example, if I click on the SecMon->Monitor->Events link at say 10:00 am on 13th April, I expect the fetch events time range to show from 13-April-2005 10:00:00 hrs to 13-April-2005 10:00:00 hrs. However, what it actually displays is 13:00:00 hrs to 13:00:00 hrs. I am at a loss where this time difference is creeping in from. Also, if instead of the time range I specify, say, last 1 or 2 hrs, it won't show me any events. (This I suspect is because of the funny 3 hr time difference that has crept in.) I can only see the events if I ask for the events beyond the last 3 hrs.
    Any suggestions on how to resolve this? I am not using any NTP servers currently. Would that help?
    Thanks in advance.
    Ajay.

    Hi Ajay,
    It's not a major problem in either your Cisco IDS or Cisco VMS. It is a time synchronisation factor that is involved in this mismatched time view on your SecMon.
    What version of VMS have you deployed?
    If it is not an updated version, then download the Perl script workaround files from the Download Center and run them on it.
    After that, the problem will be resolved.
    If it is not resolved, then please reply.
    Thanks

  • IPS monitoring Events Notes

    Dear all,
    I have a group of IPS/IDS devices installed in our network, monitoring multiple segments.
    Usually, and for years, I have always found events with a matching severity of high or medium in addition to low and informational.
    From around two months ago until now, while monitoring those IPS/IDS devices, I noticed that I am not finding any event with severity High or Medium, although before there were daily logs with High & Medium severity, and the whole group of IPS/IDS devices is affected by the same behaviour, not only one device.
    I will be happy if everything is running normally with no matching severity, but I am afraid that there is something wrong with the monitoring of our IPS/IDS systems.
    I find logs with low and informational severity only.
    Please advise if there is any troubleshooting I can do.
    Regards,

    I will assume you have not changed anything on your sensors to explain this difference. It can be accounted for by the normal signature update process. Cisco will phase out (retire) or modify old or poorly performing signatures (prone to false positives) over time. In order to test this idea, take some of the old medium and high severity signatures that used to fire and check what their current settings are in your sensors. If they're retired or have been updated, this may account for the difference.
    - Bob

  • New to IPS 4240 - What else can I use to manage it?

    I have just purchased a Cisco IPS 4240 and have it up and running. I have been using the IEV to view IPS information and that works OK. The VMS 2.2 that came included with the IPS will not work with the current CiscoWorks (LMS 2.5) installation that we have.
    My question is, is there any other tool besides the IEV and VMS 2.2 that I can use to manage/monitor my IPS? The IEV seems so limited.
    I have downloaded the newer VMS from the Cisco site and am planning to test that this coming week, but wanted to know ahead of time whether I needed to waste my time with this tool or not.
    Thanks!

    The latest CS-MARS release is promising, and honestly the netForensics solution offered by Cisco probably wouldn't be a good fit for the OP, but I think Cisco needs to rethink pushing MARS in lieu of everything else. As a previous customer of netForensics, and now a user of CS-MARS, there are definitely many things that netForensics does better than CS-MARS.
    My biggest beef with CS-MARS is the seemingly casual way in which it treats time and "raw messages". IMHO, these should be sacred to any SIM. I can elaborate, but for the sake of brevity I'll just give a couple of examples:
    The signature name reported in the "raw message" that MARS makes available is not always correct. Also, custom signature events report as "unknown" in the "raw message". Clearly this is not a "raw message" by any reasonable interpretation; MARS is writing bits that never existed in the original message.
    The event contextual information is very often truncated. If you rely on this a great deal, MARS probably isn't for you. There's also no interface for decoding it, requiring a cut-and-paste into your favourite decoder.
    Believe me, I could go on. On the bright side, MARS is showing promise; I was able to cross off my list quite a few issues after the latest upgrade.
    Matt

  • IPS 4240 event backup/retrievals

    Hi,
    We have three IPS 4240s placed on different segments of our network. We have the following queries about collecting IPS logs:
    1) We need to collect IPS events/logs to an external server.
    2) Is there any other application that we can use to retrieve IPS logs other than Cisco IME?
    3) Can Cisco IME retrieve logs taken from a backup server in the same manner that it retrieves the current logs (with colours, graphs etc.)?
    4) What is the correct log storage capacity of the IPS 4240 appliance? When I watch TAC IPS Media Series, Episode 2 - IPS Hardware,
       it is mentioned as 2GB DDR RAM and 512MB flash (https://supportforums.cisco.com/docs/DOC-13565).
       However, when I checked my IPS, Total Memory is 1984MB and Total Data Storage is 788MB. What are these figures?
    5) Where exactly are the IPS logs saved? Will the events go away once we do a power cycle?
    I would appreciate it if someone could answer the above questions with correct solutions.

    Yes, you are right, and it is clear to me, but I think the ASDM-IDM launcher can
    be used for both ASA and IPS.
    But in my case currently, I am upgrading only the IPS to 7.0(2)E4 from version 7.0(2)E3, so I don't want to lose the ability to access both ASA and IPS (with the new version).
    In addition, when I access the IPS through HTTPS, it does not create any shortcut on my screen. Moreover, when I try and click on "You can also install DM Launcher to run IDM." I get the DM Launcher with version 1.5(37) and not with version 1.5(49).
    PS:
    - I rebooted the sensor, same issue.
    - I cleared the cache folder in the paths "C:\Users\Administrator\.asdm\cache" & "C:\Users\Administrator\.idm\cache", also same issue.
    The problem persists.
    Please advise.

  • Bitcoin generator and Cisco IPS 4240

    I have a problem with a Bitcoin generator installed somewhere in the local network.
    I have an IPS 4240 that is connected as an IPS (all traffic to the internet passes through the IPS).
    The software on the IPS is very old, and I can not upgrade it.
    Version 6.0(6)E4
    Can I configure the IPS to detect and prevent Bitcoin?

    Please, can anyone answer these questions? Your help is appreciated. These are blocking me.
    We have purchased a Cisco IPS 4240 sensor, installed the license, and that device is communicating with other computers in the network. The version installed is IPS 6.1(1)E1. Please can you answer the questions below.
    1) Can you provide me the document or link that lists all the possible events that can be generated by the Cisco IPS 4240 sensor?
    2) Where will this IPS 4240 sensor store all the generated events? Can you provide me the file names and location of those files, and can you tell me how to access those files?
    3) How many types of events will be generated by this IPS 4240 sensor?
    4) How do I send all types of events to a syslog server (Windows Kiwi syslog or Linux syslog) present on another system in the network through the CLI, IDM and IME?
    5) Can you provide me some examples to generate different events?
    6) What is the difference between the CLI, IDM and IME?
    7) How can we know that the configured IPS system is in inline mode?

  • IPS 4240 configuration question

    I have a 4240 that is physically sitting in between my edge router and my ASA. One interface is connected to the router and the other is connected to the ASA. I have configured an inline interface pair. My question is, to manage the 4240, what options do I have? I know using the management interface is one option. However, due to security concerns, they don't want to use the management interface. I was wondering if there is any other way I can manage it.
    Thanks.

    The only way to communicate with your 4240 is via the management interface (Ethernet) or via the console port (serial). The management interface allows you a lot more flexibility: SSH, IDM (the GUI interface), event feeds to a SIM platform (via the SDEE protocol), and most importantly, software and signature updates.
    Why would you want to place your IPS sensors OUTSIDE your firewall?

  • IPS 4240 problem

    Hi All,
    We installed an IPS 4240 6 months ago and everything worked fine. Then I noticed the time in the IPS was not correct, so in the IDM I changed summer time to a 60 minute offset to get the right time from NTP, then rebooted the IPS. Since that time users inside the network are not able to connect to the internet, and basically traffic from inside to outside is blocked. But traffic from outside to inside is fine, and outside users are able to reach the web server in the DMZ zone.
    any idea would be very appreciated.
    thanks
    Alex

    Changing your time offset should not cause this type of problem. Check for any non-running processes with a "sh ver", reboot your sensor and check the system log for some signs of trouble or blocking with "sh events past 01:00".
    Open a TAC case to get additional help.

  • Deployment of Cisco IPS 4240 devices

    I can't seem to find any information regarding mass rollouts of Cisco IPS 4240 devices. I have 6 devices I intend to roll out to several remote offices and tie into a centralised Cisco MARS appliance. Without using any CSM/LMS software, is there a quick and dirty way to pull this off? I'm thinking of configuring a single IPS device, then pulling and distributing its configuration file to the remaining devices. I would like to see how others have accomplished this.

    If all of your sensors are the same type (all 4240s in your situation) and will all run the exact same configuration, then the copy command will help you out.
    There was a new feature added to the copy command in IPS 6.1 that will help you in copying the config from one sensor to another.
    You fully configure one sensor (use IME, IDM, or the CLI). When you are happy with the configuration, then use the copy command to copy it TO an SCP server.
    Now bring up a second sensor and configure the basic networking parameters through setup (IP address, gateway, etc.).
    Now use the copy command on the second sensor to copy the first sensor's configuration FROM the SCP server into the running config of the second sensor.
    It will prompt you whether to overwrite the second sensor's networking parameters.
    Answer NO.
    The rest of the first sensor's configuration will be copied into the second sensor.
    The second sensor will keep its own unique IP but will gain the rest of the configuration from the first sensor's config.
    Continue doing this with any additional sensors.
    The process can then be repeated any time additional changes are made to the first sensor.
    Keep in mind, though, that this only works if the sensor's configuration will be exactly duplicated (including which interfaces would be monitored and how).
    If each sensor will have some unique tunings, then you will need to either manage each sensor on its own, or purchase CSM, which can be used to share only certain portions of the configuration across multiple sensors.

  • IPS 4240 software 6.2(3)E4

    Hello!
    I have an IPS-4240 sensor which holds IPS software 6.2(3)E4. Right now we haven't got a license.
    With the device we have almost 100% CPU usage all the time:
    show statistics host
    General Statistics
       Last Change To Host Config (UTC) = 27-Dec-2010 14:51:19
       Command Control Port Device = Management0/0
    Network Statistics
    Memory Usage
       usedBytes = 1426128896
       freeBytes = 558419968
       totalBytes = 1984548864
    Summertime Statistics
       start = 02:00:00 UTC Sun Mar 27 2011
       end = 03:00:00 UTC Sun Oct 30 2011
    CPU Statistics
       Usage over last 5 seconds = 100
       Usage over last minute = 100
       Usage over last 5 minutes = 100
    Memory Statistics
       Memory usage (bytes) = 1426128896
       Memory free (bytes) = 558419968
    From the service account I see that only one process eats CPU: mainApp.
    I even created an additional virtual sensor vs1 where I have disabled all signatures. It gave me no result.
    The situation changes for a while after the sensor's reboot, but not for a long time.
    show interfaces doesn't show a lot of input traffic either.
    The event log contains only the following warnings:
    evError: eventId=1293461883161643337 severity=warning vendor=Cisco
      originator:
        hostId: XXXXXX
        appName: notification
        appInstanceId: 409
      time: 2011/01/19 15:22:56 2011/01/19 21:22:56 GMT+06:00
      errorMessage: name=errWarning - the subscription lost data [IdsEventStore::readSubscription()]
    What can the problem be? How can I reduce CPU usage?
    With hope of resolving the issue

    It would be difficult to pinpoint what the exact issue is with the high CPU just from the information provided in the post. It seems that mainApp is causing the high CPU; however, it is worth investigating further. I would suggest that you log a Cisco TAC case so further investigation can be performed.
    Alternatively, you can try to upgrade the software to the latest version of 7.0.4(E4) which has engine improvement.
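The evError record quoted in the question above (and the "event store wrapped around" warning in the opening post) is the hierarchical text form the sensor uses in its event log: a top-level line with key=value attributes, then indented "key: value" lines, with containers such as originator: having no value of their own. The parser below is an added example, not Cisco's code, that turns that format into nested dictionaries and then tallies the two store-pressure warnings seen on this page per hostId, so that an operator can spot a sensor whose store is wrapping or whose readers are falling behind before the dashboard goes quiet. The sample log is constructed from the records on this page (hostId "sensor-a" and the second record's appName and times are made up; the wrap index 19531 is the one from the opening post), and the classify labels are names chosen for this example.

```python
"""Parse Cisco IPS evError text records and count event-store warnings per host.
Added example; the sample log is constructed from records quoted in the thread."""
import re

# Constructed sample: two warnings from one sensor, in the sensor's own log format.
SAMPLE_LOG = """\
evError: eventId=1293461883161643337 severity=warning vendor=Cisco
  originator:
    hostId: sensor-a
    appName: notification
    appInstanceId: 409
  time: 2011/01/19 15:22:56 2011/01/19 21:22:56 GMT+06:00
  errorMessage: name=errWarning - the subscription lost data [IdsEventStore::readSubscription()]
evError: eventId=1293461883161643338 severity=warning vendor=Cisco
  originator:
    hostId: sensor-a
    appName: mainApp
    appInstanceId: 410
  time: 2011/01/19 15:23:10 2011/01/19 21:23:10 GMT+06:00
  errorMessage: name=errWarning - the event store wrapped around [IdsEventStore::writeEvent(), index = 19531]
"""

# Message patterns for the two warnings discussed in this thread (labels are ours).
PATTERNS = [
    (re.compile(r"event store wrapped around.*index = (\d+)"), "store_wrap"),
    (re.compile(r"subscription lost data"), "subscription_lost"),
]


def parse_events(text: str) -> list:
    """Split the log into records. A line at indent 0 starts a record and carries
    key=value attributes; deeper lines are 'key: value', or 'key:' for a container."""
    events = []
    stack = []                      # (indent, dict) path from the record root
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")   # first ':' only; values may contain '::'
        value = value.strip()
        if indent == 0:
            node = {"type": key}
            node.update(kv.split("=", 1) for kv in value.split())
            events.append(node)
            stack = [(0, node)]
            continue
        while stack and stack[-1][0] >= indent:       # climb back to the parent container
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return events


def classify(event: dict):
    """Return (label, wrap index or None) for a record's errorMessage."""
    msg = event.get("errorMessage", "")
    for rx, label in PATTERNS:
        m = rx.search(msg)
        if m:
            return label, (int(m.group(1)) if m.groups() else None)
    return "other", None


def triage(text: str) -> dict:
    """Per-host counts of the two store-pressure warnings plus the last wrap index."""
    report = {}
    for ev in parse_events(text):
        host = ev.get("originator", {}).get("hostId", "?")
        label, idx = classify(ev)
        entry = report.setdefault(
            host, {"store_wrap": 0, "subscription_lost": 0, "other": 0, "last_wrap_index": None})
        entry[label] += 1
        if idx is not None:
            entry["last_wrap_index"] = idx
    return report


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_LOG).items():
        print(host, entry)
```

A host with a growing store_wrap count is writing faster than its store can hold, which is the case where the reply at the top of the page recommends Summary Mode; a growing subscription_lost count without wraps points at a reader that is polling too slowly rather than at the event rate itself.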

  • How to configure IPS 4240 - K9 to send log file to syslog server

    I am looking for the commands for how to configure an IPS 4240-K9 to send its log file to a SYSLOG server. If anybody has come across a similar issue, please advise.
    Thanks in advance.

    Ali -
    I am sorry to tell you, but the Cisco IPS sensors do not send syslog messages. Your only options for sending signature event information are:
    SDEE (a TLS-encrypted, XML-formatted message): the sensor is the SDEE host and your event receiver (MARS, IME, Intellitactics, etc.) is the client.
    SNMP traps: you need to set the "Action" on each signature for which you want the sensor to send a trap.
    - Bob

  • Upgrading IPS-4240-K9

    Hi,
         I have an IPS-4240-K9 with system version 5.1(8)E2 and I need to upgrade to the latest version, Release 7.1(7)E4. I need to know if there is some way to do this without jumping through all the old versions (6.0 E2, 6.0 E3, 6.0E4, etc.). Do I need to re-image? What is the process? What files need to be downloaded?
    Thanks,

    Hello Salvador,
    The upgrade path is: 5.1(8) > 6.0(6) > 7.1
    If you want to do it directly, you will need to re-image the sensor.
    For upgrade use the .pkg file, and for re-image use the .img file.
    Download from:
    http://software.cisco.com/download/type.html?mdfid=278810718&flowid=4425
    For re-image:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_system_images.html#wp1060091
    Hope it helps,
    Regards,
    Felipe.

  • IPS 4240 Design Question

    I have two IPS 4240s that may be placed between our internal network and our extranet firewall. The firewall set is your standard ASA 5520 active/failover pair connected to two switches.
    Q1 - If I am not worried about atomic attacks, is there any other benefit to having the IPS inline over promiscuous?
    Q2 - Whether inline or promiscuous, is it necessary to connect a single IPS to both switches in order to receive packets when an ASA failover occurs? If so, is it done physically or via RSPAN?
    Q3 - If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I could not find that on Cisco's site.
    Thanks!

    A1 - There are a few things that inline mode can clean up by default, but that can also bite you. Check out some of the other forum posts on having SSH dropped without alerts. Since you have redundant 4240s, the reliability of the IPS sensors inline shouldn't affect you as much. Just don't update them at the same time.
    A2 - Only the signatures that need state will be affected by a failover. Hopefully failovers do not happen frequently enough for missing a few potential hits to be an issue. If you are really performing good analysis and tuning out your false positives, then you might want to connect both sensors to both switches.
    A3 - You can configure the 4240s to fail open (pass the traffic through the sensor when it fails) or fail closed (do not pass traffic during sensor failure). Since you have dual firewalls, switches and sensors, you can fail closed and force the traffic through the running sensor and firewall. If one sensor is standby, you may want to make it fail open, so that you can still pass traffic in the event both sensors are down.

  • IPS 4240 upgrade

    Hi,
    I am running version 6.2 on an IPS 4240. Could someone please let me have the procedure to upgrade the OS to 7.1.8? Is this upgrade the same as Cisco IOS, using TFTP?
    What is the procedure to upgrade? Is it first the OS and then the sensor? Could you please post the commands?
    Thanks

    Get the 7.1(8) upgrade pkg file from here:
    http://software.cisco.com/download/release.html?mdfid=283674966&flowid=24482&softwareid=282549759&release=7.1(8)E4&relind=AVAILABLE&rellifecycle=&reltype=latest
    The readme is available from the same link.
    In order to apply 7.1(8), the minimum required running version is 6.0(6) on 42xx series sensors, which you have, so you can simply apply the upgrade pkg. Applying it via IDM is probably the easiest way, or check the readme for CLI instructions.
    7.1(8) is packaged with signature level S735. If you have a more recent level, that will be preserved; if not, you will end up at S735. Then you can update the signature package to the most current level from here:
    http://software.cisco.com/download/type.html?mdfid=283674966&flowid=24482
