IPS sensor event reporting showing source IP 10.5.5.5, victim IP 0.0.0.0 - does 0.0.0.0 mean a broadcast?

We have an internal node in the environment and our IPS is catching it in the event logs, stating it is sending traffic to victim IP 0.0.0.0. I am assuming that 0.0.0.0 means a broadcast; is this correct?

No, 0.0.0.0 is used as a summary address. If the signature was a port scan, for example, the victim IP addresses may be too numerous to list, so Cisco uses the 0.0.0.0 address to indicate that it has summarized multiple addresses into that field.
- Bob
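An added triage helper illustrating Bob's point (it is not part of the thread and does not use Cisco's real alert format): the alert lines are a constructed key=value rendering of the fields an alert carries, and the monitored subnets are assumptions. It treats victim 0.0.0.0 as the sensor's "many targets, summarized" marker, distinct from a real limited or subnet-directed broadcast, and rolls summary alerts up per attacker so an analyst knows where to pull the detailed events.

```python
"""Classify IPS alert victim addresses: summary marker vs. real broadcast vs. host."""
import ipaddress
import shlex
from collections import defaultdict

SUMMARY_VICTIM = "0.0.0.0"  # sensor's marker for "too many victims to list"

# Constructed sample alerts (hypothetical key=value rendering, not sensor output).
SAMPLE_ALERTS = """\
sig=3030 name="tcp host sweep" attacker=10.5.5.5 victim=0.0.0.0 count=250
sig=2100 name="icmp network sweep" attacker=10.5.5.5 victim=0.0.0.0 count=48
sig=2004 name="icmp echo request" attacker=10.5.5.5 victim=10.5.5.255 count=1
sig=3002 name="tcp port sweep" attacker=192.168.7.9 victim=0.0.0.0 count=120
sig=4003 name="udp port sweep" attacker=10.5.5.5 victim=10.5.5.40 count=1
"""

# Assumed subnets the sensor watches; needed to recognise directed broadcasts.
MONITORED_NETS = [ipaddress.ip_network("10.5.5.0/24"),
                  ipaddress.ip_network("192.168.7.0/24")]


def parse_alert(line):
    """Turn one key=value alert line into a dict; sig and count become ints."""
    fields = {}
    for token in shlex.split(line):          # shlex keeps quoted names intact
        key, _, value = token.partition("=")
        fields[key] = value
    fields["sig"] = int(fields["sig"])
    fields["count"] = int(fields.get("count", 1))
    return fields


def classify_victim(victim, monitored_nets=MONITORED_NETS):
    """summary | limited-broadcast | directed-broadcast | host."""
    if victim == SUMMARY_VICTIM:
        return "summary"                      # not a destination at all
    addr = ipaddress.ip_address(victim)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if any(addr == net.broadcast_address for net in monitored_nets):
        return "directed-broadcast"
    return "host"


def triage(alert_text, monitored_nets=MONITORED_NETS):
    """Group alerts per attacker, keeping summary alerts apart from real victims."""
    report = defaultdict(lambda: {"summary_sigs": set(), "summarized_events": 0,
                                  "host_victims": set(), "broadcast_victims": set()})
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        entry = report[alert["attacker"]]
        kind = classify_victim(alert["victim"], monitored_nets)
        if kind == "summary":
            entry["summary_sigs"].add(alert["sig"])
            entry["summarized_events"] += alert["count"]
        elif kind == "host":
            entry["host_victims"].add(alert["victim"])
        else:
            entry["broadcast_victims"].add(alert["victim"])
    return dict(report)


def triage_notes(report):
    """One analyst note per attacker that has summary alerts."""
    notes = []
    for attacker, entry in sorted(report.items()):
        if entry["summary_sigs"]:
            sigs = ", ".join(str(s) for s in sorted(entry["summary_sigs"]))
            notes.append(f"{attacker}: {entry['summarized_events']} events folded "
                         f"into victim 0.0.0.0 (sigs {sigs}); pull the sensor's "
                         f"detailed events for the real target list")
    return notes


if __name__ == "__main__":
    for note in triage_notes(triage(SAMPLE_ALERTS)):
        print(note)
```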

Similar Messages

  • IPS Sensor - Event Notification via Email?

    Good day all.
    I have been asked to re-create some functionality that was lost after the customer upgraded from VMS to CSM but without CS-MARS or any other event monitor. The user had the system set to generate an email when an event was fired. It apparently was noisy in the beginning but after tuning was not a bad solution. No one knows how it was originally set up, but I can only assume it was the method described in the Cisco document at: http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_example09186a00801fc770.shtml#fivesensor
    Now, however, since the CSM does not receive event data, is it possible to recreate this 'notification' process?
    They are using CSM 3.02 and the Sensors are still at 5.14. The Sensors will be updated to 5.17 later today. I will then either be upgrading the customer to the latest revisions and service packs for CSM or rolling them back to VMS, depending on whether I can get the notifications to work with CSM.
    NOTE: They are ordering a CS-MARS appliance with the belief that it will resolve the issue but as last word it will be several months at least before they could get it in. I am concerned that CS-MARS will NOT give them back this functionality. Can anyone confirm/deny?
    Lastly - since CSM does not include a Security Monitor like VMS did, and CS-MARS does not really recreate that sort of view or management of the events - what solution(s) are there to replicate the Security Monitor functionality? Is there one? Is CS-MARS the new bully on the block?

    Since the customer is staying at a 5.1(x) version, you have 3 options:
    1) downgrade to VMS and continue using Security Monitor
    2) Stay with CSM and purchase CS-MARS for the event monitoring. CS-MARS should provide email notification capability.
    3) Stay with CSM and install and use IEV 5.2(1).
    IEV 5.2(1) can either be installed on a separate machine from CSM as a standalone utility:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev
    IEV 5.2(1) contains the new feature for email notification for alerts.
    OR IEV 5.2(1) can be installed as part of the CSM installation (I know it is in CSM 3.1, but not sure about earlier CSM versions).
    Here is some documentation on running IEV 5.2(1) within the CSM framework:
    http://www.cisco.com/en/US/partner/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/monidiag.html#wp1203768
    NOTE: IEV 5.2(1) is targeted for use in networks with 5 or fewer sensors. When running with 5 or more sensors, CS-MARS would be the recommended viewer.
    When the user later upgrades to version 6.x, then option 1 (downgrading to VMS) is no longer an option and either option 2 or 3 would be required.

  • 5585X-IPS SSM40 Event alert

    Hello,
    The ASA firewall is running in Active/Active mode. Below is the configuration of the firewall and the IPS SSM module.
    We are not getting any events on the IPS sensor when we type "show event alerts".
    IPS configuration:
    ++++++++++++++++++++++
    IPS1#
    IPS1# sh configuration
    ! Current configuration last modified Tue Jul 02 07:19:13 2013
    ! Version 7.1(1)
    ! Host:
    !     Realm Keys          key1.0
    ! Signature Definition:
    !     Signature Update    S552.0   2011-03-07
    service interface
    exit
    service authentication
    exit
    service event-action-rules rules0
    exit
    service host
    network-settings
    host-ip 10.15.1.58/28,10.15.1.57
    host-name IPS1
    telnet-option disabled
    access-list 0.0.0.0/0
    dns-primary-server disabled
    dns-secondary-server disabled
    dns-tertiary-server disabled
    exit
    time-zone-settings
    offset 60
    standard-time-zone-name GMT+03:00
    exit
    exit
    service logger
    exit
    service network-access
    exit
    service notification
    exit
    service signature-definition sig0
    exit
    service ssh-known-hosts
    exit
    service trusted-certificates
    exit
    service web-server
    exit
    service anomaly-detection ad0
    exit
    service external-product-interface
    exit
    service health-monitor
    exit
    service global-correlation
    exit
    service analysis-engine
    virtual-sensor vs1
    description virtual-sensor-1
    anomaly-detection
    operational-mode learn
    exit
    physical-interface PortChannel0/0
    exit
    exit
    IPS1#
    ASA in system mode
    +++++++++++++++++++++++++++++++++++++++
    ASA-1/act/pri# sh run
    : Saved
    ASA Version 9.1(1) <system>
    hostname ASA-1
    enable password u14FkAnxI.kNNH7a encrypted
    no mac-address auto
    interface GigabitEthernet0/0
    description LAN Failover Interface
    interface GigabitEthernet0/1
    description STATE Failover Interface
    interface GigabitEthernet0/2
    interface GigabitEthernet0/3
    interface GigabitEthernet0/4
    shutdown
    interface GigabitEthernet0/5
    shutdown
    interface Management0/0
    interface Management0/1
    interface TenGigabitEthernet0/6
    channel-group 20 mode active
    interface TenGigabitEthernet0/7
    channel-group 20 mode active
    interface TenGigabitEthernet0/8
    channel-group 10 mode active
    interface TenGigabitEthernet0/9
    channel-group 10 mode active
    interface GigabitEthernet1/0
    shutdown
    interface GigabitEthernet1/1
    shutdown
    interface GigabitEthernet1/2
    shutdown
    interface GigabitEthernet1/3
    shutdown
    interface GigabitEthernet1/4
    shutdown
    interface GigabitEthernet1/5
    shutdown
    interface TenGigabitEthernet1/6
    shutdown
    interface TenGigabitEthernet1/7
    shutdown
    interface TenGigabitEthernet1/8
    shutdown
    interface TenGigabitEthernet1/9
    shutdown
    interface Port-channel10
    interface Port-channel10.96
    description "Inside-CTX-1"
    vlan 96
    interface Port-channel10.97
    description "Inside-CTX-2"
    vlan 97
    interface Port-channel20
    interface Port-channel20.98
    description "Outside-CTX-1"
    vlan 98
    interface Port-channel20.99
    description "Outside-CTX-2"
    vlan 99
    class default
      limit-resource All 0
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
    boot system disk0:/asa911-smp-k8.bin
    ftp mode passive
    pager lines 24
    failover
    failover lan unit primary
    failover lan interface FOL GigabitEthernet0/0
    failover link STATEFULL-LINK GigabitEthernet0/1
    failover interface ip FOL 10.15.1.33 255.255.255.252 standby 10.15.1.34
    failover interface ip STATEFULL-LINK 10.15.1.37 255.255.255.252 standby 10.15.1.38
    failover group 1
      preempt
    failover group 2
      secondary
      preempt
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    console timeout 0
    tls-proxy maximum-session 1000
    admin-context admin
    context admin
      allocate-ips vs0 adminvs0
      config-url disk0:/admin.cfg
    context arm-1
      description ARM-1
      allocate-interface Management0/0 MGT
      allocate-interface Port-channel10.96 inside
      allocate-interface Port-channel20.98 outside
      allocate-ips vs1 arm-1vs1
      config-url disk0:/arm-1_Context.cfg
      join-failover-group 1
    context arm-2
      description ARM-2
      allocate-interface Management0/1 MGT
      allocate-interface Port-channel10.97 inside
      allocate-interface Port-channel20.99 outside
      allocate-ips vs1 arm-2vs1
      config-url disk0:/arm-2_Context.cfg
      join-failover-group 2
    prompt hostname context state priority
    no call-home reporting anonymous
    Cryptochecksum:ad532251aad3ca65f6da8f1ff0762816
    ASA in one arm context mode
    +++++++++++++++++++++++++++++++++++++++
    ASA-1/arm-1/act/pri# sh run
    : Saved
    ASA Version 9.1(1) <context>
    firewall transparent
    hostname arm-1
    enable password u14FkAnxI.kNNH7a encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface BVI1
    ip address 10.15.1.57 255.255.255.240
    interface MGT
    management-only
    nameif management
    security-level 0
    ip address 10.14.1.9 255.255.255.0 standby 10.14.1.10
    interface inside
    nameif inside
    bridge-group 1
    security-level 100
    interface outside
    nameif outside
    bridge-group 1
    security-level 0
    access-list global extended permit ip any any
    access-list out extended permit ip any any
    access-list in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu inside 1500
    mtu outside 1500
    monitor-interface inside
    monitor-interface outside
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group in in interface inside
    access-group out in interface outside
    route inside 10.0.0.0 255.255.0.0 10.15.1.51 1
    route inside 10.0.10.45 255.255.255.255 10.15.1.51 1
    route outside 10.11.0.0 255.255.0.0 10.15.1.53 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    no threat-detection statistics tcp-intercept
    username admin password fMQ/rjnxl9Vwe9mv encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    class-map any
    match access-list global
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map IPS
    class any
      ips promiscuous fail-open sensor arm-1vs1
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    service-policy IPS interface outside
    Cryptochecksum:00b87b7c25f21d91cf5b90cb18c4d745
    : end
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Why are we not able to see any events on the IPS? MPF is configured on the ASA and that ACL is getting hit counts.
    Regards,

    In the CLI enter the following command to see if any signatures are triggering, it could just be that you haven't had the right combination of signatures trigger to cause an actual event:
    show stat virtual-sensor | begin Per-Signature
    You could also enable Signature 2000 and that will usually generate events in a short time to ensure you have traffic configured correctly for inspection by the IDS.

  • CSM IPS Manager doesn't display IPS sensors.

    I am doing the initial configuration of CSM v3.0. The IPS sensor 4250xl that I have added to CSM doesn't show up in the IPS Manager. Moreover, the Devices->Sensor window doesn't appear to be displayed correctly; there is a browser icon indicating missing content.
    Any ideas what may be the issue. Thanks.

    You might be running into a bug here. The bug ID is CSCsa83631.

  • How to monitor IPS sensor health by email?

    Hi All,
    Is there any way to configure e-mail notifications about IPS sensor health monitoring results?
    I have tried to install the IPS-supported MIBs on my SNMP management station (actually, it is HP SIM). The Cisco-supported MIBs have not been installed successfully on HP SIM yet.
    Also, I have been searching for such a monitoring tool on the cisco.com web site, and tools like LAN Monitoring Solution (or Device Fault Manager) require licensing, so in my case they are not suitable.
    Does somebody know an SNMP management station (monitoring) tool which could monitor the sensor health without additional MIB installation?
    There is one more practical question: is there any way to send a test trap from the IPS sensor to the SNMP management station?
    Thanks in advance,
    Maksim

    Hello Maksim,
    This functionality is not yet available, but will be included in IPS 7.1. This enhancement is being tracked via CSCsu08529.
    Thank you,
    Blayne Dreier
    Cisco TAC IDS Team
    **Please check out our Podcast**
    TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

  • My machine got restarted with event 1074 and source user32

    Hi Expert,
    One of our employees' computers restarted while they were working. While checking the event logs under SYSTEM, I found only this suitable event for the restart.
    Event ID - 1074
    Source - User32
    The process setup.exe has initiated the restart of computer PTD09487 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
    Reason Code: 0x2
    Shutdown Type: restart
    Comment:
    1. How can I find out which setup.exe was run or who initiated it?
    2. What does this event ID mean other than restart?
    3. What other options should I check to find out why this restart took place?
    4. If this happened due to Windows Update, how can I confirm that a restart message was shown to the user? Normally our GPO is configured to display a restart message to the user 30 minutes before.
    Please let me know if I posted in the wrong forum.

    Hi,
    If this situation occurs because of Windows Update, the user will receive a restart message.
    If it's not that situation, please create a new user to see if it occurs.
    If yes, please fix your corrupted user profile:
    Fix a corrupted user profile
    http://windows.microsoft.com/en-in/windows/fix-corrupted-user-profile#1TC=windows-7
    If no, please repair the system using your installation media:
    Create a system repair disc
    http://windows.microsoft.com/en-in/windows7/create-a-system-repair-disc
    Karen Hu
    TechNet Community Support

  • Filtering P2P programs by IPS sensor

    Hi,
    I tried to stop P2P programs by enabling all P2P signatures. Some programs were stopped, like Kazaa, but many other programs like LimeWire and others were still working. I tried to modify the signatures to add ports or regex to them, but I couldn't find any information about these programs. Can anyone help me with that issue?
    Thanks.

    You could get some help from the regexes built into the ASA firewall and try to add them in the IPS. Looking at the signature definitions of the open source Snort IPS might also help.
    show run all regex (for the ASA)
    Regards
    Farrukh

  • Event reports fail to execute (ora-00942, new install, database error?)

    This is my first time working with Oracle software, and I am trying to use the Sensor Edge Server to test an RFID implementation. I am using OAS and SES 10.1.3.1 with Database 10.2.0. I followed many guides, I believe the database install instructions were from the database documentation library, and the OAS/SES instructions from the flash demo found here:
    http://www.oracle.com/technology/products/sensor_edge_server/tutorials.html
    My initial installation did not link to the Data repository, so I used manual configuration instructions from here:
    http://www.oracle.com/technology/obe/1013/fusion_middleware/integration/ses/manualconfig/manualconfig.htm
    At certain points I had to enter the SQL commands manually to ensure the Edge user's password was set, but all the outputs were as expected.
    Now that all this was done, I used the simulator with a simple xml file (as in the example) and confirmed it was loading via the "Monitor Events" tab in the SES. When I went to the "Event Reports" tab, the "Fetch Results" button caused an error message reading "Unable to Process Request / The query failed to execute: ORA-00942: table or view does not exist"
    In the log, sometimes I catch "OracleArchiverWorkerImpl: Cannot insert event into SDR:>>"
    and "java.sql.SQLException: ORA-06550: Line 1 Column 7: PLS-00201: identifier 'EDG_SDA.ON_EVENT" must be declared"
    I've done a fair bit of searching through the whole forum (not just the RFID area), checked on the 00942 error and so on, but what I've done wrong isn't jumping out at me. Anyone care to give input?
    Thanks sincerely,
    Andrew

    To clarify, I used the SQL*Plus instructions from the server guide:
       sqlplus edge/<password>@<service_name>
       select count(*) from edg_event_vw;
       select count(*) from sda_observations;
    Both initially returned "2" and did not update, despite resetting devices (causing events in the "Monitor Events" tab).
    Andrew
    Message was edited by:
    user582280

  • Events list on Source

    Can anyone help me to show the list of events on the Source list on the left?

    Thanks for that.
    Sorry to be thick, but how does someone else open my library, please?

    Do you know someone with Aperture 3.6 who could do that for you?
    Then drag your iPhoto library to an external drive or memory stick, large enough to hold your library plus some working space.
    The drive needs to be formatted MacOS Extended (Journaled), with the "Ignore Ownership" flag enabled, as described in this document.
    Your friend would connect this drive with the library to her/his Mac and launch Aperture. Then use the command "File > Switch to Library" and select your library. Now import one new photo into the library to force Aperture to update the events.
    Then quit Aperture and eject the drive.
    Connect the drive to your Mac and test the copied library in iPhoto (use "File > Switch to Library") to see if it still works well before you replace your regular library with it.

  • Error while creating a new report data source in Sharepoint Document library

    I installed SSRS (SQL Server 2012 SP1) in my SharePoint 2013 farm (single server installation).
    I have installed the SSRS add-in for reporting as well.
    I created a document library and included the Report Data Source content type, Report Builder Report and Report Builder Model content types. On clicking any of these content types I get the error below.
    "new Document requires a Microsoft SharePoint Foundation-compatible application and web browser. To add document to document library, click on the 'Upload' button."
    I am using the Windows 7 64-bit operating system with Google Chrome and IE 8 64-bit.
    Any help would be appreciated.

    Rakesh, is this an SSRS question?
    This doesn't look like Power View.
    Thanks!
    Ed Price, Azure & Power BI Customer Program Manager

  • Getting 401 error while creating a Report Data Source with MOSS 2010 Foundation

    I have set up SQL Server 2008 R2 Reporting Services with SharePoint 2010 Foundation in SharePoint integrated mode. SharePoint Foundation is on machine 1, whereas SQL Server 2008 R2 and the SSRS Report Server are on machine 2. While configuring Reporting Services - SharePoint integration, I have used Authentication Mode as "Windows Authentication" (I need to use Kerberos).
    My objective is to set up a Data Connection Library, a Report Model Library, and a Reports Library so that I can upload a Report Data Source, some SMDLs, and a few Reports onto their respective libraries.
    While creating the top level site, "Business Intelligence Center" was not available for template selection since SharePoint Foundation is being used. I therefore selected "Blank Site" as the template.
    While creating a SharePoint Site under the top level site, for template selection I again had to select "Blank Site".
    I then proceeded to create a library for the data connection. Towards this, I created a new document library and selected "Basic page" as the document template. I then went to Library Settings for this newly created library and clicked on Advanced Settings. In the Advanced Settings page, for "Allow management of content types?" I selected "Yes". Then I clicked on "Add from existing content types" and selected "Report Data Source". I deleted the existing "Document" content type for this library.
    Now I wanted to create a Data Connection in the above Data Connection library. For this, when I clicked on "New Document" under "Documents" of "Library Tools" and selected "Report Data Source", I got the error "The request failed with HTTP status 401: Unauthorized.".
    Can anybody tell me why I am getting this error?
    Note: I have created the site and the library using the SharePoint Admin account.

    Hi,
    Thank you for your detailed description. According to the description, I noticed that the report server was not part of the SharePoint farm. Add the report server to the SharePoint farm and see how it works.
    To join a report server to a SharePoint farm, the report server must be installed on a computer that has an instance of a SharePoint product or technology. You can install the report server before or after installing the SharePoint product or technology instance.
    For more information, see http://msdn.microsoft.com/en-us/library/bb283190.aspx
    Thanks.
    Tracy Cai
    TechNet Community Support

  • iPhone iCal events won't show up in iCal

    I have had an iPhone for a few months now and recently got an iMac G5 with OS X 10.4.11. I am trying to sync my iPhone calendar with my iMac iCal software, but none of my events will show up on the iMac. All of my contacts have synced, but not the calendar events. I selected iCal in iTunes when I synced, but still nothing! What am I doing wrong?

    Corrupted files can't download. If you can help me with this, thanks.

  • "Invoice History Report" shows wrong balance for supplier invoice with USD

    The Invoice History Report shows the wrong balance for a supplier invoice with USD currency.
    After I run this report, I see at the end of the report that there is a difference between the supplier total USD (currency) and the open balance USD; it decreased the open balance for the supplier by 2300 USD without any reason.
    Below is a data copy of the report:
    ======================================================
    Supplier Site Total: SAR 34,700.00
    Supplier Site Total: USD 39,000.00
    Supplier Total: SAR 34,700.00
    Supplier Total: USD 39,000.00
    Open Balance: SAR 34,700.00
    Open Balance: USD 36,700.00
    *** End of Report ***
    ==============================================
    Please advise me where this difference (39000 - 36,700 = 2300) is coming from, or whether it is a bug in this report, because I compared this report with other reports in Accounts Payable like:
    -supplier open balance letter
    -invoice register report
    -invoice aging report
    All these reports give me the amount for the supplier as USD 39000.
    BUT AGAIN, FROM WHERE DID THE SYSTEM DECREASE THE AMOUNT TO 36,700?
    thanks

    Can you try running Create Accounting for Payments just before you run the Invoice History Report and re-check?
    Thanks

  • Help me with the 'AR Details' report showing total open invoices by customer

    hi friends,
    Please help me with the 'AR Details' report, which shows total open invoices by customer and PO number over a selected time range.
    Anything related to open invoices, please send to me as early as possible.
    Thanks,
    Regards,
    Yogesh

    Hi,
    Find the T-code VF05. You will get the list of open billing docs. It's an SIS report. Please check whether SIS is active in your system.
    Regards,

  • Update before a report shows with bind variable

    I need to update a table before a report shows. This report has a bind variable, and I need the bind variable's value for the WHERE clause in the update. How can I do that?
    I would be very thankful for any idea.

    Mery,
    If I understand correctly, your application should display a report when it is called.
    But first, before the report is displayed, you want to update a table using a bind variable passed into the report when it is called. Do I understand correctly so far?
    So while editing the report, in the last tab option you have (Additional PL/SQL Code), you need to put some PL/SQL code into the section titled '...before displaying the page.'
    declare
    begin
    update table_x
    set column_x = somevalue
    where column_y = bind_variable;
    end;
    I haven't yet passed bind variables into reports, so I'm not quite sure how to retrieve them, but I'm sure there are other postings here about that.
    I'm mostly just trying to clarify if this is what you're asking, and maybe somebody else can answer the rest of your questions.
    Good luck.
    Kurt
