IPS sensor event reporting showing source IP 10.5.5.5, victim IP 0.0.0.0 - does 0.0.0.0 mean a broadcast?
We have an internal node in the environment and our IPS is catching it in the event logs, stating it is sending traffic to victim IP 0.0.0.0. I am assuming that 0.0.0.0 means a broadcast; is this correct?
No, 0.0.0.0 is used as a summary address. If the signature was a port scan, for example, the victim IP addresses may be too numerous to list, so Cisco uses the 0.0.0.0 address to indicate that it has summarized multiple addresses into that field.
- Bob
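A small triage script that applies Bob's point, added here as an illustration and not part of the original thread or of any Cisco tool. It treats a victim of 0.0.0.0 (the IPv4 unspecified address, which no packet can be sent to) as the summary marker, distinguishes it from a real broadcast destination, and groups alerts per attacker so a summarized or many-victim source stands out. The alert records and the 10.5.5.0/24 subnet are constructed for the example; the field layout is an assumption, not the sensor's real event format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of IPS alert records. This is not real sensor output and
# the field layout (sig, name, attacker, victim) is an assumption made for the
# example. A victim of 0.0.0.0 is the sensor's summary marker, not a broadcast.
SAMPLE_ALERTS = [
    {"sig": 3002, "name": "TCP SYN Port Sweep", "attacker": "10.5.5.5", "victim": "0.0.0.0"},
    {"sig": 2004, "name": "ICMP Echo Request", "attacker": "10.5.5.5", "victim": "10.5.5.20"},
    {"sig": 2004, "name": "ICMP Echo Request", "attacker": "10.5.5.5", "victim": "10.5.5.21"},
    {"sig": 2004, "name": "ICMP Echo Request", "attacker": "10.5.5.5", "victim": "10.5.5.22"},
    {"sig": 2004, "name": "ICMP Echo Request", "attacker": "10.5.5.9", "victim": "10.5.5.255"},
]

LOCAL_NET = ipaddress.ip_network("10.5.5.0/24")  # assumed local subnet for the example


def classify_victim(victim, local_net=LOCAL_NET):
    """Return 'summarized', 'broadcast' or 'host' for the victim field.

    0.0.0.0 is the IPv4 unspecified address; a packet cannot be addressed *to*
    it, so when it shows up as the victim it is the report's summary marker.
    Real broadcasts are 255.255.255.255 or the subnet's directed broadcast.
    """
    addr = ipaddress.ip_address(victim)
    if addr.is_unspecified:
        return "summarized"
    if addr == local_net.broadcast_address or addr == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    return "host"


def triage(alerts, local_net=LOCAL_NET):
    """Group alerts per attacker: distinct hosts hit, summarized/broadcast counts, signature ids."""
    per_attacker = defaultdict(lambda: {"hosts": set(), "summarized": 0, "broadcast": 0, "sigs": set()})
    for alert in alerts:
        rec = per_attacker[alert["attacker"]]
        rec["sigs"].add(alert["sig"])
        kind = classify_victim(alert["victim"], local_net)
        if kind == "host":
            rec["hosts"].add(alert["victim"])
        else:
            rec[kind] += 1
    return dict(per_attacker)


def suspected_scanners(alerts, min_hosts=3, local_net=LOCAL_NET):
    """Attackers with a summarized (0.0.0.0) victim or at least min_hosts distinct victims."""
    summary = triage(alerts, local_net)
    return sorted(
        src for src, rec in summary.items()
        if rec["summarized"] > 0 or len(rec["hosts"]) >= min_hosts
    )


if __name__ == "__main__":
    for src, rec in triage(SAMPLE_ALERTS).items():
        print(src, "hosts:", len(rec["hosts"]), "summarized:", rec["summarized"],
              "broadcast:", rec["broadcast"], "sigs:", sorted(rec["sigs"]))
    print("suspected scanners:", suspected_scanners(SAMPLE_ALERTS))
```

The practical consequence for triage: a 0.0.0.0 victim tells you the sensor collapsed many destinations into one event, so the source deserves a look even though the event count is low.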
Similar Messages
-
IPS Sensor - Event Notification via Email?
Good day all.
I have been asked to re-create some functionality that was lost after the customer upgraded from VMS to CSM but without CS-MARS or any other event monitor. The user had the system set to generate an email when an event was fired. It apparently was noisy in the beginning but after tuning was not a bad solution. No one knows how it was originally set up but I can only assume it was the method described in the Cisco document at: http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_example09186a00801fc770.shtml#fivesensor
Now, however, since CSM does not receive event data, is it possible to recreate this 'notification' process?
They are using CSM 3.02 and the Sensors are still at 5.14. The Sensors will be updated to 5.17 later today. I will then either be upgrading the customer to the latest revisions and service packs for CSM or rolling them back to VMS, depending on whether I can get the notifications to work with CSM.
NOTE: They are ordering a CS-MARS appliance with the belief that it will resolve the issue but as last word it will be several months at least before they could get it in. I am concerned that CS-MARS will NOT give them back this functionality. Can anyone confirm/deny?
Lastly - Since CSM does not include a Security Monitor like VMS did, and CS-MARS does not really recreate that sort of view or management of the events - what solution(s) are there to replicate the Security Monitor functionality? Is there? Is CS-MARS the new bully on the block?
Since the customer is staying at a 5.1(x) version, you have 3 options:
1) downgrade to VMS and continue using Security Monitor
2) Stay with CSM and purchase CS-MARS for the event monitoring. CS-MARS should provide email notification capability.
3) Stay with CSM and install and use IEV 5.2(1).
IEV 5.2(1) can either be installed on a separate machine from CSM as a standalone utility:
http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev
IEV 5.2(1) contains the new feature for email notification for alerts.
OR IEV 5.2(1) can be installed as part of the CSM installation (I know it is in CSM 3.1, but not sure about earlier CSM versions).
Here is some documentation on running IEV 5.2(1) within the CSM framework:
http://www.cisco.com/en/US/partner/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/monidiag.html#wp1203768
NOTE: IEV 5.2(1) is targeted for use in networks with 5 or fewer sensors. When running with 5 or more sensors, CS-MARS would be the recommended viewer.
When the user later upgrades to version 6.x, then option 1 (downgrading to VMS) is no longer an option and either option 2 or 3 would be required. -
Hello,
ASA Firewall is running in Active/Active mode. Below is the configuration of the firewall and IPS SSM module.
We are not getting events on the IPS sensor when we type "show event alerts".
IPS configuration:
++++++++++++++++++++++
IPS1#
IPS1# sh configuration
! Current configuration last modified Tue Jul 02 07:19:13 2013
! Version 7.1(1)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S552.0 2011-03-07
service interface
exit
service authentication
exit
service event-action-rules rules0
exit
service host
network-settings
host-ip 10.15.1.58/28,10.15.1.57
host-name IPS1
telnet-option disabled
access-list 0.0.0.0/0
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset 60
standard-time-zone-name GMT+03:00
exit
exit
service logger
exit
service network-access
exit
service notification
exit
service signature-definition sig0
exit
service ssh-known-hosts
exit
service trusted-certificates
exit
service web-server
exit
service anomaly-detection ad0
exit
service external-product-interface
exit
service health-monitor
exit
service global-correlation
exit
service analysis-engine
virtual-sensor vs1
description virtual-sensor-1
anomaly-detection
operational-mode learn
exit
physical-interface PortChannel0/0
exit
exit
IPS1#
ASA in system mode
+++++++++++++++++++++++++++++++++++++++
ASA-1/act/pri# sh run
: Saved
ASA Version 9.1(1) <system>
hostname ASA-1
enable password u14FkAnxI.kNNH7a encrypted
no mac-address auto
interface GigabitEthernet0/0
description LAN Failover Interface
interface GigabitEthernet0/1
description STATE Failover Interface
interface GigabitEthernet0/2
interface GigabitEthernet0/3
interface GigabitEthernet0/4
shutdown
interface GigabitEthernet0/5
shutdown
interface Management0/0
interface Management0/1
interface TenGigabitEthernet0/6
channel-group 20 mode active
interface TenGigabitEthernet0/7
channel-group 20 mode active
interface TenGigabitEthernet0/8
channel-group 10 mode active
interface TenGigabitEthernet0/9
channel-group 10 mode active
interface GigabitEthernet1/0
shutdown
interface GigabitEthernet1/1
shutdown
interface GigabitEthernet1/2
shutdown
interface GigabitEthernet1/3
shutdown
interface GigabitEthernet1/4
shutdown
interface GigabitEthernet1/5
shutdown
interface TenGigabitEthernet1/6
shutdown
interface TenGigabitEthernet1/7
shutdown
interface TenGigabitEthernet1/8
shutdown
interface TenGigabitEthernet1/9
shutdown
interface Port-channel10
interface Port-channel10.96
description "Inside-CTX-1"
vlan 96
interface Port-channel10.97
description "Inside-CTX-2"
vlan 97
interface Port-channel20
interface Port-channel20.98
description "Outside-CTX-1"
vlan 98
interface Port-channel20.99
description "Outside-CTX-2"
vlan 99
class default
limit-resource All 0
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
pager lines 24
failover
failover lan unit primary
failover lan interface FOL GigabitEthernet0/0
failover link STATEFULL-LINK GigabitEthernet0/1
failover interface ip FOL 10.15.1.33 255.255.255.252 standby 10.15.1.34
failover interface ip STATEFULL-LINK 10.15.1.37 255.255.255.252 standby 10.15.1.38
failover group 1
preempt
failover group 2
secondary
preempt
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0
tls-proxy maximum-session 1000
admin-context admin
context admin
allocate-ips vs0 adminvs0
config-url disk0:/admin.cfg
context arm-1
description ARM-1
allocate-interface Management0/0 MGT
allocate-interface Port-channel10.96 inside
allocate-interface Port-channel20.98 outside
allocate-ips vs1 arm-1vs1
config-url disk0:/arm-1_Context.cfg
join-failover-group 1
context arm-2
description ARM-2
allocate-interface Management0/1 MGT
allocate-interface Port-channel10.97 inside
allocate-interface Port-channel20.99 outside
allocate-ips vs1 arm-2vs1
config-url disk0:/arm-2_Context.cfg
join-failover-group 2
prompt hostname context state priority
no call-home reporting anonymous
Cryptochecksum:ad532251aad3ca65f6da8f1ff0762816
ASA in one arm context mode
+++++++++++++++++++++++++++++++++++++++
ASA-1/arm-1/act/pri# sh run
: Saved
ASA Version 9.1(1) <context>
firewall transparent
hostname arm-1
enable password u14FkAnxI.kNNH7a encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface BVI1
ip address 10.15.1.57 255.255.255.240
interface MGT
management-only
nameif management
security-level 0
ip address 10.14.1.9 255.255.255.0 standby 10.14.1.10
interface inside
nameif inside
bridge-group 1
security-level 100
interface outside
nameif outside
bridge-group 1
security-level 0
access-list global extended permit ip any any
access-list out extended permit ip any any
access-list in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group in in interface inside
access-group out in interface outside
route inside 10.0.0.0 255.255.0.0 10.15.1.51 1
route inside 10.0.10.45 255.255.255.255 10.15.1.51 1
route outside 10.11.0.0 255.255.0.0 10.15.1.53 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
no threat-detection statistics tcp-intercept
username admin password fMQ/rjnxl9Vwe9mv encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
class-map any
match access-list global
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map IPS
class any
ips promiscuous fail-open sensor arm-1vs1
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
service-policy IPS interface outside
Cryptochecksum:00b87b7c25f21d91cf5b90cb18c4d745
: end
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Why are we not able to see any events on the IPS? MPF is configured on the ASA and that ACL is getting hit counts.
Regards,
In the CLI enter the following command to see if any signatures are triggering, it could just be that you haven't had the right combination of signatures trigger to cause an actual event:
show stat virtual-sensor | begin Per-Signature
You could also enable Signature 2000 and that will usually generate events in a short time to ensure you have traffic configured correctly for inspection by the IDS. -
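Before looking at per-signature statistics, it is worth confirming that the Modular Policy Framework chain on the ASA actually reaches the module. The following checker is an added example, not a Cisco tool and not part of the thread: it walks service-policy -> policy-map -> class -> class-map -> access-list -> `ips ... sensor` and then confirms that the sensor name the context uses is one that the system context allocated to it with `allocate-ips`. The two configuration strings are excerpts copied from the configs posted above, unchanged. One assumption is built in: the context's `hostname` is taken as its context name in the system configuration (true here, both are arm-1). On the posted configuration the chain resolves cleanly, which is why the answer above moves on to signature statistics and signature 2000.

```python
import re

# Excerpts of the two configurations posted above: the ASA system context and
# the arm-1 transparent context. They are reproduced as test input, unchanged.
SYSTEM_CFG = """
admin-context admin
context admin
allocate-ips vs0 adminvs0
config-url disk0:/admin.cfg
context arm-1
description ARM-1
allocate-interface Management0/0 MGT
allocate-interface Port-channel10.96 inside
allocate-interface Port-channel20.98 outside
allocate-ips vs1 arm-1vs1
config-url disk0:/arm-1_Context.cfg
join-failover-group 1
context arm-2
description ARM-2
allocate-ips vs1 arm-2vs1
config-url disk0:/arm-2_Context.cfg
join-failover-group 2
"""

CONTEXT_CFG = """
hostname arm-1
access-list global extended permit ip any any
access-list out extended permit ip any any
access-list in extended permit ip any any
class-map inspection_default
match default-inspection-traffic
class-map any
match access-list global
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map IPS
class any
ips promiscuous fail-open sensor arm-1vs1
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
service-policy global_policy global
service-policy IPS interface outside
"""


def parse_system(cfg):
    """Map each context name to the mapped IPS sensor names it may use (allocate-ips)."""
    allocs, ctx = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"context (\S+)$", line):
            ctx = m.group(1)
            allocs.setdefault(ctx, set())
        elif ctx and (m := re.match(r"allocate-ips (\S+) (\S+)", line)):
            allocs[ctx].add(m.group(2))   # the context refers to the *mapped* name
    return allocs


def parse_context(cfg):
    """Collect the Modular Policy Framework pieces from a context configuration."""
    hostname, acls, cmaps, pmaps, spolicies, section = None, set(), {}, {}, [], None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"hostname (\S+)", line):
            hostname = m.group(1)
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"class-map (?!type )(\S+)", line):
            section = ("cmap", m.group(1))
            cmaps[m.group(1)] = None          # ACL name, filled in by a "match access-list" line
        elif m := re.match(r"policy-map (?!type )(\S+)", line):
            section = ("pmap", m.group(1))
            pmaps[m.group(1)] = []            # list of {"class": ..., "ips": ...}
        elif re.match(r"policy-map type ", line):
            section = None                    # inspection policy maps are not part of the chain
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)$", line):
            spolicies.append((m.group(1), m.group(2)))
        elif section and section[0] == "cmap" and (m := re.match(r"match access-list (\S+)", line)):
            cmaps[section[1]] = m.group(1)
        elif section and section[0] == "pmap" and (m := re.match(r"class (\S+)", line)):
            pmaps[section[1]].append({"class": m.group(1), "ips": None})
        elif section and section[0] == "pmap" and (m := re.match(
                r"ips (inline|promiscuous) (fail-open|fail-close) sensor (\S+)", line)):
            pmaps[section[1]][-1]["ips"] = (m.group(1), m.group(2), m.group(3))
    return hostname, acls, cmaps, pmaps, spolicies


def check_ips_chain(system_cfg, context_cfg):
    """Walk service-policy -> policy-map -> class -> class-map -> ACL -> sensor; return the breaks.

    Assumption: the context's hostname equals its context name in the system
    configuration (true for the configs above: both are arm-1).
    """
    allocs = parse_system(system_cfg)
    hostname, acls, cmaps, pmaps, spolicies = parse_context(context_cfg)
    findings, ips_applied = [], False
    for pname, where in spolicies:
        if pname not in pmaps:
            findings.append(f"service-policy {pname} ({where}) references an unknown policy-map")
            continue
        for entry in pmaps[pname]:
            cname = entry["class"]
            if cname not in cmaps:
                findings.append(f"policy-map {pname}: class {cname} has no class-map")
                continue
            acl = cmaps[cname]
            if acl is not None and acl not in acls:
                findings.append(f"class-map {cname} matches missing access-list {acl}")
            if entry["ips"]:
                ips_applied = True
                mode, fail, sensor = entry["ips"]
                if sensor not in allocs.get(hostname, set()):
                    findings.append(f"context {hostname}: sensor {sensor} is not allocated to this "
                                    f"context with allocate-ips (mapped names: "
                                    f"{sorted(allocs.get(hostname, set()))})")
    if not ips_applied:
        findings.append("no applied service-policy carries an ips action, so the module never sees traffic")
    return findings


if __name__ == "__main__":
    problems = check_ips_chain(SYSTEM_CFG, CONTEXT_CFG)
    print("\n".join(problems) if problems else "MPF chain to the IPS module resolves cleanly")
```

The checker is deliberately strict about the mapped sensor name: a context must use the name given as the second argument of `allocate-ips` (arm-1vs1 here), not the sensor's own virtual-sensor name (vs1), and that mismatch is a common reason the module silently sees nothing.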
CSM IPS Manager doesn't display IPS sensors.
I am doing the initial configuration of CSM v3.0. The IPS sensor 4250xl that I have added to CSM doesn't show up in the IPS Manager. Moreover, the Devices->Sensor window doesn't appear to be displayed correctly - there is a browser icon indicating missing content.
Any ideas what may be the issue? Thanks.
You might be running into a bug here. The bug ID is CSCsa83631.
-
How to monitor IPS sensor heath by emails?
Hi All,
Is there any way to configure e-mail notifications about IPS sensor health monitoring results?
I have tried to install IPS supported MIBs to my SNMP management station (actually, it is HP SIM). Cisco supported MIBs have not been installed successfully to HP SIM yet.
Also, I have been searching such a monitoring tool over cisco.com web site. And tools like LAN Monitoring Solution (or Device Fault Manager) requires licensing, so in my case it is not suitable.
Does somebody know SNMP management station (monitoring) tool which could monitor the sensor health without additional MIB installation?
There is one more practical question: Is there any way to send a test trap from IPS sensor to SNMP management station?
Thanks in advance,
Maksim
Hello Maksim,
This functionality is not yet available, but will be included in IPS 7.1. This enhancement is being tracked via CSCsu08529.
Thank you,
Blayne Dreier
Cisco TAC IDS Team
**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast -
My machine got restarted with event 1074 and source user32
Hi Expert,
One of our employees' computers got restarted while they were working. While checking the event logs under SYSTEM I found only this suitable event for the restart.
Event ID - 1074
Source - USer32
The process setup.exe has initiated the restart of computer PTD09487 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x2
Shutdown Type: restart
Comment:
1. How can I find out what setup.exe was run or who initiated it?
2. What does this event ID mean other than restart?
3. What more options should I check to know why this restart took place?
4. If this happened due to Windows Update, how can I confirm that a message was shown to the user about the restart? Because normally in our GPO we have configured to display a restart message to the user 30 minutes before.
Please let me know if I posted in the wrong forum.
Hi,
If this situation occurs for Windows Update, the user will receive a restart message.
If it's not this situation, please create a new user to see if it occurs.
If yes, please fix your corrupted user profile:
Fix a corrupted user profile
http://windows.microsoft.com/en-in/windows/fix-corrupted-user-profile#1TC=windows-7
If no, please repair the system using your installation media:
Create a system repair disc
http://windows.microsoft.com/en-in/windows7/create-a-system-repair-disc
Karen Hu
TechNet Community Support -
Filtering P2P programs by IPS sensor
Hi,
I tried to stop P2P programs by enabling all signatures for P2P. Some programs were stopped, like Kazaa, but many other programs like LimeWire and others were still working. I tried to modify the signatures to add ports or regex to them but I couldn't find any information about these programs. Can anyone help me with that issue?
Thanks.
You could get some help from the regex built into the ASA firewall and try to add them in IPS. Also looking at the signature definitions of the open source Snort IPS might also help.
show run all regex (for the ASA)
Regards
Farrukh -
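To make Farrukh's suggestion concrete, the following is an added example (not from the thread, not a Cisco or Snort signature) of what payload-based P2P detection looks like once you stop relying on port numbers. The handshake strings are assumptions from public protocol documentation: Gnutella 0.6, the protocol LimeWire speaks, opens with "GNUTELLA CONNECT/0.6\r\n" and answers "GNUTELLA/0.6 200 OK\r\n"; a BitTorrent peer-wire session opens with a 0x13 length byte followed by "BitTorrent protocol". The flows are constructed, with ports deliberately mixed so the regexes are seen to match on content only. The regex dialect of the sensor's engine differs from Python's, so what carries over is what to match on, not the literal syntax.

```python
import re

# Handshake patterns assumed from public protocol documentation (not from the
# page and not copied from any vendor signature):
#   Gnutella 0.6 (LimeWire): "GNUTELLA CONNECT/0.6\r\n" ... "GNUTELLA/0.6 200 OK\r\n"
#   BitTorrent peer wire: one 0x13 byte followed by "BitTorrent protocol"
P2P_SIGNATURES = {
    "gnutella-connect": re.compile(rb"\AGNUTELLA CONNECT/0\.6\r\n"),
    "gnutella-ok": re.compile(rb"\AGNUTELLA/0\.6 200 OK\r\n"),
    "bittorrent-handshake": re.compile(rb"\A\x13BitTorrent protocol"),
}

# Constructed flows (not captured traffic). Destination ports are mixed on
# purpose: payload regexes, unlike port-based rules, do not depend on them.
SAMPLE_FLOWS = [
    {"id": 1, "dport": 6346,
     "payload": b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/4.18.8\r\nX-Ultrapeer: False\r\n\r\n"},
    {"id": 2, "dport": 80,   # same client talking on a port a port-based rule would treat as HTTP
     "payload": b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/4.18.8\r\n\r\n"},
    {"id": 3, "dport": 51413,
     "payload": b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + b"-LT1234-" + bytes(12)},
    {"id": 4, "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    # Opaque bytes standing in for an encrypted/obfuscated P2P session (constructed):
    # content signatures cannot see through this, which is the limit of this approach.
    {"id": 5, "dport": 6881,
     "payload": bytes.fromhex("8f3a1c77e2b4d9015fa6c3e80b7d42f19c6ad0e3475b28f6d1e09c3ab5f74e62")},
]


def match_payload(payload):
    """Return the names of every P2P signature whose regex matches the start of the payload."""
    return [name for name, rx in P2P_SIGNATURES.items() if rx.search(payload)]


def scan_flows(flows):
    """Map flow id -> matched signature names, for flows that matched at least one signature."""
    hits = {}
    for flow in flows:
        names = match_payload(flow["payload"])
        if names:
            hits[flow["id"]] = names
    return hits


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"flow {flow['id']} dport {flow['dport']}: {match_payload(flow['payload']) or 'no match'}")
```

Flow 2 is the interesting one for the original question: the same LimeWire handshake on port 80 is still caught because the match is on the handshake string, not the port. Flow 5 shows the caveat that goes with any regex approach: once a client switches to protocol encryption, content signatures stop matching and you are back to behavioural indicators.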
Event reports fail to execute (ora-00942, new install, database error?)
This is my first time working with Oracle software, and I am trying to use the Sensor Edge Server to test an RFID implementation. I am using OAS and SES 10.1.3.1 with Database 10.2.0. I followed many guides, I believe the database install instructions were from the database documentation library, and the OAS/SES instructions from the flash demo found here:
http://www.oracle.com/technology/products/sensor_edge_server/tutorials.html
My initial installation did not link to the Data repository, so I used manual configuration instructions from here:
http://www.oracle.com/technology/obe/1013/fusion_middleware/integration/ses/manualconfig/manualconfig.htm
At certain points I had to enter the SQL commands manually to ensure the Edge user's password was set, but all the outputs were as expected.
Now that all this was done, I used the simulator with a simple xml file (as in the example) and confirmed it was loading via the "Monitor Events" tab in the SES. When I went to the "Event Reports" tab, the "Fetch Results" button caused an error message reading "Unable to Process Request / The query failed to execute: ORA-00942: table or view does not exist"
In the log, sometimes I catch "OracleArchiverWorkerImpl: Cannot insert event into SDR:>>"
and "java.sql.SQLException: ORA-06550: Line 1 Column 7: PLS-00201: identifier 'EDG_SDA.ON_EVENT" must be declared"
I've done a fair bit of searching through the whole forum (not just the RFID area), checked on the 00942 error and so on, but what I've done wrong isn't jumping out at me. Anyone care to give input?
Thanks sincerely,
Andrew
To clarify, I used the sql*plus instructions:
sqlplus edge/<password>@<service_name>
select count(*) from edg_event_vw;
select count(*) from sda_observations;
from the server guide, and both initially returned "2", and made no updates, despite resetting devices (causing events in the "monitor events" tab)
Andrew
Message was edited by:
user582280 -
Can anyone help me to show the list of events on the Source list on the left?
Thanks for that
Sorry to be thick but how does someone else open my library please?
Do you know someone with Aperture 3.6, who could do that for you?
Then drag your iPhoto library to an external drive or memory stick, large enough to hold your library plus some working space.
The drive needs to be formatted MacOS Extended (Journaled), with the "Ignore Ownership" flag enabled, like described in this document.
Your friend would connect this drive with the library to her/his mac and launch Aperture. Then use the command "File >Switch to library" and select your library. Now import one new photo to the library, to force Aperture to update the events.
Then quit Aperture and eject the drive.
Connect the drive to your mac and test the copied library in iPhoto (use "File > Switch to Library"), if it still works well, before you replace your regular library by it. -
Error while creating a new report data source in Sharepoint Document library
I installed SSRS(sql server 2012 SP1) in my sharepoint 2013 farm(single server installation).
I have installed SSRS addin for report also.
I created a document library and included the report data source content type, report builder report and report builder model content types. On click of any of these content types i get the below error.
"new Document requires a Microsoft SharePoint Foundation-compatible application and web browser. To add document to document library, click on the 'Upload' button."
I am using the Windows 7 64-bit operating system with Google Chrome and IE 8 64-bit.
Any help would be appreciated.
Rakesh, is this an SSRS question?
This doesn't look like Power View.
Thanks!
Ed Price, Azure & Power BI Customer Program Manager (Blog,
Small Basic,
Wiki Ninjas,
Wiki)
Answer an interesting question?
Create a wiki article about it! -
Getting 401 error while creating a Report Data Source with MOSS 2010 Foundation
I have set up SQL Server 2008 R2 Reporting Services with SharePoint 2010 Foundation in SharePoint integrated mode. SharePoint Foundation is in machine 1 whereas SQL Server 2008 R2 and SSRS Report Server are in machine 2. While configuring Reporting Services - SharePoint integration, I have used Authentication Mode as "Windows Authentication" (I need to use Kerberos).
My objective is to setup a Data Connection Library, a Report Model Library, and a Reports Library so that I can upload a Report Data Source, some SMDLs, and a few Reports onto their respective libraries.
While creating the top level site, "Business Intelligence Center" was not available for template selection since SharePoint Foundation is being used. I therefore selected "Blank Site" as the template.
While creating a SharePoint Site under the top level site, for template selection I again had to select "Blank Site".
I then proceeded to create a library for the data connection. Towards this, I created a new document library and selected "Basic page" as the document template. I then went to Library Settings for this newly created library and clicked on Advanced Settings. In the Advanced Settings page, for "Allow management of content types?" I selected "Yes". Then I clicked on "Add from existing content types" and selected "Report Data Source". I deleted the existing "Document" content type for this library.
Now I wanted to create a Data Connection in the above Data Connection library. For this, when I clicked on "New Document" under "Documents" of "Library Tools" and selected "Report Data Source", I got the error "The request failed with HTTP status 401: Unauthorized.".
Can anybody tell me why I am getting this error?
Note: I have created the site and the library using the SharePoint Admin account.
Hi,
Thank you for your detailed description. According to the description, I noticed that the report server was not part of the SharePoint farm. Add the report server to the SharePoint farm and see how it works.
To join a report server to a SharePoint farm, the report server must be installed on a computer that has an instance of a SharePoint product or technology. You can install the report server before or after installing the SharePoint product or technology instance.
More information, see
http://msdn.microsoft.com/en-us/library/bb283190.aspx
Thanks.
Tracy Cai
TechNet Community Support -
iPhone iCal events won't show up in iCal
I have had an iPhone for a few months now and recently got an iMac G5 with OS X 10.4.11. I am trying to sync my iPhone calendar with my iMac iCal software, but none of my events will show up on the iMac. All of my contacts have synced, but not the calendar events. I selected iCal in iTunes when I synced, but still nothing! What am I doing wrong?
Corrupted files can't download; if you can help me with this, thanks.
-
"Invoice History Report "show wrong balance for supplier invoice with USD
Invoice History Report shows the wrong balance for a supplier invoice with USD currency.
After I run this report I see at the end of the report that there is a difference between the supplier total
USD (currency) and the open balance USD: it decreased the open balance
for the supplier by 2,300 USD without any reason.
bellow is some data copy of the report
======================================================
Supplier Site Total: SAR 34,700.00
Supplier Site Total: USD 39,000.00
Supplier Total: SAR 34,700.00
Supplier Total: USD 39,000.00
Open Balance: SAR 34,700.00
Open Balance: USD 36,700.00
*** End of Report ***
==============================================
Please advise me where this difference (39,000 - 36,700 = 2,300) is coming from,
or whether it is a bug in this report, because I compared this report with other reports in Accounts Payable like
- supplier open balance letter
- invoice register report
- invoice aging report
and all of these reports give me the amount for the supplier as USD 39,000.
But again, from where did the system decrease the amount to 36,700?
Thanks
Can you try running Create Accounting For Payments just before you run the Invoice History Report and re-check?
Thanks -
Help me in 'AR Details ' report shows total open invoices by customer
hi friends,
Please help me with the 'AR Details' report, which shows total open invoices by customer and PO number over a selected time range.
any thing related to open invoices please send me as early as possible.
Thanks,
Regards,
Yogesh
Hi,
Find the T.code VF05. You will get the list of open billing docs. It's an SIS report. Please check whether SIS is active in your system.
Regards, -
Update before a report shows with bind variable
I need to update a table before a report shows. This report have bind variable and I need bind variable value for clause where in update, how can I do that?
I would thank so much any idea.
Mery,
If I understand correctly your application should display a report when it is called.
But first, before the report is displayed, you want to update a table, using a bind variable passed into the report when it is called. Do I understand correctly so far?
So while editing the report, in the last tab option you have (Additional PL/SQL Code), you need to put some pl/sql code into section titled '...before displaying the page.'
declare
begin
update table_x
set column_x = somevalue
where column_y = bind_variable;
end;
I haven't yet passed bind variables into reports so I'm not quite sure how to retrieve them, but I'm sure there are other postings here about that.
I'm mostly just trying to clarify if this is what your asking, and maybe somebody else can answer the rest of your questions.
Good luck.
Kurt