[ISA570][router212c52]IPS Alert

Hi all.
Last night I set up my new PlayStation 4 and after some messing around my ISA570 sent me this email (see attached text file). The destination address is my PS4, and I did recall having some trouble with some of the services. Question is this: can I disable this problem signature, since it is blocking some services on my new PS4 and I don't have an Apache web server in my residence? Since this vulnerability is for Apache web servers before 2.2.21, correct?
Thanks
John
PS: I just saw this info in the router.
Message was edited by: John Emrick
Rule ID:  1055101 
Affected OS:  Windows, Linux, FreeBSD, Solaris, Other Unix 
Name:  WEB Apache HTTPD mod_proxy_ajp Denial Of Service (CVE-2011-3348) 
Alias:   
Impact:  Remote attackers can exploit this issue to execute arbitrary machine code in the context of a user running the application. 
Description:  A denial of service vulnerability has been identified in Apache httpd. The vulnerability is due to an error while processing crafted HTTP requests by mod_proxy_ajp when used with mod_proxy_balancer. 
False Positive:  None 
False Negative:  None 
Recommend:  Update the software from vendors to the latest version 
Reference:  CVE-2011-3348 
Authority:  Built-In 
Issue Date:  2011/10/28 
Update Date:  2012/12/11 
Category:  DoS/DDoS 
Behavior:  undefined 
Severity:  4

Hi,
How long does the High CPU last before you get the message that it's back down?  Is it possible to gather the System Diagnostics while the High CPU is seen?  The System Diagnostics contains a file called 'debugSystem.log' and the bottom of that file should contain information on CPU Utilization.
Thanks,
Brandon

Similar Messages

  • Problems IPS alert reporting

    My IPS is not reporting scanning alerts to either the console or syslog. IPS appears to be configured & working correctly. When I started using the router with the built-in signatures, alerts were seen on the console/syslog. Could the problem be with the logging level (see config)? I've reported this to TAC, they have been unable to resolve the issue. Any help would be appreciated. Thanks

    IOS IPS will send alert messages to SDEE and syslog. Syslog is enabled by default (use CLI 'ip ips notify log') and SDEE is disabled by default ('ip ips notify sdee').
    To see the IPS alert messages on the console:
    1. make sure logging console is enabled
    2. make sure the syslog level is set to informational and above.
    To see the IPS alert messages in syslog:
    1. make sure logging is enabled
    2. make sure the syslog level is set to informational and above.
    And after all, the signature has to be triggered by certain traffic in your network. Once that happens, it should send an alert message to syslog/SDEE.
    Thanks,
    -Chris

  • MARS not pulling IPS alerts

    For some reason, our MARS has stopped pulling alerts from the IPS modules in the ASAs.  The IPS modules are SSM-20s running version 7.0(8)E4.  I removed and re-added the one IPS module without any luck.  If I go into IME, the IPS has alerts, but none are getting to the MARS.  This was working last week.  I do see this one error in the IPS modules:
    evError: eventId=1339001763298281005  vendor=Cisco  severity=error 
      originator:  
        hostId: ips
        appName: collaborationApp 
        appInstanceId: 516 
      time: Jun 25, 2012 14:26:07 UTC  offset=0  timeZone=UTC 
      errorMessage: Failed to upload data  name=errUnclassified evError: eventId=1339001763298281005  vendor=Cisco  severity=error 
      originator:  
        hostId: ascips 
        appName: collaborationApp 
        appInstanceId: 516 
      time: Jun 25, 2012 14:26:07 UTC  offset=0  timeZone=UTC 
      errorMessage: Failed to upload data  name=errUnclassified 
    However, I cannot find anything on whether this is relevant to my issue and, if so, how to fix it.
    TIA for any suggestions/help.
    Dan

    No, there is not. There is a new XML message format that allows you to more easily parse using an external program though.

  • Network 0.0.0.0 in IPS alerts

    Good afternoon:
    I have a Cisco IPS 4240 sensor. This appliance is generating alerts with the network 0.0.0.0 as attacker and victim.
    Example:
    Severity informational
    Application Name sensorApp
    Event Time 02/20/2009 12:26:19
    Sensor Local Time 01/20/2009 12:26:19
    Signature ID 1330
    Signature Sub-ID 16
    Signature Name TCP Drop - PAWS check failed
    Signature Version S248
    Signature Details TCP Packet segment failed PAWS check
    Attacker IP 0.0.0.0
    Target IP 0.0.0.0
    Target Port 0
    Target Locality OUT
    Can someone tell me what this means?
    Thanks in advance.

    This generally happens when, in Summary Mode, the alerts are coming from a large number of attackers or are directed to a large number of victim IPs.
    So instead of trying to show perhaps thousands of IPs in the attacker and/or victim address fields, the field will be populated with only 0.0.0.0.
    If you want to see an alert for each time it is triggered, you can reconfigure the signature and set it to FireAll mode with no Summary Threshold.
    Syed
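A simplified model of the behaviour described in the reply above, written for this page as an added example (not Cisco code and not from the thread): FireAll emits one alert per packet with real addresses, while summary mode collapses the packets into one alert and, when more than one attacker or target is involved, can only report 0.0.0.0 and port 0. The event stream is constructed and the threshold/interval handling is deliberately simpler than a real sensor's.

```python
"""Simplified model of why a summarized Cisco IPS alert shows 0.0.0.0.

Added example, not from the original thread. It models only the behaviour
the reply describes (FireAll vs summary mode), not the sensor's real
summary-key or interval handling; the traffic below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    sig_id: int
    attacker: str
    target: str
    target_port: int


# Constructed sample: signature 1330 (PAWS check failed) triggered by
# several hosts against several destinations (documentation addresses).
EVENTS = [
    Event(1330, "10.1.1.5", "192.0.2.10", 443),
    Event(1330, "10.1.1.6", "192.0.2.10", 443),
    Event(1330, "10.1.1.5", "192.0.2.11", 80),
    Event(1330, "10.1.1.7", "192.0.2.12", 80),
]


def fire_all(events):
    """FireAll with no summary threshold: one alert per triggering packet,
    each naming the real attacker and target."""
    return [
        {"sig_id": e.sig_id, "attacker": e.attacker, "target": e.target,
         "target_port": e.target_port, "count": 1}
        for e in events
    ]


def summarize(events, threshold=2):
    """Summary mode: once a signature fires `threshold` times in the
    interval, a single summary alert replaces the individual ones. If the
    summarized packets involve more than one attacker or target, no single
    address can be named, so the field is reported as 0.0.0.0 (port 0)."""
    per_sig = defaultdict(list)
    for e in events:
        per_sig[e.sig_id].append(e)
    alerts = []
    for sig_id, group in per_sig.items():
        if len(group) < threshold:
            alerts.extend(fire_all(group))   # below threshold: normal alerts
            continue
        attackers = {e.attacker for e in group}
        targets = {e.target for e in group}
        ports = {e.target_port for e in group}
        alerts.append({
            "sig_id": sig_id,
            "attacker": next(iter(attackers)) if len(attackers) == 1 else "0.0.0.0",
            "target": next(iter(targets)) if len(targets) == 1 else "0.0.0.0",
            "target_port": next(iter(ports)) if len(ports) == 1 else 0,
            "count": len(group),
        })
    return alerts
```

Switching a signature to FireAll trades the single summary line for per-packet alert volume, so check the event rate on a busy sensor before doing it.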

  • E-mail alerting CSM 4.1 and IPS 4240

    Hello,
    I have recently migrated from CSM 3.3 to CSM 4.1 on a new server. I have everything configured and working correctly, but the thing that I am missing is how to configure e-mail alerts based on attack severity. I had this configured on the old CSM 3.3 server, but it appears that this is not available under CSM 4.1? I have read through the documentation and compared my old configuration with the new, and it is not obvious to me how to get this functionality back on 4.1.
    CSM 4.1 that I have is the standard version, if that matters.
    Any tips or assistance on this will be greatly appreciated!
    Frank

    Hello,
    Unfortunately, CSM 4.x does not have the capability to send e-mail notifications for IPS alerts.  An enhancement request has been filed for this feature, you can view the request here:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn59300
    The workaround would be to set up Cisco IPS Manager Express and use the e-mail notification feature within IME.
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5715/ps9610/data_sheet_c78-459033.html
    IME is available for download here:
    http://tinyurl.com/3lmwj5w
    Hope this helps.

  • Websockets TCP RST through ASA+IPS and ACE

    Hello,
    We recently deployed a new websockets project within our existing web infrastructure. The websockets traffic (as all the rest of normal web traffic) is crossing an ASA + IPS module where I do NAT, and then is forwarded to an ACE load balancer where two real servers are configured in the server farm in active/standby mode (not load balancing) due to the websockets nature. Everything seems to work fine, but sometimes (once every 4 days or so), and based upon the server logs, a TCP reset gets to the application server and brings down the whole application.
    It's clear that this application has a bug, but I would like to avoid that TCP reset as a workaround while the application team fix the bug, as the go-live is soon. Has anybody faced this issue and can help me find where that supposed TCP reset comes from? I didn't get any IPS alerts.
    Server log:
    "Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.    at System.Net.Sockets.NetworkStream.EndRead(IAsyncResult asyncResult)"
    Thanks,
    Miquel

    Hi Miquel,
    A packet capture on the server shall show the origin of the TCP RST. If you are NATting the source traffic then take pcaps at the front end of the firewall as well as at the back end, and similarly for the ACE, to see what the origin of the TCP RST is. Normally, it should be from the client if it is received on the server. LBs just forward the traffic to the server, but it depends and it could be the load balancer resetting the connection. But we don't have any details to be sure. So packet captures would be our best friend here.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • IPS 4240 -email arlert configuration and Which mode

    hi
    My topology
    1)
    Internet -> router (2 ISPs terminated in a single router) -> two different firewalls (ASA 5510 and PIX 515E) -> inside interface connected to IPS 4240 -> from the IPS to an L3 3750 switch.
    Is this the right place to put the IPS 4240, and tell me which mode the IPS should be in (inline or promiscuous)?
    2) I am able to see the log in the IPS 4240; I want to configure IPS alerts to my mail ID. Where do I need to start the configuration? Please advise.
    thanks
    Karthik

    Email alert configuration is not supported in IPS/IDS.
    I think you can configure it in promiscuous mode, as customers requiring promiscuous mode (non-inline) deployments are encouraged to migrate to the Cisco IPS 4240 Sensor, which supports up to 250 Mbps of IPS throughput.
    The URL below helps configure the IPS 4240 in promiscuous mode:
    http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliInter.html#wp1033699

  • Important! Can IDS 4.1x Send event messages to a syslog server??

    I know IDS Event Viewer and MC can pull the IDS events from IDS sensors and IDSM. But our company is thinking of collecting all the security messages in a syslog server. The firewall can send syslog to this server. But for IDS and IDSM 4.1, I can't find a way to send the IDS events to a syslog server. Is there any way to do that?
    I would really appreciate it if you can help me, thanks.

    Your comment is an easy statement to make, but IMHO unfair.
    If you look at the Cisco IDS/IPS product line's history, you'll realize that the current RDEP/SDEE communications model is infinitely more secure, while remaining easy to use, than any other method one could propose.
    Initially, the sensors pushed events to the centrally monitoring console via UDP (port 45000), with most of the data in the clear (the source and destination IP address were obfuscated). This is obviously not very safe because, even though the communications were pseudo connection-oriented due to checking by the application daemons at each end, it is possible to intercept and modify the IDS alert to inject false data.
    This same problem exists with stock syslog, since everything goes on the wire as a UDP packet and there is no data obfuscation or encryption what so ever.
    The distinct advantage of the current communications model is the fact that RDEP/SDEE use cryptography to protect your IDS/IPS alerts, and that it also uses a standards-based structure in XML-based forms to pass the data.
    Finally, since Cisco has released an SDK for RDEP/SDEE, and many 3rd party vendors have software that can act as RDEP/SDEE clients, I disagree that you’re stuck with the CiscoWorks-based VMS suite. Besides, you only have to buy the suite if you need to manage more than 5 sensors, but I digress...
    Alex Arndt

  • BEA WebLogic Cookie JSESSIONID Value Overflow

    Can someone help me decipher this IPS alert, please? I have a series of these alerts along with some other alerts, but I don't know how to interpret them.
    *DROP*[1:1001429:1] BEA WebLogic JSESSIONID Cookie Value Overflow
    [ Reference: http://tools.cisco.com/go/redirect/viewS BIPSSignature.x?sigID=2010-000206 ]
    {TCP} 192.168.75.xxx:64682 -> 209.225.8.224:80
    Component: IPS
    Thanks in advance for any help you can provide.

    The details are in the link within this alert.
    http://tools.cisco.com/security/center/viewIpsLiteSignature.x?signatureId=2010-000206
    Within this link, there will be another hyperlink which describes this sig in detail.
    http://tools.cisco.com/security/center/viewAlert.x?alertId=17420
    Paps

  • How to collect information for analysing the cause of 11g database problems (video included)

    Purpose:
    From Oracle 11g onward, the alert.log and trace files are generated in a new format, and they are created in the ADR (Automatic Diagnostic Repository).
    This document explains how, when a serious error occurs in the database, to check the error using the ADRCI command and send the related alert.log and trace files to Oracle Support.
    How to use IPS:
    Oracle 11g provides a feature that automatically collects the trace files related to a problem (an error code raised in the database) and an incident (a record of an error occurrence).
    This feature is called IPS (Incident Packaging Service); as interfaces it provides a GUI environment and the ADRCI command.
    Every serious error that occurs in the database creates its own incident.
    Because the compressed file created through IPS contains the alert.log file, all trace files and the diagnostic information for the error, collecting information about that error can be done easily.
    How to check a database error and send the related files to Oracle Support:
    1. A serious error occurs in the database
    SQL> select * from atab;
    select * from atab
    ERROR at line 1:
    ORA-01578: ORACLE data block corrupted (file # 6, block # 11)
    ORA-01110: data file 6: '/opt/oracle/oradata/db11g/tt.dbf'
    2. Check the error in the ADR and alert.log.
    To check the error in the ADR, run adrci at the OS prompt of the 11g environment.
    % adrci
    Check the ADR home path.
    adrci> show home
    --> Shows all ADR HOMEs. Specify the ADR HOME you want to examine.
    adrci> set homepath <ADR HOME>
    An error code is called a problem; to check it, run the following.
    adrci> show problem
    ADR Home = /opt/oracle/diag/rdbms/db11g/db11g:
    PROBLEM_ID PROBLEM_KEY LAST_INCIDENT LASTINC_TIME
    1 ORA 1578 18104 2009-06-01 22:06:19.501207 +10:00
    1 rows fetched
    You can see the error codes that are causing problems in the database.
    Of these, you can create a compressed file for the error code that needs analysis.
    3. Check the occurrence records of the error that needs analysis.
    The occurrence records of an error are called incidents, and every incident is recorded in the alert.log.
    Each incident has a unique incident ID.
    You can check the error occurrence records by running the 'show incident' command in the ADR,
    and to check the problem key of an error, run 'show problem'.
    adrci> show incident -p "problem_key='ORA 1578'"
    ADR Home = /opt/oracle/diag/rdbms/db11g/db11g:
    INCIDENT_ID PROBLEM_KEY CREATE_TIME
    18147 ORA 1578 2009-06-01 22:02:08.805002 +10:00
    Several incidents may occur for the same problem.
    4. Run IPS (Incident Packaging Service) to create a compressed file of the alert.log, trace files and diag information.
    To create the compressed file, use the 'IPS pack' command with a specific path.
    The following example creates a compressed file of the incident-related files in the /tmp directory.
    adrci> ips pack incident 18147 in /tmp
    Generated package 9 in file /tmp/ORA1578_20090602113045_COM_1.zip, mode complete
    Examples of IPS pack:
    ips pack problem 100 in /tmp
    -- Creates a compressed file in the /tmp directory of the trace files related to problem id 100.
    ips pack incident 6439 in /tmp
    -- Creates a compressed file in the /tmp directory of the trace files related to incident id 6439.
    ips pack problemkey "ORA 1578"
    -- Creates a compressed file in the current directory of the trace files related to all problems with problem_key 'ORA 1578'.
    ips pack seconds 8
    -- Creates a compressed file for the incidents that occurred within the last 8 seconds.
    ips pack time '2007-05-01 10:00:00.00' to '2007-05-01 23:00:00.00'
    -- Creates a compressed file for the incidents in a specific time range.
    The 'IPS pack' command runs the 'IPS create' and 'IPS generate' commands in a single step.
    The compressed file created this way can then be sent to Oracle Support through an SR (service request).
    Video reference:
    How to create an IPS package (video, 02:30)
    (Requires My Oracle Support login)
    References:
    DOC ID: 443529.1
    11g Quick Steps to Package and Send Critical Error Diagnostic Information to Support (Video)
    DOC ID: 738732.1
    ADR Different Methods to Create IPS Package
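The selection step in the procedure above (find the incident for a problem key, then package it) is easy to script; the following is an added example written for this page, not Oracle's code or the post's. It parses the row layout the post shows for 'show incident', picks the most recent incident for a problem key, and builds the 'ips pack' command, using adrci's `exec=` switch for non-interactive use; the sample output is constructed to match that layout.

```python
"""Parse ADRCI 'show incident' output and build the 'ips pack' command.

Added example, not from the original post. It assumes the row layout the
post shows (INCIDENT_ID, PROBLEM_KEY, CREATE_TIME) and a constructed
sample of that output; adrci's 'exec=' switch is used to run the
resulting commands non-interactively.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample, modelled on the post's
# adrci> show incident -p "problem_key='ORA 1578'" output, with a second
# incident for the same problem so the 'latest' choice is meaningful.
SHOW_INCIDENT = """\
ADR Home = /opt/oracle/diag/rdbms/db11g/db11g:
INCIDENT_ID PROBLEM_KEY CREATE_TIME
18147 ORA 1578 2009-06-01 22:02:08.805002 +10:00
18104 ORA 1578 2009-06-01 22:06:19.501207 +10:00
2 rows fetched
"""

# One data row: integer id, free-text problem key, timestamp with UTC offset.
ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<key>.+?)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{2}:\d{2})\s*$"
)


@dataclass(frozen=True)
class Incident:
    incident_id: int
    problem_key: str
    create_time: datetime


def parse_incidents(text):
    """Return the incident rows found in 'show incident' output, in order."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # 'ADR Home = ...', column headers, 'n rows fetched'
        rows.append(Incident(int(m["id"]), m["key"].strip(),
                             datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f %z")))
    return rows


def latest_incident(incidents, problem_key):
    """Most recent incident for a problem key, or None if there is none."""
    matching = [i for i in incidents if i.problem_key == problem_key]
    return max(matching, key=lambda i: i.create_time) if matching else None


def ips_pack_command(incident_id, out_dir="/tmp"):
    """The adrci command the post uses to package one incident."""
    return f"ips pack incident {incident_id} in {out_dir}"


def adrci_exec_line(homepath, incident_id, out_dir="/tmp"):
    """One-shot shell invocation: set the ADR home, then pack the incident."""
    return f'adrci exec="set homepath {homepath}; {ips_pack_command(incident_id, out_dir)}"'


# adrci reports the zip it wrote as 'Generated package N in file <path>, mode ...'
PACKAGE_RE = re.compile(r"Generated package \d+ in file (?P<path>\S+?),")


def package_path(output):
    """Pull the zip path out of adrci's 'Generated package ...' line."""
    m = PACKAGE_RE.search(output)
    return m["path"] if m else None
```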

  • Is it possible to alter an incidents severity?

    Hi! We do have many hijacks on our MARS due to the VSS core. We do not want to disable hijacks on the IPS systems completely, but to change the severity for hijacks from red to yellow would be very helpful. Is this possible? Thank you! KR Michael

    It is not possible to change the severity for firing incidents in CS-MARS as it is a calculated value based on details specific to the incident.  If you are not wanting to receive IPS alerts for a specific network behavior, you may want to look into creating an event action filter (EAF) on the IPS sensor to remove the produce alert action (device-side tuning) or create a drop rule within CS-MARS to only log the event to the CS-MARS database and not generate an incident (appliance-side tuning).
    Scott

  • Hacker intrusion event and questions.

    I wonder if someone can help me out with this problem. My Cisco 870 router running IOS 12.4 was hacked into recently. He probably got in through the console port, as initially I omitted to set a password. I logged the following commands he set on the router:
    User:console  logged command: access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
    User:console  logged command: crypto map NiStTeSt1 10 ipsec-manual
    User:console  logged command: set peer 20.20.20.20
    User:console  logged command: exit
    User:console  logged command: no access-list 199
    User:console  logged command: no crypto map NiStTeSt1
    After this the system rebooted and I lost connection. A few days later I started to notice the following unusual traffic in my logs repeatedly:
    list 101 permitted udp 10.240.96.1(67) > 255.255.255.255 (68) 1 packet  (or anything up to 12 or more in one session)
    I should mention list 101 is assigned to FastEthernet4; I did not sanction this permission and can find no trace of it in 101. Nor can I find any evidence of a crypto map matching the previous command, or a list 199. However, the hacker returned with a repeat set of identical commands even when I had changed the console password.
    How do I get rid of this guy - he's persistent - and how do I prevent him from circumventing my firewall?
    One other thing that concerns me. In SDM for some reason I am unable to access the area with 'Additional Tasks', also can't run a security audit - I don't know whether he's managed to change the configuration or insert commands I am not aware of.
    Any assistance will be greatly appreciated.

    Really can't say for certain because we have no idea what the other IPS alerted on. To determine the discrepancy the other IPS must provide their rule and what was matched.
    But basically we don't know the entire attack chain. Sourcefire alerted on CNC traffic, which is post-exploit. We don't know what happened before that based on this information.  
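The command log quoted in the question above is the kind of record a defender wants to review automatically. The following is an added example for this page (not from the thread and not Cisco tooling): it parses lines in the 'User:<name>  logged command: <cmd>' form, flags commands that touch IPsec, ACLs, accounts or routing, and spots objects that were created and then removed within the same log window, which matches the poster's observation that no trace of the ACL or crypto map remained. The watchlist and the sample log are constructed.

```python
"""Audit IOS configuration-change log lines for sensitive commands.

Added example, not from the original thread. It assumes the
'User:<name>  logged command: <cmd>' format shown in the post and uses a
constructed sample log; the watchlist is illustrative, not exhaustive.
"""
import re

LOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:\s*(?P<cmd>.+?)\s*$")

# Command prefixes worth reviewing when entered from the console or by an
# unexpected user (constructed watchlist).
WATCHLIST = {
    "crypto map": "IPsec crypto map change",
    "set peer": "IPsec peer set",
    "access-list": "ACL change",
    "no access-list": "ACL removed",
    "no crypto map": "crypto map removed",
    "username": "local account change",
    "enable secret": "enable secret change",
    "enable password": "enable password change",
    "ip route": "static route change",
    "line vty": "VTY line change",
}

# Constructed sample: the six lines from the post plus one benign admin command.
SAMPLE_LOG = """\
User:console  logged command: access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
User:console  logged command: crypto map NiStTeSt1 10 ipsec-manual
User:console  logged command: set peer 20.20.20.20
User:console  logged command: exit
User:console  logged command: no access-list 199
User:console  logged command: no crypto map NiStTeSt1
User:admin  logged command: show running-config
"""


def parse_log(text):
    """Yield (user, command) pairs for every line in the logged-command format."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entries.append((m["user"], m["cmd"]))
    return entries


def classify(cmd):
    """Return the watchlist reason for a command (longest matching prefix), or None."""
    best = None
    for prefix, reason in WATCHLIST.items():
        if cmd.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, reason)
    return best[1] if best else None


def audit(text, expected_users=("admin",)):
    """Findings for every watchlisted command, noting users outside the expected set."""
    findings = []
    for user, cmd in parse_log(text):
        reason = classify(cmd)
        if reason is None:
            continue
        note = reason
        if user not in expected_users:
            note += f" by unexpected user '{user}'"
        findings.append({"user": user, "cmd": cmd, "note": note})
    return findings


def transient_changes(text):
    """ACLs or crypto maps created and then removed in the same log window.

    Such objects leave no trace in the running configuration afterwards, so
    the command log is the only place the change is still visible."""
    created, removed = set(), set()
    for _, cmd in parse_log(text):
        m = re.match(r"(no )?(access-list|crypto map) (\S+)", cmd)
        if not m:
            continue
        (removed if m.group(1) else created).add((m.group(2), m.group(3)))
    return sorted(created & removed)
```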

  • IPS - Event Action Filters. Which alerts do you suppress?

    Currently we have three IPS sensors consolidating all of our information into MARS and it is working quite well.
    The question that I am wondering about is whether anyone has a suggestion for what the best practice is for tuning signatures at the IPS appliances and what alerts to suppress.
    For example, our internal IPS has fired off a signature in regards to network scanning from our Orion NPM server. In the past I would filter out all alerts from this source IP to respective destination networks.
    Looking at things again, is it best to just suppress the alert and still log the packets, or just remove all of the alerts, packet logging, etc. because it is a false positive?
    Thanks in advance,
    Matt

    I think everyone has a different opinion about where and how to best tune the "SIM" environment. My 2 cents...
    Think about how many places you'd have to make a change in order to effectively tune out what you're after.
    Reserve your MARS drop rules for more "broad" filtering that would otherwise require changes to multiple devices and device types. For example, you might have a drop rule for all devices that perform network management-like processes. These devices can create lots of firewall accepts (and sometimes denies), lots of netflows, and they often trigger various IDS signatures. This is perfect for a MARS drop rule.
    Some changes may only require a change in one place (i.e. tune one reporting device). Cisco IDS alarms are a common one: you have a specific signature triggering a single rule in MARS. In this situation, if you have the ability to do it (time, know-how, access to the device, etc.), do your tuning as close to the reporting device as possible. Research alarms and tune on the sensor itself. Disable irrelevant or false-positive-prone signatures. Create event filters where necessary.

  • 5585X-IPS SSM40 Event alert

    Hello,
    The ASA firewall is running in Active/Active mode. Below is the configuration of the firewall and the IPS SSM module.
    We are not getting any events on the IPS sensor when we type "show event alerts".
    IPS configuration:
    ++++++++++++++++++++++
    IPS1#
    IPS1# sh configuration
    ! Current configuration last modified Tue Jul 02 07:19:13 2013
    ! Version 7.1(1)
    ! Host:
    !     Realm Keys          key1.0
    ! Signature Definition:
    !     Signature Update    S552.0   2011-03-07
    service interface
    exit
    service authentication
    exit
    service event-action-rules rules0
    exit
    service host
    network-settings
    host-ip 10.15.1.58/28,10.15.1.57
    host-name IPS1
    telnet-option disabled
    access-list 0.0.0.0/0
    dns-primary-server disabled
    dns-secondary-server disabled
    dns-tertiary-server disabled
    exit
    time-zone-settings
    offset 60
    standard-time-zone-name GMT+03:00
    exit
    exit
    service logger
    exit
    service network-access
    exit
    service notification
    exit
    service signature-definition sig0
    exit
    service ssh-known-hosts
    exit
    service trusted-certificates
    exit
    service web-server
    exit
    service anomaly-detection ad0
    exit
    service external-product-interface
    exit
    service health-monitor
    exit
    service global-correlation
    exit
    service analysis-engine
    virtual-sensor vs1
    description virtual-sensor-1
    anomaly-detection
    operational-mode learn
    exit
    physical-interface PortChannel0/0
    exit
    exit
    IPS1#
    ASA in system mode
    +++++++++++++++++++++++++++++++++++++++
    ASA-1/act/pri# sh run
    : Saved
    ASA Version 9.1(1) <system>
    hostname ASA-1
    enable password u14FkAnxI.kNNH7a encrypted
    no mac-address auto
    interface GigabitEthernet0/0
    description LAN Failover Interface
    interface GigabitEthernet0/1
    description STATE Failover Interface
    interface GigabitEthernet0/2
    interface GigabitEthernet0/3
    interface GigabitEthernet0/4
    shutdown
    interface GigabitEthernet0/5
    shutdown
    interface Management0/0
    interface Management0/1
    interface TenGigabitEthernet0/6
    channel-group 20 mode active
    interface TenGigabitEthernet0/7
    channel-group 20 mode active
    interface TenGigabitEthernet0/8
    channel-group 10 mode active
    interface TenGigabitEthernet0/9
    channel-group 10 mode active
    interface GigabitEthernet1/0
    shutdown
    interface GigabitEthernet1/1
    shutdown
    interface GigabitEthernet1/2
    shutdown
    interface GigabitEthernet1/3
    shutdown
    interface GigabitEthernet1/4
    shutdown
    interface GigabitEthernet1/5
    shutdown
    interface TenGigabitEthernet1/6
    shutdown
    interface TenGigabitEthernet1/7
    shutdown
    interface TenGigabitEthernet1/8
    shutdown
    interface TenGigabitEthernet1/9
    shutdown
    interface Port-channel10
    interface Port-channel10.96
    description "Inside-CTX-1"
    vlan 96
    interface Port-channel10.97
    description "Inside-CTX-2"
    vlan 97
    interface Port-channel20
    interface Port-channel20.98
    description "Outside-CTX-1"
    vlan 98
    interface Port-channel20.99
    description "Outside-CTX-2"
    vlan 99
    class default
      limit-resource All 0
      limit-resource Mac-addresses 65535
      limit-resource ASDM 5
      limit-resource SSH 5
      limit-resource Telnet 5
    boot system disk0:/asa911-smp-k8.bin
    ftp mode passive
    pager lines 24
    failover
    failover lan unit primary
    failover lan interface FOL GigabitEthernet0/0
    failover link STATEFULL-LINK GigabitEthernet0/1
    failover interface ip FOL 10.15.1.33 255.255.255.252 standby 10.15.1.34
    failover interface ip STATEFULL-LINK 10.15.1.37 255.255.255.252 standby 10.15.1.38
    failover group 1
      preempt
    failover group 2
      secondary
      preempt
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    console timeout 0
    tls-proxy maximum-session 1000
    admin-context admin
    context admin
      allocate-ips vs0 adminvs0
      config-url disk0:/admin.cfg
    context arm-1
      description ARM-1
      allocate-interface Management0/0 MGT
      allocate-interface Port-channel10.96 inside
      allocate-interface Port-channel20.98 outside
      allocate-ips vs1 arm-1vs1
      config-url disk0:/arm-1_Context.cfg
      join-failover-group 1
    context arm-2
      description ARM-2
      allocate-interface Management0/1 MGT
      allocate-interface Port-channel10.97 inside
      allocate-interface Port-channel20.99 outside
      allocate-ips vs1 arm-2vs1
      config-url disk0:/arm-2_Context.cfg
      join-failover-group 2
    prompt hostname context state priority
    no call-home reporting anonymous
    Cryptochecksum:ad532251aad3ca65f6da8f1ff0762816
    ASA in one arm context mode
    +++++++++++++++++++++++++++++++++++++++
    ASA-1/arm-1/act/pri# sh run
    : Saved
    ASA Version 9.1(1) <context>
    firewall transparent
    hostname arm-1
    enable password u14FkAnxI.kNNH7a encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface BVI1
    ip address 10.15.1.57 255.255.255.240
    interface MGT
    management-only
    nameif management
    security-level 0
    ip address 10.14.1.9 255.255.255.0 standby 10.14.1.10
    interface inside
    nameif inside
    bridge-group 1
    security-level 100
    interface outside
    nameif outside
    bridge-group 1
    security-level 0
    access-list global extended permit ip any any
    access-list out extended permit ip any any
    access-list in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu inside 1500
    mtu outside 1500
    monitor-interface inside
    monitor-interface outside
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group in in interface inside
    access-group out in interface outside
    route inside 10.0.0.0 255.255.0.0 10.15.1.51 1
    route inside 10.0.10.45 255.255.255.255 10.15.1.51 1
    route outside 10.11.0.0 255.255.0.0 10.15.1.53 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    no threat-detection statistics tcp-intercept
    username admin password fMQ/rjnxl9Vwe9mv encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    class-map any
    match access-list global
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map IPS
    class any
      ips promiscuous fail-open sensor arm-1vs1
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    service-policy IPS interface outside
    Cryptochecksum:00b87b7c25f21d91cf5b90cb18c4d745
    : end
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++
    Why are we not able to see any events on the IPS? MPF is configured on the ASA and that ACL is getting hit counts.
    Regards,

    In the CLI enter the following command to see if any signatures are triggering, it could just be that you haven't had the right combination of signatures trigger to cause an actual event:
    show stat virtual-sensor | begin Per-Signature
    You could also enable Signature 2000 and that will usually generate events in a short time to ensure you have traffic configured correctly for inspection by the IDS.

  • Configure newly deployed inline IPS to alert only

    All,
    I'm hoping some of you experts can assist me with this request. I recently started a new job and they put the IPS into prod (we are running the software-based module on our ASA) and it started blocking more than they had intended. They configured the ASA to not send any traffic to it, to stop the outage.
    So now we have an IPS half-way setup and I need to finish the job. I'm new to Cisco IPS, but I really want to know is there a way I can deploy this sensor so that it is still inline but it will not block anything. This way I can baseline the environment and see what type of alerts are firing?
    Any help on the best way to set this up / deployment tips would be appreciated!

    If you don't want the IPS to block anything while sitting inline but still throw alerts, from the event actions pick "Produce Alert".
    Produce Alert
    Writes the event to the Event Store as an alert.
    Note: The Produce Alert action is not automatic when you enable alerts for a signature. To have an alert created in the Event Store, you must select Produce Alert. If you add a second action, you must include Produce Alert if you want an alert sent to the Event Store. Also, every time you configure the event actions, a new list is created and it replaces the old list. Make sure you include all the event actions you need for each signature.
