Monitoring IPS 4240 for positives

A customer has purchased from us a IPS 4240 box.
I recently configured the box. It will monitor the customers Network in the following configuration:
1 Inline Interface pair created from G0/0 and G0/1. Traffic from the customers edge moves in on the IN (G0/0) interface and then in turn exits out to our Outside Perimeter Firewall which guards the customer DMZ.
We have scheduled the Inline Interfaces to be connected this evening.
I have a question regarding this installation:
1) We have the default "vs0" Virtual Sensor assigned to the Inline Interface Pair. If in fact any Positives are identified, where in IDM would I be able to see what is happening...(very important as in case of False Positives, I have to be able to get traffic moving again.
Kevin Melton

The sensor has a limited size event store that will wrap around when it fills up and overwrite previous alerts. SecMon was intended to be the long term storage for the alerts. In looking at the summary numbers, SecMon always has more alerts than the IDM. You can login using CLI and use command "show events alerts".

Similar Messages

  • IPS 4240 - additional card

    Hi,
    Does anybody know, when will be available 4xFE cards for IPS 4240 (for total 8 interfaces)?
    Regards,
    Krzysztof

    Cisco IDS 4250 is supported in version 5.0 Inline if the 4FE, Gig TX PCI card, two of the SX PCI cards, or the XL card is installed. Cisco IPS 4240 is supported in version 5.0, Inline supported (it has four sensing interfaces). IPS 4255 is supported in version 5.0, Inline is supported (it has four sensing interfaces). IDSM-2 is supported in version 5.0, Inline supported (it has two sensing interfaces).
    http://www.cisco.com/en/US/netsol/ns498/netqa0900aecd8029e8de.html

  • IPS-4240-K9-sys-1.1-a-5.0-2.img for pkg

    Hi All,
    What's the correct pkg file for the IPS-4240-K9-sys-1.1-a-5.0-2.img for pkg
    Kindly confirm the same

    After upgration IPS-4240-K9-sys-1.1-a-5.0-2.img to IPS-4240-K9-sys-1.1-a-6.1-1-E3.img i am getting below message
    There is no license key installed on the IPS-4240. The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to http://www.cisco.com/go/license
    to obtain a new license or install a license. Its not going to promt mode ?
    How can i go to ips configuration mode?
    Any steps which are to be done first?

  • New to IPS 4240 - What else can I use to manage it?

    I have just purchased a Cisco IPS 4240 and have it up and running. Have been using the IEV to view IPS information and that works ok. The VMS 2.2 that came included with the IPS will not work with the current Cisco works (LMS 2.5) installation that we have.
    My question is, is there any other tool besides the IEV and the VMS 2.2 that I can use to mange/monitor my IPS? the IEV seems so limited.
    I have downloaded the newer VMS from the Cisco site and am planning to test that this comming week, but wanted to know ahead of time if I needed to waste my time with this tool or not.
    Thanks!

    The latest CSMARS release is promising and honestly the netforensics solution offered by Cisco probably wouldn't be a good fit for the op, but I think Cisco needs to rething pushing the MARS in leui of everything else. As a previous customer of netforensics, and now a user of CSMARS...there are definitely many things that netforensics does better than CSMARS.
    My biggest beef with CSMARS is the seemingly casual way in which it treats time and "raw messages". IMHO, these should be sacred to any SIM. I can elaborate, but for the sake of brevity I'll just give a couple examples:
    The signature name reported in the "raw message" that MARS makes available is not always correct. Also, custom signature events report as "unknown" in the "raw message". Clearly this is not a "raw message" by any reasonable interpretation...MARS is writing bits that never existed in the original message.
    the event contextual information is very often truncated. If you rely on this a great deal, the MARS probably isn't for you. There's also no interface for decoding it, requiring a cut-and-paste into your favorite decoder.
    Believe me, I could go on. On the bright side, the MARS is showing promise...I was able to cross off my list quite a few issues after the latest upgrade.
    Matt

  • IPS 4240 Design Question

    I have two IPS 4240s that may be placed between our internal network and our extranet firewall. The firewall set is your standard ASA-5520 active/failover pair connected to two switches.
    Q1 - If I am not worried about atomic attacks, is there any other benefit to having the IPS inline over promiscuous?
    Q2 - Whether inline or promiscuous, is it necessary to connect the single IPS to both switches in order to receive packets when an ASA failover occurs? If so, is it done physically or via RSPAN?
    Q3 - If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I could not find that on Cisco's site.
    Thanks!

    A1 - There are a few things that in-line mode can clean up by deafult, but that can also bite you. Check out some of the other forum posts on having ssh dropped without alerts. Since you have reduntant 4240s the realibility of the IPS sensors in-line shouldn't affect you as much. Just don't update them at the same time.
    A2 - Only the signatures that need state will be effected by a failover. Hopefully failovers do not happen frequently enough for missing a few potential hits to be an issue. If you are really performing good analysis and tuning out your false positives, then you might want to connect both sensors to both switches.
    A3 - You can configure the 4240s to fail-open (pass the traffic thru the sensor when it fails) or fail-closed (do not pass traffic during sensor failure). Since you have dual firewalls, switches and sensors, you can fail closed and force the traffic thru the running sensor and firewall. If one sensor is standby, you may want to make him fail open, so that you can still pass traffic in the event both sensors are down.

  • TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

    I would like to block teamviewer in my network. we are using CISCO IPS 4240 in IDS Mode. I found that there are signatures for teamviewer in latest Signatures.
    We have only configured promiscuous interface, I read that we can issue TCP resets thru promiscuous interface as well (recommended is dedicated tcp reset interface).
    However in my case, I found that Signatures for teamviewer is not getting fired even after getting successful teamviewer connections.
    I am a beginner is IPS, Any inputs will be valuable for me.

    We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
    For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
    -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
    -1 looks for specific traffic to tcp port 5938 which would indicate Teamviewer's direct-connection method
    -2 looks for traffic indicating use over http when teamviewer is configured to use a proxy
    TCP resets are a best effort response, they aren't going to be a 100% effective stop

  • IPS 4240 software 6.2(3)E4

    Hello!
    I have a sensor IPS-4240 which holds IPS software 6.2(3)E4. Right now we havn't got a license.
    With the device wh have almost 100% cpu usage all the time:
    show statistics host
    General Statistics
       Last Change To Host Config (UTC) = 27-Dec-2010 14:51:19
       Command Control Port Device = Management0/0
    Network Statistics
    Memory Usage
       usedBytes = 1426128896
       freeBytes = 558419968
       totalBytes = 1984548864
    Summertime Statistics
       start = 02:00:00 UTC Sun Mar 27 2011
       end = 03:00:00 UTC Sun Oct 30 2011
    CPU Statistics
       Usage over last 5 seconds = 100
       Usage over last minute = 100
       Usage over last 5 minutes = 100
    Memory Statistics
       Memory usage (bytes) = 1426128896
       Memory free (bytes) = 558419968
    From service accont I see that only one process eats CPU - mainApp.
    I even created addition virtual sensor vs1 where I have disabled all signatures. It gave me no result.
    Situation can be changed for a while after the sensor's reboot, but not for long time.
    show interfaces doesn't show a lot of input traffic too.
    Event log contains only following warnings:
    evError: eventId=1293461883161643337 severity=warning vendor=Cisco
      originator:
        hostId: XXXXXX
        appName: notification
        appInstanceId: 409
      time: 2011/01/19 15:22:56 2011/01/19 21:22:56 GMT+06:00
      errorMessage: name=errWarning - the subscription lost data [IdsEventStore::readSubscription()]
    What can be a problem? How can I reduce CPU usage?
    With hope to resolve the issue

    It would be difficult to pin point what the exact issue is with the high CPU just by the information provided in the post. It seems that the mainApp is causing the high CPU, however, it is worth investigating further. I would suggest that you log a Cisco TAC case so further investigation can be performed.
    Alternatively, you can try to upgrade the software to the latest version of 7.0.4(E4) which has engine improvement.

  • Cisco IPS 4240 stops file downloads at 90%

    Hi everybody. I have a Cisco IPS 4240 with version 7.0.4 installed and upgraded to the last signature. But since it was installed i have the issue with some file downloads because the IPS stops the file at 90-99% of download percentage (in some cases, not all), The ips is inline in front of firewall, some partner say me that i have to change the mode to promiscuous for the solution of the issue, but i think that if the IPS was designed for work inline, i dont have to change anything and maybe some expert of the forum have the correct answer.  Or this issue have solution with configuration changes.
    Sorry by my write english.... I try to find some signature that causes the issue but if i disabled the sensor, the issue occurs. The firewall is not the problem because if i connect a laptop in front of the firewall and behind of IPS the issue occurs too. Well i have now some months trying of find a solution. In the page of Cisco not find some similar.... [:-(
    Pd. An example of files that stop when downloads is Apple Itunes... or Microsoft Patch, or Vmware software by example.
    Thanks for your response are greatly appreciated.

    Thnaks for your help this is the last packets before freeze the download:
    The size of the download with problems is random, sometimes ocurrs with small size downloads sometimes ocurrs with large downloads. The download of the example have 47 MB, I think that the traffic is dropped and the tcp conn timeout. Do you see some anomalies in this traffic portion?.
    14:55:20.536119 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536122 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536420 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536718 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.536820 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537123 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537125 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537517 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537520 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537522 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537821 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.537823 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538116 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538118 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538415 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.538418 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.544207 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.544307 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638362 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638365 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638463 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638862 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.638866 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639164 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639166 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639560 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639562 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639564 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.639960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640263 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.640568 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.641958 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.641960 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.642158 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742304 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742603 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742605 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742607 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.742903 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743202 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743302 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.743601 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.745000 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.745100 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845347 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845548 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845550 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845647 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.845845 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846247 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.846544 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 47929166 win 65335
    14:55:20.849040 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48010926 win 65335
    14:55:20.849439 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48012386 win 65335
    14:55:20.948787 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48015306 win 65335
    14:55:20.948789 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48018226 win 65335
    14:55:20.952982 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48021146 win 65335
    14:55:20.953679 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48024066 win 65335
    14:55:21.055723 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48029906 win 65335
    14:55:21.055725 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48032826 win 65335
    14:55:21.055930 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48035746 win 65178
    14:55:21.058919 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48037206 win 65335
    14:55:21.068809 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48040126 win 65335
    14:55:21.068812 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48043046 win 65335
    14:55:21.069006 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48045966 win 65335
    14:55:21.070103 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48048886 win 65335
    14:55:21.158967 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48051806 win 65335
    14:55:21.159265 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48054726 win 65335
    14:55:21.159465 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48057646 win 65335
    14:55:21.159864 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48060566 win 65335
    14:55:21.159867 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48063486 win 64605
    14:55:21.162162 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 63875
    14:55:21.162260 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48066406 win 65335
    14:55:21.172245 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48069326 win 65335
    14:55:21.172248 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48072246 win 65335
    14:55:21.172545 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48075166 win 65335
    14:55:21.172645 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 64605
    14:55:21.172744 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48078086 win 65335
    14:55:21.172844 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48081006 win 65335
    14:55:21.173144 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 64605
    14:55:21.185225 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48083926 win 65335
    14:55:21.572333 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48116046 win 65335
    14:55:21.585313 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585315 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585414 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585417 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.585512 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.677172 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.688654 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48151086 win 65335
    14:55:21.688657 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
    14:55:21.688757 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48158386 win 65335
    14:55:21.780613 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:21.883755 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:21.986998 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335
    14:55:22.090639 IP 10.0.0.1.56109 > apollo.fileburst.net.80: . ack 48170066 win 65335

  • Need Information about IPS 4240

    Hello,
    Could you please give me information about IPS 4240:
    Number of sessions
    Number of signature
    Number of protocol
    Thank you very much

    Refer to the following urls for moreinfo on using IPS 4240:
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliSgDef.html

  • Monitor IPS with IEV?

    Got notified that we have to upgrade our IDS 4.1 to IPS 5.0.
    We currently use Cisco IEV to monitor the IDS. Can we use IEV to monitor IPS or do we need something else?
    Finding info on cisco.com is like a d@mn treasure hunt.

    Hello Tscislaw,
    We went thru the same routine a few months back. Yes, you can still use IEV with IPS 5.1.x. Just go to the link http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/ --- which is the Cisco Secure Software Software Center (Downloads) page. Go the bottom and look for the Network IDS Management/Monitoring Software section. There you will find the IDS Event Viewer (IEV) for IPS v5.x.
    This version works fine with the new IPS v5.1.x software. It even has a few enhancements like a "reports tab" next to the "views" and "filter" tabs in the bottom left corner of the IEV Console.
    There are two things that are different. One, the help files are the same as v4.1. Cisco is working on updating them. Second, the fields in the export file. IEV 5.1 no longer breaks out the unix local date/time code to readable date and time columns. You need to be aware of this if you try to export the csv to Excel. Cisco TAC has a BugTrack number for this. A human readable date and time field will be added in IEV v5.2(6) according to them. This will help a lot in creating adhoc reports from the export file (as a lot of people did with v4.1).
    Hope this answers your question.
    DF

  • How to configure IPS 4240 - K9 to send log file to syslog server

    I am looking for the commands in how to configure IPS 4240-k9 to send log file to SYSLOG server. If anybody has or came across similer issue please advice.
    Thanks in advanced.

    Ali -
    I am sorry to tell you, but the Cisco IPS Sensors do not send Syslog messages. Your only options for sending signature event information are:
    SDEE (an TLS Encrypted XML formatted message) the sensor is the SDEE Host and your event receiver (MARS, IME, Intelitactics, etc) is the client.
    SNMP Traps - You need to set the "Action" on each signature you want the sensor to send a trap.
    - Bob

  • Upgrading IPS-4240-K9

    Hi,
         I have an IPS-4240-K9 with system Version 5.1(8)E2 and I need to upgrade to the last version Release 7.1(7)E4, I need to know if there is some way to do this without jumping from all the old versions (6.0 E2, 6.0 E3, 6.0E4, etc) do i need to make a reimage?? what is the process?? what files needs to download?
    Thanks,

    Hello Salvador,
    The upgrade path is: 5.1(8) >  6.0(6) > 7.1
    If you want to do it directly you will need to re-image the sensor.
    For upgrade use teh .pkg file and for re-image use the .img file.
    Download from:
    http://software.cisco.com/download/type.html?mdfid=278810718&flowid=4425
    For re-image:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_system_images.html#wp1060091
    Hope it helps,
    Regards,
    Felipe.

  • IOS IPS Signatures for password guessing?

    I recently experienced a password-guessing attack. The inside Windows server's security was pretty well useless in stopping the attack (block, yes; stop, no), because the user ID kept changing, and Windows account lockout ignores source addresses. In this case, it was FTP, and I found an IPS signature for that, but it got me to thinking:
    There don't seem to be password-guessing signatures for RDP, HTTP, HTTPS, or SSL. Granted it may not be practical for HTTPS and SSL, but what about the other two? Should we consider rolling our own?

    You can configure custom signatures for IOS IPS using Security Monitor which is part of VMS. Below is a doc on how to do this:
    http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f44.html#xtocid9
    Also try this link for Cisco Security Advisory
    http://www.cisco.com/en/US/products/products_security_advisory09186a008055dbdd.shtml

  • IPS 4240 Sig Update License

    Is this the correct part no. for the IPS 4240 Sig Update License?  CON-SUSA-IPS4240S
    I can only find this part number in the ordering tool: CON-SUI-IPS4240 which also has SMARTNet Support?
    Which one do we need just for having Sig Updates?
    Thanks

    You can't purchase a standalone IPS subscription for IPS appliance.
    You have to purchase either of the following:
    1) CON-SUI-IPS4240 for example that includes Smartnet for hardware, software as well as the IPS subscription.
    OR/
    2) CON-SUSA-IPS4240 contracts are only sold to customer who have purchased a hardware and software support contract through a reseller/partner.
    CON-SUSA... can't be sold on its own, it must be sold in conjunction with the reseller/partner support contract.
    Hope that helps.

  • IPS 4240 even backup/retrewals

    Hi,
    We having IPS three number of 4240 placed on different segments of our network. We having following querries about collecting IPS logs;
    1) We need to collect IPS events/logs to external server
    2) is there any other application that we can retriew IPS logs other than Cisco IME
    3) can cisco IME retriew logs taken from a backup server in the same manner that it retriew in current logs (with colored, graphs etc).
    4) what is the correct logs storage capacity of the IPS 4240 appliance, when I see TAC IPS media Series, Episode 2 - IPS Hardware
       its mentioned as 2GB DDR RAM and 512MB flash. (https://supportforums.cisco.com/docs/DOC-13565) 
       However when I checked my IPS Total memory 1984MB and Total Data Storage 788MB. what are these figures..?
    5) where exactly save the IPS logs, will the event goes off once we do power recrycle?.
    Appreciate if some one can answer with correct solutions to above questions

    yes you are right, and it is clear for me, but i think using ASDM-IDM launcher can
    be used for both ASA and IPS.
    but in my case currently, i am upgrading only the IPS to 7.0(2)E4 from version 7.0(2)E3. so i don't want to loose the ability to access both ASA and IPS(with new version).
    in addition, when i do Access the IPS through Https, it do not create any shortcut on my screen. moreover, when i do try and click on "You can also install DM Launcher to run IDM." i got the DM Laucnher with version 1.5(37) and not with version 1.5(49)
    PS:
    - i rebooted the sensor, same issue.
    - i cleared the cache folder in the path "C:\Users\Administrator\.asdm\cache" & "C:\Users\Administrator\.idm\cache" also same issue
    problem persists.
    Please Advice

Maybe you are looking for

  • How can I reallocate sales order stock within sales order?

    I have a material that is strategy 50 and produces sales order stock.   A customer placed an order for a quantity to be shipped to a single location.  So the sales order was set up with a single line item and a single ship-to partner.  Just before sh

  • Creating DVD Data Disc to Share HD Video Files

    Hi All, I have a MacBook Pro and have created HD Videos using iMovie 09.  I need to send the HD Video files to a company in India for them to be able to access and utilize the files.  These are the parameters that they have sent me: Format : PAL. 720

  • Trouble shoot mac problems on a pc?

    I am developing my AIR project on a PC, the project runs as desired on the PC, but is having several problems on the Mac I am testing on. It is becoming extremely painful trying to trouble shoot the problem, I have to change 1 line at a time, then co

  • Transportation module under LES

    Hi All,     We need to leverage functionalities in Transportation module in ECC 6.0 per se for transportation Planning , Bulk shipments , Manifestations , Alternate routing , consolidating monthly/weekly Deliveries for a customer & printing  one sing

  • Hard Drive Spin Down....Good or Bad??

    'Two questions, really, but first some background.  I have an earlier Mac Pro running 10.7.3 (as I recall).  I also have a Sonos music system.  All the hard drive bays in the Mac Pro are occupied.  The first has a 2 TB Western Digital RE that has my