Sensing interfaces on IPS!

Hi Guys,
I have an IPS 4215 with the 6.0 image, 4 sensing interfaces along with the C&C. I'm a little bit confused about the sensing interfaces across the network; what I am thinking is as follows:
The IPS will function in inline mode.
1) Two sensing interfaces bridged together on the inside
2) Two sensing interfaces bridged together on the outside, because I have a web server on the DMZ that needs to be accessed from outside
But the inline rule says: traffic from one interface to another interface needs to be checked. So how is that with traffic leaving my network to the internet? It needs to be checked either way, which is useless in this case, because I just need inspection of traffic coming from outside toward my web server and inspection of the inside interfaces.
Any help here in order to determine the ideal deployment for the sensors?
Thanks a lot

Can't really find a sample config on IPS; however, here is a sample config on the concept of a transparent firewall, which is exactly what the IPS is:
Interface pair (on ASA firewall): http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
VLAN pair (FWSM): http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/exampl_f.html#wp1029042
For the VLAN pair example, just check the diagram: basically there is 1 subnet, and the VLAN pairing basically forces the traffic to go through the firewall/IPS. Since all hosts are on 1 layer 3 subnet, a host will ARP for the IP address, and if the default gateway is on the other side of the IPS/firewall, the traffic is forced to traverse the appliance to get to its default gateway, hence forcing the traffic to be inspected by the IPS. Otherwise, there is no other way to force traffic to pass through the IPS, as the IPS is a layer 2 device (the sensing interface is L2), not a routed device.

Similar Messages

  • Why does the sensing interface flap or frequently go to the down state in IDS ?

    Hi all,
    This is the answer I found on the Cisco website, but according to this, I did not make any updates or any configuration changes, and still my sensing interface is going down. I'm not even getting the error messages which they have mentioned at the end.
    Ans: During a signature update and reconfigurations, sensorApp stops processing packets as it processes the new signatures in the update. The network driver detects that sensorApp has stopped and pulls any new packets from the buffer. So the network driver does different things, depending on the configuration and sensor model:
    Promiscuous Interface—It brings the link down on the interfaces, and brings the link back up once sensorApp starts to monitor again.
    Inline Interface or Inline Vlan Pair—It depends on the Bypass setting:
    Bypass Auto—The driver keeps the link up and begins to pass packets through without analysis. It then reverts back to sending the packets through sensorApp once sensorApp starts to monitor again.
    Bypass Off—The driver brings the link down on the interfaces, which is the same as in promiscuous mode, and brings them back up once sensorApp starts to monitor again.
    So, if sensorApp does not pull packets from the buffer, which possibly occurs because there is no interface configured to process packets, then the driver can put the interface in a down state.
    These logs are seen when the sensing interface flaps:
    28Jun2011 09:03:09.483 6050.885 interface[409] Cid/W errWarning Inline databypass has started.
    28Jun2011 09:03:13.639 4.156 interface[409] Cid/W errWarning Inline databypass has stopped.
    28Jun2011 09:19:23.922 970.283 interface[409] Cid/W errWarning Inline databypass has started.
    28Jun2011 09:19:27.486 3.564 interface[409] Cid/W errWarning Inline databypass has stopped.

    It is possible you are overloading that little 4215. If that is the case you should also be seeing "missed packet percentage" messages in your events.
    How much traffic is your 4215 getting? Those sensors will start to drop packets for inspection at about 30 Mb/s.
    - Bob
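A small parser for the "Inline databypass" log lines quoted above, added here as an example (it is not from the original post or from Cisco): it pairs each "started" with its "stopped", reports how long the sensor passed traffic uninspected each time, and how often the driver fell into bypass. The sample lines are constructed in the format quoted in the post; the one-flap-per-hour threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the format of the sensor log lines quoted in the post above
# (timestamp, seconds since the previous log line, process, then the message).
SAMPLE_LOG = """\
28Jun2011 09:03:09.483 6050.885 interface[409] Cid/W errWarning Inline databypass has started.
28Jun2011 09:03:13.639 4.156 interface[409] Cid/W errWarning Inline databypass has stopped.
28Jun2011 09:19:23.922 970.283 interface[409] Cid/W errWarning Inline databypass has started.
28Jun2011 09:19:27.486 3.564 interface[409] Cid/W errWarning Inline databypass has stopped.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}[A-Za-z]{3}\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<since_prev>\d+\.\d+) .*Inline databypass has (?P<state>started|stopped)\.$"
)


def parse_bypass_events(log_text):
    """Return [(timestamp, seconds_since_previous_line, 'started'|'stopped'), ...]."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%d%b%Y %H:%M:%S.%f")
            events.append((ts, float(m.group("since_prev")), m.group("state")))
    return events


def bypass_windows(events):
    """Pair each 'started' with the following 'stopped'. An unmatched 'started'
    (bypass still active at the end of the log) is reported with duration None."""
    windows, start = [], None
    for ts, _, state in events:
        if state == "started":
            start = ts
        elif state == "stopped" and start is not None:
            windows.append((start, round((ts - start).total_seconds(), 3)))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def flap_report(log_text, max_flaps_per_hour=1):
    """Summarise bypass activity: how many bypass windows, how long each lasted,
    and whether the flap rate exceeds the (assumed) threshold."""
    windows = bypass_windows(parse_bypass_events(log_text))
    starts = [w[0] for w in windows]
    span_h = (starts[-1] - starts[0]).total_seconds() / 3600 if len(starts) > 1 else 0.0
    flaps_per_hour = len(windows) / span_h if span_h > 0 else float(len(windows))
    return {
        "bypass_windows": len(windows),
        "durations_s": [w[1] for w in windows],
        "open_window": any(w[1] is None for w in windows),
        "flaps_per_hour": round(flaps_per_hour, 2),
        "exceeds_threshold": flaps_per_hour > max_flaps_per_hour,
    }


if __name__ == "__main__":
    print(flap_report(SAMPLE_LOG))
```

The second field of each log line is the gap to the previous line, so a mismatch between it and the timestamp difference indicates dropped or rotated log lines rather than a short bypass.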

  • IDSM-2 -Sensing Interfaces go down and up continously

    Hi there.
    Apparently the sensing interfaces of our Cisco IDSM-2 are having issues with link status.
    Recently I've been getting these events in the console of the Catalyst switch where the IDSM-2 is installed:
    %LINK-SP-3-UPDOWN: Interface GigabitEthernet2/7, changed state to down
    %LINK-SP-3-UPDOWN: Interface GigabitEthernet2/7, changed state to up
    Not getting too much information with that led me to look into the IDS logs and we got:
    GigabitEthernet0/7 : Link is down.
    Inline data bypass has started
    A few milliseconds later:
    Inline data bypass has stopped
    We are getting these up and down link status messages every two hours. I've already checked for possible attacks in time ranges around the time we get these messages, and there seem not to be any that pose a risk of shutting down a gigabit interface.
    Could this be a normal behavior every now and then?
    Thanks

    There's nothing you can do to speed it up. It just has to run and finish. Don't interrupt it.
    Regards
    TD

  • VMS MC 2.0.2 - Sensor contain no sensing interface

    We are running VMS MC 2.0.2 for all IDS. While trying to Deploy a job in VMS Management Center for IDS Sensors, we received the following error:
    "Generate failed. The configuration of Sensor xxxxx does not contain any sensing interfaces. The configuration should contain at least one sensing interface so that the sensor can obtain packets for analysis."
    Can't understand what caused this problem, as it is our active sensor with one sensing and one mgmt interface.
    Your help is much appreciated.
    TIA
    Simone.

    An interface group provides a way to group sensing interfaces into one logical virtual sensor. Only one interface group, 0, is supported. Depending on the configuration of your sensor, you may need to assign the sensing interface to interface group 0 and enable the interface.
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/hwguide/hwclipr.htm#wp86441

  • Bypass Interface for IPS 4200

    Hi,
    Can somebody help me understand how the IPS bypass interface module for the 4200 is used? Is it that, when the IPS appliance fails (no power, hardware failure), traffic can readily flow from the outside interface to the inside, bypassing the IPS? Usually in an inline placement the IPS appliance is the point of failure during a hardware failure; is the bypass module introduced to defy such a failure?

    The bypass module is only available on the 4260 and 4270 sensors. It can give you a hardware short of the Ethernet pairs in the event of a sensor power failure. The rest of the sensor product line uses a software bypass. We have found both of these methods to be less than reliable when a sensor experiences a software crash (the software needs to realize the sensing app has crashed in order to activate the bypass). Using an external device has proven to be much more reliable.
    A simple switch with two VLANs can be used. Connect the two VLANs externally with your sensor and a patch cable. Assign a higher Spanning Tree Protocol cost to the cable connecting your two VLANs. The cable becomes a hot standby path to your sensor.
    - Bob

  • Problem adding CSA external interface in IPS 6

    I configured my AIP-SSM sensor running IPS 6 to connect to the CSA MC, but I get a connection failure. The sensor is showing the following error when trying to connect:
    evError: eventId=1168311248090659938 severity=warning vendor=Cisco
    originator:
    hostId: os-ips
    appName: externalProductInterface
    appInstanceId: 317
    time: 2007/01/20 02:50:22 2007/01/19 20:50:22 GMT-06:00
    errorMessage: name=errNotAvailable Failure opening a subscription on the Management Center for Cisco Security Agents external interface at 1.1.1.1: Parse response found a different element when expecting the SOAP Envelope element

    The interface is currently disabled, but I think you'll get the picture.
    cisco-security-agents-mc-settings (min: 0, max: 2, current: 1)
    ip-address: 1.1.1.1
    interface-type: extended-sdee
    enabled: no default: yes
    url: /csamc/sdee-server
    port: 443
    use-ssl
    always-yes: yes
    username: adminuser
    password:
    host-posture-settings
    enabled: yes default: yes
    allow-unreachable-postures: yes
    posture-acls (ordered min: 0, max: 10, current: 1 - 1 active, 0 inactive)
    ACTIVE list-contents
    NAME: 1-subnet
    network-address: 192.168.1.0/24
    action: permit
    watchlist-address-settings
    enabled: yes
    manual-rr-increase: 25
    session-rr-increase: 25
    packet-rr-increase: 10

  • Ids 4235 with single sensing interface

    Hi guys,
    I have an IDS 4235 which I upgraded to version 6.0(5)E3.
    It has only one sensing interface; now how can I keep it in inline mode?
    Any ideas? Please help.

    With a single interface you'll need to trunk two VLANs to your sensor, an "inside" and an "outside" VLAN (just like a firewall), and configure your sensor for inline VLAN pairs:
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/idm/dmInter.html#wp1029962

  • Pairing odd physical type interfaces for ips

    In the 4250-sx, there is a copper gigabit interface (ge_0/0) and a fiber gigabit interface (ge_1/0). Can these interfaces be paired together to do blocking or do they have to be the same physical type.
    What are the disadvantages, if any, of pairing odd physical type interfaces?

    Pairing of copper and fiber interfaces is not supported.
    We have not tested this configuration and do not know what issues might develop from that combination.
    Here is the list of supported inline interface pairs:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/cliinter.htm#wp1057307
    Alternatives:
    1) Purchase a second SX interface from Cisco so you can pair the 2 SX interfaces.
    2) Use Inline VLAN Pairs, which pair 2 VLANs on a single interface instead of using 2 interfaces. You can then create inline VLAN pairs on the SX card, and can even create inline VLAN pairs on the TX interface of the motherboard at the same time.
    Marco

  • IPS 4240 - additional card

    Hi,
    Does anybody know when 4xFE cards for the IPS 4240 will be available (for a total of 8 interfaces)?
    Regards,
    Krzysztof

    Cisco IDS 4250 is supported in version 5.0 Inline if the 4FE, Gig TX PCI card, two of the SX PCI cards, or the XL card is installed. Cisco IPS 4240 is supported in version 5.0, Inline supported (it has four sensing interfaces). IPS 4255 is supported in version 5.0, Inline is supported (it has four sensing interfaces). IDSM-2 is supported in version 5.0, Inline supported (it has two sensing interfaces).
    http://www.cisco.com/en/US/netsol/ns498/netqa0900aecd8029e8de.html

  • IPS Interface using SNMP

    Hi there,
    I am encountering a problem with a number of Cisco IPS 4200 series devices. When we perform a walk using the MIB-II (RFC 1213) OIDs, the information that is returned is incorrect (interface status, speed, ...).
    After some searching, I found the following on the Cisco site for these devices:
    The following private MIBs are supported on the sensor:
    • CISCO-CIDS-MIB
    • CISCO-PROCESS-MIB
    • CISCO-ENHANCED-MEMPOOL-MIB
    • CISCO-ENTITY-ALARM-MIB
    Note MIB II is available on the sensor, but we do not support it. We know that some elements are not correct (for example, the packet counts from the IF MIB on the sensing interfaces). While you can use elements from MIB II, we do not guarantee that they all provide correct information. We fully support the other listed MIBs and their output is correct.
    Is there any way that we can correctly read the interface status, speed, etc.? I cannot find similar OIDs in the supported MIBs.
    IPS4240 ver 7.0(4)E4
    Thanks

    Hi,
    Unfortunately, there is currently no way to get the correct interface statistics through SNMP.
    An enhancement request has been opened to have parts of MIB-II supported:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk41177
    If this feature is important for you, you can contact your account team so that they can work with the IPS folks to have this feature prioritized for the next software release.
    Regards,
    Nicolas

  • IPS 4240 management interface MAC address

    Hi All,
    I am using DHCP in my network, and I need to reserve one IP for the management interface of the IPS.
    I tried to get the MAC but couldn't. It is not even in the show tech-support output.
    Can anyone please tell me how to get the MAC of the management interface of the IPS?

    If the show interface output is not giving you this information, you can logon via service account and run the 'ifconfig -a' command. Just make sure you do a 'su -' otherwise this command won't be available.
    Please rate if helpful :)
    Regards
    Farrukh

  • Detect attack man in the middle with IDS/IPS

    Hi,
    I have an AIP-SSM-20, IPS version 7.0(6)E4.
    The signature IDs 7101, 7102, 7104 and 7105 are used for detecting ARP poisoning attacks.
    The sensor works as an IDS in promiscuous mode. All traffic is forwarded to the sensor.
    I have made a man-in-the-middle attack with Cain & Abel, but the sensor doesn't send an alarm. I attach an image with the signatures.
    Why doesn't the sensor detect the attack? The network is in the inside zone.
    Can anybody help me, please?

    Did you check if the SSM is getting those packets by running the "packet display .." command on the sensing interface? In the SSM case, the ARP packets would not be forwarded by the ASA to the SSM.
    thx
    Madhu

  • How to see mac address in IPS 4240 ???

    Hi all,
    How to see mac-address of inline-vlan-pair ?  and how to see mac-address of management interface in IPS ?
    Regards,
    Kiran

    Hello Kiran,
    The inline-vlan-pair itself is tied to a particular interface. So you're really asking for the MAC address of the interface associated with the inline-vlan-pair.
    The MAC address of sensing ports will be added to a "show interfaces" via CSCse84414. You can currently view the MAC address of sensing interfaces by doing an "ifconfig -a" from the service account.
    Thank you,
    Blayne Dreier
    Cisco TAC IDS Team
    **Please check out our Podcast**
    TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

  • IPS don't see any traffic

    Hi all,
    I’ve configured the IPS module in a Cisco ASA firewall; unfortunately, for an unknown reason, I can’t see any network traffic hitting the IPS.
    I can see the packet count increasing by issuing the “show interface” command, but there is no traffic hitting the IPS when I issue the “show statistics analysis-engine” command.
    IPS-A# sh int gigabitEthernet0/1 | i Total Packets Received
       Total Packets Received = 107449498
    IPS-A# sh int gigabitEthernet0/1 | i Total Packets Received
       Total Packets Received = 107449511
    IPS-A# sh stat analysis-engine
    Analysis Engine Statistics
       Number of seconds since service started = 13836300
       The rate of TCP connections tracked per second = 0
       The rate of packets per second = 0
       The rate of bytes per second = 0
       Receiver Statistics
          Total number of packets processed since reset = 0
          Total number of IP packets processed since reset = 0
       Transmitter Statistics
          Total number of packets transmitted = 0
          Total number of packets denied = 0
          Total number of packets reset = 0
       Fragment Reassembly Unit Statistics
          Number of fragments currently in FRU = 0
          Number of datagrams currently in FRU = 0
       TCP Stream Reassembly Unit Statistics
          TCP streams currently in the embryonic state = 0
          TCP streams currently in the established state = 0
          TCP streams currently in the closing state = 0
          TCP streams currently in the system = 0
          TCP Packets currently queued for reassembly = 0
       The Signature Database Statistics.
          Total nodes active = 0
          TCP nodes keyed on both IP addresses and both ports = 0
          UDP nodes keyed on both IP addresses and both ports = 0
          IP nodes keyed on both IP addresses = 0
       Statistics for Signature Events
          Number of SigEvents since reset = 0
       Statistics for Actions executed on a SigEvent
          Number of Alerts written to the IdsEventStore = 0
       Inspection Stats
    Please let me know if you need to know more info.
    Any advise would be appreciated, thanks.

    I've checked both and confirmed that GigabitEthernet0/1 has been assigned to the IPS. Attached is the screenshot for your reference. Is there anything else I can do to fix this?
    After making this change in CSM, have you submitted and deployed it to the sensor? If not, go ahead and Submit and Deploy, then confirm whether the issue remains.
    As Jennifer noted, a 'show tech' command output from the sensor can help confirm this (it will include a 'show stat virtual' command output which will indicate if the sensing interface is in-fact assigned on the live sensor).
    Finally, is this AIP-SSM sensor module installed in a standalone ASA or an Active/Standby failover pair? If the latter, then you'll want to ensure that you are working on the module installed in the Active ASA (the AIP-SSM sensor modules do not currently replicate/synchronize their configuration like the ASAs do, and must each be configured).
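As an added example (not from this thread or from Cisco), a check that compares two "Total Packets Received" snapshots of the sensing interface against the "show statistics analysis-engine" counters quoted above and flags the state the poster describes: packets arrive on the interface but the analysis engine never processes any, which points at the interface not being assigned to a virtual sensor. The sample outputs are constructed in the quoted format.

```python
import re

# Constructed samples in the format of the command output quoted in the thread above:
# two "show interface ... | include Total Packets Received" snapshots taken a few
# seconds apart, and one "show statistics analysis-engine" output.
SHOW_INT_FIRST = "   Total Packets Received = 107449498"
SHOW_INT_SECOND = "   Total Packets Received = 107449511"
SHOW_STAT_AE = """\
Analysis Engine Statistics
   Number of seconds since service started = 13836300
   The rate of TCP connections tracked per second = 0
   The rate of packets per second = 0
   The rate of bytes per second = 0
   Receiver Statistics
      Total number of packets processed since reset = 0
      Total number of IP packets processed since reset = 0
   Transmitter Statistics
      Total number of packets transmitted = 0
"""


def counter(output, name):
    """Extract one 'name = value' counter from CLI output; raise if it is absent."""
    m = re.search(r"^\s*" + re.escape(name) + r" = (\d+)\s*$", output, re.MULTILINE)
    if m is None:
        raise ValueError("counter not found: " + name)
    return int(m.group(1))


def inspection_check(int_first, int_second, stat_ae):
    """Compare what the sensing interface receives between two snapshots with what
    the analysis engine reports, and classify the sensor's state."""
    received = (counter(int_second, "Total Packets Received")
                - counter(int_first, "Total Packets Received"))
    processed = counter(stat_ae, "Total number of packets processed since reset")
    pps = counter(stat_ae, "The rate of packets per second")
    uptime = counter(stat_ae, "Number of seconds since service started")
    if received < 0:
        verdict = "counter-reset"   # counters wrapped or the sensor restarted between snapshots
    elif received == 0:
        verdict = "no-traffic"      # nothing reached the interface either; check the span/assignment on the ASA
    elif processed == 0 and pps == 0:
        verdict = "not-inspected"   # traffic arrives but never reaches the engine:
                                    # verify the interface is assigned to a virtual sensor ("show stat virtual")
    else:
        verdict = "inspecting"
    return {"verdict": verdict, "received_delta": received,
            "processed_total": processed, "engine_uptime_s": uptime}


if __name__ == "__main__":
    print(inspection_check(SHOW_INT_FIRST, SHOW_INT_SECOND, SHOW_STAT_AE))
```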

  • IDSM-2 sensing ports errorDisabled

    Hi - I have a number of IDSM-2 cards I've recently upgraded from 4.x code to 5.1.1 IPS code. Since the upgrade, I am having frequent issues with the sensing interfaces (gigabitEthernet0/7 and 0/8) going errorDisabled. Of course I am not able to do a "set port enable" on those, so a reset of the card is required to get it going again. I've noticed if I don't span any traffic to the ports, they stay up (and stay useless as well). This is happening in 4 cards, all in CAT6500 switches. Are there any suggestions you can offer? Thanks!

    James, not that this will make you feel any better, but this is the exact problem I'm running into at a customer site. Coincidentally, they had just upgraded to 5.1.1 code also. Of course the port counters on the Cat6500 stay clean; they errdisable with a reason of "other". The Cat6500 is running CatOS 8.4.
    Has anyone else run into this and know of the cause?
    Your help is appreciated.
