SSM-IPS 6.03E1 unwanted blocking

Hi all,
I am doing some testing in the lab and came across something that is interesting to me:
I enabled sigs 2000 and 2004 to test that the IPS is inspecting the traffic and checked the action for those 2 sigs as produce alert only. That worked well with informational alert severity. However, when raising the severity to high the IPS starts blocking the ICMP packets even though the action on the signature is only produce alert. Why is the IPS blocking such traffic? Am I missing something here? As always, help is appreciated.

There is a default event-action-override for deny-packet-inline that gets added to all events with a Risk Rating of 90 or higher.
When running setup on the sensor, one of the last questions is "Modify default threat prevention settings?[no]".
If you answer "no" then the default remains active. Your 2000 and 2004 signatures will generate a Risk Rating higher than 90 if you change the severity to high, and so will be automatically denied.
If you answer "yes" then you are given the option to disable these default settings.
To see this setup option refer to step 20 of this section:
http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_initializing.html#wp1072155
To learn more about event action overrides refer to:
http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/cli/cli_event_action_rules.html#wp1085984
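To make the reply concrete, here is an added worked example (not code from the thread or from Cisco) that models how an event action override turns a produce-alert-only signature into a dropped packet. The Risk Rating formula and the severity weights (informational=25, low=50, medium=75, high=100, target value "medium"=100) are taken from Cisco's published Risk Rating definition; the signature fidelity of 100 for sigs 2000 and 2004 and the event values are assumptions made for illustration.

```python
# Attack Severity Rating per configured alert severity (Cisco Risk Rating definition).
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}

# The default threat-prevention override left in place when setup's
# "Modify default threat prevention settings?" is answered [no]:
# deny-packet-inline is added to every event with Risk Rating 90..100.
DEFAULT_OVERRIDES = [
    {"action": "deny-packet-inline", "min_rr": 90, "max_rr": 100, "enabled": True},
]


def risk_rating(severity, fidelity=100, target_value=100, arr=0, pd=0, wlr=0):
    """Risk Rating = (ASR * TVR * SFR) / 10000 + ARR - PD + WLR, clamped to 0..100.

    severity      -> Attack Severity Rating (ASR) via the ASR table
    fidelity      -> Signature Fidelity Rating (SFR), 0..100
    target_value  -> Target Value Rating (TVR); 100 is the default "medium"
    arr/pd/wlr    -> attack relevance, promiscuous delta, watch-list rating
    """
    rr = round(ASR[severity] * target_value * fidelity / 10000) + arr - pd + wlr
    return max(0, min(100, rr))


def effective_actions(configured, rr, overrides=DEFAULT_OVERRIDES):
    """Actions the sensor actually takes: the signature's own actions plus
    every enabled override whose Risk Rating range contains this event's RR."""
    actions = set(configured)
    for o in overrides:
        if o["enabled"] and o["min_rr"] <= rr <= o["max_rr"]:
            actions.add(o["action"])
    return actions


def evaluate(sig_id, severity, configured=("produce-alert",),
             overrides=DEFAULT_OVERRIDES, fidelity=100):
    """Return (sig_id, risk_rating, sorted list of effective actions) for one event."""
    rr = risk_rating(severity, fidelity=fidelity)
    return sig_id, rr, sorted(effective_actions(configured, rr, overrides))


if __name__ == "__main__":
    # Constructed events for the two ICMP signatures from the question.
    for sev in ("informational", "high"):
        for sig in (2000, 2004):
            print(evaluate(sig, sev))
    # Same high-severity event with the default override disabled (setup answered "yes").
    disabled = [dict(DEFAULT_OVERRIDES[0], enabled=False)]
    print(evaluate(2004, "high", overrides=disabled))
```

The point the model makes: changing severity alone moves the Risk Rating from 25 to 100, which crosses the override threshold even though the signature's configured action never changed; either lower the fidelity or target value so the RR stays under 90, or disable the deny-packet-inline override, if the intent is alert-only testing.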

Similar Messages

  • ASA SSM IPS module upgrade won't work

    Hello all,
    I'm trying to upgrade the IPS sigs on an ASA5520 with an SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device, with no luck.
    I followed these steps provided by Cisco.com:
    1. Log in to the ASA.
    2. Enter enable mode:
    asa# enable
    3. Configure the recovery settings for ASA-SSM:
    asa (enable)# hw-module module 1 recover configure
    NOTE: If you make an error in the recovery configuration, use the
    hw-module module 1 recover stop command to stop the system reimaging
    and then you can correct the configuration.
    4. Specify the TFTP URL for the system image:
    Image URL [tftp://0.0.0.0/]:
    Example:
    Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
    5. Specify the command and control interface of ASA-SSM:
    Port IP Address [0.0.0.0]:
    Example:
    Port IP Address [0.0.0.0]: 11.21.31.41
    6. Leave the VLAN ID at 0.
    VLAN ID [0]:
    7. Specify the default gateway of the ASA-SSM:
    Gateway IP Address [0.0.0.0]:
    Example:
    Gateway IP Address [0.0.0.0]: 11.22.33.44
    8. Execute the recovery:
    asa# hw-module module 1 recover boot
    9. Periodically check the recovery until it is complete.
    NOTE: The status reads "Recovery" during recovery and reads "Up" when
    reimaging is complete.
    After #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
    I opened a Cisco TAC case on this and am not receiving a lot of help...
    Please help!!!:)
    Thanks
    Chris Serafin

    The recovery using this method can take upwards of 30 minutes, and in some cases even longer.
    How long have you left the SSM in the "recovery" state?
    There may be something wrong in the config you entered. When that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
    Execute "debug module-boot" on the console of the ASA.
    The debug output will show you the ROMMON output of the SSM itself. (The SSM has its own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
    If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
    Some typical problems I have seen:
    1) Wrong IP given for the sensor.
    2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
    3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the external port of the SSM is plugged into the right network for that IP.
    4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
    5) The file name is wrong. Check the capitalization especially.
    6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
    tftp://10.20.30.40/subdirectoryname/filename
    7) The tftp is timing out.
    There are 2 things that can cause this:
    a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
    b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
    If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
    It will stop the reboot cycle from happening.
    Let the module come up with the old image.
    Then correct your "recover configure" settings, and try the "recover boot" again.
    Another alternative:
    Stop the recovery "recover stop"
    Let it boot into the old image.
    If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
    The "recover" from the ASA will wipe the box clean and load a fresh image.
    The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
    5.1 upgrade file:
    IPS-K9-min-5.1-1g.pkg
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
    The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
    For normal upgrades you want to use "upgrade" files done through the sensor itself (CLI, IDM, or CSM).
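Several of the typical problems listed above (wrong sensor or gateway IP, gateway off the sensor's network, filename capitalization, file sitting in a subdirectory) can be caught before the "recover boot" is issued. The following is an added pre-flight checker, not code from the thread or from Cisco; the netmask argument and the `files_on_server` inventory (what you would list in the TFTP root) are assumptions added for the checks, and the sample values are constructed except for the image filename quoted in the question.

```python
import ipaddress
import posixpath
from urllib.parse import urlparse


def preflight(image_url, sensor_ip, netmask, gateway, files_on_server=None):
    """Check the values entered at the 'hw-module module 1 recover configure' prompts.

    Returns a list of problems (empty list means the entries pass). Covers items
    1, 2, 5 and 6 of the reply; reachability and spanning-tree timing (items 4 and 7)
    cannot be judged offline and are not checked here.
    """
    problems = []

    # Image URL must be tftp://<server>/<path-inside-tftp-root>
    url = urlparse(image_url)
    if url.scheme != "tftp" or not url.hostname:
        problems.append("image URL must have the form tftp://<server>/<file>")
    path = url.path.lstrip("/")
    if not path:
        problems.append("image URL has no filename")

    # Item 2: the gateway has to be a host on the sensor's own network, which is
    # where non-standard netmasks usually trip people up.
    try:
        sensor = ipaddress.ip_address(sensor_ip)
        net = ipaddress.ip_network(f"{sensor_ip}/{netmask}", strict=False)
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            problems.append(f"gateway {gateway} is not on the sensor's network {net}")
        elif gw == sensor:
            problems.append("gateway must not be the sensor's own address")
    except ValueError as exc:  # item 1: malformed sensor/gateway address or mask
        problems.append(f"bad address: {exc}")

    # Items 5 and 6: exact, case-sensitive filename and the right subdirectory.
    if files_on_server is not None and path:
        if path not in files_on_server:
            same_ci = [f for f in files_on_server if f.lower() == path.lower()]
            same_base = [f for f in files_on_server
                         if posixpath.basename(f) == posixpath.basename(path)]
            if same_ci:
                problems.append(f"filename case mismatch: server has {same_ci[0]!r}")
            elif same_base:
                problems.append(f"file is in a subdirectory; use tftp://{url.hostname}/{same_base[0]}")
            else:
                problems.append(f"{path!r} not found on the tftp server")
    return problems


if __name__ == "__main__":
    # Constructed sample: a good configuration and a gateway on the wrong network.
    IMAGE = "tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img"
    ROOT = ["IPS-SSM-K9-sys-1.1-a-5.1-1.img"]
    print(preflight(IMAGE, "10.20.30.50", "255.255.255.0", "10.20.30.1", ROOT))
    print(preflight(IMAGE, "10.20.30.50", "255.255.255.0", "10.20.31.1", ROOT))
```

Run it with the values you intend to type at the prompts; any non-empty result is worth fixing with "recover stop" and a corrected "recover configure" before the module spends another reboot cycle retrying the download.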

  • Active-Standby SSM-IPS upgrade question

    I have 2 ASA 5510's with ASA-SSM-10 IPS modules. The IPS's were running version 5.0.2, and I noticed this will not be supported for SIGS so I started to upgrade to version 5.1.1g. I got one unit upgraded and it seems to be fine, but the second still says it is running 5.0.2 and it will not let me login to it via CLI. When I force a failover the IPS always seems to be with the upgraded unit, so I can never get to my other IPS to upgrade it.
    What did I do wrong?
    Thanks,
    Dan

    When you say it will not let you login via CLI, what method of connection are you attempting? Are you telneting directly to the management IP of the second SSM, or sshing directly to the management IP of the second SSM, or sessioning through the console of the second ASA into the second SSM?
    What if any errors are you seeing when trying to login?
    When you say that you failover the IPS you can't get to the other IPS, to what are you referring?
    The SSMs don't failover to each other. They do not share configuration, and should not share IP Addresses for their management IP. If you have configured the same IP for both SSMs, then you have a bad configuration. Each SSM needs its own independent IP Address. The SSMs should be managed as independent sensors.

  • SSM IPS Configuration

    I have a couple of questions regarding the ASA that deal with the SSM module.
    I have read the document "Configuring ASA-SSM" and am confused by the command logic. I realize that you need to specify a service-policy globally that defines the traffic being sent to the SSM module. My concern is that the configuration document lists as one of its steps to define an ACL for the IPS traffic and then apply it to an interface before configuring the class map, policy map, and service-policy. Why would this ACL need to be applied to an interface when it is being used for defining IPS traffic? Shouldn't the ASA send whatever traffic is defined globally in the service-policy to the SSM without attaching the ACL to an interface?
    Also, on the ASA factory default configuration there is a service-policy defined as:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    But, if I define a global service-policy for the SSM I would lose this default service-policy as only one global service policy is allowed. Is the default service-policy providing the fixup protocol services as in the PIX that I am used to seeing? If so do I lose this functionality by applying a global service-policy for IPS?
    Sorry for the length of the post and thanks for your help in advance.

    The configuration in the IPS User's Guide is just one method for setting up the ASA to send packets to the SSM.
    It is an extremely basic configuration on the ASA where all the ASA is doing is copying packets to the SSM and the ASA is not doing any of its firewall functionality.
    This configuration is only practical if the ASA was purchased and used only for housing the SSM and sending it traffic ( a rare deployment in the field ).
    If your ASA is already configured for firewall functionality then the only additional command(s) that need to be added to your config are:
    ips inline|promiscuous fail-open|fail-close
    Take your existing policy-map and for every class in that policy you will need to decide if the traffic should be monitored promiscuously, inline, or not monitored by the SSM.
    In your example, if you wanted to monitor all of the traffic inline on the SSM and want to continue passing traffic if the SSM fails, then simply add the line "ips inline fail-open" within the existing "class inspection_default".
    NOTE: If you change the policy you need to understand that the new policy will only affect new connections and not existing connections.
    The only reason you would have to create additional acls and class maps using the acls would be if you did not want all of the traffic monitored inline by the SSM.
    If you want different traffic monitored promiscuous and other inline (or not monitored), then you need to include additional classes in your policy-map so that a different ips configuration line can be added for each class.

  • Correlating Cisco ASA-SSM-IPS Events/Logs

    I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this device is the ability to monitor, analyse, and correlate security events. Can anybody help with documentation to simplify daily (or periodic) analysis and correlation of the IPS Logs? As I am not yet up to speed with this task, a "How-to" document would be just fine. Thank you.

    Hi Chris,
    Good to have you get on the case. I am yet to set up an IPS manager software. Presently, I use an ASDM 6 interface; with this interface, I am able to view events and alerts, and perform other administrative chores... The IPS Manager Express, does it come bundled with our device purchase? Does it contain necessary templates/docs for correlating events/Logs?

  • FiOS IPS server suspected of blocking emails from Constant Contact

    My homeowners association cannot get emails through to me at {edited for privacy}, but they do get emails through to my wife at {edited for privacy}. These emails are administered by Constant Contact, who suspect the FiOS servers of blocking emails to me. They suggest that I send you the following information:
    To: Verizon ISP Customer Support
    Subject: Remove Constant Contact Block
    Hello. My name is {edited for privacy} and I understand that you employ filters and/or blacklists to protect customers like myself from unsolicited email; however, this might have made it impossible for me to receive certain information that I have solicited. I value these communications and would like to receive them using my AOL email address.
    The sender of these emails uses an email marketing service called Constant Contact. Constant Contact is not an open relay and has strict anti-spam policies in place. Possibly because your filters block emails from Constant Contact I am unable to receive these communications.
    I ask that you please help me determine why these emails are being blocked. For further information about Constant Contact or to request more information from them such as log files, the Operations team can be reached at - {edited for privacy}.
    Mail from Constant Contact can be found by the following characteristics for whitelisting:
    "Envelope from:" domains:
    @in.constantcontact.com
    @in.confirmedcc.com
    Sending IPs:
    All mail from Constant Contact is sent from:
    IP Range: 208.75.123.0 - 208.75.123.255
    Please contact me when this problem has been resolved at {edited for privacy}.
    Sincerely, {edited for privacy}

    Hello tomfulks,
    This community is meant mainly for peer-to-peer support. If you need to provide information to a Verizon representative, you should contact customer service directly.

  • Unwanted block on menu template

    I dragged the Grid menu template into my project. It has boxes for the dvd title, for play, and for scenes. But there is also an extra block that seems to have no purpose. I can select it but cannot delete it. Is this just a buggy template or is there some way to get rid of this extra block?

    Welcome to the forum.
    The elements that you are seeing might well be extra Buttons, that may, or may not come into play, when you do the authoring. That will depend on the Markers that you have set. Do you see this initially, or do you see blank Buttons, when you Preview?
    As a bit of background, PrE uses a Menu Set, which is a pair of PSD (Photoshop's native Layered format) files, one for the Main Menu and one for Scene Selection Menu(s). Each has pre-made Buttons on them, and they cover most possibilities. Unused Buttons are deleted automatically, when one goes to actually author the Project. An example of this is the Previous and Next Buttons on the Scene Selection Menus. If one has enough Chapter Markers to need three Scene Selection Menus, the first one will not have a Previous Button, and only a Main Menu Button, as there is no "previous" Scene Selection Menu to navigate to. The second will have both a Previous and a Next Button. The last will only have the Previous Button, as there is no Next Scene Selection Menu to navigate to. This is done for you by PrE. That is why I am asking where you are seeing these elements.
    Can you do a screen-cap, pointing to the elements in question? I only have PrE 4, and no Grid Menu Set. I do not know if PrE 7 had that Menu, or not, and it might be just available in PrE 8, which not everyone has. Point to the elements, so we can see what you are referring to.
    Thanks and good luck,
    Hunt

  • New to IPS SSM 10

    Can I know the link where I can get the guide on how to work on IPS SSM 10 (Cisco IDM 6.0)?

    Configuring the AIP-SSM, IPS CLI Config Guide v6.0
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliSSM.html
    Troubleshooting the ASA AIP-SSM
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00808908d5.shtml
    Sending traffic from ASA to AIP-SSM config example
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
    Deploying IPS using the AIP-SSM
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/white_paper_c11-459025_ps6120_Products_White_Paper.html
    Getting started guide ASA v8.0 configuring the AIP-SSM
    http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
    initialize the AIP-SSM
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliInit.html#wp1043876
    installing the AIP-SSM system image
    http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliImage.html#wp1032373

  • Trend micro and IPS

    Hello,
    I want to buy an ASA5510 + SSM for my lan.
    The goal is :
    - Make URL filtering/blocking within work hours
    - Deny some application like IM, P2P, web radio, during work hours.
    Trend Micro is good for the first thing: URL filtering by categories.
    But it is not good for blocking IM, ... (it only checks port 80 HTTP).
    So, is it possible on an ASA to have Trend Micro and IPs working on the same appliance ?
    If no, what is the solution?
    Thx

    Hi.
    you can only install one module into the ASA. so yes, you can't have both the CSC and the SSM module in the same asa 5510.
    however the ASA does support url filtering via Websense or Secure Computing SmartFilter (formerly N2H2) . so if you have a any of those servers, you can configure the ASA to do the url filtering, and install the ssm ips module into the ASA to do the IM blocking.
    more info on asa web traffic filtering:
    http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_filter.html#wp1069318
    Regards,
    Fadi.
    if this answers your question please mark the thread as resolved.

  • Configuring AIP SSM to monitor only

    Hi all,
    We purchased an AIP-SSM-20 for our ASA5520. Is there a way to enable IPS functionality, but not block anything, i.e. just log events? This is just to see if any legitimate company traffic will be blocked.
    Thanks!
    Jacques

    Configure the ASA to send traffic to the IPS in promiscuous mode using the following command in a policy-map:
    hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
    http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
    George

  • How to change the default service port number to be checked for the IPS sig

    Dear
    I have an AIP-SSM (IPS) installed in an ASA firewall.
    I have configured an access-list in the firewall to forward the traffic coming from the internet toward the internal server to be checked by the IPS module.
    But the case is that the services that have to be checked are not on the default service port numbers.
    http port is 8081
    oracle port is 2006
    and many other services.
    The question now is how to change the default service port number in the IPS so that these services are checked by the corresponding service signatures?
    Thanks

    You would set those as part of the signature variables.
    http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_signature_definitions.html#wp1040009

  • HP C309 blocked by McAfee HIPS

    We have encountered an issue for users with HP C309 series printers and McAfee HIPS.  One of the critical network IPS signatures is to block UDP Port Scans and then blocks access to the device for 10 minutes.  The problem is this printer is doing UDP port scans roughly every 13 minutes and is being blocked.  Can UDP scanning be disabled on the printer?

    Hello there,
    I was going to suggest blocking a certain UDP number but I want you to refer to this...
    https://community.mcafee.com/thread/5083
    Of all the research I've done most state that they just disable McAfee in order to print and in your case I don't think this is an option. Hopefully this helps if not we'll just keep looking for a solution.

  • SSM MODULES and Mars events and local?

    Is it possible to set up an AIP-SSM Module to log event alerts to its local cache as well as the MARS Appliance? I say this because I ran some tests for alerts and never see them on the IPS module itself, but I do see them on the MARS Appliance correctly! I don't know what setting would need to be changed to make sure that the event alerts are logged to the local IPS itself. Or is this even possible?
    does anyone know how to make it log locally and to the MARS Appliance?
    Thanks,

    Make sure Bypass mode is not enabled on the IPS Module. Another workaround for this issue is to reload the Advanced Inspection and Prevention Security Services Module (AIP-SSM) IPS module with the hw-module module 1 reload command, and tune any noisy signatures in order to lighten the sensor load.

  • ASA SSM-20 is not working as expected

    Dear Forum,
    We have an ASA 5510 with an IPS Module SSM20. When I scan the ASA with NMAP from the outside interface I can detect the OS of the servers in the DMZ.
    When I allow the IP address of my testing machine on the outside interface the IPS is logging some TCP SYN PORT SWEEPS but not the NMAP Fingerprint Event.
    Thanks for your advice
    Alex

    It is my understanding that the IPS modules analyze packets permitted to traverse through the host ASA. If your ASA ACL only allows TCP 80 and 443, then it might not look like a sweep to the IPS module's rule. The SSM IPS does not see that which is stopped by the ASA.
    Now, if you built a server, placed it in a new/separate (no access from outside) DMZ and permitted an inside host ip any any and then ran a sweep, see if it fires then.

  • Cisco IPS Manager 7.0.2

    Hi,
    I installed Cisco IPS Manager and it can see the AIP-SSM ips. But I do not see any real time logs and cannot create any report. What can cause this problem ?
    Thanks

    It could be a lot of things, I would do the following:
    > To start off, verify if any events are coming in on the AIP-SSM itself (via GUI or console)
    > Is the 'Events Connection' showing as connected on the IME summary window?
    > Goto Events >> Historical >> Last x duration and see if any events came from the AIP-SSM
    > Double click the AIP-SSM (or right click and update the status) to get the latest certificate
    > Restart the IME service
    Regards
    Farrukh
