Which IDS/IPS module for 10 GB WAN/LAN

I have a question about a present scenario in a network where the WAN connectivity is 4 GB and the LAN network is 10 GB. The firewall for the WAN is a Cisco 5580-20 with a 10 GB Ethernet interface, and on the LAN a 6500 series switch with a 10 GB Ethernet module. The issue is how to implement IPS in this network, because the Cisco 5580 series firewall doesn't support any IPS module, and even though the 6500 series switch supports the IDSM-2 module, that is only for a 2 GB Ethernet module. So what can be the solution for such a network?

On a machine that can do a 10Gb firewall rate, it is well advisable to have your IDS/IPS be a separate box. IDS/IPS "costs" a lot of CPU power. It gets more expensive when you are talking about pushing beyond 1Gb. This is why you'll find several forums stating that if you have a firewall with 10Gb speed, a separate IDS/IPS is the way to go. Otherwise, a firewall with IDS/IPS will not necessarily push 10Gb all together.

Similar Messages

  • Which Monitoring Tool is best to monitor LAN and WAN

    Hi,
    CAN ANYONE TELL ME Which Monitoring Tool is best to monitor LAN and WAN.
    Waiting for immediate response.
    Thanks
    Irshad

    To start with HP open, this is SNMP-based as well. As it has been around for quite a while and delivers support for many vendors, it has become sort of an industry standard. Many other vendors deliver add-ons (even CiscoWorks) to support their products via HP open. That functionality however comes with a price. If you have plenty of money and a large network to manage, HP open might be your best choice.
    Cisco Works and other -start-with-C- products are typically used to manage Cisco devices. If you have a fair share of non-cisco boxes around you will find that you cannot see or do everything with them that you might want.
    One special thing about CiscoWorks is that it lacks a graphical real-time overview of the network. In my opinion this is a weakness in the product. On the other hand, it has many nice features to manage all kinds of Cisco devices.
    My ideal solution is to use both a generic SNMP manager, SNMPc in my case, and CiscoWorks 2000. With SNMPc I can quickly see network node status and do some bandwidth management (baselining). CW2k serves mainly to execute changes (NetConfig) and as a syslogger. It is also used to perform IOS upgrades and to store config files.
    I guess this could be done with HP open as well, but our money does not reach far enough to pay for both. SNMPc costs a lot less, both in purchase and in maintenance.
    Hope this clarifies things a bit.
    Regards,
    Leo

  • Generic function module for delta - which FM ?

    Hi all,
    I want to create a custom generic datasource in R3 which uses a function module for delta extraction. This is straight forward for full extract (copy FM RSAX_BIW_GET_DATA_SIMPLE - I already did this and have a full extraction working to BW). However I need to extract delta - and the above function module does not have example code for that (I have seen some forum posts that it 'can' be used - but this looks like a pseudo get around where the delta field name is passed in I_T_SELECT).
    FM RSVD_BW_GET_DELTA_DATA seems to be an example code of a FM which can allow delta (i.e. manually codes how to fill date/time stamp information). However when I code this and try to test in RSA3 it seems to try to populate the delta selection field before calling my function module! I need it to call my function and allow the function to specify the date criteria.
    Can anyone help with an example of how this should best be done?
    Or can it only be done in a pseudo form using 'RSAX_BIW_GET_DATA_SIMPLE' example FM.
    Note: I have setup the RSO2 datasource to allow delta.
    Also - I have spent several hours searching the forum - but please answer with a link if you think it does answer exactly this problem.
    Thanks for any help
    Martin

    Hi again,
    Have had a few requests for the code I used - I created a new custom function copied from 'RSAX_BIW_GET_DATA_SIMPLE'. AEDAT has been set as the delta date for this data source in transaction RSO2.
    Main sample code is -
    1. Code to receive selection criteria and store in internal ranges -
    FUNCTION zbw_sodetail_get_detail.
    *"Global interface:
    *"   IMPORTING
    *"       VALUE(I_REQUNR) TYPE  SRSC_S_IF_SIMPLE-REQUNR
    *"       VALUE(I_DSOURCE) TYPE  SRSC_S_IF_SIMPLE-DSOURCE
    *"       VALUE(I_MAXSIZE) TYPE  SRSC_S_IF_SIMPLE-MAXSIZE
    *"       VALUE(I_INITFLAG) TYPE  SRSC_S_IF_SIMPLE-INITFLAG
    *"       VALUE(I_READ_ONLY) TYPE  SRSC_S_IF_SIMPLE-READONLY
    *"   TABLES
    *"       I_T_SELECT TYPE  SRSC_S_IF_SIMPLE-T_SELECT OPTIONAL
    *"       I_T_FIELDS TYPE  SRSC_S_IF_SIMPLE-T_FIELDS OPTIONAL
    *"       E_T_DATA STRUCTURE  ZBW_SODETAIL OPTIONAL
    *--- Sales order item create date: copy the ERDAT selections into range R_ERDAT
       LOOP AT i_t_select INTO l_s_select WHERE fieldnm = 'ERDAT'.
          MOVE-CORRESPONDING l_s_select TO r_erdat.
          APPEND r_erdat.
       ENDLOOP.
    *--- Sales order item change date - DELTA only - auto filled before
    *--- this function is called (from table ROOSGENDLM):
    *---   C (Initialise Delta) - Low = blank, High = today - safety limit
    *---   D (Delta)            - Low = , High =   .
       LOOP AT i_t_select INTO l_s_select WHERE fieldnm = 'AEDAT'.
          MOVE-CORRESPONDING l_s_select TO r_aedat.
          APPEND r_aedat.
       ENDLOOP.
    2. Code to use selection criteria to get initial or delta. Note that for delta the delta date field to be used is automatically populated with the date of the last delta run (from table roosgendlm) -
       SELECT VBAK~KNUMV
              VBAP~VBELN VBAP~POSNR VBAP~MATNR VBAP~ARKTX VBAP~SPART
              VBAP~WERKS VBAP~ERDAT VBAP~AEDAT VBAP~NETWR VBAP~WAERK
              VBAP~ABGRU VBAP~ZPROMISE VBAP~CUOBJ
              VBEP~EDATU
         INTO CORRESPONDING FIELDS OF TABLE zbw_sodetail_itab
         FROM VBAK JOIN VBAP ON VBAK~VBELN = VBAP~VBELN
                   JOIN VBEP ON VBAP~VBELN = VBEP~VBELN
                            AND VBAP~POSNR = VBEP~POSNR
        WHERE VBAP~VBELN IN r_vbeln          "Order number
          AND VBAP~POSNR IN r_posnr          "Order item number
          AND VBAP~ERDAT IN r_erdat          "Order item date created
          AND ( VBAP~ERDAT IN r_aedat OR     "Created date in delta range
                VBAP~AEDAT IN r_aedat OR     "Order item change in delta range
                VBAK~AEDAT IN r_aedat ).     "Order header change in delta range
    Note that if the data source is called in initial or full extract mode the delta change date (aedat) will automatically be blank.
    I have been using this successfully.
    I hope this helps
    Martin.

  • Cisco CSM - Has anyone deployed it in their environment for IDS/IPS devices

    We are an MSP and are evaluating Cisco CSM to manage about 50 IDS/IPS devices. Each of these devices has their own customer signature policy.
    Does anyone use it in their production environments? Do you find it useful?
    Regarding policy management for devices that already have a signature policy, I know you can discover the policy, what we want to do is take the current discovered policy, modify it if we need to and then re-deploy it to the device. I'm finding that this is all read only once the policy is discovered.
    Is there a way to modify the signature, for example, adding a logging parameter and then re-deploy?
    Just curious if others had similar experiences with CSM.
    Thanks!

    haxworthy,
    I currently use CSM to manage a variety of IPS devices (IOS IPS, 42xx Sensors, 65xx-series blades). The policies vary on some devices. CSM works wonderfully. CSM discovers the various policies on the device on an individual basis. Policies can then be edited on a per-sensor basis or on a group level. It has worked wonderfully in our environment. A nice upgrade from the old IPSMC. Let me know if you have any other questions.
    -Mike
    http://cs-mars.blogspot.com

  • HA for Cisco IDS/IPS 42xx appliances

    Can anyone refer me to documentation on the Cisco site that talks about high-availability options and configuration examples for Cisco IDS/IPS 42xx appliances? Thank you in advance.

    I am also interested in understanding the high availability options.
    I found the following in the IPS V5 datasheet:
    Auto and manual sensor bypass configuration - High availability can be achieved through numerous mechanisms for Cisco IPS sensors. Resiliency and redundancy can be delivered through unique network collaboration, for example, Hot Standby Router Protocol (HSRP) configuration and Cisco EtherChannel® load balancing on Cisco Catalyst switches to divert traffic to a secondary IPS device upon the failure of a primary device.
    I would like to have more info about how to divert traffic to a secondary IPS device; info about HSRP and EtherChannel load balancing as it relates to IPS. Is this HA option only available in bypass mode? Thanks.

  • Which bluetooth module for iMac 17" 1.8Ghz

    I am trying to decide between two bluetooth modules for a 17" 1.8Ghz iMac. So far I have found part number 922-6201 and 922-6530. They look similar but I have been unable to find any explicit documentation that mentions the correct part.
    Can anyone help me out?
    JT
    Also feel free to reach me on ichat: jasontm1

    According to the information here those part numbers are interchangeable and are really the same card.
    It is really odd that on that page it states:
    Description
    Add BlueTooth to your iMac G5 17" & 20" Mac with this Apple part.
    But then does not include any iMac G5 in the compatibility information:
    Compatibility
    Power Mac G5, eMac (USB 2.0), iMac (17-inch Flat Panel, 1GHz), iMac (USB 2.0), Power Mac G4 (FW 800), Power Mac G5 (June 2004), Power Mac G5 (June 2004), Power Mac G5 (Late 2004), Mac mini**.

  • Can't get SNMP data from ASA's AIP 10 IPS module

    Hi,
    I have just had the AIP 10 IPS module installed onto my ASA 5520. I have now setup the SNMP and my SNMP server (solarwinds) can detect the CPU, Memory and sensors to monitor.
    The problem I have is the SNMP server is getting data from the sensors but not data from the CPU or memory MIBs; is something denying this from the IPS?

    The following are some IDS mibs, Cisco forgot to link them on the MIBs page located at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
    ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-ENHANCED-MEMPOOL-MIB.my
    ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-PROCESS-MIB.my
    ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-CIDS-MIB.my
    ftp://ftp-sj.cisco.com/pub/mibs/oid/CISCO-CIDS-MIB.oid
    ftp://ftp-sj.cisco.com/pub/mibs/oid/CISCO-ENHANCED-MEMPOOL-MIB.oid
    Here is the formula we are using to get the memory utilization percentage (in BMC Dashboard):
    average ( select 1.3.6.1.4.1.9.9.221.1.1.1.1.8 ) / ( average ( select 1.3.6.1.4.1.9.9.221.1.1.1.1.8 ) + average ( select 1.3.6.1.4.1.9.9.221.1.1.1.1.7 ) ) * 100
    Which translates to:
    average ( select cempmempoolfree ) / ( average ( select cempmempoolfree ) + average ( select cempmempoolused ) ) * 100
    I'm unable to find the formula for the CPU, but try loading the PROCESS mib for that.
    average ( select 1.3.6.1.4.1.9.9.109.1.1.1.1.5 )
    Please rate if helpful.
    Regards
    Farrukh
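As an added example (not from the post above), the following Python evaluates the post's memory-pool expression against snmpwalk-style samples of cempMemPoolUsed (.1.3.6.1.4.1.9.9.221.1.1.1.1.7) and cempMemPoolFree (.1.3.6.1.4.1.9.9.221.1.1.1.1.8), per pool index, and also averages the CISCO-PROCESS-MIB CPU OID the post mentions; the walk output is constructed, and the pool/CPU instance indexes are assumptions.

```python
"""Evaluate the cempMemPool formula from the post on sampled SNMP values.

Added example, not from the original thread. The walk text below is a
constructed sample in the usual snmpwalk "OID = TYPE: value" shape; the
instance indexes (entPhysicalIndex.poolIndex) are assumptions.
"""
import re
from statistics import mean

CEMP_USED = "1.3.6.1.4.1.9.9.221.1.1.1.1.7"      # cempMemPoolUsed (bytes)
CEMP_FREE = "1.3.6.1.4.1.9.9.221.1.1.1.1.8"      # cempMemPoolFree (bytes)
CPM_CPU_5MIN = "1.3.6.1.4.1.9.9.109.1.1.1.1.5"   # cpmCPUTotal5min (percent)

# Constructed sample: two polls of pool 1.1, one poll of pool 1.2, one CPU row.
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.221.1.1.1.1.7.1.1 = Gauge32: 1610612736
.1.3.6.1.4.1.9.9.221.1.1.1.1.8.1.1 = Gauge32: 536870912
.1.3.6.1.4.1.9.9.221.1.1.1.1.7.1.1 = Gauge32: 1879048192
.1.3.6.1.4.1.9.9.221.1.1.1.1.8.1.1 = Gauge32: 268435456
.1.3.6.1.4.1.9.9.221.1.1.1.1.7.1.2 = Gauge32: 4194304
.1.3.6.1.4.1.9.9.221.1.1.1.1.8.1.2 = Gauge32: 12582912
.1.3.6.1.4.1.9.9.109.1.1.1.1.5.1 = Gauge32: 37
"""

LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*\w+:\s*(?P<val>\d+)\s*$")
TRACKED = (CEMP_USED, CEMP_FREE, CPM_CPU_5MIN)


def parse_walk(text):
    """Return {base_oid: {instance: [values...]}} for the tracked OIDs."""
    samples = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not "OID = TYPE: integer"
        oid, val = m.group("oid"), int(m.group("val"))
        for base in TRACKED:
            if oid.startswith(base + "."):
                inst = oid[len(base) + 1:]
                samples.setdefault(base, {}).setdefault(inst, []).append(val)
    return samples


def memory_percentages(samples):
    """Per pool: (free %, used %) using average(free)/(average(free)+average(used)).

    The first value is exactly the post's expression, i.e. the FREE share of
    the pool; the second is its complement, the used share. None is returned
    for a pool that lacks a used or free counter, or whose total is zero.
    """
    used_by_pool = samples.get(CEMP_USED, {})
    free_by_pool = samples.get(CEMP_FREE, {})
    result = {}
    for pool in sorted(set(used_by_pool) | set(free_by_pool)):
        if pool not in used_by_pool or pool not in free_by_pool:
            result[pool] = None
            continue
        used, free = mean(used_by_pool[pool]), mean(free_by_pool[pool])
        total = used + free
        if total == 0:
            result[pool] = None
            continue
        result[pool] = (round(free / total * 100, 2), round(used / total * 100, 2))
    return result


def cpu_5min_average(samples):
    """Average of all cpmCPUTotal5min rows, or None if the OID was not polled."""
    rows = samples.get(CPM_CPU_5MIN, {})
    if not rows:
        return None
    return mean(v for values in rows.values() for v in values)


if __name__ == "__main__":
    walk = parse_walk(SAMPLE_WALK)
    for pool, pct in memory_percentages(walk).items():
        print(pool, pct)
    print("cpu 5min:", cpu_5min_average(walk))
```

Note that the expression as written in the post yields the free share of the pool; the second tuple element is the used share, which is what a utilization graph normally plots.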

  • WLC 4400 and IDS/IPS

    One of my clients is keen to know the IDS/IPS capabilities with WLC 4400. Any hints? Also can anyone explain IDS sensor to me? Thank you.

    There are a number of IDS capabilities that are highlighted regarding the WLC. Unfortunately, you will find that the product continues to suffer from ongoing false positives and a severe lack of documentation (and support) for the IDS.
    For example, if you utilize containment against a rogue AP (which is used to prevent users from attaching to the rogue), the system detects its own containment messages as a denial of service attack. The system is not intelligent enough to know that it is the source of these messages and ignore them.
    Initially, Cisco flagged these false positives as "cosmetic" and claimed that to fix them required a "feature request that must be run through the Cisco sales team", which we did in the spring of 07. Cisco has been VERY slow in coming around on getting these fixed (it has been well over a year since these have been documented and they are still not resolved in the current version of 4.2).
    The Wireless IDS system is also famous for other false alarms which Cisco TAC has linked to alarming on normal behavior when a client goes out of range and a string of deauthentication messages is sent to make sure that the conversation has ended. The WLC 4.2 continues to flag these as false-positive denial-of-service attacks even though the IDS parameters could be adjusted (from the factory) to account for the known 64 repeated deauths that are sent.
    The IDS file is capable of "tuning" but the parameters are very lightly documented. In fact, the IDS parameter file itself had the least sparse version of documentation and it is a text file only 200-lines long.
    In terms of determining if a rogue AP is on-wire, this functionality does not work reliably (not just if there is no path on the wired network to the controller, which is understandable) but even if the rogue AP is on the same subnet as the controller. It just plain does not work.
    If you are attempting to determine if there are clients on the rogue AP, this mechanism works with limited success since the AP has to catch the client attaching during its brief scan interval. This results in misleading information.
    There are other false alarms that appear to be related to a specific chipset (using the OUI / first octet of the MAC address). However, there has been very little movement on Cisco's part in getting resolution to getting these anomalies addressed. The basic attitude has been "if we didn't see it in our lab in San Jose when we wrote the code, there's nothing we can do". Since the IDS lacks any ability to "phone home" (sending the alarms it is seeing to the development team) they end up having to develop in a relatively limited environment.
    For more information, please reference the following:
    Wireless LAN Controller IDS Signature Parameters
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
    I would send you the link to some of the bugs, such as CSCsj06015, CSCsh35010, CSCsk60655, etc. but the Cisco bug tool (http://tools.cisco.com/Support/BugToolKit/) is currently not working (no doubt the system is getting overworked). Maybe the site will be up when you read this.
    In the interest of fairness, there have been efforts over the past year by Cisco to address these false alarms and a number of them appear to finally be resolved.
    Bottom line: In my opinion, the wireless IDS is still not ready for prime time. To quote my customer, "I just can't trust it". Unless you set your customer's expectations fairly low, you will both end up disappointed.
    That said, the product itself still has many compelling reasons to implement it including ease of installation and management. If you are willing to wade through the various bugs in the IDS and WCS it still is the best game in town.
    - John

  • Function module for reading service line items of a po

    Function module for reading service line items of a PO. I want to read data from eslh and esll tables to get the service line details.
    My requirement is if the item category is 9 I need to print the service line items. So I want to read the data of service line items from a function module. I am not able to find an FM which fetches both eslh and esll data...

    Hi oskchaitanya ,
    use bapi BAPI_PO_GETDETAIL1.
    Regards
    REA

  • Filtering IPs on a IDS/IPS signature

    Forgive me, I am pretty green when it comes to manipulating IDS/IPS signatures.
    Is there a way to filter an IP or subnet from an IDS/IPS signature?
    Scenario:
    We have 2 ASAs with IPS modules and 2 4260 IDSs; we use IPS Manager Express 6.1 to manage them. I keep getting a mail server that is triggering signature 5748-x because it's sending a HELO verb instead of a NOOP. This is fine for this particular mail server. So I would like to remove its IP or filter its IP from the signature so when this happens the signature doesn't fire. However I don't want to disable the signature in case it happens somewhere else.
    any help is greatly appreciated.
    e-

    It's not really too bad. I would encourage you to read still though;-)
    Each signature can be configured with any number of actions. By default, a lot of them have the "produce alert" action.
    Event action filters are basically a way to suppress all or some actions based on various criteria, like sigid and source (attacker) IP address. I've attached an example.

  • ASA SSM IPS module upgrade won't work

    Hello all,
    I'm trying to upgrade the IPS sigs on an ASA5520 with an SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device, with no luck.
    I followed these steps provided by Cisco.com:
    1. Log in to the ASA.
    2. Enter enable mode:
    asa# enable
    3. Configure the recovery settings for ASA-SSM:
    asa (enable)# hw-module module 1 recover configure
    NOTE: If you make an error in the recovery configuration, use the
    hw-module module 1 recover stop command to stop the system reimaging
    and then you can correct the configuration.
    4. Specify the TFTP URL for the system image:
    Image URL [tftp://0.0.0.0/]:
    Example:
    Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
    5. Specify the command and control interface of ASA-SSM:
    Port IP Address [0.0.0.0]:
    Example:
    Port IP Address [0.0.0.0]: 11.21.31.41
    6. Leave the VLAN ID at 0.
    VLAN ID [0]:
    7. Specify the default gateway of the ASA-SSM:
    Gateway IP Address [0.0.0.0]:
    Example:
    Gateway IP Address [0.0.0.0]: 11.22.33.44
    8. Execute the recovery:
    asa# hw-module module 1 recover boot
    9. Periodically check the recovery until it is complete.
    NOTE: The status reads "Recovery" during recovery and reads "Up" when
    reimaging is complete.
    After #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
    I opened a Cisco TAC on this and am not receiving a lot of help...
    Please help!!!:)
    Thanks
    Chris Serafin

    The recovery using this method can take upwards of 30 minutes, and in some cases even longer.
    How long have you left the SSM in the "recovery" state?
    There may be something wrong in the config you entered. When that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
    Execute "debug module-boot" on the console of the ASA.
    The debug output will show you the ROMMON output of the SSM itself. (The SSM has its own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON.)
    If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
    Some typical problems I have seen:
    1) Wrong IP given for the sensor.
    2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
    3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the external port of the SSM is plugged into the right network for that IP.
    4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
    5) The file name is wrong. Check the capitalization especially.
    6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
    tftp://10.20.30.40/subdirectoryname/filename
    7) The tftp is timing out.
    There are 2 things that can cause this:
    a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
    b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
    If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
    It will stop the reboot cycle from happening.
    Let the module come up with the old image.
    Then correct your "recover configure" settings, and try the "recover boot" again.
    Another alternative:
    Stop the recovery "recover stop"
    Let it boot into the old image.
    If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
    The "recover" from the ASA will wipe the box clean and load a fresh image.
    The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
    5.1 upgrade file:
    IPS-K9-min-5.1-1g.pkg
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
    The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
    For normal upgrades you want to use "upgrade" files done through the sensor itself (CLI, IDM, or CSM).

  • Reg. 6509 IPS Module upgrade

    Hi
    I need to upgrade the Cisco Intrusion Prevention System, Version 6.0(2)E1, which is a part of a 6509 Bundle (Platform: WS-SVC-IDSM2-BUN). There are 2 bundles of 6509 in active-standby.
    a) Is the upgrade procedure of the 6509 Bundle from E1 to E3 different from the normal upgrade procedure, or is it the same as for other IPS? As the IPS module is without a license, can I upgrade it to 6.1(1)E3 or 6.2(1)E3?
    b) What is the packet flow for the 6509 Bundle? I am not aware of who will forward the packet to the IPS module in this case (in an ASA, the firewall will forward the packet to the IPS module).
    d) There are 2 Ethernet interfaces applied to the backplane interface respectively. If I want to put the module in inline mode, how will I accomplish this?

    IPS should be fine ASA5510 which supports VPN. Make sure you do the licensing part properly.

  • Which Airport Admin utility for White Base Station

    I would like to know which version I need for a Windows XP machine and where I can get this version.
    I've spent the last hour online trying to find out and am losing the will to live....
    I have an old white base station simply called Airport Base Station (there are 4 sockets on the back of it 1. Phone line 2. WAN ethernet 3. LAN ethernet 4. power supply)
    I want to configure it using my Windows machine as my old MAC has died.
    Hope someone can help.
    Thanks
    Geoff

    Geoff, welcome to the discussions area.
    A model number of the AirPort Extreme would really help us help you here and minimize the chances of providing the wrong information to you.
    It's usually on the back or on the bottom of the device. Something like A1034 maybe?
    If you can't find the model number, you could take a chance with AirPort Utility 7.4.2 for Windows. No guarantees here, I'm afraid, but it won't take long to try.
    Both the Windows Firewall and/or anti-virus software on a PC may try to block the connection from AirPort Utility to your device, so you may need to go into the applications to "allow" the connection or temporarily disable the applications until you can configure the AirPort Extreme.

  • ASA5505, SYN attack, ISP and IPS module

    Our 5505 is currently being hit by a SYN attack from surprise, surprise, China.  The attack easily brings down the 5505 by hitting the 10,000 connection limit of the box.  I am currently using the shun command to try to mitigate the problem but it is not much help.  It converts the 10,000 connections into 12-15k dropped packets per second which doesn't crash the box but pretty much makes it unusable. 
    I have seen some examples on using service policies to set connection and embryonic limits but I don't think they will work for me because the attacks come from several IPs and use several different ports.  The attacks don't seem to be pinpointing any particular server or service.  Seems like just basic DoS of our service.  Besides, the feedback from people who have tried this doesn't seem too convincing.
    So I have two questions:
    1) My ISP is unwilling and/or unable to do anything.  They suggest I email the abuse mailbox from the offending ISP.  Just for grins, I did send an email and it promptly came back marked "mailbox full" which is quite funny I thought.
    2) Will adding the IPS module help here?  I am hoping that the processing of the dropped packets would move to the module and leave the main processor of the ASA free to do its usual NAT and firewall functions.
    Any and all advice is welcome.
    Thanks,
    Diego

    Hi Diego,
    As Julio mentioned, info has to be there. Do you have the 'show xlate' when the issue was seen? In such cases, along with xlate table, you can check connection for hosts making unusual number of connections (show connection count/show connection all). Here are few useful commands in such scenarios:
    show local-host connection udp 100-10000          << Gives host with total UDP connections b/w 100-1000
    show local-host connection tcp 100-10000          << Same info for hosts making TCP connections
    show local-host connection embryonic 100-10000    << hosts with 100-1000 embryonic connections
    Change the range as per need.
    Sourav
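As an added example (not from the thread above), the following Python applies the same range filters as the 'show local-host connection udp|tcp|embryonic <low>-<high>' commands to parsed 'show local-host' output, and flags hosts whose connections are mostly embryonic (half-open), which is the pattern a SYN flood against an inside host leaves; the sample output is constructed and only approximates the ASA's real format.

```python
"""Spot hosts with unusual connection counts from 'show local-host' text.

Added example, not from the original thread. SAMPLE_SHOW_LOCAL_HOST is a
constructed approximation of ASA 'show local-host' output; the counter
labels it uses are assumptions, adjust the regexes to your platform's text.
"""
import re

SAMPLE_SHOW_LOCAL_HOST = """\
local host: <192.0.2.10>,
    TCP flow count/limit = 12/unlimited
    TCP embryonic count to host = 2
    TCP intercept watermark = unlimited
    UDP flow count/limit = 3/unlimited
local host: <192.0.2.25>,
    TCP flow count/limit = 4812/unlimited
    TCP embryonic count to host = 4790
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
local host: <198.51.100.7>,
    TCP flow count/limit = 150/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 2300/unlimited
"""

HOST_RE = re.compile(r"^local host:\s*<([^>]+)>")
COUNTERS = {
    "tcp": re.compile(r"TCP flow count/limit\s*=\s*(\d+)/"),
    "udp": re.compile(r"UDP flow count/limit\s*=\s*(\d+)/"),
    "embryonic": re.compile(r"TCP embryonic count to host\s*=\s*(\d+)"),
}


def parse_local_hosts(text):
    """Return {host_ip: {"tcp": n, "udp": n, "embryonic": n}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            current = m.group(1)
            hosts[current] = {"tcp": 0, "udp": 0, "embryonic": 0}
            continue
        if current is None:
            continue  # text before the first host block
        for name, rx in COUNTERS.items():
            c = rx.search(line)
            if c:
                hosts[current][name] = int(c.group(1))
    return hosts


def connection_filter(hosts, proto, low, high):
    """Hosts whose <proto> counter is within [low, high], like
    'show local-host connection <proto> low-high'."""
    if proto not in COUNTERS:
        raise ValueError("proto must be one of tcp, udp, embryonic")
    return sorted(ip for ip, c in hosts.items() if low <= c[proto] <= high)


def syn_flood_suspects(hosts, min_embryonic=100, min_ratio=0.9):
    """Hosts with many embryonic connections that make up most of their TCP
    connections; returns (ip, embryonic, tcp) tuples, worst first."""
    found = []
    for ip, c in hosts.items():
        if c["tcp"] == 0 or c["embryonic"] < min_embryonic:
            continue
        if c["embryonic"] / c["tcp"] >= min_ratio:
            found.append((ip, c["embryonic"], c["tcp"]))
    return sorted(found, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    table = parse_local_hosts(SAMPLE_SHOW_LOCAL_HOST)
    for proto in ("udp", "tcp", "embryonic"):
        print(proto, "100-10000:", connection_filter(table, proto, 100, 10000))
    print("half-open suspects:", syn_flood_suspects(table))
```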

  • IDS/IPS 4250, two sensors, connection status Paused

    Hi,
    I have VMS 2.3 and SecMon 2.2 and two IDSs in there. I have noticed that the connection status for the sensors has changed from "Connected TLS" to "Paused". I have gone through the database truncation process and all file sizes are good but still having issues.
    I deleted the sensors from the SecMon and added only one sensor, the connection status changed back to connected but it was set to paused in one hour time after adding the one sensor.
    I can login to the sensor, I can ping the VMS server from the IDS command prompt and the IDS from the VMS DOS prompt. I have done everything possible to change this condition but none has so far worked.
    any thoughts???
    Thx,
    Masood

    Connection states for RDEP devices are written into a table in the database by the receiver collector object. This means that if the receiver thread hangs or is not currently running, whatever state was last written to the table will be displayed.
    "Paused" means that the collector for this device is waiting for the system to clear a large backload of data that is waiting to be inserted into the database. This can occur if the rate of flow of events temporarily overwhelms the receiver and usually indicates that the database has grown too large (more than 2 million IDS or Syslog events) or the system is very busy (servicing event viewer, generating reports, pruning, etc.). It usually takes several minutes (fifteen or more) for the system to recover to the point where it can begin collecting events again.
    What sounds like happened here was that the sensors were offline, or at least were not getting events from the MC for a period. Then when you reconnected it the events began to be processed by the receiver process which in turn caused the 'paused' state. As I mentioned above, once it catches up with event processing you should be ok. Of course you'll want to ensure that you regularly prune your IDSMC/SecMon database to prevent this from happening again.
    You may also want to look at how much you're logging. You may still need to tune your signatures down as well, and you should not have every signature enabled.
    You should also look to upgrade your IDS/IPS software (you didn't mention what version you're on) to the latest service pack (4.1.5 for 4.x and 5.0.5 for 5.0.x)
    Thanks,
    Jeff
