Why my IPS - aip-ssm send requests to 80.53.146.82 port 80

Similar Messages

• CSM to update IPS AIP -SSM

  Hi all,
  I need some help. I am configuring my CSM 3.1 to apply update on my IPS AIP-SSM.
  I went to the apply IPS Tab and choose to update from cisco.com. But it is always like processing for a long time.
  I tried to enter my username and password for the sensors or the CCO account but still no improvement. Does anyone knows how to configure this. I tried reading the user guide there is no examples.
  Thanks

  The IPS-engine-E2-req-5.1-7.pkg Engine Update file is just to upgrade an existing 5.1(7)E1 sensor to 5.1(7)E2.
  It only changes the "engine" features of the sensor that are necessary for installing signature updates requiring E2. It does not change other files on the sensor.
  The IPS-K9-5.1-8-E2.pkg Service Pack file is for upgrading the entire image to the next service pack level as well as upgrading the "engine" features. So you get all of the latest bug fixes.
  So which to use?
  If you are running 5.1(7)E1 then you will eventually want to get to 5.1(8)E2. But the upgrade to 5.1(8)E2 WILL require a reboot and so if running in an inline mode it should only be done during a scheduled network downtime. For most networks this could be a week or even a month before the downtime can be scheduled to do this type of upgrade. So the IPS-engine-E2-5.1-7.pkg file is a short term solution to get you to the E2 level required for signature updates, until you can schedule the upgrade to 5.1(8)E2.
  The IPS-engine... file will NOT reboot the sensor. It will temporarilly stop analysis and if Software ByPass is set to auto then traffic will be allowed to pass through the sensor unanalyzed while the engine update takes place. Because the traffic will continue to flow with Software ByPass most companies will allow an Engine update to be installed without having to schedule network downtime.
  Of course, the above discussion was really only applicable when E2 was the latest Engine release. Now that E3 is out, the discussion really becomes how to get to E3.
  There is Not an IPS-engine-E3-req-5.1-7.pkg engine update file.
  So you must get to 5.1(8)E3 if you want to keep getting recent signature updates.
  So then it just depends on your current IPS version.
  If you are running 5.1(7)E2 or earlier version then you must schedule a downtime and install the IPS-K9-5.1-8-E3.pkg file in order to install the latest E3 required signature updates.
  If you are running 5.1(8)E2 already, then you need to install the IPS-engine-E3-req-5.1-8.pkg file because the only thing needing to be upgraded is the Engine level to E3.
  General Rules of Thumb:
  Always ensure you are at the latest Service Pack level for the major/minor version train you are using. (5.1(8) in this case)
  If you are running the latest Service Pack then you will be able to simply install an Engine Update when the next Engine Update comes out without having to schedule downtime.
  If you are not at the latest Service Pack level then you will want to schedule a network downtime to do that upgrade within 60 days of the Service Pack being released.
  If an Engine Update comes out before you get a chance to upgrade to the next Service Pack, then install the Engine Update for the prior Service Pack (that you should at least be at) as a temporary measure to keep getting signature updates. And schedule a Service Pack upgrade as soon as possible.
  Why 60 days?
  If a new Engine Update is released within 60 of a Service Pack release, then the Engine Update will be released for both the latest Service Pack AND the one prior. But if the new Engine Update is longer than 60 days after the latest Service Pack, then an Engine Update will be created only for the latest Service Pack and not for the prior. This is why E3 was only released for 5.1(8). E3 was released more than 60 days after 5.1(8) so there was not an E3 for the prior 5.1(7).
  So you see that an Engine Update for a prior Service Pack should be considered a temporary measure until you can get the next Service Pack installed.
  If you wait too long another Engine Update might come out, and you might be forced into an immediate network downtime to get to the latest Service Pack.
  As for do you HAVE to install IPS-engine-E2-req-5.1-7.pkg before installing IPS-K9-5.1-8-E2.pkg (or more importantly IPS-K9-5.1-8-E3.pkg).
  The answer is NO.
  You can go directly from any 5.0 or 5.1 version directly to IPS-K9-5.1-8-E3.pkg.

• Activating IPS AIP-SSM

  Hello Everyone,
  Some time ago we purchase a couple of ASA5510s with the IPS aip-ssm modules in them. I got them installed and got the vpns running, but never activated the IPS module on them.
  I am getting ready to get the IPS modules going. But, don't I need some time of subscription so that the IPS module can download signature updates?
  Does anyone know what the part number on that subscription is? I am seeing listings for "content security plus" licenses, but I think that is something different. I am also seeing licenses for Botnet traffic filter licenses. But, again, I am not sure if that's the right one.
  Thanks,
  Ben

  You will need a subscription license in order to take advantage of signature and Global Correlation updates. The official name for this license is "Cisco Services for IPS".  Take a look at the following Q&A doc which covers some of the part numbers.
  http://www.cisco.com/en/US/services/ps2827/ps6076/services_qa0900aecd8022e962.pdf

• IPS AIP-SSM

  Hi,
  What is difference between E3 and E4 system upgrade files in IPS ? Is it possible to upgrade AIP-SSM from 6.0 E3 to 7.0 E4 ?
  Regards
  Amar

  Amar;
    The E3 and E4 designation represents the version of the analysis engine installed on the sensor.  The signature developers create signatures to the most current release of the analysis engine (E4 currently).  Without the most current analysis engine (and an active license) you cannot apply signature updates to the sensor.
    It is possible to upgrade an AIP-SSM from release 6.0 to 7.0 using the current 7.0 upgrade package (.pkg file).
  Scott

• Evaluating cisco IPS AIP-SSM-10 allong side Tipping Point S330

  Hello all,
  What are your thoughts on this matter?  I am also going to be looking at the Palo Alto solution for IPS as well.
  I'm probably going to use the cisco 4200 sensors if they offer multi segment like the tipping point does. 
  I'm looking at protecting the perimiter but NOT replacing my current firewall.  The current firewall is the Microsoft TMG.
  I like what I see on the Cisco IPS express.  I've also looked at the CSM for management.  It seems that Cisco is a lot more flexible when it comes to editing and managing the signatures.
  ARe there similar experiences out there that you would like to share?
  Thanks!
  Kurt

  Both products are pretty strong. But Tipping point have a much more comprehensive, promptly updated, and a well managed signature base. Both products can monitor multiple segements (terminologies are different).
  A good way to compare is to subsribe to their IPS signature updates and see the difference, I mean both from Cisco and DV labs
  BR
  Farrukh

• Is there any architectural difference between CSC-SSM and AIP-SSM modules

  Hello security gurus!
  I'm wondering if there's any chance to make Content security module (CSC-SSM) work as IPS (AIP-SSM). It seems to me they are absolutely identical in terms of hardware. Is there any chance to make CSC-SSM boot with the flash from AIP-SSM and have the ASA recognize it as an IPS module ?
  Eugene

  Zheka,
  This is not recommended and you will loose support, these are different devices designed for different purposes, you will also have issues with the license, I have seen it one once, and the customer did it by mistake, the module eventually crashed and we had to add the proper image.
  Regards,
  Felipe.

• IPS Labs using AIP SSM 10

  Hi,
  Can anybody send me a lab with a scenario for IPS using AIP SSM 10 and and if they could be for both CLI as well as by using ASDM. Also, when I was trying to access IPS using ASDM, I was getting an error message "Error connecting to sensor. Failed to load sensor-Error getting config data from following modules analysisEngine signatureDefinition networkAccess host". Can anybody please give me a solution for it.
  Thanks.

  Cisco had orginally planned to add a "keep alive" signature to 6.0. but that feature got dropped. The intent was to fire off a signature every few mins as long as the sensor was seeing valid traffic. The absence of seeing this signature should trigger some attention to a downed sensor.
  You can write a custom sig, but you have to be able to detect the loss of that event to be of value.

• Monitoring AIM-IPS-K9 and AIP-SSM-10

  Does anyone have any tips on monitoring the IPS devices for being up, healthy, not-in-bypass, and running normally, I had five of them fail after the E3 upgrade (one is still tweaked due what TAC has identified as a corrupt license issue). Although CSMARS 6.0 lists some unreachable devices once daily, it has all devices in the list making it less that useful information, but that is a different question.
  AIM-IPS-K9: 19 ea.
  AIP-SSM-10: 3 ea.

  Cisco had orginally planned to add a "keep alive" signature to 6.0. but that feature got dropped. The intent was to fire off a signature every few mins as long as the sensor was seeing valid traffic. The absence of seeing this signature should trigger some attention to a downed sensor.
  You can write a custom sig, but you have to be able to detect the loss of that event to be of value.

• IPS Signature DataBase - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM

  Hi,
  Can anyone briefly tell me the signature database details (No of Signature) among the following devices,
  -->ASA IPS/IOS IPS/IPS 42xx/AIP-SSM.
  Thanks,

  IPS on ASA/PIX = just 50 or so common signatures
  AIP-SSM module = same signatures as Cisco 4200 series sensors. Little minor differences exist (like IPv6 signature support etc.)
  Please rate if helpful.
  Regards
  Farrukh

• HT203025 As an organizer, why I can't receive any requests when my kids send an ASK?

  As an organizer, why I can't receive any requests when my kids send an ASK?

  Hey lannysh,
  If you are having an issue with receiving Ask to Buy requests from your Family Sharing group, you may want to use the steps in this article to help troubleshoot -
  Get help using Ask to Buy in the iTunes Store - Apple Support
  Thanks for using Apple Support Communities.
  Be well,
  Brett L 

• Cisco IPS 4240 VS Cisco ASA AIP SSM-10 Modula

  I'm looking to replace another vendor's IPS system we have at our company. We do have an ASA 5510 in our envionment currently.
  Considering I don't need the extra bandwidth of the IPS 4240 series and the AIP SSM-10 requires an ASA 5510 what are the differences?

  Operationally the AIP-SSM1 and the 4240 run the same software, so they work pretty much the same.
  The AIP-SSM inside the ASA is less expensive alternateive, but becuase it sits inside an ASA there is more to configure and manage (the ASA plus the sensor), The ASA also has some built in inspections that may filter some traffic/attacks from being seen at the AIP-SSM sensor.
  - Bob

• Failure to Upgrade the software of my AIP-SSM-20

  Dear all,
  I have failed to upgrade the software of my AIP-SSM-20 on the ASA. The AIP-SSM-20 had an Image of version IPS-K9-5.1-7-E1.pkg and I tried to upgrade it to IPS-K9-6.1-1-E2.pkg but after the upgrade the AIP-SSM-20 became unusable. I can no longer log on  to the IPS Module from the ASA. When I initiated a connection to the module with session 1 command, the systems says card in slot 1 did not respond to system request. I decided to restored the system image from the ASA by using the hw-module module 1 recover configure and hw-module module 1 recover boot commands but has so far failed.When  I issued the command hw-module module 1 boot command, the status of the IPS shows recover and would be in that state even for days.And my TFTP server shows that it is transfering the images to the IPS.
  I don't know where I have gone wrong and I would be very happy if somebody can give me a procedure that would help me to re-image the software of the IPS.
  Any help would be highly appreciated.
  Claude Fozao

  Halijen has already send you a link to reimage,let me briefly answer what a system image and upgrade files are and the difference between them
  The System Image files are meant to be used only when a complete erasing of the sensor's image is needed.  This is generally because the installed files were corrupted, or so old that it would be easier to start over and make it look like it came from the factory; than to use the standard "upgrade" files.So in case you are doing reimaging than use .img files which are system reimage files
  In more than 90% of the cases, most customers will want to "upgrade" rather than do a System Image.  The "upgrade" is done from within the sensor itself, and will both load the higher version as well as convert your current configuration to work with the newer version.it uses .pkg files
  A usual poblem with the System Re-imaging process is that the card winds up in a boot loop because of an error.  When ROMMON detects an error it reboots and tries the same steps again which usually winds up with the same error which causes a reboot, etc.....
  So determining if the card is in a reboot loop, and what the error is would be the next step in your debugging process.
  Execute "debug module-boot".  Enter "hw-module module 1 recover stop".   Wait for a few minutes, and then enter "hw-module module 1 recover boot".
  The output from ROMMON on the SSM will be seen on your ASA connection.Look at the configuration being passed to the SSM's ROMMON and look for any bad entries.Watch to see if it able to download the System Image file, or if it continuously reboots.
  If it continuously reboots, then look to see what error message is seen just prior to the reboot.
  Some common problems:
  1) Typos in IP address, gateway, tftp server IP, or system image filename.
  2) If the tftp server is on the same subnet as the SSM's IP Address, then try leaving the Gateway address blank since it is not needed.
  3) Remember that the IP Address is for the external interface of the SSM.  So be sure you are using an address that is applicable for the network where you are pluggin in the SSM's external interface.
  4) If the TFTP Server is on another subnet, then be sure there is a route to the other network.  If having to route back through the ASA, then ensure that the ASA will allow TFTP packets to pass through the ASA.  (The ASA could wind up blocking the TFTP packets depending on the ASA configuration)
  5) Be sure the file can be downloaded from the TFTP server.  Check the file permissions, and the directory where the file is located.   From your desktop try to downlaod the file from the tftp server.  This will ensure you are using the correct directory and that the file has correct permissions.  Once common problem is that the file may be /tftpboot/sensorfiles/IPS-SSM_20-K9-sys-1.1-a-6.1-1-E1.img.  But because the tftp server automatically starts in /tftpboot, you may need to NOT specify it for the file and instead just use: sensorfiles/IPS-SSM_20-K9-sys-1.1-a-6.1-1-E1.img
  6) Check to make sure the file is not corrupted by running an md5sum and checking it against the value listed on cisco's web site.

• How to buy license? for AIP-SSM-10 ?

  Hi all
  how to buy license? for AIP-SSM-10 ?
  1. CON-SU1-AS1A1PK9 this is Cisco SMARTnet Support for AIP-SSM-10
  2. do I need smartnet for ASA ?
  3. what is part number of license ?
  ASA5510test# session 1
  Opening command session with slot 1.
  Connected to slot 1. Escape character sequence is 'CTRL-^X'.
  login: cisco
  Password:
  ***NOTICE***
  This product contains cryptographic features and is subject to United States
  and local country laws governing import, export, transfer and use. Delivery
  of Cisco cryptographic products does not imply third-party authority to import,
  export, distribute or use encryption. Importers, exporters, distributors and
  users are responsible for compliance with U.S. and local country laws. By using
  this product you agree to comply with applicable laws and regulations. If you
  are unable to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  ***LICENSE NOTICE***
  There is no license key installed on the SSM-IPS10.
  The system will continue to operate with the currently installed
  signature set.  A valid license must be obtained in order to apply
  signature updates.  Please go to http://www.cisco.com/go/license
  to obtain a new license or install a license.
  sensor#
  sensor# sh ver
  Application Partition:
  Cisco Intrusion Prevention System, Version 6.0(6)E3
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S399.0                   2009-05-06
      Virus Update        V1.4                     2007-03-02
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               ASA-SSM-10
  Serial Number:          ........
  No license present
  Sensor up-time is 21 min.
  Using 655507456 out of 1032499200 bytes of available memory (63% usage)
  application-data is using 39.7M out of 166.8M bytes of available disk space (25%
  usage)
  boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
  MainApp          N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  AnalysisEngine   N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  CLI              N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500
  Upgrade History:
    IPS-K9-6.0-6-E3   17:48:06 UTC Wed Jul 15 2009
  Recovery Partition Version 1.1 - 6.0(6)E3
  sensor#

  Hi,
  CON-SU1-AS2A10K9 contract if for ASA+IPS bundle. If AIP-SSM-10 ws purchased as a spare the contract would be CON-SU1-ASIP10K9.
  I am not sure whether or not this Cisco Service for IPS contract can be  used to cover just the AIP-SSM-10 if it was purchased as part of a  Bundle instead of a Spare.
  I would recommend that you check with your Cisco reseller or Cisco  Sales Representative.
  Sourav

• Best practices for using Normalizer in ASA and in AIP-SSM

  Both PIX OS 7.x and IPS 5.x software have a concept of "traffic normalization". PIX OS on ASA can do virtual reassembly, IPS on SSM (so far as I know) can do physical reassembly and fragmentation of IP packets. Also, both ASA and SSM can do TCP normalization. For example, they both can "check inconsistent retransmissions" and protect against "TTL evasion attacks". I realize that PIX OS has only basic normalization functions and the SSM is much more configurable.
  The question is: what are the best practices here? Is it better to disable some IP/TCP PIX OS checks / IPS signatures on ASA and/or SSM? Is it better to use just SSM for traffic normalization? Does anybody has personal experience here?
  Also, there is a BugID CSCsd04327 - "ASA all out of order packets are dropped when sending to ssm"
  "When ips ssm is inline slowness is reported. show service-policy shows that the number of out of order packets reported match exactly the number of no buffer drops (even with queue-limit option). Performance hit is not the result of tcp normalization (on IPS 5.x ssm) in this case, but rather an issue with asa normalizer."
  To me it seems to be more logical to have normalization function on the firewall, but there may be drawbacks in doing this.
  So, those who're using ASA with SSM, please share your experience.
  Thx.

  Yes, this is almost correct ;)
  TCP SRP (Stream Reassemly Processor) is turned OFF on the SSM and cannot be enabled, contrary to 4200 appliances, but IP FRP (Fragmentation Reassembly Processor) is functioning on the SSM.
  The testing of 7.2(1) shows the following:
  When you configure "policy-map" to send packets to the SSM the "tcp-map" parameter "queue-limit", which has the value of zero by default, is set to an X (the X is unknown). This means that the ASA now only accepts the TCP segments which are sent in the correct order. More specifically, the gaps in SEQs are not allowed anymore. When for example, the ASA receives a TCP segment which has a SEQ within the window, but the previous TCP segment has been lost, it sends an ACK to the sender to enforce retransmition of the lost segment. As a result the sender retransmits both segments. Only after that the ASA forwards both segments to the SSM. This basically means that SSM always sees in-order TCP segments. That it is why SRP is not needed on the SSM.
  There are at least two problems however.
  The first problem is the performance impact.
  ASA now acts almost like a proxy. And, so far as I know, it doesn't support SACK (Selective ACKs). First, when the ASA does TCP SEQ randomization it doesn't change SEQ values within the SACK TCP Option. This simply breakes SACK. Second, even if you turn randomization mechanism OFF, then, I believe, the ASA will not selectively ACK the lost TCP segments, as it simply doesn't support this mechanism.
  The second problem is THE SECURITY HOLE.
  By default the ASA doesn't check TCP checksums. The 4200 appliances do check by default. But as we now know the SRP is turned OFF on the SSM... So, this means that SSM module can easily be evaded. The hacker only needs to mix attacking traffic with the random TCP segments that have bad TCP checksum. The SSM module will see the mixture of the two and will not recognize the attack. The target host will drop TCP segments with the bad checksums and see only attacking traffic... This has been successfully verified in the lab.
  Of course, this security hole can be closed with the "tcp-map" parameter "checksum-verification", but it will definitely has performance impact.
  The last note: All of the above has never been documented by Cisco. So, use at your own risk, etc.
  I hope, you will read this message, Marcoa. All of this MUST be documented. Once again, the default behaviour of the ASA opens up a big security hole.
  Regards,
  Oleg Tipisov,
  REDCENTER,
  Moscow

• Configuring AIP SSM to monitor only

  Hi all,
  We purchased an AIP-SSM-20 for our ASA5520. Is there a way to enable IPS functionality, but not block anything, i.e. just log events? This is just to see if any legitimate company traffic will be blocked.
  Thanks!
  Jacques

  Configure the ASA to send traffic to the IPS in promiscuous mode using the following command in a policy-map:
  hostname(config-pmap-c)# ips {inline | promiscuous} {fail-close |
  fail-open} [sensor {sensor_name | mapped_name}]
  http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/aipssm.html
  Geroge