<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
<title>Cisco NetPro - <![CDATA[Intrusion Prevention Systems/IDS]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=&amp;topic=&amp;CommCmd=MB%3Fcmd%3Ddisplay_messages%26mode%3Dnew%26location%3D.ee6e1fc</link>
<description><![CDATA[Detecting, reporting, and terminating unauthorized activity]]></description>
<lastBuildDate>Fri, 9 May 2008 05:36:12 PST</lastBuildDate>
<generator>CCSF</generator>
<docs>http://blogs.law.harvard.edu/tech/rss</docs>
<item>
<title><![CDATA[IDSM-2 Inline mode]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc06dd7</link>
<description><![CDATA[Hi,
I am working with the IDSM-2. We have a Cisco 6509 with CSM &amp; FWSM. We are planning the IDSM-2 in inline mode, and now I want to monitor the traffic which is coming through the outside interface of the FW context (which is nothing but VLAN A, VLAN B, VLAN C on the MSFC).

Data flow: ISP RTR---Internal RTR---FWSM---IDSM---MSFC---CSM---

IDSM version is 5.1(4)S257.0.

This will support only two VLANs (IN and OUT) in access mode.
My problem is I don't know how to scan the traffic of 3 VLANs (A, B, C).

Cisco 6509 --- Version 12.2(18)SXF7.]]></description>
<guid isPermaLink="false">.2cc06dd7</guid>
<pubDate>Fri, 9 May 2008 01:14:34 PST</pubDate>
</item>
<item>
<title><![CDATA[IPS Event Viewer settled in CSM]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0830e</link>
<description><![CDATA[Hi,

I am working on preparing CSM to launch it by June, so I am in quite a hurry. Moreover, I have got into trouble with IPS Event Viewer, so if you have any clues after checking the explanation below, please let me have them.

1) Situation
 - testing CSM (3.1) and IPS Event Viewer (ver 5.2)
 - made a test environment in which an IPS is connected to CSM, and let the IPS raise alarms, to check if IEV is working well

2) Problem
 - No events are registered on the real-time table even though some events are being updated on the Dashboard in real time.

3) Question
 - What is wrong?
 - What is the solution?

If you want any further information on this problem, please ask me.

Thank you.]]></description>
<guid isPermaLink="false">.2cc0830e</guid>
<pubDate>Fri, 9 May 2008 01:00:04 PST</pubDate>
</item>
<item>
<title><![CDATA[CSA SQL 2000 database move to 2005]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07674</link>
<description><![CDATA[I've been informed that the SQL 2000 database that our MC uses (version 5.1) in one of our environments needs to be moved to a SQL 2005 database server. What's the best way to point the MC to the new SQL 2005 server?]]></description>
<guid isPermaLink="false">.2cc07674</guid>
<pubDate>Thu, 8 May 2008 17:29:00 PST</pubDate>
</item>
<item>
<title><![CDATA[CSA:  5.2 agent reports but doesn't poll?]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07369</link>
<description><![CDATA[So I'm running into an issue with a 5.2 agent install (r245).  The agent installs and registers to the MC without an issue.  The issue is that the agent is not polling every 10 minutes like it is supposed to.  I placed the same policy on my workstation and I can poll without a problem.  The system will still report back to the MC if necessary (if an event logs), and once it does the host shows as active again.  But then it goes inactive as the polling is failing.  I'm looking for details on how the agent should be polling (I think it's UDP, but what port?) and if there are any debugs I can do on the client side to find the issue.  We've removed the XP SP2 firewall so it should not be blocked on the workstation.  Thanks in advance!

-Mike
http://cs-mars.blogspot.com]]></description>
<guid isPermaLink="false">.2cc07369</guid>
<pubDate>Thu, 8 May 2008 17:27:43 PST</pubDate>
</item>
<item>
<title><![CDATA[IPS license]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07d82</link>
<description><![CDATA[My client had an IPS with a 6.0x image; they have a license up to DEC-2009. 2 days back the IPS crashed, so I loaded a new image, which is 6.1x. After that I updated the license information through cisco.com, but then it came only up to May-17-2009. It should be up to DEC-2009? If anyone can help me with this issue, that would be appreciated.
Regards, Walter Mavely]]></description>
<guid isPermaLink="false">.2cc07d82</guid>
<pubDate>Thu, 8 May 2008 09:21:25 PST</pubDate>
</item>
<item>
<title><![CDATA[Add Checkpoint SmartCentre to MARS]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc02088</link>
<description><![CDATA[I have MARS v4.2.6 and I wish to add Checkpoint.  I've gone through all the instructions as per the user guide and yet I still can't get this to work.  When I click discover (under MARS) I get the following message:  &quot;CPMISessionNew failed messg: NO Error&quot;  I've double checked all the configurations, DNs etc., but it still fails. I get the certificate fine, and doing a Telnet from MARS to the TCP ports as instructed seems to work OK. I am receiving events from Checkpoint, but understand that MARS needs to be able to log onto Checkpoint in order to do the correlation correctly.  I can't find any matching bugs or descriptions of the error anywhere on CCO.  Google also returns zero matches for the error message.]]></description>
<guid isPermaLink="false">.2cc02088</guid>
<pubDate>Thu, 8 May 2008 05:20:30 PST</pubDate>
</item>
<item>
<title><![CDATA[CISCO IPS MANAGER EXPRESS]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07282</link>
<description><![CDATA[Hi,
Has anyone downloaded the Cisco IPS Manager Express yet? I have downloaded it, but when I click on the installation file, I get &quot;setup.exe has encountered a problem and needs to close&quot;.

I have tried this on 3 PCs, Windows XP and Windows 2003. Any thoughts?]]></description>
<guid isPermaLink="false">.2cc07282</guid>
<pubDate>Wed, 7 May 2008 16:43:42 PST</pubDate>
</item>
<item>
<title><![CDATA[Engine E2 Question]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc078e3</link>
<description><![CDATA[Dear Sir/Madam,

I manage four Cisco IPS sensors (SSM-20). I am currently running 6.0(3) E1 and do not particularly want to upgrade to 6.0(4) because of the following:

CSCsm60273  AIP-SSM stays in Unresponsive state after ASA5500's bootup

I have a number of power downs this year but need to continue to install signature updates, which I will be unable to do if I do not upgrade to 6.0(4) E2, as per your comment below:

Warning: After E2 is released, your sensors must be running release 5.1(7)E2 or 6.0(4)E2 to continue to install signature updates.

I would prefer to stay on 6.0(3) and upgrade to E2 (as this version is eligible for engine upgrade) and wait until caveat CSCsm60273 is resolved, hopefully in 6.0(5), but I then will not be able to apply the signature updates.

Please can you assist me?
Thanks in advance for your time.
Rich]]></description>
<guid isPermaLink="false">.2cc078e3</guid>
<pubDate>Wed, 7 May 2008 08:59:33 PST</pubDate>
</item>
<item>
<title><![CDATA[IDSM image upgrade issue]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07951</link>
<description><![CDATA[Hi,

I can reach my FTP server system from my IDSM, but I am unable to upgrade. Whenever I try to upgrade I get timed out. Kindly help me out with this.]]></description>
<guid isPermaLink="false">.2cc07951</guid>
<pubDate>Wed, 7 May 2008 03:54:16 PST</pubDate>
</item>
<item>
<title><![CDATA[Need help identifying the cause for this Cisco IPS 4542 Pls.]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc076dc</link>
<description><![CDATA[Hi,

Our IPS has started to act up all of a sudden with the error that is listed below. It says it's about not having a valid license, but they tell me here that they have a valid license!

I am very new here! I think it's a licensing issue too, but they keep telling me that they have the correct valid license!

When we try to load the IDM we get this error message, and when we log in to the sensor using PuTTY and type:

show statistics virtual-sensor, we also get the same error:

         ^
% Invalid input detected at '^' marker

sensor2#
sensor2# ***LICENSE NOTICE***

sensor2# The license key on the IPS-4240 has expired.


sensor2# The system will continue to operate with the currently installed


sensor2# signature set.  A valid license must be obtained in order to apply
    

sensor2# signature updates.  Please go to http://www.cisco.com/go/license

sensor2# to obtain a new license or install a license.
sensor2# interfaces  Display statistics and information about system

sensor2#  interfaces

sensor2# inventory             Display PEP information.

sensor2# os-identification     Display Passive OS Fingerprinting OS Identification.

sensor2# privilege             Display current user access role.

sensor2# ssh                   Display Secure Shell information.

sensor2# statistics  Display application statistics.

sensor2# tech-support          Generate report of current system status.
  

sensor2# users Show all users currently logged into the system.
         ^
% Invalid input detected at '^' marker

sensor2# version               Display product version information.
         ^
% Invalid input detected at '^' marker

sensor2# sensor2# sh users
         ^
% Invalid input detected at '^' marker

sensor2#     CLI ID   User    Privilege

sensor2#     20049    admin   administrator

sensor2# *   20185    admin   administrator

sensor2# sensor2# show statistics

sensor2# % Incomplete command

sensor2# sensor2# show statistics ?
sensor2# sensor2# show statistics

sensor2# analysis-engine                Display analysis engine statistics.

sensor2# anomaly-detection              Display anomaly detection statistics.

sensor2# authentication                 Display authentication statistics

sensor2# denied-attackers               Display denied attacker statistics.

sensor2# event-server                   Display event server statistics.

sensor2# event-store                    Display event store statistics

sensor2# external-product-interface     Display statistics for the interfaces to external

sensor2#                                products

sensor2# host                           Display host statistics.

sensor2# logger                         Display logger statistics

sensor2# network-access                 Display network access controller statistics.

sensor2# notification                   Display notification statistics.

sensor2# os-identification              Display OS identification statistics.

sensor2# sdee-server                    Display SDEE server statistics.

sensor2# transaction-server             Display transaction server statistics.

sensor2# virtual-sensor                 Display virtual sensor statistics.

sensor2# web-server                     Display web werver statistics.

sensor2# sensor2# show statistics virtua-
sensor2#
sensor2# sensor2# show statistics virtual-sensor

sensor2# Error: getVirtualSensorStatistics : ct-sensorApp.371 not responding, please check system processes - The connect to the specified Io::ClientPipe failed.
           

sensor2# sensor2# Error: getVirtualSensorStatistics : ct-sensorApp.371 not responding, please check system processes - The connect to the specified Io::ClientPipe failed.

Please advise if you have seen this error or if you can help us fix this.

Regards,

Masood]]></description>
<guid isPermaLink="false">.2cc076dc</guid>
<pubDate>Tue, 6 May 2008 12:48:24 PST</pubDate>
</item>
<item>
<title><![CDATA[IDS-4260 SNMP TRAPS SUPPORT....]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07016</link>
<description><![CDATA[Hello, 

I received the following traps while disconnecting the fiber from the IDS:


DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (97610796) 11 days,
7:08:27.96
SNMPv2-MIB::snmpTrapOID.0 = OID:
SNMPv2-SMI::enterprises.9.9.138.2.0.1
SNMPv2-SMI::enterprises.9.9.138.1.3.3.1.3 = Gauge32: 4
SNMPv2-SMI::enterprises.9.9.138.1.3.3.1.4 = Gauge32: 3
SNMPv2-SMI::enterprises.9.9.138.1.3.3.1.5 = INTEGER: 4
SNMPv2-SMI::enterprises.9.9.138.1.3.3.1.6 = Gauge32: 97610796

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (97611029) 11 days,
7:08:30.29
SNMPv2-MIB::snmpTrapOID.0 = OID:
SNMPv2-SMI::enterprises.9.9.138.2.0.1
SNMPv2-SMI::enterprises.9.9.138.1.3.3.1.3 = Gauge32: 4
SNMPv2-SMI::enterprises.9.9.138.1.3.3.1.4 = Gauge32: 1
SNMPv2-SMI::enterprises.9.9.138.1.3.3.1.5 = INTEGER: 4
SNMPv2-SMI::enterprises.9.9.138.1.3.3.1.6 = Gauge32: 97611029

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (97611229) 11 days,
7:08:32.29
SNMPv2-MIB::snmpTrapOID.0 = OID:
SNMPv2-SMI::enterprises.9.9.138.2.0.1
SNMPv2-SMI::enterprises.9.9.138.1.3.3.1.3 = Gauge32: 4
SNMPv2-SMI::enterprises.9.9.138.1.3.3.1.4 = Gauge32: 2
SNMPv2-SMI::enterprises.9.9.138.1.3.3.1.5 = INTEGER: 4
SNMPv2-SMI::enterprises.9.9.138.1.3.3.1.6 = Gauge32: 97611229

I am not able to decode the message using the CIDS-MIB. Does anybody know what else I need?

Regards,]]></description>
<guid isPermaLink="false">.2cc07016</guid>
<pubDate>Tue, 6 May 2008 07:50:16 PST</pubDate>
</item>
<item>
<title><![CDATA[Getting log data out of IPS 4240]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07682</link>
<description><![CDATA[We installed an IPS 4240 on our customer's network a few months ago.  We had great expectations for it during the installation, thinking that it would be alerting us to potentially suspicious activity any time any potential intruder tried to do anything suspicious on our network.
We can see where the device is useful with respect to seeing bogus signatures and then logging some data (capturing frames) in its IP Logging feature.
It is also useful in its &quot;Events&quot; tab, as one can drill down to specific time periods...
But what I really want is for it to:
1) Send syslog data to our log collection host, and 2) Send alerts when these suspicious activities are detected so that an IT admin knows what is going on and can react to them...
Is there a way to configure this?]]></description>
<guid isPermaLink="false">.2cc07682</guid>
<pubDate>Tue, 6 May 2008 07:43:01 PST</pubDate>
</item>
<item>
<title><![CDATA[ASA 5510 IPS Edition Bundle high availability]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07518</link>
<description><![CDATA[Hi,
We intend to use the ASA 5510 IPS Edition as firewall and IPS. Does anybody know if the ASA 5510 IPS Edition supports high availability also?

Regards]]></description>
<guid isPermaLink="false">.2cc07518</guid>
<pubDate>Mon, 5 May 2008 23:27:00 PST</pubDate>
</item>
<item>
<title><![CDATA[spanned port for IDS]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc06740</link>
<description><![CDATA[We're about to get an IDS system which will require a spanned port on the inside of our network.  Inside our network we have a few 6500s, so I'd span a port on one of our core switches... My question is, there is definitely more than 1GB of traffic going through the core at any time... How would I get all this traffic to the IDS system?  Would I just create an EtherChannel and use it as a destination, and plug all the ports into the IDS?]]></description>
<guid isPermaLink="false">.2cc06740</guid>
<pubDate>Mon, 5 May 2008 18:14:57 PST</pubDate>
</item>
<item>
<title><![CDATA[Span Configuration]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc07289</link>
<description><![CDATA[I have configured my 3750 switch for SPAN. In this switch my IPS 4255, Internet router and PIX firewall are connected.

Below is the SPAN configuration:

monitor session 1 source interface Gi1/0/1 - 3
monitor session 1 destination interface Gi1/0/5

Now the problem is that the IPS is capturing traffic twice, once while going out and once while coming in.

I want to know how to configure the monitor session so that it only captures traffic that is coming from the Internet, not traffic that is originating from inside of the network.

In the switch, the Internet router is connected to port 1, port 2 is for the firewall and port 3 is for the concentrator.

I am confused about the SPAN port configuration, either Rx or Tx. Right now it is both Rx and Tx.]]></description>
<guid isPermaLink="false">.2cc07289</guid>
<pubDate>Mon, 5 May 2008 08:52:43 PST</pubDate>
</item>
<item>
<title><![CDATA[MARS - Unable to filter events to port 0]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddd6d22</link>
<description><![CDATA[I get a lot of 'TCP SYN Host Sweep On Same Dest Port' events on my network that I want to filter out. All the events with destination port 0 are false positives, since this is normal behaviour for many operating systems when starting a connection.
Unfortunately MARS does not allow me to filter these events, since in the 'Tune' section a match destination port '0' is interpreted as match 'any'.
Has anyone else had this problem, or is there a workaround?
I get literally thousands of these a day on a moderate sized network (2 class Bs).]]></description>
<guid isPermaLink="false">.1ddd6d22</guid>
<pubDate>Mon, 5 May 2008 08:12:18 PST</pubDate>
</item>
<item>
<title><![CDATA[Blank device and policy pages in CSM 3.1.1 SP3]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc04f1d</link>
<description><![CDATA[Hi everyone,

I have a strange issue here: from one day to the other, CSM 3.1.1 SP3 does not show any devices (using 42xx and IDSM2) or even the policy. The devices are accessible themselves, and they do fire if signatures are triggered. Does anybody have a clue, or even the same experience? Will CSM 3.2 help?]]></description>
<guid isPermaLink="false">.2cc04f1d</guid>
<pubDate>Mon, 5 May 2008 02:20:17 PST</pubDate>
</item>
<item>
<title><![CDATA[AIM-IPS deployment specifics]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc05097</link>
<description><![CDATA[I'm planning to deploy an IPS system using a 2821 router and an AIM-IPS module. Guys, could you help me find answers to the following questions:

1. Can a subinterface of the router interface be specified as the command and control interface of the module using the ip unnumbered command?
2. If the external interface is configured in the module as a monitored interface and malicious traffic is destined to this interface's IP address (that is, this IP address is the destination IP in the packet header), is such traffic under control of the AIM-IPS module?
3. Can BGP traffic be monitored by the AIM-IPS module? How does it happen?]]></description>
<guid isPermaLink="false">.2cc05097</guid>
<pubDate>Sun, 4 May 2008 00:44:40 PST</pubDate>
</item>
<item>
<title><![CDATA[IDSM-2 setup and configuration]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc06e59</link>
<description><![CDATA[I need some guidance to find a good book or material to use in setting up a new IDSM-2.  Would prefer it to be fairly easy to understand to a new user setting it up.  I could open a TAC case because I do have Smartnet but I would rather try and learn it myself before I go that route.  Any suggestions?]]></description>
<guid isPermaLink="false">.2cc06e59</guid>
<pubDate>Sun, 4 May 2008 00:21:41 PST</pubDate>
</item>
<item>
<title><![CDATA[How to download Signature from cisco]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc06205</link>
<description><![CDATA[Hi,
Kindly provide me information.
I have a CCO login account but am unable to download signatures. How can I do it?]]></description>
<guid isPermaLink="false">.2cc06205</guid>
<pubDate>Sun, 4 May 2008 00:07:24 PST</pubDate>
</item>
<item>
<title><![CDATA[SYN flood attack log In CSA MC]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbfe3b2</link>
<description><![CDATA[I got a SYN flood attack log in CSA MC:

CSA log: TESTMODE: A potential SYN Flood attack has been detected. This may also indicate a possible routing problem. Reason: The TCP Listen Queue is full using interface Wired\HP NC7781 Gigabit Server Adapter #2. TCP: CSA MC IP/5401-&gt;local Instance IP/4418, flags 0x12. The operation would have been denied.

(Note: In the log I have specified CSA MC IP and local Instance IP instead of the actual IP addresses.)

I understood that SYN flooding is a type of denial of service attack, and this alert occurred when a TCP/IP connection was requested by the MC to the Instance. It has resulted in a half-open connection, as the return address is not in use. The MC has detected it and it got denied.

Please let me know what action I have to take at this point.

Thanks
Arumugam.K]]></description>
<guid isPermaLink="false">.2cbfe3b2</guid>
<pubDate>Sat, 3 May 2008 08:12:00 PST</pubDate>
</item>
<item>
<title><![CDATA[IPs system events and restart]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc05dfa</link>
<description><![CDATA[Hi,
I am looking at monitoring IDS system events like adding users, sensor application restart and interface down with an SDEE client. Do system events like these get logged in detail to the event store to be picked up by the API, or is there something I need to do with my CIPS ver 6 to get them across with verbose messages?
Thanks, and appreciated.]]></description>
<guid isPermaLink="false">.2cc05dfa</guid>
<pubDate>Fri, 2 May 2008 12:05:00 PST</pubDate>
</item>
<item>
<title><![CDATA[Last Version of IEV]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc068ba</link>
<description><![CDATA[Is 5.1 of IPS Event Viewer (IEV) the last version?]]></description>
<guid isPermaLink="false">.2cc068ba</guid>
<pubDate>Thu, 1 May 2008 07:21:31 PST</pubDate>
</item>
<item>
<title><![CDATA[IDS Event viewer error]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc056eb</link>
<description><![CDATA[Hi All,

Please help me out with this. I am getting the attached IDS Event Viewer error while trying to install it. Please let me know the probable causes and how to rectify the same.

Regards
Ankur]]></description>
<guid isPermaLink="false">.2cc056eb</guid>
<pubDate>Thu, 1 May 2008 03:30:33 PST</pubDate>
</item>
<item>
<title><![CDATA[AIP SSM Upgrade]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc065d3</link>
<description><![CDATA[Hello, we just received 4 5540 ASAs and they are running 5.1(6)E1 on the IPS, and I want to update it to 6.0(4)E1.  I tried using the ASDM to no avail. This is new to me; I need to implement this tomorrow and don't want to put it in the network until the IPS is upgraded.  Please help me with this procedure.  I read the doc and still cannot get it going.]]></description>
<guid isPermaLink="false">.2cc065d3</guid>
<pubDate>Tue, 29 Apr 2008 12:19:58 PST</pubDate>
</item>
<item>
<title><![CDATA[IDS Events not appearing in the IEV]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0650e</link>
<description><![CDATA[Hi,

I am using Cisco IEV version 5.1. The issue is that my IDS sensor is up, and via the command line I can see I am able to get the latest events; however, I am not able to get the same in the Event Viewer (I am able to telnet to the sensor on port 443 from the machine where IDS Event Viewer is installed). Please let me know the probable causes for the same.

Regards
Ankur]]></description>
<guid isPermaLink="false">.2cc0650e</guid>
<pubDate>Mon, 28 Apr 2008 23:35:30 PST</pubDate>
</item>
<item>
<title><![CDATA[IDSM-2 not updating 6500 ACL]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc063eb</link>
<description><![CDATA[I have a 6500 IDSM-2 blade which is configured to create a blocking ACL in the 6500 for a few signatures.  It's been working for a couple of years but recently stopped. The IDSM detects attacks and thinks it's updating the 6500, but the 6500's ACLs are not updated and the 6500 shows no login from the IDS. I am not seeing any error msgs anywhere.  When I manually insert an IP to block via the IDM client, it shows up in the sensor with no error, but the 6500 is not updated. This seems to have started about the time I installed S324 (3/26/08). The sensor is now S329.  I have rebooted the IDS with no effect in behavior.

Can someone suggest what I might look at to narrow down the problem?  Thanks.]]></description>
<guid isPermaLink="false">.2cc063eb</guid>
<pubDate>Mon, 28 Apr 2008 15:04:55 PST</pubDate>
</item>
<item>
<title><![CDATA[TCP Hijack/TCP Segment Overwrite false positives?]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1de01a42</link>
<description><![CDATA[Hello all,

I was just curious if anyone else has had many false positives with 3 signatures in particular: TCP Hijack (3250.0 - High), TCP Hijack Simplex Mode (3251.0 - High), and TCP Segment Overwrite (1300.0 - High). The reason I think they are false positives is because they occur every day, and I've also seen them caused by internal network traffic that crosses an IPS sensor (that is, making the potentially dangerous assumption that the internal devices can be trusted). We usually see between a dozen and 3 dozen a day depending on the signature, and we have 8 IPS total deployed internally and on the perimeters.

Has anyone else had similar experiences? If so, do you have any suggestions on how to decrease the number of false positives for these alerts?

Thanks,

Ryan]]></description>
<guid isPermaLink="false">.1de01a42</guid>
<pubDate>Mon, 28 Apr 2008 12:17:45 PST</pubDate>
</item>
<item>
<title><![CDATA[CSA, problem with installing SAS Institute 9.1]]></title>
<link>http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;type=rss&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems%2FIDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc05ca6</link>
<description><![CDATA[Hi there,

I am having some strange problems with an application called SAS 9.1 from SAS Institute. The application itself isn't actually the problem, but the install is. I have a Windows 2000 Pro SP4 installation on my desktop machines, and installation fails when CSA is on the machine, even in test mode. Disabling the CSA service or uninstalling it is the only thing that works. We have enabled override for logging all deny rules, and still there is no log from CSA when the install runs; setup.exe simply crashes and the application is not completely installed. We have some Windows XP machines as well, and there it works fine, both with and without CSA. We also tried to add the installer to the &lt;Applications Requiring Kernel Protection Only&gt; class just to make sure, although I have never seen an actual InstallShield installer checking for things like kernel debuggers and such, which CSA is sometimes taken to be by other applications, like AutoCAD, which therefore won't run.]]></description>
<guid isPermaLink="false">.2cc05ca6</guid>
<pubDate>Mon, 28 Apr 2008 10:40:14 PST</pubDate>
</item>

</channel>
</rss>
