topic Re: AIP SSM-10 setup and testing in Network Security

AIP SSM-10 setup and testing

jimmyc_2 — Sun, 10 Mar 2019 12:51:04 GMT

In my lab, I have a new 5510 with AIP-SSM card.

I believe it is configured correctly to evaluate traffic, but I can't be sure.

Here is part of the ASA config:

class-map global-class

match any

class-map inspection_default

match default-inspection-traffic

policy-map global-policy

class inspection_default

inspect ftp, etc,

class global-class

ips inline fail-open

service-policy global_policy global

I have a PC going to a switch, going to the ASA (inside interface)

The ASA outside interface is going to a seperate VLAN on the switch.

Both have VLAN interfaces configured.

Is there a ping command, or other traffic that I can generate from the PC that will throw an alert?

I tried Ping -S from a bogus addresses, but that didn't cause an event.

How do I know if traffic is actually going through the IDS?

Thanks.

AIP SSM-10 setup and testing

Julio Carvajal — Sat, 15 Dec 2012 01:39:12 GMT

Hello Jimmy,

You must assigned a virtual sensor to the interface that connects the AIP-SSM to the ASA ( this must be done on the AIP-SSM, you could use either the GUI or the CLI to make it happen)

Now to test it you can use the signature ID 2004 witch is related to ICMP Echo packets.... Enabled it as its disabled by default and on the actions set it to generate an alert,, Then go to monitoring and get a report on the last minute, hour, etc. to get this log and make sure the AIP-SSM is up and ready to protect you,

Regards,

Julio

Re: AIP SSM-10 setup and testing

jimmyc_2 — Mon, 17 Dec 2012 15:47:39 GMT

Thanks Julio,

Under Configuration>IDS>Interfaces, G0/1 is enabled.

I have turned on ID 2004.

Under the IME menu Home>Device Details:

G0/0 Link=UP, Enabled=Yes, Mode=(blank), Rcd and Xmit are incrementing

G0/1Link=UP, Enabled=Yes, Mode=unpaired, Rcd and Xmit are incrementing

We did not order maintenance, so I have no License. (I'm hoping I only need this to get latest updates and support, not to run the device??)

I still have no alerts. How do I generate them?

Regards,

Re: AIP SSM-10 setup and testing

Julio Carvajal — Mon, 17 Dec 2012 17:34:53 GMT

Hello,

Good, have you try to ping across your network?

Regards,

Re: AIP SSM-10 setup and testing

jimmyc_2 — Mon, 17 Dec 2012 17:46:26 GMT

Yes.

From the PC through the Switch to the Firewall and then back to a second network (VLAN interface) on the switch.

There is no event or log entry.

I was using Ping -S 0.0.0.0 192.168.1.1 and expected the IDS to pick up the bogus source.

I also tried a standard ping, no luck.

Using the CLI for the IDS, under show statistics virtural interface, I found "total packets processed since last reset = 0"

Re: AIP SSM-10 setup and testing

Julio Carvajal — Tue, 18 Dec 2012 17:59:51 GMT

Hello Jimmy,

Share the following from the ASA

show service policy

Regards,

Re: AIP SSM-10 setup and testing

jimmyc_2 — Tue, 18 Dec 2012 20:22:59 GMT

Service-policy: global_policy

Class-map: inspection_default

Inspect: DNS, FTP, H233, etc (all zeros)

Class-map: global-class

IPS: Card status UP, mode inline fail-open

Packet input 0, Packet output 0, drop 0, reset-drop 0

Keep in mind that I only have one PC and one switch (with two VLAN interfaces) attached.

Thanks.

Re: AIP SSM-10 setup and testing

Julio Carvajal — Tue, 18 Dec 2012 21:29:41 GMT

Hello Jimmy

lass-map: global-class

IPS: Card status UP, mode inline fail-open

Packet input 0, Packet output 0, drop 0, reset-drop 0

No packets are getting to the IPS module

You told me is assigned to Virtual sensor 0 on the AIP-SSM right?