topic How can I test my IPS? in Network Security

How can I test my IPS?

Andy White — Sun, 10 Mar 2019 12:41:31 GMT

Hello,

I have 2 5520 ASA's in Active/standby mode, they both have the AIP-10 modules installed with 7.0(6).E4 installed.

How can I test it is all working can I fire any test scripts through the ASA to trigger an alert and se that it gets blocked?

Also how do I keep these to IPS modules in sync? I have to mak changes on one then the other all the time.

Thanks

How can I test my IPS?

Jennifer Halim — Tue, 29 May 2012 01:40:41 GMT

To test the IPS functionality, you can enable signature# 2000 (echo-reply) and 2004 (echo-request) and ping across the ASA. You should get those 2 triggered as a test.

With the IPS modules in ASA active/standby mode, unfortunately the configuration will not be sync automatically and there is a bit of manual work involved to get the config synchronized. The IPS modules are standalone unfortunately.

How can I test my IPS?

mkodali — Tue, 29 May 2012 02:23:54 GMT

Also make sure the signatures 2000 and 2004 are un retired besides enabling them. In recent versions they have been retired.

qssp-8083(config-sig-sig)# stat

qssp-8083(config-sig-sig-sta)# sh set

status

-----------------------------------------------

enabled: false

retired: true

Madhu

How can I test my IPS?

Andy White — Tue, 29 May 2012 08:57:22 GMT

We can't use teh echo one for testing as we have soem important monitoring servers that will have issues, is there any other way we can test if the IPS modules are blocking?

How can I test my IPS?

Jennifer Halim — Tue, 29 May 2012 11:36:29 GMT

You can create custom signature and block for example telnet traffic going through the ASA. You just have to specify the TCP port within the custom signature. Or you can configure any other ports for testing purposes.

How can I test my IPS?

Andy White — Tue, 29 May 2012 12:23:58 GMT

To create a custom rule for Telnet can I use the Cisco IPS ME? I woudl like to block 192.168.9.11 from telnetting to 172.30.1.1?

Thanks

How can I test my IPS?

Jennifer Halim — Tue, 29 May 2012 12:58:08 GMT

You can create a custom signature (engine string TCP), and specify telnet port, and configure regex. When it detected the regex settings that you specify, it will trigger the signature.