topic Re: no alarm from IPS in Network Security

no alarm from IPS

harinirina — Sun, 10 Mar 2019 12:14:20 GMT

Hello,

We're using AIP-SSM-40, Version 7.0(2)E4.

We send traffic from all interfaces to the IPS. When we test it with sigID 2004, we don't have any alarm.

the configuration on the ASA is as follow :

access-list inside_mpc extended permit ip any any

class-map inside-ip-class
match access-list inside_mpc

policy-map inside-ips-policy
class inside-ip-class
ips inline fail-open

service-policy inside-ips-policy interface inside

on the AIP-SSM, the configuration is as follow:

signatures 2004 0
alert-severity high
engine atomic-ip
event-action produce-alert|produce-verbose-alert|deny-attacker-inline|deny-connection-inline|deny-packet-inline
specify-l4-protocol yes
l4-protocol icmp
specify-icmp-type no

what we should do to have alarm?

Re: no alarm from IPS

Jennifer Halim — Mon, 24 Jan 2011 08:11:04 GMT

What do you mean by alarm? Are you saying that you are not able to see the events that is triggered by signature# 2004?

Can you check what is the Alert Frequency configured for this signature? The default is "Summarize" every 30 seconds. You might want to change the Alert Frequency to "Fire All" if you are using signature#2004 to test.

Plus you would need to send the traffic across the ASA so traffic will be inspected by the IPS.

Lastly, I am assuming that you have already enabled/assigned the IPS virtual sensor (vs0) to the signature (sig0).

Hope that helps.

Re: no alarm from IPS

harinirina — Mon, 31 Jan 2011 09:55:53 GMT

Hello,

The alert frequency is "fire all" and we sent continuous ping. we also tested with other signature (FTP authentication failure) but no alarm.

we used default sensor on each interface. so do we need to change it into vs0 ?

Re: no alarm from IPS

Jennifer Halim — Mon, 31 Jan 2011 15:52:48 GMT

Can you please confirm if you are sending the traffic through the ASA firewall? I would suggest that you assign the IPS as global policy on your ASA, and on the IPS itself, pls check if the virtual sensor has been enabled.

Re: no alarm from IPS

harinirina — Wed, 02 Feb 2011 08:40:41 GMT

Hi Jennifer,

we sent traffic through the ASA, it is enabled on each interface, not globally.

we used vs0 as you suggested, it's working.

Thanks indeed.

the configuration is now like that:

policy-map dmz-ips-policy
class dmz-ips-class
ips inline fail-open sensor vs0
policy-map outside-ips-policy
class outside-ips-class
ips inline fail-open sensor vs0
policy-map inside-ips-policy
class inside-ips-class
ips inline fail-open sensor vs0

Before, we use default sensor and the configuration is as follow :

policy-map inside-ips-policy
class inside-ips-class
ips inline fail-open sensor

didn't work.

We used default sensor on another ASA, with other IPS version, it worked fine.

is there any explanation?

Re: no alarm from IPS

Jennifer Halim — Wed, 02 Feb 2011 18:24:08 GMT

Are you running multiple context on the firewall, or just a single context?

The initial configuration that you have should work just fine, as long as you have enabled vs0 on the IPS module itself.

Re: no alarm from IPS

harinirina — Thu, 03 Feb 2011 07:58:46 GMT

Hi,

We're running single context.

How to check on the IPS if vs0 is enabled?

Re: no alarm from IPS

Jennifer Halim — Thu, 03 Feb 2011 17:38:00 GMT

If you IDM into the IPS, under Configuration --> Interface Configuration --> Summary --> check if under the "Assigned Virtual sensor" colum if vs0 is assigned.

Re: no alarm from IPS

harinirina — Thu, 10 Feb 2011 14:19:17 GMT

Thanks for your reply.

One more question Jennifer, we'd like to know which is applied first, the ASA rules or IPS ?

Re: no alarm from IPS

Jennifer Halim — Thu, 10 Feb 2011 23:30:41 GMT

ASA rules will be applied first before the IPS inspection because IPS is getting the traffic from the ASA.

Re: no alarm from IPS

harinirina — Fri, 18 Feb 2011 08:45:35 GMT

Ok, thanks for all Jennifer.