topic Re: IPS-4260 Traps in Network Security

IPS-4260 Traps

bellg — Sun, 10 Mar 2019 12:09:06 GMT

We would like to be able to generate a trap or some how determine if/when our IPS-4260 sensor goes into bypass mode. In addition, we'd like to be able to monitor the CPU, memory, and interface status.. It would appear the 4260 has limited monitoring capabilities.

Based on the IPS release notes, I have loaded the Cisco-CIDS-MIB, Cisco-PROCESS-MIB, Cisco-ENHANCED-MEMPOOL-MIB, and Cisco-ENTITY-ALARM-MIB into WhatsUp Gold v14.3. However, uncertain what to check for. I can see traps showing up; however, they are not descriptive enough to tell what is what.

How do we trap/monitor for bypass mode? Anyone else have traps/monitoring operational on their 4260?

Thanks.

Re: IPS-4260 Traps

Scott Fringer — Mon, 11 Oct 2010 10:58:50 GMT

Gary;

As you have noted, SNMP management of the IPS appliances is quite limited. There is an enhancement request currently filed to increase SNMP monitoring visibility; the enhancement ID is CSCsu08529.

Scott

Re: IPS-4260 Traps

bellg — Thu, 14 Oct 2010 23:15:07 GMT

Thanks. I'm looking into this. Although there is a reference to version 7.1; unknown if that version has the additional SNMP/Trap functionality. I'll continue to explore.

Re: IPS-4260 Traps

rhermes — Sun, 17 Oct 2010 14:05:09 GMT

If you used an external device to perform your bypass function, such a STP in

a switch, you could have the switch issue a trap when STP reconfigured.

For CPU and Memory, you're stuck polling SNMP for them and watching for the threshold to be exceeded externally.

- Bob

Re: IPS-4260 Traps

bellg — Wed, 20 Oct 2010 23:33:24 GMT

After some research, finally was able to get the sensor traps to work properly.

I had to ensure the sensor was actually sending traps.

Once configured using:

service notification

error-filter warning|error|fatal
enable-detail-traps true
enable-notifications true
trap-destinations
trap-community-name
trap-port 162

I confirmed traps were being sent off the sensor using a tcpdump:

# tcpdump -ni ma0_0 udp and port 162

I also confirmed traps were being obtained on the monitor application - in my case WhatsUp Gold (system trap logs)

The strings you want to search for in your monitor application are:

%PassiveMonitor.Payload.Protocol Version=SNMPv2 %PassiveMonitor.Payload.1.3.6.1.4.1.9.9.383.1.3.3=Inline data bypass has started.

(this one means the IPS sensor is presently in bypass mode and NOT checking traffic)

%PassiveMonitor.Payload.Protocol Version=SNMPv2 %PassiveMonitor.Payload.1.3.6.1.4.1.9.9.383.1.3.3=Inline data bypass has stopped.

(this means the IPS sensor is no longer in bypass mode)

In order to make it work, I had to ignore the major and minor event numbers and match on the respective strings only (Inline data bypass ...)

Another message that might be of interest, just prior to stopping the inspection generated is:

%PassiveMonitor.Payload.Protocol Version=SNMPv2 %PassiveMonitor.Payload.1.3.6.1.4.1.9.9.383.1.3.3=Bypass Mode has been enabled, stopping packet inspection.

IPS version 7.1 is supposed to be released towards end of the year with additional trap/snmp support (according to Cisco). The above is working on version 6.2.

As mentioned in release notes, the following MIBS are the only ones supported:

-CISCO-CIDS-MIB

-CISCO-PROCESS-MIB

-CISCO-ENHANCED-MEMPOOL-MIB

-CISCO-ENTITY-ALARM-MIB

I'm hoping this information might assist someone else.