topic Re: ips to csc ssm in Network Security

ips to csc ssm

rajbhatt — Sun, 10 Mar 2019 10:28:50 GMT

HI,

I have a ASA 5520 running IPS but with no license .But I have a trend micro with all the required license .

How to erase the IPS module that is running in the inline mode and instead install and configure the trend micro instead of the existing ips configuration ?

Thanks in advance

Raj

Re: ips to csc ssm

edwakim — Tue, 20 Feb 2007 13:31:08 GMT

Hi Raj,

If you have CSC license, you should be able to reimage your SSM module and use it.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080693b38.html

Please make sure you remove the ips related commands in ASA before doing so.

Thank you.

Edward

Re: ips to csc ssm

rajbhatt — Wed, 21 Feb 2007 05:25:35 GMT

Hi,

thanks for your answere

Raj

Re: ips to csc ssm

rajbhatt — Mon, 26 Feb 2007 04:27:12 GMT

Hi,

There was an attack on the servers with blaster worm(quite old and known worm) and the IPS was not able to detect it .

Is there a command to find out the Ip address of the attacker and see if IPS recognised the attack or not or some logging info that i can see .

It was also not able to prevent it also.

What are the revelant commands related to it .

I am pasting my config .Is this config functional at all as it was unable to detect the attack ?

Thanks

Raj

Re: ips to csc ssm

edwakim — Mon, 26 Feb 2007 04:53:17 GMT

Hi Raj,

How does your ASA config look like?

Was it setup to send traffic to IPS? Is it configured Promiscuous mode or Inline mode?

ACL, Class-Map, Policy-Map defined and applied?

You can find configuration guide here.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df98.html

Also, you are running 5.0(2) code. It is very old and buggy. Latest code in 5.x track is 5.1(4).

Edward

Re: ips to csc ssm

rajbhatt — Mon, 26 Feb 2007 09:37:50 GMT

Hi Edward,

Thanks for ur reply.

yes traffic goes to IPS .It is in inline mode with acl policy map class map and it is applied to the outside interface .

What I need to know is the command to check if IPS detcted the attack and also what is the ip address of the attacker and what are the signatures present on the ips and stattus of those signatures .Basically need to find out if the IPS is fuctional or not with the current config ?

And do u have a sample real life config of a functional IPS ?

Raj

Re: ips to csc ssm

rajbhatt — Tue, 27 Feb 2007 17:37:22 GMT

Hi,

Any on has any leads ?

Thanks in advance

Raj

Re: ips to csc ssm

edwakim — Tue, 27 Feb 2007 18:15:16 GMT

Hi Raj,

'sh stat v' will show you if the sensor is working or not.

There are many ways to see the alert details.

in CLI you can do 'sh events alert' and you can use '?' to fine tune your search.

i.e) sh events alert past 02:00 -> show any alerts for last 2 hours

You can use IEV, SecMon (VMS) or MARS to view them as well.

Thank you.

Edward