09-25-2012 09:10 AM - edited 03-10-2019 05:47 AM
Our Internal Auditor is asking for a copy of the logs or a report from our IPS showing that it is indeed keeping bad guys out. If you have had this same request, what info have you provided?
09-25-2012 10:06 PM
Hi,
You may provide the list of signatures that have fired.
From the CLI, issue "show stats virtual-sensor | inc Sig"; this will give you the list of all signatures that fired.
Regards,
Sawan Gupta
09-27-2012 06:25 AM
Hi,
I ran this command on a recently enabled AIP-SSM-10 module and it reports several signatures have fired. However, when I run a report or check the event monitor in IME all I see are events for the NetBIOS 5575/0 signature and the ICMP signatures (2000.0 and 2004.0) that I enabled for testing purposes. Any idea why the other signatures do not appear in my report?
show statistics virtual-sensor | inc Sig
Name of current Signature-Defintion instance = sig0
The Signature Database Statistics.
SigEvent Preliminary Stage Statistics
Number of Active SigEventDataNodes = 26
Per-Signature SigEvent count since reset
Sig 2000.0 = 73
Sig 2004.0 = 122
Sig 3653.0 = 40468
Sig 5575.0 = 669
Sig 6131.6 = 788554
Sig 6250.1 = 2504
Sig 16297.0 = 29
Sig 21619.1 = 5299
Sig 23782.2 = 17
SigEvent Action Override Stage Statistics
SigEvent Action Filter Stage Statistics
SigEvent Action Handling Stage Statistics.
Thanks,
Jeff
09-27-2012 08:52 PM
Jeff,
Do the other signatures have "Produce Alert" as one of their actions?
Luis Silva
09-28-2012 05:34 AM
Luis,
Thanks for the reply. You are correct, they are not set to alert, and that is why I am not seeing anything in the event monitor or reports. Thanks again for the response!
Jeff
09-30-2012 09:20 AM
You are welcome!
Luis Silva
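Added example, not part of any post in this thread: a small Python script that parses the "Per-Signature SigEvent count" lines shown above into an audit table and lists the signatures that fired but produced no visible alert, which are the ones to check for a missing "Produce Alert" action. The `SEEN_IN_IME` set and the function names are assumptions for illustration; the set is typed in by hand from the event monitor.

```python
import re

# Constructed sample: the per-signature counter lines posted in this thread.
SAMPLE_STATS = """\
Per-Signature SigEvent count since reset
Sig 2000.0 = 73
Sig 2004.0 = 122
Sig 3653.0 = 40468
Sig 5575.0 = 669
Sig 6131.6 = 788554
Sig 6250.1 = 2504
Sig 16297.0 = 29
Sig 21619.1 = 5299
Sig 23782.2 = 17
"""

# Assumption: signature IDs (id.subid) that show up in the IME event monitor.
SEEN_IN_IME = {"2000.0", "2004.0", "5575.0"}
SIG_LINE = re.compile(r"^\s*Sig\s+(\d+)\.(\d+)\s*=\s*(\d+)\s*$")

def parse_sig_counts(text):
    """Return {"id.subid": count}; repeated signatures in pasted output are summed."""
    counts = {}
    for line in text.splitlines():
        m = SIG_LINE.match(line)
        if m:
            key = f"{m.group(1)}.{m.group(2)}"
            counts[key] = counts.get(key, 0) + int(m.group(3))
    return counts

def silent_signatures(counts, seen):
    """Signatures with a non-zero fire count but no alert in the event monitor."""
    silent = [(sig, n) for sig, n in counts.items() if n > 0 and sig not in seen]
    return sorted(silent, key=lambda kv: kv[1], reverse=True)

def audit_rows(counts, seen):
    ordered = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    return [f"{sig:>10} {n:>10} {'yes' if sig in seen else 'NO':>8}" for sig, n in ordered]

if __name__ == "__main__":
    counts = parse_sig_counts(SAMPLE_STATS)
    print(f"{'signature':>10} {'fired':>10} {'in IME':>8}")
    print("\n".join(audit_rows(counts, SEEN_IN_IME)))
    for sig, n in silent_signatures(counts, SEEN_IN_IME):
        print(f"check Produce Alert on {sig} ({n} events, none visible)")
```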