07-05-2012 07:21 AM - edited 03-10-2019 05:43 AM
Hello guys,
I have installed an AIP-SSM module on my ASA's lab and I can't get it to fire any signatures. I do see traffic going through the interfaces, which makes me think it's not an issue with the ASA config; however, I don't see any sigs even if I generate events that would fire one, such as a TCP port scan or BitTorrent.
I have assigned an interface to the vs0 and configured the basic stuff, but still I'm not getting any hits. One thing I noticed is this unusual message in the logs:
vError: eventId=1341365101856715019 vendor=Cisco severity=error
originator:
hostId: sensor
appName: collaborationApp
appInstanceId: 452
time: Jul 04, 2012 20:21:32 UTC offset=0 timeZone=UTC
errorMessage: Analysis Engine is Busy Processing Stage 3 of 97 at Step 0 of 1
Messages, like this one, in the category - ct to sensorApp timed out - were logged 1 times in the last 0 seconds. name=errUnclassified
Here's the IDS config and a show int:
sh interfaces Gi
GigabitEthernet GigabitEthernet0/0 GigabitEthernet0/1
RFNET-IPS# sh interfaces GigabitEthernet0/1
MAC statistics from interface GigabitEthernet0/1
Interface function = Sensing interface
Description =
Media Type = backplane
Default Vlan = 0
Inline Mode = Unpaired
Pair Status = N/A
Hardware Bypass Capable = No
Hardware Bypass Paired = N/A
Link Status = Up
Admin Enabled Status = Enabled
Link Speed = Auto_1000
Link Duplex = Auto_Full
Missed Packet Percentage = 0
Total Packets Received = 2545022
Total Bytes Received = 1683855948
Total Multicast Packets Received = 0
Total Broadcast Packets Received = 0
Total Jumbo Packets Received = 0
Total Undersize Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 2544496
Total Bytes Transmitted = 1683341358
Total Multicast Packets Transmitted = 0
Total Broadcast Packets Transmitted = 0
Total Jumbo Packets Transmitted = 0
Total Undersize Packets Transmitted = 0
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
RFNET-IPS# sh configuration
! ------------------------------
! Current configuration last modified Wed Jul 04 16:01:57 2012
! ------------------------------
! Version 7.0(8)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S654.0 2012-06-25
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 172.16.10.235/24,172.16.10.1
host-name RFNET-IPS
telnet-option disabled
access-list 172.16.10.0/24
access-list 172.16.14.0/24
dns-primary-server enabled
address 172.16.10.237
exit
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset -360
standard-time-zone-name GMT-06:00
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 209.114.111.1
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
event-retrieval-policy
enable false
exit
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
Any suggestions would be appreciated
Thanks!
07-05-2012 07:46 AM
Either this is a little weird or I'm looking in the wrong place. If I do a show statistics virtual-sensor I seem to be getting some hits on different sigs:
Per-Signature SigEvent count since reset
Sig 6403.1 = 6
Sig 6409.1 = 17
Sig 6409.2 = 2
Sig 20059.1 = 1453
Sig 21619.1 = 2
Sig 23782.2 = 2
Sig 30260.1 = 3
However, if I go to the IDM, Monitoring, Events, Event Viewer, all I see is health messages from the sensor itself, not signatures.
Any ideas? Thanks.
07-05-2012 09:57 PM
You may edit the above firing signatures. Add Event Action to "produce-alert".
Regards,
Sawan Gupta
07-09-2012 11:59 PM
Raga,
Hope you are doing great. Have you tried with the very basic ones? 2000 and 2004 for ICMP traffic? Enable them and put the action to produce alert.
Then go to Monitoring and set an IP logging. Use the IP addresses that you are trying to ping to make a packet capture (IP logging), start it, send the ping and then stop the IP logging. After that, the IP logging either will disappear (meaning the packets are not getting to the virtual sensor) or appear but the action is not taken.
On the home page you can also see the state of the analysis engine; it normally gets stuck in compiling signatures, but the analysis engine should come back.
We can take it from there.
Mike
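The two replies above (add produce-alert to the signatures that are counting hits, and test with the basic ICMP signatures 2000/2004 plus IP logging) can be done from the sensor CLI instead of IDM. The session below is an added illustration, not something posted in this thread: the command syntax is written from the IPS 7.0 CLI as I know it and should be treated as an assumption to verify against the sensor's own `?` help; the host 172.16.10.50 and the duration values are made up for the example.

```text
! --- Step 1: enable ICMP Echo Request (2004) and Echo Reply (2000) and make them alert ---
RFNET-IPS# configure terminal
RFNET-IPS(config)# service signature-definition sig0
RFNET-IPS(config-sig)# signatures 2004 0
RFNET-IPS(config-sig-sig)# status
RFNET-IPS(config-sig-sig-sta)# enabled true
RFNET-IPS(config-sig-sig-sta)# retired false
RFNET-IPS(config-sig-sig-sta)# exit
RFNET-IPS(config-sig-sig)# engine atomic-ip
RFNET-IPS(config-sig-sig-ato)# event-action produce-alert
RFNET-IPS(config-sig-sig-ato)# exit
RFNET-IPS(config-sig-sig)# exit
! repeat the same block for "signatures 2000 0"
RFNET-IPS(config-sig)# exit
Apply Changes:?[yes]: yes

! --- Step 2: the same fix for a signature that already shows a SigEvent count but no alert ---
! (20059 0 is used here only because it appears in the show statistics output above;
!  check the engine name with "show settings" inside the signature before typing it)
RFNET-IPS(config)# service signature-definition sig0
RFNET-IPS(config-sig)# signatures 20059 0
RFNET-IPS(config-sig-sig)# show settings
! ... note the "engine <name>" line, then:
RFNET-IPS(config-sig-sig)# engine <name-from-show-settings>
RFNET-IPS(config-sig-sig-<engine>)# event-action produce-alert
RFNET-IPS(config-sig-sig-<engine>)# exit
RFNET-IPS(config-sig-sig)# exit
RFNET-IPS(config-sig)# exit
Apply Changes:?[yes]: yes
RFNET-IPS(config)# exit

! --- Step 3: confirm the analysis engine is out of "busy" before testing ---
RFNET-IPS# show statistics analysis-engine
! --- Step 4: capture the test host's packets with IP logging, then ping it from behind the ASA ---
RFNET-IPS# iplog vs0 172.16.10.50 duration 2
RFNET-IPS# iplog-status
! (no log entry for vs0 / 172.16.10.50 means the traffic never reached the virtual sensor)

! --- Step 5: check whether the alert was produced for the ping ---
RFNET-IPS# show events alert past 00:05:00
RFNET-IPS# show statistics virtual-sensor | include 2004
! optional: watch the sensing interface directly while the ping runs
RFNET-IPS# packet display GigabitEthernet0/1 expression icmp
```

If the virtual-sensor counter for 2004.0 increments and `show events alert` stays empty, the signature fired but has no produce-alert action, which is what the first reply points at; if the counter stays at zero and the IP log never fills, the packets are not reaching vs0 and the ASA-side redirect to the module is what to look at next.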