08-24-2012 11:45 AM - last edited on 02-13-2020 12:56 PM by Kelli Glass
With Robert Albach
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about security best practices and management for the Cisco Intrusion Prevention System (IPS) with Robert Albach. The Cisco Intrusion Prevention System is a context aware threat prevention system for your networked environments. The module unobtrusively detects and prevents problematic traffic from reaching its target; uses contextual inputs to determine the proper level of response; and tightly integrates with the ASA firewall for greater network security.
Robert Albach is a product manager in the Security Business Unit at Cisco, responsible for intrusion prevention offerings. Before joining Cisco in 2010 he held product management positions for intrusion prevention offerings at Hewlett-Packard/TippingPoint. He has more than 15 years of experience with systems management and security product offerings and has presented at the RSA trade show and other security venues.
Remember to use the rating system to let Robert know if you have received an adequate response.
Robert might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through September 7, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
02-19-2013 07:33 PM
Robert, I appreciate you providing us the SNMP OID for load on the IPS modules for ASA firewalls. I was looking for clarification. Does the OID you've mentioned in the support forum, 1.3.6.1.4.1.9.9.383.1.4.30.0, provide me the same output as when I look at load in IME for that device? Say IME says 5% load for that IPS, is the OID you provided the same info?
Further to this, if we have IPSs that are not on 7.1 and can't support this, what are our other options for reporting load issues back to us? Can we send TRAP alerts when the load reaches a certain level somehow? If so, how do we do that, as it's not clear in the documentation.
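One way a poller can act on that OID when the sensor cannot send traps itself, as an added example that is not from this thread or from Cisco: it parses net-snmp style snmpget output (the "OID = TYPE: value" format is assumed), maps the value onto warning/critical thresholds, and raises an alert only after several consecutive high samples. The OID and its meaning are as quoted in the post above; host, community string and thresholds are placeholders.

```python
import re
import shutil
import subprocess
from typing import Optional

# OID quoted in the post above; that it reports IPS load is the poster's claim, not verified here
LOAD_OID = "1.3.6.1.4.1.9.9.383.1.4.30.0"

# net-snmp prints "OID = TYPE: value"; the exact TYPE label (Gauge32, INTEGER, ...) is assumed
_VALUE_RE = re.compile(r"^\S+\s*=\s*(?:[A-Za-z0-9]+:\s*)?(\d+)\s*$")


def parse_load(snmp_output: str) -> Optional[int]:
    """Extract the integer load from snmpget output; None for timeouts or error lines."""
    for line in snmp_output.splitlines():
        match = _VALUE_RE.match(line.strip())
        if match:
            return int(match.group(1))
    return None


def classify_load(load: int, warn: int = 70, crit: int = 90) -> str:
    """Map a load percentage onto three alert levels (threshold values are placeholders)."""
    if load >= crit:
        return "critical"
    if load >= warn:
        return "warning"
    return "ok"


class LoadMonitor:
    """Alert only after `required` consecutive non-ok samples, so a single spike does not page anyone."""

    def __init__(self, required: int = 3) -> None:
        self.required = required
        self.streak = 0

    def observe(self, load: Optional[int]) -> bool:
        if load is None or classify_load(load) == "ok":
            self.streak = 0  # a failed poll or a healthy sample resets the streak
            return False
        self.streak += 1
        return self.streak >= self.required


def poll_sensor(host: str, community: str) -> Optional[int]:
    """Run snmpget against the sensor (needs net-snmp installed; use SNMPv3 where the sensor supports it)."""
    if shutil.which("snmpget") is None:
        return None
    result = subprocess.run(
        ["snmpget", "-v2c", "-c", community, host, LOAD_OID],
        capture_output=True, text=True, timeout=10, check=False,
    )
    return parse_load(result.stdout)
```

Feed `poll_sensor()` results into `LoadMonitor.observe()` from a cron job or monitoring plugin; the monitor's True result is the point at which to raise the alert.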
02-19-2013 11:37 PM
Hi Robert
Ok - I opened also a TAC case on it yesterday so we'll see - thanks
/ti
02-26-2013 04:38 AM
Hi Robert,
We have an IPS 4260 device with 7.0(8)E4 version software. The IPS software is Linux-based and it has embedded OpenSSH 3.7.1p2. This version of OpenSSH has some vulnerabilities. So my question: does Cisco have a plan to switch to a new version of OpenSSH (e.g. 4.4)?
07-17-2013 01:26 AM
Hi, Robert.
We have a Cisco IPS4255 7.1(7)E4 in promiscuous mode (connected to a switch SPAN port).
The SPAN port monitors traffic from one trunk port with one vlan allowed.
There are a lot of fires of the TCP Segment Overwrite signature (ID:1300/0).
After investigation I think that the df-bit set is the reason for this problem.
We have this topology:
host1(MTU1500) -> LAN (Switch) ->(IPS connected to switch SPAN port)-> local router (route map with DF-bit set) -> ipsec tunnel (with smaller MTU<1500) -> remote router (route map with DF-bit set) -> remote LAN-> host2(MTU1500).
After host1 establishes the tcp connection with host2 it sends the first data segment, and the segment size is too big to go through the ipsec tunnel without fragmentation. At this moment the IPS sees this first data segment.
The local router sends the icmp (need fragmentation, with information on the next hop MTU) packet to host1, and host1 resends the first data segment with a smaller segment size to go through the ipsec tunnel without fragmentation. At this moment the IPS sees the data segment (at least the first 256 bytes) a second time and the TCP Segment Overwrite signature is fired.
I don't know yet how to solve this problem. My experience in IPS is not yet enough.
Maybe there is a method to filter out these alerts.
Thanks
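The retransmission described in that topology, as an added example that is not from this thread or from Cisco: a small model of the overlap check a TCP reassembler can perform, showing why the PMTUD resend (same bytes, shorter segment, same sequence number) is a benign retransmit while a true segment overwrite carries different bytes in the overlapping range. The 256-byte retention, the MTU values and the payloads are constructed assumptions; this is not a claim about how signature 1300/0 is implemented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte (32-bit wrap ignored in this model)
    payload: bytes


def classify_overlap(earlier: Segment, later: Segment, keep: int = 256) -> str:
    """Compare a later segment with an earlier one from the same flow.

    `keep` models a sensor that retains only the first `keep` payload bytes of each
    segment (the poster mentions 256 bytes). Returns one of:
      'disjoint'   - no sequence-space overlap
      'retransmit' - overlapping bytes are identical (benign, e.g. a PMTUD resend)
      'overwrite'  - overlapping bytes differ (the case an overwrite signature should flag)
    """
    e_data, l_data = earlier.payload[:keep], later.payload[:keep]
    start = max(earlier.seq, later.seq)
    end = min(earlier.seq + len(e_data), later.seq + len(l_data))
    if start >= end:
        return "disjoint"
    e_slice = e_data[start - earlier.seq:end - earlier.seq]
    l_slice = l_data[start - later.seq:end - later.seq]
    return "retransmit" if e_slice == l_slice else "overwrite"


def pmtud_resend() -> str:
    """host1 sends a 1460-byte segment, the router answers ICMP 'fragmentation needed'
    (constructed next-hop MTU 1400), and host1 resends the same data as a 1360-byte
    segment starting at the same sequence number: the sensor sees the data twice."""
    data = bytes(range(256)) * 6          # constructed 1536-byte application payload
    first = Segment(seq=1, payload=data[:1460])
    resend = Segment(seq=1, payload=data[:1360])
    return classify_overlap(first, resend)


def real_overwrite() -> str:
    """A second segment covers the same sequence range with different bytes (constructed)."""
    first = Segment(seq=1, payload=b"GET /index.html HTTP/1.1\r\n" + b"A" * 200)
    second = Segment(seq=1, payload=b"GET /other.html HTTP/1.1\r\n" + b"A" * 200)
    return classify_overlap(first, second)
```

A filter that suppresses only the 'retransmit' outcome would silence the PMTUD noise on this SPAN feed without hiding genuine overwrites.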
08-21-2013 07:09 AM
Hi Robert,
We are having an ASA SSM 40 module NIPS at the perimeter network. When I keep the IPS in promiscuous mode then everything is working fine, and when I configure the same module in inline mode then I am not able to take PuTTY or telnet to the internet router.
During inline mode, the IPS is dropping our telnet and SSH traffic and also no event is generated for the same.
We have tried to find the traffic event for the router IP as well as for my system IP. Nothing is showing in the events.
I used the command sh event from the CLI and also checked from ASDM, but am not getting any success.
NIPS IOS version is 7.1(4)E4.
Please help me with troubleshooting this issue.
Thanks
08-21-2013 08:19 AM
Hi Dhreeraj,
If you have Cisco IME, check the real time log while doing ssh/telnet to your router.
Check if any signature is hitting at that time.
Regards,
Prashant
08-21-2013 09:04 AM
Hi Prashant,
Thanks for your response.
We are not having a real time log analysis server, but when I am checking the IPS event logs, it is not showing any dropped traffic for ssh or telnet from my system.
Even I have tried to bypass the traffic from my system to the internet router but no success.
Just want to confirm whether I can bypass the particular defined traffic in the ASA SSM 40 IPS module.
Thanks...
08-22-2013 09:12 PM
Hi Dheeraj,
That is a strange issue...
Can you tell me how you tried to bypass the traffic from your system to the internet router?
If possible, can you post (mail) your IPS configuration?
One thing you can try is event action override... you can create a rule to not block any traffic from your machine (I have not checked it but you can try).
Below is the link for event action override...
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html
Regards,
Prashant
08-23-2013 05:55 AM
Thanks Prashant for your support.
We found that there was a problem with the default sensor, but another internal IPS with the default sensor is working properly. We have deleted the default virtual sensor and created a new virtual sensor (VS0).
The problem is resolved now.
Thanks,
Dheeraj
08-25-2013 07:42 PM
All, we have an ASA 5510 and IPS 4240 and our upload speed is very slow, and sometimes it is not allowing any traffic. I see Deny connection messages on the ASA, and no logs on the IPS, and just found https://supportforums.cisco.com/thread/228118
this section. We just updated the latest signature, still the same. Any idea about that Regex?
08-25-2013 08:28 PM
Is it possible to configure a subscrat rule for all the signatures enabled in IPS?
Thanks
09-09-2013 01:55 PM
Hello Robert,
Is it possible to authenticate Windows AD users with the IPS module on the ASA 5585-X?
Is a CDA necessary to do this, like in the configuration of the CX module?
Thanks
09-18-2013 07:04 AM
Hello,
I have some problems with a 2901 Router because of IPS: when I try to download a file (>5Mb) (hosted in my network) from an external computer it stops in the middle.
I disabled the IPS and everything works perfectly.
I have attached the configuration with IPS enabled.
Current configuration : 10172 bytes
!
! Last configuration change at 20:48:01 UTC Tue Sep 17 2013 by admin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname asdasdasd
!
boot-start-marker
boot system flash0:/c2900-universalk9-mz.SPA.152-4.M4.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
enable secret 5 $1$..aB$asfghdfghdfghdfghG7o/
enable password 7 110dfghdfghdfghC5A
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no process cpu extended history
no process cpu autoprofile hog
!
no ip source-route
ip cef
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.101 192.168.1.254
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 1455.456.567.1 867.546.345.1
default-router 192.168.1.1
!
ip dhcp pool Hossdf1
host 192.168.1.2 255.255.255.0
client-identifier 01d4.asd2.8sdf9.3fs
!
ip dhcp pool swos
host 192.168.1.4 255.255.255.0
client-identifier 04b8.asdff.94dfg7.da
!
!
!
no ip bootp server
ip name-server 455.456.567.1
ip name-server 867.546.345.1
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
ip ips config location flash0:/IPS2013V3 retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips advanced
retired false
!
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
spoofed-acker off
parameter-map type ooo global
tcp reassembly timeout 60
tcp reassembly queue length 64
tcp reassembly memory limit 4096
tcp reassembly alarm off
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1599122921
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1599122921
revocation-check none
rsakeypair TP-self-signed-1599122921
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1599122921
certificate self-signed 01
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO2901/K9 sn Fss456792sX
license boot module c2900 technology-package securityk9
!
!
username sadfmdin privilege 15 secret 5 $1$ZwasdassssssBq.
!
redundancy
notification-timer 60000
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
quit
!
!
!
!
!
no ip ftp passive
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all sdm-nat--1
match access-group 101
class-map type inspect match-all sdm-nat--2
match access-group 102
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
!
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat--1
inspect
class type inspect sdm-nat--2
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
csdb tcp reassembly max-queue-length 128
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
shutdown
!
interface GigabitEthernet0/0
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address 144.45.134.157 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
no cdp enable
no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static 192.168.1.4 85.124.14.138
ip nat inside source static 192.168.1.2 85.124.14.140
ip route 0.0.0.0 0.0.0.0 144.45.134.155
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 144.45.134.157 0.0.0.127 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.4
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.2
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip 144.45.134.157 0.0.0.127 any
no cdp run
!
!
!
!
!
control-plane
!
!
banner login ^CAccess Denied ! ^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 104Dsdasdasdasd18
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
09-22-2013 02:10 AM
Hi,
We have two pairs of NIPS SSP working in active and standby mode.
All four devices (ASA 5545 and ASA 5525 SSP IPS) are showing CPU utilization of 100% on both active and standby devices.
Memory usage is also showing very high utilization.
Kindly help me resolve this issue.
Regards,
Dheeraj
03-27-2016 07:09 AM
Hi Robert
I have a problem with the Add Virtual Sensor window: in the Interfaces part I don't have access to my interfaces and the Assign and Remove buttons are gray (no access). What can I do?