ASK THE EXPERTS - INTRUSION PREVENTION SYSTEMS

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss configuration and troubleshooting IDS/IPS sensors with Madhu Kodali. Madhu is a senior QA engineer on the Intrusion Prevention Systems development team in Austin, Texas, which supports the quality assurance of Cisco's intrusion detection and prevention solutions. He has been with Cisco for 10 years. His expertise lies in intrusion detection and prevention and the associated range of Cisco management products including Cisco IPS Manager Express and Cisco Adaptive Security Device Manager. Madhu holds a master's degree in computer science from the University of Texas at Dallas and currently holds CCSP certification.

Remember to use the rating system to let Madhu know if you have received an adequate response.

Madhu might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through December 23, 2010. Visit this forum often to view responses to your questions and the questions of other community members.


Yes, it is normal for the SSC5 module to take longer for signature updates. The CPU speed for the SSC5 is in the range of 500 MHz, whereas the CPU speed for SSM modules is in the range of 2 GHz, hence updates on SSM modules will be much faster than on the SSC5.

thx

Madhu

Thanks!

learnsec
Level 1

Dear Madhu,

1- How can I configure an IPS-4215 running in inline mode to never deny a certain IP address (or addresses) regardless of the signature fired?

I used an event action filter, but it is based on Signature ID. My question is whether there is a way to configure the IPS to never deny this IP address regardless of the signatures fired.

2- Isn't there a way other than the event action filter?

3- In addition, when an event action filter is configured for a certain IP address, the "use event action override" is bypassed, right? So even if an alarm was fired with risk rating high or a Risk Rating value of 100 (or any other value between 85 and 100), the sensor will never block the IP address, right?

What I mean is, does the event action filter rule override the "signature" action AND override the "event action override" action?

4- One more issue: when using an event action filter to bypass an IP address with a certain port for a certain signature, what should be the value of the attribute named deny percentage? The default value is 100, while in my point of view it should be 0, to mean that 0% of packets are denied; otherwise, the whole action filter will mean nothing.

5- While monitoring the IPS alarms, sometimes the IPS event indicates that an action was taken, like "dropPacket==true" or "deny connection==true". Can I say that if any alarm was fired without mentioning that an action was taken, as mentioned above, then there was no action taken for this alarm?

Also, I noticed sometimes that for a certain alarm, I find the same alarm repeated twice, as the alarm was fired twice for the same IP source and destination, but on the first alarm I find that an action was taken (like "dropPacket==true") while in the second alarm that directly follows the first alarm there is nothing mentioned about any action taken.

Every time an action is taken - regardless of whether the action was taken based on a signature action or based on an event action override - is the action mentioned in the alarm event?

(Note: in IPSs running in promiscuous mode I notice "dropPacket==False")

Thank you

Hi learnsec,

Please see my response inline:

1- How can I configure an IPS-4215 running in inline mode to never deny a certain IP address (or addresses) regardless of the signature fired?

I used an event action filter, but it is based on Signature ID. My question is whether there is a way to configure the IPS to never deny this IP address regardless of the signatures fired.

Madhu - Currently we have a "deny attacker ip-address x.x.x.x" command which denies the address for 60 minutes by default. We don't have a "never deny-attacker" feature, as the same functionality can be achieved through filters. If you create a filter with actions-to-remove "deny-xxxx" with the other settings at default, that should achieve this purpose.

Event-action-filters is the final stage of actions. The flow of addition/subtraction of actions is: signature tuning -> event-action-overrides -> event-action-filters. The signature tuning and overrides will add actions, while the filters will remove actions that were added by tuning and overrides.

2- Isn't there a way other than the event action filter?

Madhu - Please see my response to 1 above.

3- In addition, when an event action filter is configured for a certain IP address, the "use event action override" is bypassed, right? So even if an alarm was fired with risk rating high or a Risk Rating value of 100 (or any other value between 85 and 100), the sensor will never block the IP address, right?

What I mean is, does the event action filter rule override the "signature" action AND override the "event action override" action?

Madhu - Please see my response to 1 above.

4- One more issue: when using an event action filter to bypass an IP address with a certain port for a certain signature, what should be the value of the attribute named deny percentage? The default value is 100, while in my point of view it should be 0, to mean that 0% of packets are denied; otherwise, the whole action filter will mean nothing.

Madhu - By definition, Deny-percentage applies to non-TCP packets from a particular IP address. Say you configured 30% for this variable; then 70% of the packets from this source IP address will be inspected as normal packets. If these packets cause alerts, they can cause further deny actions. TCP packets are denied at 100% regardless of the deny percentage setting. Each packet will register counters in the data node, and these counters will be used to calculate the per-packet percentage. For example, if a setting of DenyPercentage 50 is used, every other non-TCP packet will be sent through the inspection channel and possibly transmitted through the inline pair.

Looks like you have a point here when we have a default value of 100% under filters. The logic goes counter-intuitive here, and let me do a couple of tests to evaluate the actual behavior. However, it would be good to leave it at the default value until you are sure of what you want to achieve.

5- While monitoring the IPS alarms, sometimes the IPS event indicates that an action was taken, like "dropPacket==true" or "deny connection==true". Can I say that if any alarm was fired without mentioning that an action was taken, as mentioned above, then there was no action taken for this alarm?

Madhu - Yes, that would be a safe assumption. If you are seeing an alarm without an action, then there was no action taken for this event. However, there are some silent actions like denies which can happen without producing alerts. There are other methods to check if the packets are getting denied without producing alerts.

Also, I noticed sometimes that for a certain alarm, I find the same alarm repeated twice, as the alarm was fired twice for the same IP source and destination, but on the first alarm I find that an action was taken (like "dropPacket==true") while in the second alarm that directly follows the first alarm there is nothing mentioned about any action taken.

Madhu - Can you check if the second alarm was a summary alert? A summary alert will not show the deny actions, though the action will apply to all intermediate events.

Every time an action is taken - regardless of whether the action was taken based on a signature action or based on an event action override - is the action mentioned in the alarm event?

(Note: in IPSs running in promiscuous mode I notice "dropPacket==False")

Madhu - That is right. Irrespective of the trigger, the alarm event which produced an alert will always have that action mentioned. For promiscuous mode, the denyPacket will be mentioned as "denyPacketRequestedButNotPerformed" on the alert.

Hope this helps
Madhu
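The action precedence Madhu describes (signature actions, then overrides that only add, then filters that only remove) as a small Python model. This is an added illustration, not Cisco code; the override threshold, the trusted address 192.0.2.10 and the simplified field names are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the pipeline described above: signature actions ->
# event-action-overrides (add) -> event-action-filters (remove). Field names
# are simplified for illustration, not the sensor's own CLI keywords.

@dataclass
class Alert:
    sig_id: int
    attacker: str
    risk_rating: int
    actions: set = field(default_factory=set)  # actions set by signature tuning

@dataclass
class Override:
    """Adds an action when the alert's risk rating lies in [min_rr, max_rr]."""
    action: str
    min_rr: int = 90
    max_rr: int = 100

@dataclass
class Filter:
    """Removes actions for alerts from a matching attacker address, for every
    signature unless sig_ids restricts it, within the risk-rating range."""
    attacker_net: str
    actions_to_remove: set
    sig_ids: Optional[set] = None  # None = any signature
    min_rr: int = 0
    max_rr: int = 100

def resolve_actions(alert: Alert, overrides: list, filters: list) -> set:
    """Final action set: overrides only add, filters only remove."""
    actions = set(alert.actions)
    for o in overrides:
        if o.min_rr <= alert.risk_rating <= o.max_rr:
            actions.add(o.action)
    for f in filters:
        in_net = ip_address(alert.attacker) in ip_network(f.attacker_net)
        sig_ok = f.sig_ids is None or alert.sig_id in f.sig_ids
        if in_net and sig_ok and f.min_rr <= alert.risk_rating <= f.max_rr:
            actions -= f.actions_to_remove
    return actions

# Assumed override: add deny-packet-inline for RR 90-100. Constructed filter for
# a trusted host: strip all deny actions, any signature, any RR, keep the alert.
OVERRIDES = [Override("deny-packet-inline", 90, 100)]
DENY_ACTIONS = {"deny-packet-inline", "deny-connection-inline", "deny-attacker-inline"}
FILTERS = [Filter("192.0.2.10/32", DENY_ACTIONS)]
```

The trusted host keeps producing alerts but never ends up with a deny action, whatever the signature or risk rating; every other source still gets the deny actions that tuning and the override add.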

paahmad
Level 1

Hi,

Many times the IPS triggered with source 0.0.0.0 and destination 0.0.0.0 (Impossible Packet). I saw on the IPS that there was no summary event enabled.

Is there any way to find the root cause?

Thanks,

Hi Parvez,

Usually these addresses are seen on summary alerts for some signatures. Summarization is enabled by default, depending on the sigs.

But it is also possible that you are seeing Sig 1102 subsig 0 firing. This Sig looks for source IP address = destination IP address and classifies it as "Impossible IP packet". To do more forensics, you can add an action of log-pair-packets or produce-verbose-alert, which can help us find the root cause.

ugabichipaopao
Level 1

Hello,

I installed Cisco IME 7.0.3 on 2 computers with 3 GB of memory.

I have the following error message:

Could not verify config username/password [IOEXception - Aythentication failure]

When connecting to my devices, I have this error only from one of these PCs. From the second PC I have no problem at all with connection/authentication.

I am sure that my credentials are correct. Allowed host also added correctly.

Please help me to solve this issue.

Thank you!

2 files attached

We will need answers to some of the questions here before we can proceed further:

- Can you please check if you can start IDM on the computer where you are seeing this error?

- Could you add another sensor on this IME?

- Can you try without using different credentials for the subscription service (basically only one username and password)?

- If you can send us the IME logs from this location, C:\Program Files\Cisco Systems\Cisco IPS Manager Express\log, that would help us debug the issue.

thx

Madhu

Hi Mkodali

- Can you please check if you can start IDM on the computer where you are seeing this error:

Yes, I can. No problem at all with IDM.

- Could you add another sensor on this IME:

No, I tried to add 3 sensors and the result was the same.

- Can you try without using different credentials for the subscription service (basically only one username and password):

I tried all variants, but the problem repeated.

- If you can send us the IME logs from this location, C:\Program Files\Cisco Systems\Cisco IPS Manager Express\log, that would help us debug the issue:

Yes, attached.

Thank you!

BR,

Maxim

Looks like there may be some issue with the IME services or local settings.

IME should have 2 services running at all times:

  • Cisco IPS Manager Express
  • MySQL-IME

Can you please check the Windows services applet to see if both are running?

The machine where IME is installed must meet requirements specified in the installation guide. For 7.x IME, the requirements are published here:

The Java version installed on the machine is not relevant since IME runs its own JRE.
The machine should always have at least 100 GB of free hard disk space, not just when installing, but when IME is running.
If the machine does not meet the requirements, bring it up to spec or switch to another machine that does meet requirements.

IME service stops when the user logs off for IME version 7.0.2 and earlier. If this is the case, reboot the machine, login and then upgrade the user to 7.0.3 before proceeding.

To eliminate any issue with the database, the database error file should be collected. For default installations the file will be found here:

C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\data\(hostname).err

For local settings, these are some basic checks to be done:

  • Is there a local firewall that needs to be configured or disabled?
  • Check IE/Internet Options/ Connections/LAN Settings. If you are using a different default browser, then go to the connections configuration panel for that browser.
  • Are local services restricted by the firewall?
  • Is the ability of the service to accept an X509 certification restricted by a policy in the registry?
    For example, you may have a modified MS Group Policy setting:
    Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities > To perform certificate-based authentication of users and computers, CA's must meet the following criteria: Registered in Active Directory only.

Once we get the above information we can troubleshoot the issue further.

thx

Madhu

pcoughlin01
Level 1

Hi Madhu, I'm looking for information about setting up the detection zones in anomaly detection correctly. I have an IPS4240 with two virtual sensors, VS0 and VS1. VS0 is inline on the inside link of our firewall, and VS1 is inline on the outside link of our firewall. Within the zone configuration for anomaly detection of each virtual sensor, what IP addresses do I configure for the internal zone? I currently have the inside sensor VS0 configured with the private internal IP addresses as the internal zone, and the external sensor VS1 is configured with the outside address space of the firewall as the internal zone. Is this the correct way to configure it? I wasn't sure if the sensor would get confused internally with this setup.

Since you have two virtual sensors, vs0 and vs1, receiving traffic from different inline pairs, there will not be any issue with how you have deployed it. But if you are expecting to see Internet addresses on the outside link of the firewall, I would suggest having those addresses configured under the "external" zone for consistency purposes.

thx

Madhu

Thanks Madhu. Yes, we're expecting to see Internet addresses on the outside of both sensors, however the internal zones will be different. The inside sensor is configured with the internal private addresses in the internal zone, and the external zone is at the default, which I believe is all other addresses. The outside sensor is set up similarly, but this is where I'm unsure. Currently for the outside sensor I have defined the outside subnet on the firewall, which is public addresses, as the internal zone, and the external zone is at the default like the internal sensor, which is all other addresses. Is this correct for the outside sensor?

Thanks,

Pat

I think what you have makes perfect sense. For the outside sensor, the outside subnet of the firewall is your internal zone now and all other addresses are the external zone. That configuration should work fine, as there are no restrictions on what kind of addresses you define for each zone.

thx

Madhu

ipagliani
Level 1

Hello Madhu,

I'd like to confirm that it isn't possible to block Skype with a signature on the IPS. Is that right?

Do you know if HTTPS inspection will be possible on the appliance?

Regards,

Iarno
