09-18-2013 12:28 AM - edited 03-10-2019 06:03 AM
Hi,
One of our customers complained that the inspection load (3-5%) he is seeing under ASDM is not what he usually sees. He thinks it is too low and he expects it to be at least 30% as it was before.
We want to check if IPS is performing its duty, as in if it is inspecting the traffic properly. What's the best way to check it apart from "show interface" and "sh stat virtual" output?
Customer says he can't see any events generated as well.
Any response appreciated.
Regards
Chhavi
09-18-2013 03:51 AM
Hi Chhavi,
You can find the desired info at the below mentioned link:
Regards,
Anim Saxena
Community Manager
09-20-2013 10:55 AM
That IPS Testing page shows you a number of things to verify that your IPS is running. In addition to that, I always like to have it actually catch something bad - or maybe something that's not bad but that looks bad like intentionally infecting a machine with something... install a back door perhaps. There are also some HTTP signatures that are fairly simple to generate hits on. I'm working on an issue right now where we were doing just that type of testing and I installed Poison Ivy behind the ASA and it DID NOT catch it. But, the IDS is catching other issues so we're pretty sure it is inspecting traffic. We have a case open on that... seems like there isn't a signature but that's a side issue. I can't test this at the moment but how about going to http://www.somesite.com/index.htm?union%20select - I think that should trip an SQL signature. In fact, I'd like to build a library of things like that to use in testing an IDS. For a Snort-based IDS, going to http://www.testmyids.com will give you a hit because it's just a simple page that looks like you compromised a box.