Cisco IPS Manager Express email alerts not working

jason.giambrone · ‎05-27-2011

Cisco IPS Manager Express 7.1.1

device: ASA-SSM-20 7.0.(1) E3

I configured the email notitifications page under Perferences to receive an email for High and Medium events and I can get emails when I do "Send a test Mail". But when a real High or Medium event happens I do not get an email alert. The Risk Rating is set to 60-100. I am seeing Medium or High events that are above 60 on the event monitor but I do not receive and email for them.

Notification Interval: 10 minutes

enabled-Send summarized notifications

enabled-Send detailed notifications

I set the mail server, from address, and recipient address. Am I missing an additional configuration step?

Farrukh Haroon · ‎06-16-2011

Hello Jason

Try resetting the IME service, you might also be hitting a possible bug that others are facing as well.

Please see:

https://supportforums.cisco.com/message/3377686#3377686

Regards

Farrukh

jason.giambrone · ‎06-16-2011

Hi Farrukh

I have tried reseting the IME service with no change with the issue. Thanks for pointing out the other discussion I am particpating in it.

Thanks.

Jason

secureIT · ‎06-16-2011

Hi All,

-check the load on the IPS module cpu/mem
-disable unwanted signatures..

run it to clear the signature statistics in peak hours
" show statistics virtual-sensor clear "

run it after 5 mins in peak hours
"show statistics virtual-sensor "

you can confirm by checking the signature details using below link, there by disable unwanted sigs.

http://tools.cisco.com/security/center/search.x

regards

rajesh

haivrajesh · ‎06-27-2011

Hi

Please check your smptp server settings in IME and also chck your mail server end it is allowing are not.

Rajeswar.

jason.giambrone · ‎06-27-2011

I have checked these settings and as I stated above, the test email works ok but I do not get notifications as events happen.

secureIT · ‎06-29-2011

lets check if there is any time mismatch in ime & ips device, if so surely the said problem will occur..Try rebooting the ips as well as the second step..

jason.giambrone · ‎06-29-2011

Interesting idea checking the time.

I did a show clock:

CDPHE-IPS-1# show clock

14:24:17 UTC Wed Jun 29 2011 (this is correct)

CDPHE-IPS-1#

In the gui though, is has UTC Offset: -420 minutes, (I'm really not sure what this setting means)

Zone name is: Mountain time (which would be correct)

Enable Summertime is enabled.

Thanks for looking at this rajesh!

Jason

secureIT · ‎07-01-2011

Hi,

The time in IPS and IME should be correct and SAME..pls Re-check.

Also let me know if you get something from the SR617971307... The thread posted by me earlier was resolved by changing the time settings..

jason.giambrone · ‎07-01-2011

Sensor time and IME time are the same.

I will let you if\when I get an update on SR617971307. Hopefully soemthing soon.

jason.giambrone · ‎07-11-2011

Resolved.

The source of the problem was Mcafee Access Protection. There are two processes that IME uses to send notifications. IME.EXE and IMEJava.exe. I had an exclusion for IME.exe but I did not realize there were two processes that send notifications. Once we excluded IMEjava.exe from Mcafee Access Protection I started getting notifications. You also have to understand the notifications come from the IME server not the IPS sensor itself.

Jason

secureIT · ‎08-03-2011

Hi Jason,

Thanks for the update...!!!

So you meant to say, you have enabled enpoint security in your IME server viz., Mcafee is it? So you had not checked earlier by disabling the AV or how is it? Could you please share the tests...

regards

--Rajesh