Cisco IPS reporting

seegomaa
Level 1

Hi All,

When I generate the top 10 victim report on the IPS module on an ASA 5520, it shows that the attacker addresses are my local LAN IP addresses and the victims are public IP addresses on the internet. I believe it should be the other way around, so that the victims are on my LAN side.

I have the same in more than one IPS module for different customers.

Please advise

3 Replies

rhermes
Level 7

Have you been performing any analysis on these "attacks"? Are they real or false positives?

If they are real and your attackers and victims are indeed incorrect, you can swap them by editing the signature in question.

- Bob

Thanks Bob for your reply.

I believe that it is incorrect because all attackers are from the LAN side and zero from outside for around 4 months.

So could you explain to me how to swap this in the signature as you mentioned? I'm using the GUI interface.

Thanks,

Using the Java GUI,

Go into the "Configuration" tab, select the "Policies" button (lower left corner)

Expand the tree in the upper left panel: Signature Definitions, sig0, All Signatures

Select the signature you want to edit.

Scroll about halfway down the list of signature settings to "Swap Attacker Victim", check the box and set the value to "yes". Hit "OK" to save this signature and move on to the next signature.

- Bob
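An added example, not part of the thread and not Cisco code: before changing "Swap Attacker Victim" on a signature, the direction pattern in the report can be checked per signature. The alert tuples, signature names and the `INSIDE_NETS` list below are constructed assumptions, not an IPS export format.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumption: the LAN uses RFC 1918 space; replace with the real inside networks.
INSIDE_NETS = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alerts: (signature, reported attacker, reported victim).
ALERTS = [
    ("sig-A", "192.168.10.21", "203.0.113.5"),
    ("sig-A", "192.168.10.34", "198.51.100.7"),
    ("sig-A", "192.168.10.40", "203.0.113.9"),
    ("sig-B", "198.51.100.23", "192.168.10.5"),
    ("sig-B", "192.168.10.21", "203.0.113.5"),
    ("sig-C", "10.1.1.8", "203.0.113.80"),
    ("sig-C", "10.1.1.8", "203.0.113.81"),
]

def side(addr):
    """Classify an address as 'inside' (LAN) or 'outside' (everything else)."""
    ip = ipaddress.ip_address(addr)
    return "inside" if any(ip in net for net in INSIDE_NETS) else "outside"

def direction_by_signature(alerts):
    """Count alerts per signature by reported attacker->victim direction."""
    table = defaultdict(Counter)
    for sig, attacker, victim in alerts:
        table[sig][f"{side(attacker)}->{side(victim)}"] += 1
    return table

def review_candidates(alerts, threshold=0.9):
    """Signatures where at least `threshold` of alerts report a LAN attacker
    and a public victim, with the LAN hosts involved for follow-up analysis."""
    hosts = defaultdict(set)
    for sig, attacker, victim in alerts:
        if side(attacker) == "inside" and side(victim) == "outside":
            hosts[sig].add(attacker)
    result = {}
    for sig, counts in direction_by_signature(alerts).items():
        ratio = counts["inside->outside"] / sum(counts.values())
        if ratio >= threshold:
            result[sig] = {"ratio": ratio, "inside_hosts": sorted(hosts[sig])}
    return result

if __name__ == "__main__":
    for sig, info in review_candidates(ALERTS).items():
        print(sig, f"{info['ratio']:.0%}", info["inside_hosts"])
```

The host list per signature shows whether the LAN-as-attacker pattern is spread across many machines or concentrated on a few, which is the input for the real-versus-false-positive question asked above.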
