Re: IDS/IPS 4250, two sensors, connection status Paused

gmaccisco1 · ‎02-18-2006

Hi,

I have VMS 2.3 and SecMon 2.2 and two IDSs in there. I have noticed that the connection status for the sensors have changed from "Connected TLS" to "Paused". I have gone through database truncation process and all file sizes are good butstill having issues.

I deleted the sensors from the SecMon and added only one sensor, the connection status changed back to connected but it was set to paused in one hour time after adding the one sensor.

I can login to the sensor, i can ping the VMS server from the IDS command prompt and the IDS from the VMS DOS prompt. I have done everything possible to change this condition but none has so far worked.

any thoughts???

Thx,

Masood

Jeffrey Bollinger · ‎02-20-2006

Connection states for RDEP devices are written into a table in the database by the receiver collector object. This means that if the receiver thread hangs or is not currently running, whatever state was last written to the table will be displayed.

"Paused" means that the collector for this device is waiting for the system to clear a large backload of data that is waiting to be inserted into the database. This can occur if the rate of flow of events temporarily overwhelms the receiver and usually indicates that the database has grown too large (more than 2 million IDS or Syslog events) or the system is very busy (servicing event viewer, generating reports, pruning, etc.). It usually takes several minutes (fifteen or more) for the system to recover to the point where it can begin collecting events again.

What sounds like happened here was that the sensors were offline, or at least were not getting events from the MC for a period. Then when you reconnected it the events began to be processed by the receiver process which in turn caused the 'paused' state. As I mentioned above, once it catches up with event processing you should be ok. Of course you'll want to ensure that you regularly prune your IDSMC/SecMon database to prevent this from happening again.

You may also want to look at see how much you're logging. You may still need to tune your signatures down as well and you should not have every signature enabled.

You should also look to upgrade your IDS/IPS software (you didn't mention what version you're on) to the latest service pack (4.1.5 for 4.x and 5.0.5 for 5.0.x)

Thanks,

Jeff

gmaccisco1 · ‎02-20-2006

Hi,

What you explained is what excactly happened. After truncating the database using the DOS commands and upgrading the SecMon to version 2.2 from 2.1 and converting the database to 2.2 and reconfiguring the sensor itself everything started to go back to normal.

I am ruunning version IPS/IDS version 4 signature and S200 signature files on IDS 4250. Is this what you asked for?

the pruning is setup but I have not been able to see what signatures I want to disable and what to have enabled. ids there anything outthere suggesting a signature set for an ONline Business that i can follow? of course that I am aware that even something like that may be 100% accurate but even 80% accuracy will do fine.

Please advise,

Thx,

Masood

Jeffrey Bollinger · ‎02-20-2006

What do you get at 'show version'? It should say 4.1.5S200, correct? If not, you need to apply the latest 4.1.5 service pack:

http://www.cisco.com/cgi-bin/tablebuild.pl/ids4

With regards to what sigs should be enabled, the default settings that come with most signature packs should be sufficient, but of course every network is different and has different needs. Therefore I cannot say which signatures should be enabled/disabled for your network. That is something that you should discover for yourself while tuning the signatures. You'll need to calculate the the possible threats you're facing then compare that with the risk level of leaving a signature disabled or enabled.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#wp31303