IEV 5.2

rjanakan (Level 1)

Hi,

I have an ASA 5510 with AIP-SSM-10 in my test environment. I have installed IEV 5.2 in one of the servers to analyze the log.

The IEV server is added to IPS acl and has a username and password with Administrator access.

I'm using default filter. However, I don't see any data in IEV. The event realtime graph reports data size as 0 KB and I don't see any data in real-time dashboard too.

Is there any specific configuration needs to be done at IPS or IEV to view the data?

I'd appreciate any insights on this.

Thx in advance.

Regards,

Janakan Rajendran

25 Replies

Hi,

Thank you for the response and all your help. I'm gonna try this and will let you know. I rated this post. Sorry I'm new here and didn't know about it.

-Janakan

Hi,

What protocol or port does IEV use to receive data from the IPS? Does it need an ACL or an entry in the "Logging" setup?

-Janakan Rajendran

You most likely need to set up https access from the Security Monitor to the sensor. Also, I forgot to ask, but did you make sure you added your sensor in the Security Monitor Devices before you attempted to view them in Monitor --> Devices?

Hi,

I just use IEV not Security Monitor. From IEV to IPS, it's a https connection. I can see "Subscription Successfully opened" when I check the "Device Status".

I'm using 'Diesel Test' to simulate a DoS attack and can see TCP FIN connections getting torn down in ASDM. I can also see the activity in HyperTerminal on the IPS when I run "packet display gigabitethernet0/1"...

I hope this proves that my IPS is working.

I'm hoping at least I should see information messages in IEV. No clue yet :-(

-Janakan

So you are scanning from a lower security zone to a higher security zone through the ASA/PIX? Hopefully this is the case.. Because for your SSM module to see the traffic, you must traverse the firewall. Meaning you must go between firewall interfaces. To pick the traffic up, your firewall would also have to allow traffic through on the ports you are testing. Basically your test might be flawed... Can you describe the test setup ie where are you coming from/ going to?

Hi,

I have a test machine (subnet A-public IP) as a host connected to Outside Interface of ASA5510.

I have another machine(Subnet B-private IP) running IIS which is connected to Inside interface of ASA5510. I configured NAT from subnet A to B. I also configured ACL's to allow "any" http/https traffic to go to my inside host. I can access the webpage using public IP from the test machine connected to outside interface.

I have also configured the management interface on the ASA 5510 (subnet C-private IP), through which I'm using ASDM to configure the ASA. I configured the management interface of the IPS module in Subnet C.

I have a machine in Subnet C which has ASDM and IEV and is only connected to the management interfaces of the ASA and IPS through a switch.

    Outside -----> ASA & IPS -----> Inside
    70.x.y.z          |           10.x.y.z
                      |
              Mgmt (IEV & ASDM & syslog server)
                      192.x.y.z

As I said earlier, the syslog server running on the same machine (UDP/514) collects data from the ASA without any trouble.

Hope this gave you an idea of my test setup.

-Janakan

Sounds like it should be able to pick up traffic then... Can you log into the sensor and do a sho config, save it to a file and post it? Perhaps your sensor is not correctly configured... You must do this with the sensor's CLI (try using putty.exe as your SSH client). Then run the command above.

Please find the attachment. In my earlier mail today I have posted the ASA configuration as well.

Looks like none of your signatures are enabled (they might not even be installed at all because they should show up on your sho config output).... You need to login to your sensor via IDM. To do this, https to the sensor's IP. Then go to the signature configuration section and enable/disable the necessary signatures....

Hi,

I have already enabled the signatures I needed. The computer on which IEV is running is on the same subnet as the Management Interface and connected to the ASA through the Management Interface.

Is there a rule that the machine running IEV should be on a specific subnet? The management IP subnet is on the list of Allowed networks on the IPS. The same box running IEV has a syslog server running and it can receive alerts.

Thx again!

-Janakan
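As an added check for the two conditions discussed in this thread (the IEV host must be inside the sensor's allowed networks, and it must reach the sensor over the HTTPS connection IEV subscribes on), the script below is example code written for this page, not Cisco's IEV/IPS code and not the poster's attachment. It assumes the sensor's "sho config" output lists allowed management hosts as "access-list <network/prefix>" lines under the host network settings (assumed syntax); the config excerpt and addresses are constructed samples.

```python
import ipaddress
import socket

# Constructed excerpt in the style of a sensor's "show configuration" output.
# The "access-list <cidr>" line format is an assumption, not taken from the thread.
SAMPLE_SENSOR_CONFIG = """\
service host
network-settings
host-ip 192.0.2.10/24,192.0.2.1
host-name sensor
access-list 192.0.2.0/24
access-list 10.0.0.0/8
exit
exit
"""


def parse_allowed_networks(config_text):
    """Collect the networks named in 'access-list <network/prefix>' lines."""
    nets = []
    for line in config_text.splitlines():
        parts = line.strip().split()
        if len(parts) == 2 and parts[0] == "access-list":
            nets.append(ipaddress.ip_network(parts[1], strict=False))
    return nets


def host_is_allowed(host_ip, allowed_networks):
    """True when the IEV host's address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(host_ip)
    return any(addr in net for net in allowed_networks)


def https_reachable(sensor_ip, port=443, timeout=3.0):
    """Try a plain TCP connect to the sensor's management port (the transport
    IEV's HTTPS event subscription rides on); True if the connection opens."""
    try:
        with socket.create_connection((sensor_ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host_ip, sensor_ip, config_text, check_network=True):
    """Return a list of human-readable findings; an empty list means both
    checks passed. check_network=False skips the live TCP probe."""
    allowed = parse_allowed_networks(config_text)
    findings = []
    if not host_is_allowed(host_ip, allowed):
        findings.append(
            f"{host_ip} is not covered by the sensor's access-list entries: "
            f"{[str(n) for n in allowed]}"
        )
    if check_network and not https_reachable(sensor_ip):
        findings.append(f"TCP/443 to {sensor_ip} is not reachable from this host")
    return findings


if __name__ == "__main__":
    # Constructed sample: IEV host 192.0.2.50 talking to sensor 192.0.2.10.
    for finding in diagnose("192.0.2.50", "192.0.2.10", SAMPLE_SENSOR_CONFIG,
                            check_network=False) or ["no problems found"]:
        print(finding)
```

If the access-list check fails, the fix is on the sensor (add the IEV host's network); if only the TCP/443 probe fails, look at the path between the management host and the sensor's management interface rather than at IEV's filters.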

Hi,

I was running IPS 5.0 which doesn't send events to IEV. I upgraded to 5.1(3) and it works now.

Thanks for your help!

-Janakan Rajendran
