09-25-2012 09:10 AM - edited 03-10-2019 05:47 AM
Our Internal Auditor is asking for a copy of the logs or a report from our IPS showing that it is indeed keeping bad guys out. If you have had this same request, what info have you provided?
09-25-2012 10:06 PM
Hi,
You may provide the list of signatures that have fired.
From the CLI, issue "show stats virtual-sensor | inc Sig"; this will give you the list of all signatures that fired.
Regards,
Sawan Gupta
09-27-2012 06:25 AM
Hi,
I ran this command on a recently enabled AIP-SSM-10 module and it reports several signatures have fired. However, when I run a report or check the event monitor in IME all I see are events for the NetBIOS 5575/0 signature and the ICMP signatures (2000.0 and 2004.0) that I enabled for testing purposes. Any idea why the other signatures do not appear in my report?
show statistics virtual-sensor | inc Sig
Name of current Signature-Defintion instance = sig0
The Signature Database Statistics.
SigEvent Preliminary Stage Statistics
Number of Active SigEventDataNodes = 26
Per-Signature SigEvent count since reset
Sig 2000.0 = 73
Sig 2004.0 = 122
Sig 3653.0 = 40468
Sig 5575.0 = 669
Sig 6131.6 = 788554
Sig 6250.1 = 2504
Sig 16297.0 = 29
Sig 21619.1 = 5299
Sig 23782.2 = 17
SigEvent Action Override Stage Statistics
SigEvent Action Filter Stage Statistics
SigEvent Action Handling Stage Statistics.
Thanks,
Jeff
09-27-2012 08:52 PM
Jeff,
Do the other signatures have "Produce Alert" as one of their actions?
Luis Silva
09-28-2012 05:34 AM
Luis,
Thanks for the reply. You are correct, they are not set to alert, and that is why I am not seeing anything in the event monitor or reports. Thanks again for the response!
Jeff
09-30-2012 09:20 AM
You are welcome!
Luis Silva
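The reconciliation this thread arrives at can be scripted for an audit report. The following is an added example, not part of the original posts or any Cisco tooling: it parses the per-signature counters from the CLI output quoted above and marks which fired signatures have no matching events in IME. The `SEEN_IN_IME` set is an assumption, filled in by hand from the three signatures Jeff reported seeing (treating his "5575/0" as Sig 5575.0), and all function names are hypothetical.

```python
import re

# Constructed input: the CLI output quoted in the thread above.
CLI_OUTPUT = """\
Name of current Signature-Defintion instance = sig0
Number of Active SigEventDataNodes = 26
Per-Signature SigEvent count since reset
Sig 2000.0 = 73
Sig 2004.0 = 122
Sig 3653.0 = 40468
Sig 5575.0 = 669
Sig 6131.6 = 788554
Sig 6250.1 = 2504
Sig 16297.0 = 29
Sig 21619.1 = 5299
Sig 23782.2 = 17
SigEvent Action Override Stage Statistics
"""

# Assumption: signature IDs copied by hand from the IME event monitor.
SEEN_IN_IME = {"2000.0", "2004.0", "5575.0"}

# Matches only "Sig <id>.<subsig> = <count>", not the "SigEvent ..." headers.
SIG_LINE = re.compile(r"^\s*Sig\s+(\d+\.\d+)\s*=\s*(\d+)\s*$")

def parse_sig_counts(text):
    """Return {"sigid.subsig": count} from the per-signature counter lines."""
    counts = {}
    for line in text.splitlines():
        m = SIG_LINE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts

def reconcile(counts, seen_in_ime):
    """Split fired signatures into those with IME events and those without."""
    visible = {s: n for s, n in counts.items() if s in seen_in_ime}
    silent = {s: n for s, n in counts.items() if s not in seen_in_ime}
    return visible, silent

def audit_report(counts, seen_in_ime):
    """Build a text table of fire counts, highest first, with an IME column."""
    visible, silent = reconcile(counts, seen_in_ime)
    rows = ["sig         fired  in_ime"]
    for sig, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        rows.append(f"{sig:<10}{n:>7}  {'yes' if sig in visible else 'NO'}")
    rows.append(f"{len(silent)} of {len(counts)} fired signatures have no IME events")
    return "\n".join(rows)

if __name__ == "__main__":
    print(audit_report(parse_sig_counts(CLI_OUTPUT), SEEN_IN_IME))
```

Signatures marked `NO` are the ones to check for a missing "Produce Alert" action before handing event reports to an auditor.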