IPS-4240-K9 IDM 6.2 Monitoring Events issue

Ruslan Mansurau
Level 1

Hi, everyone

I've noticed one tangled fact on the IDM Monitoring Events dashboard. It doesn't show the alerts which I notice on the main page Home / Network Security Health sensor circle. In the past 5 minutes the sensor shows, for example, 10 red alerts, but when I switch to the Events dashboard there is nothing in this table...

Several days ago I saw some periodic alerts about signature 4003 - Nmap UDP Sweep. It was happening during the week, and I think that the quantity of real-time alerts on the sensor health circle and in the events table was the same.

The only thing I'm noticing now is signature 3041 and sometimes errorMessage: - the event store wrapped around [IdsEventStore::writeEvent(), index = 19531]  name=errWarning

I've read some notes about this error, but I don't understand what I should change to view real-time alerts and signature 4003 (when IDM worked correctly, it was the main attack). Practically all configuration is at default values. The IPS works in promiscuous mode.

Thanks for any help and advice.

5 Replies

sawgupta
Level 1

Regarding the message "errorMessage: - the event store wrapped around "

Events are stored in a circular buffer. Once the buffer is full, we would simply overwrite the oldest event. If you are seeing multiple such messages, it means that the number of events is really high. You might want to set Alert Frequency > Summary Mode for the signatures which are firing a lot.

Refer to the following link to configure Summary Mode:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080838bcf.shtml#IDM

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta

One more question - how can I find the specific signatures which are firing a lot? Because this message appears in all tables which I choose (Show Monitoring Events dashboard - for example only high, or only medium, or only low notifications).

And could you give me some advice for the initial configuration of the IPS (any books, notes, examples), please? I've explored several on cisco.com, but all I've found is the general capabilities of the IPS.

P.S. For beginners in security :)

For signatures firing a lot, you can use IPS CLI command "show stats virtual-sensor"

or

"show statistics virtual-sensor | be SigEvent count"

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
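To turn that command's output into a short list of signatures worth moving to Summary Mode, here is an added Python example (not from this thread and not Cisco's code). The "Sig <id>.<subsig> = <count>" line layout is assumed, and the sample output is constructed; adjust the regex if your release prints the section differently.

```python
import re

# Constructed sample of the per-signature section of
# "show statistics virtual-sensor | be SigEvent count" (layout assumed).
SAMPLE_OUTPUT = """\
   Per-Signature SigEvent count since reset
      Sig 3041.0 = 48213
      Sig 4003.0 = 917
      Sig 2004.0 = 12
      Sig 3030.0 = 5
"""

# Matches one per-signature counter line: signature id, subsignature id, count.
SIG_LINE = re.compile(r"Sig\s+(\d+)\.(\d+)\s*=\s*(\d+)")


def parse_sigevent_counts(text):
    """Return {(sig_id, subsig_id): event_count} parsed from the CLI output."""
    counts = {}
    for line in text.splitlines():
        m = SIG_LINE.search(line)
        if m:
            sig, subsig, n = m.groups()
            counts[(int(sig), int(subsig))] = int(n)
    return counts


def summarize_candidates(counts, share=0.25, min_events=1000):
    """Rank signatures by event count and keep the ones that dominate the
    event store: at least `share` of all events and at least `min_events`.
    Those are the candidates for Alert Frequency > Summary Mode, which cuts
    the write rate into the circular event store and so reduces wrap-around
    (thresholds are assumed defaults, tune them for your sensor)."""
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    return [(sig, n) for sig, n in ranked
            if total and n / total >= share and n >= min_events]


if __name__ == "__main__":
    for (sig, subsig), n in summarize_candidates(parse_sigevent_counts(SAMPLE_OUTPUT)):
        print(f"Sig {sig}.{subsig}: {n} events -> consider Summary Mode")
```

Paste the real CLI output in place of SAMPLE_OUTPUT; a signature that appears here is also the first one to check with "show events" to decide between summarizing, retiring, or reporting a false positive.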

Thanks one more time.

OK, I've found a big quantity on one signature, but this signature hasn't been changed for producing alerts (by default). So can it cause this wrapping error? Or should I find those signatures which produce alerts to the Monitoring Events dashboard and after that change the state for this alert from Fire All to Summarize, as you said in the first answer?

You can verify the events using command "show events"

- If it is a false positive, then you might want to report it to Cisco TAC.

- Or summarize the signature event.

- If the signature is not relevant then you may retire and disable it.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta