06-26-2012 05:54 AM - edited 03-10-2019 05:42 AM
Hi All
I have IPS module:
Build Version: 1.1 - 7.0(7)E4
ASA 5500 Series Security Services Module-10
Signature Update S652.0 2012-06-20
The ASDM log shows events:
4 Jun 26 2012 18:21:47 193.227.240.38 53 sd-outside 65347 IPS requested to drop UDP packet from outside:193.227.240.38/53 to dmz1:sd-outside/65347
But the IPS doesn't show alerts, so it does not explain why it blocks these packets. DNS queries are blocked only from one network.
! ------------------------------
! Current configuration last modified Tue Jun 26 18:01:58 2012
! ------------------------------
! Version 7.0(7)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S652.0 2012-06-20
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
filters edit PROXY
attacker-address-range 192.168.72.7
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit Q00000
signature-id-range 5684
attacker-address-range 95.190.8.0-95.190.8.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit Q00001
signature-id-range 5684
victim-address-range 95.190.8.0-95.190.8.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit USERS
signature-id-range 1102,5237,2152,5684,2100,5581,3030,6061,3030,11020,5403,5474,20020,60000-60100
attacker-address-range 192.168.0.0-192.168.255.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit USERS2
signature-id-range 5575-5591,2151,21619,2150-2151
attacker-address-range 192.168.0.0-192.168.255.255
victim-address-range 192.168.0.0-192.168.255.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters move PROXY begin
filters move USERS after PROXY
filters move Q00000 after USERS
filters move Q00001 after Q00000
filters move USERS2 after Q00001
general
global-deny-timeout 14400
exit
target-value low target-address 192.168.0.0-192.168.255.255
target-value medium target-address 192.168.1.0-192.168.1.255,192.168.64.0-192.168.64.255,192.168.3.0-192.168.3.49,192.168.65.128-192.168.65.255
target-value high target-address 192.168.72.2-192.168.72.254,192.168.66.0-192.168.67.255,192.168.2.0-192.168.2.255
target-value mission-critical target-address 192.168.65.0-192.168.65.127
os-identification
calc-arr-for-ip-range 192.168.0.0-192.168.255.255
exit
exit
! ------------------------------
service host
network-settings
host-ip 192.168.64.194/24,192.168.64.1
host-name gw1-ips
telnet-option disabled
access-list 192.168.0.0/16
dns-primary-server enabled
address 192.168.66.2
exit
dns-secondary-server enabled
address 192.168.72.19
exit
dns-tertiary-server enabled
address 192.168.72.20
exit
exit
time-zone-settings
offset 360
standard-time-zone-name GMT+06:00
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 192.168.64.1
exit
summertime-option disabled
auto-upgrade
cisco-server enabled
schedule-option calendar-schedule
times-of-day 04:20:00
days-of-week sunday
days-of-week tuesday
days-of-week thursday
days-of-week saturday
exit
user-name dimaonline
cisco-url https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl
exit
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
general
enable-acl-logging true
never-block-networks 192.168.0.0/16
exit
exit
! ------------------------------
service signature-definition sig0
signatures 60000 0
alert-severity low
sig-fidelity-rating 50
sig-description
sig-name XPress Administrator Service
sig-string-info Access to Administrator Service
sig-comment External user open Admin
sig-creation-date 20120622
exit
engine service-http
max-field-sizes
specify-max-uri-field-length no
exit
regex
specify-uri-regex yes
uri-regex [Aa]dministrator[Ss]ervice[.]asmx
exit
exit
service-ports 80
exit
event-counter
event-count 1
event-count-key Axxx
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
summary-interval 15
summary-key Axxx
specify-global-summary-threshold no
exit
exit
vulnerable-os windows-nt-2k-xp
specify-mars-category yes
mars-category Info/Misc/Login
exit
exit
signatures 60000 1
alert-severity low
sig-fidelity-rating 50
sig-description
sig-name Xpress Bridge
sig-string-info Service URL
sig-comment External Access to bridge
sig-creation-date 20120625
exit
engine service-http
regex
specify-uri-regex yes
uri-regex [Bb]ridge[/][Ss]ervice[.]asmx
exit
exit
service-ports 80
exit
event-counter
event-count 1
event-count-key Axxx
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
summary-interval 15
summary-key Axxx
specify-global-summary-threshold no
exit
exit
status
enabled true
exit
specify-mars-category yes
mars-category Info/Misc/Login
exit
exit
signatures 60001 0
alert-severity high
sig-fidelity-rating 90
sig-description
sig-name FreePBX Display Extentions
sig-string-info Acces to Extentions settings
sig-comment Weak Password Detection
sig-creation-date 20120622
exit
engine service-http
event-action produce-alert|deny-attacker-inline
regex
specify-uri-regex yes
uri-regex [/]admin[/]config[.]php
exit
specify-arg-name-regex yes
arg-name-regex display
specify-arg-value-regex yes
arg-value-regex (extensions)|(trunks)
exit
exit
exit
service-ports 80
exit
event-counter
event-count 1
event-count-key Axxx
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
summary-interval 15
summary-key Axxx
specify-global-summary-threshold no
exit
exit
exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
enable-tls false
port 80
exit
! ------------------------------
service anomaly-detection ad0
internal-zone
enabled true
ip-address-range 192.168.0.0-192.168.255.255
tcp
enabled true
exit
udp
enabled true
exit
other
enabled true
exit
exit
illegal-zone
enabled false
tcp
enabled false
exit
udp
enabled false
exit
other
enabled false
exit
exit
ignore
source-ip-address-range 192.168.0.0-192.168.255.255
exit
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
signature-update-policy
enable false
exit
license-expiration-policy
enable false
exit
event-retrieval-policy
enable false
exit
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
06-27-2012 10:17 PM
IPS upgraded to 7.0(8)E4. Problem not resolved.
06-28-2012 01:57 AM
Check the output of
"show statistics virtual-sensor".
It should show which signatures are firing. You can add the action produce-alert for those signatures.
Regards,
Sawan Gupta
06-28-2012 03:03 AM
Per-Signature SigEvent count since reset
Sig 5474.0 = 7
Sig 6131.6 = 44
Sig 6403.1 = 69
Sig 6409.1 = 16
Sig 6409.2 = 52
Sig 20059.1 = 1227
Sig 21619.1 = 212
Sig 23782.2 = 292
Sig 24199.1 = 1
Sig 28481.1 = 5
Sig 30260.1 = 2
There are no UDP signatures.
If I ping with a DNS request (ping -a 193.227.240.38), then the Sig 20059.1 counter increases (Sig 20059.1 = 1321).
But if I disable this signature, the problem does not disappear, and a 420002 alert is also generated in addition:
4 Jun 28 2012 15:56:55 193.227.240.38 0 ASA55xx-outside 0 IPS requested to drop ICMP packet from outside:193.227.240.38/0 to inside:ASA55xx-outside/0
07-02-2012 11:29 AM
dimaonline, signature 20059-1 is a component of signature 20059-0 and is disabled and retired by default. You mentioned that you disabled this signature. Did you enable it earlier ? This component signature detects benign traffic and only functions best as a component signature. It would be possible that this signature may block benign traffic when its enabled. Did you also enable any of the ICMP signatures ? "Ping" uses ICMP as its underlying protocol.
07-02-2012 08:39 PM
The signatures 20059-1 and 20059-0 are not disabled by default. They are on by default now.
I set all signatures to their defaults for troubleshooting this problem:
I have shown the configuration above; there were no changed signatures in it.
07-02-2012 11:05 PM
I set the policy for generation of alerts for all signatures:
Alerts in ASDM:
But no alerts in the IPS:
07-08-2012 08:50 PM
I ran these commands:
show statistics virtual-sensor clear
ping -a 193.227.240.38 (from workstation)
show statistics virtual-sensor:
Virtual Sensor Statistics
Statistics for Virtual Sensor vs0
Name of current Signature-Defintion instance = sig0
Name of current Event-Action-Rules instance = rules0
List of interfaces monitored by this virtual sensor = GigabitEthernet0/1 subinterface 0
General Statistics for this Virtual Sensor
Number of seconds since a reset of the statistics = 48
MemoryAlloPercent = 57
MemoryUsedPercent = 56
MemoryMaxCapacity = 600000
MemoryMaxHighUsed = 401408
MemoryCurrentAllo = 344636
MemoryCurrentUsed = 339771
Inspection Load Percentage = 4
Total packets processed since reset = 116008
Total IP packets processed since reset = 116008
Total IPv4 packets processed since reset = 116008
Total IPv6 packets processed since reset = 0
Total IPv6 AH packets processed since reset = 0
Total IPv6 ESP packets processed since reset = 0
Total IPv6 Fragment packets processed since reset = 0
Total IPv6 Routing Header packets processed since reset = 0
Total IPv6 ICMP packets processed since reset = 0
Total packets that were not IP processed since reset = 0
Total TCP packets processed since reset = 76816
Total UDP packets processed since reset = 39143
Total ICMP packets processed since reset = 49
Total packets that were not TCP, UDP, or ICMP processed since reset = 0
Total ARP packets processed since reset = 0
Total ISL encapsulated packets processed since reset = 0
Total 802.1q encapsulated packets processed since reset = 2
Total GRE Packets processed since reset = 0
Total GRE Fragment Packets processed since reset = 0
Total GRE Packets skipped since reset = 0
Total packets with bad IP checksums processed since reset = 0
Total packets with bad layer 4 checksums processed since reset = 0
Total number of bytes processed since reset = 67447436
The rate of packets per second since reset = 2416
The rate of bytes per second since reset = 1405154
The average bytes per packet since reset = 581
Denied Address Information
Number of Active Denied Attackers = 0
Number of Denied Attackers Inserted = 0
Number of Denied Attacker Victim Pairs Inserted = 0
Number of Denied Attacker Service Pairs Inserted = 0
Number of Denied Attackers Total Hits = 0
Number of times max-denied-attackers limited creation of new entry = 0
Number of exec Clear commands during uptime = 0
Denied Attackers and hit count for each.
Denied Attackers with percent denied and hit count for each.
The Signature Database Statistics.
The Number of each type of node active in the system
Total nodes active = 18998
TCP nodes keyed on both IP addresses and both ports = 3530
UDP nodes keyed on both IP addresses and both ports = 157
IP nodes keyed on both IP addresses = 2163
The number of each type of node inserted since reset
Total nodes inserted = 8821
TCP nodes keyed on both IP addresses and both ports = 1720
UDP nodes keyed on both IP addresses and both ports = 759
IP nodes keyed on both IP addresses = 843
The rate of nodes per second for each time since reset
Nodes per second = 183
TCP nodes keyed on both IP addresses and both ports per second = 35
UDP nodes keyed on both IP addresses and both ports per second = 15
IP nodes keyed on both IP addresses per second = 17
The number of root nodes forced to expire because of memory constraints
TCP nodes keyed on both IP addresses and both ports = 0
Packets dropped because they would exceed Database insertion rate limits = 0
Fragment Reassembly Unit Statistics for this Virtual Sensor
Number of fragments currently in FRU = 0
Number of datagrams currently in FRU = 0
Number of fragments received since reset = 14
Number of fragments forwarded since reset = 14
Number of fragments dropped since last reset = 0
Number of fragments modified since last reset = 0
Number of complete datagrams reassembled since last reset = 7
Fragments hitting too many fragments condition since last reset = 0
Number of overlapping fragments since last reset = 0
Number of Datagrams too big since last reset = 0
Number of overwriting fragments since last reset = 0
Number of Inital fragment missing since last reset = 0
Fragments hitting the max partial dgrams limit since last reset = 0
Fragments too small since last reset = 0
Too many fragments per dgram limit since last reset = 0
Number of datagram reassembly timeout since last reset = 0
Too many fragments claiming to be the last since last reset = 0
Fragments with bad fragment flags since last reset = 0
TCP Normalizer stage statistics
Packets Input = 76819
Packets Modified = 0
Dropped packets from queue = 0
Dropped packets due to deny-connection = 0
Duplicate Packets = 0
Current Streams = 3530
Current Streams Closed = 0
Current Streams Closing = 0
Current Streams Embryonic = 0
Current Streams Established = 0
Current Streams Denied = 0
Total SendAck Limited Packets = 0
Total SendAck Limited Streams = 0
Total SendAck Packets Sent = 0
Statistics for the TCP Stream Reassembly Unit
Current Statistics for the TCP Stream Reassembly Unit
TCP streams currently in the embryonic state = 0
TCP streams currently in the established state = 0
TCP streams currently in the closing state = 0
TCP streams currently in the system = 0
TCP Packets currently queued for reassembly = 0
Cumulative Statistics for the TCP Stream Reassembly Unit since reset
TCP streams that have been tracked since last reset = 0
TCP streams that had a gap in the sequence jumped = 0
TCP streams that was abandoned due to a gap in the sequence = 0
TCP packets that arrived out of sequence order for their stream = 0
TCP packets that arrived out of state order for their stream = 0
The rate of TCP connections tracked per second since reset = 0
SigEvent Preliminary Stage Statistics
Number of Alerts received = 3
Number of Alerts Consumed by AlertInterval = 0
Number of Alerts Consumed by Event Count = 0
Number of FireOnce First Alerts = 0
Number of FireOnce Intermediate Alerts = 0
Number of Summary First Alerts = 2
Number of Summary Intermediate Alerts = 1
Number of Regular Summary Final Alerts = 0
Number of Global Summary Final Alerts = 0
Number of Active SigEventDataNodes = 33
Number of Alerts Output for further processing = 3
Per-Signature SigEvent count since reset
Sig 6409.2 = 1
Sig 21619.1 = 2
SigEvent Action Override Stage Statistics
Number of Alerts received to Action Override Processor = 0
Number Of Meta Components Input = 3
Number of Alerts where an override was applied = 0
Actions Added
deny-attacker-inline = 0
deny-attacker-victim-pair-inline = 0
deny-attacker-service-pair-inline = 0
deny-connection-inline = 0
deny-packet-inline = 0
modify-packet-inline = 0
log-attacker-packets = 0
log-pair-packets = 0
log-victim-packets = 0
produce-alert = 0
produce-verbose-alert = 0
request-block-connection = 0
request-block-host = 0
request-snmp-trap = 0
reset-tcp-connection = 0
request-rate-limit = 0
SigEvent Action Filter Stage Statistics
Number of Alerts received to Action Filter Processor = 0
Number of Alerts where an action was filtered = 0
Number of Filter Line matches = 0
Number of Filter Line matches causing decreased DenyPercentage = 0
Actions Filtered
deny-attacker-inline = 0
deny-attacker-victim-pair-inline = 0
deny-attacker-service-pair-inline = 0
deny-connection-inline = 0
deny-packet-inline = 0
modify-packet-inline = 0
log-attacker-packets = 0
log-pair-packets = 0
log-victim-packets = 0
produce-alert = 0
produce-verbose-alert = 0
request-block-connection = 0
request-block-host = 0
request-snmp-trap = 0
reset-tcp-connection = 0
request-rate-limit = 0
Filter Hit Counts
SigEvent Action Handling Stage Statistics.
Number of Alerts received to Action Handling Processor = 0
Number of Alerts where produceAlert was forced = 0
Number of Alerts where produceAlert was off = 0
Number of Alerts using Auto One Way Reset = 0
Actions Performed
deny-attacker-inline = 0
deny-attacker-victim-pair-inline = 0
deny-attacker-service-pair-inline = 0
deny-connection-inline = 0
deny-packet-inline = 0
modify-packet-inline = 0
log-attacker-packets = 0
log-pair-packets = 0
log-victim-packets = 0
produce-alert = 0
produce-verbose-alert = 0
request-block-connection = 0
request-block-host = 0
request-snmp-trap = 0
reset-tcp-connection = 0
request-rate-limit = 0
Deny Actions Requested in Promiscuous Mode
deny-packet not performed = 0
deny-connection not performed = 0
deny-attacker not performed = 0
deny-attacker-victim-pair not performed = 0
deny-attacker-service-pair not performed = 0
modify-packet not performed = 0
Number of Alerts where deny-connection was forced for deny-packet action = 0
Number of Alerts where deny-packet was forced for non-TCP deny-connection action = 0
Anomaly Detection Statistics
Number of Received Packets:
TCP = 40589
UDP = 16944
Other = 17
TOTAL = 57550
Number of Overrun Packets:
TCP = 0
UDP = 0
Other = 0
TOTAL = 0
Number of Ignored Packets = 58431
Number of Events = 1027
Number of Recurrent Events:
TCP = 276
UDP = 285
Other = 1
TOTAL = 562
Number of Worms = 0
Number of Scanners = 0
Number of Scanners Under Worm = 0
Internal Zone
Number of Events:
TCP = 478
UDP = 541
Other = 7
TOTAL = 1026
Number of Overrun Events:
TCP = 0
UDP = 0
Other = 0
TOTAL = 0
External Zone
Number of Events:
TCP = 0
UDP = 1
Other = 0
TOTAL = 1
Number of Overrun Events:
TCP = 0
UDP = 0
Other = 0
TOTAL = 0
Illegal Zone
Number of Events:
TCP = 0
UDP = 0
Other = 0
TOTAL = 0
Number of Overrun Events:
TCP = 0
UDP = 0
Other = 0
TOTAL = 0
Global Utilization Percentage
Unestablished Connections DB
TCP = 0
UDP = 0
Other = 0
Recurrent Events DB
TCP = 2
UDP = 2
Other = 0
Scanners DB
TCP = 1
UDP = 2
Other = 0
ASDM event log:
4 Jul 09 2012 09:35:47 193.227.240.38 0 ASA55xx-outside 0 IPS requested to drop ICMP packet from outside:193.227.240.38/0 to inside:ASA55xx-outside/0
4 Jul 09 2012 09:35:24 193.227.240.37 53 ASA55xx-outside 33881 IPS requested to drop UDP packet from outside:193.227.240.37/53 to inside:ASA55xx-outside/33881
07-08-2012 09:08 PM
show statistics analysis-engine after resetting the IPS and ping -a 193.227.240.38 (from workstation):
Analysis Engine Statistics
Number of seconds since service started = 325
The rate of TCP connections tracked per second = 0
The rate of packets per second = 1622
The rate of bytes per second = 856866
Receiver Statistics
Total number of packets processed since reset = 527197
Total number of IP packets processed since reset = 527197
Transmitter Statistics
Total number of packets transmitted = 527189
Total number of packets denied = 2
Total number of packets reset = 1
Fragment Reassembly Unit Statistics
Number of fragments currently in FRU = 0
Number of datagrams currently in FRU = 0
TCP Stream Reassembly Unit Statistics
TCP streams currently in the embryonic state = 0
TCP streams currently in the established state = 0
TCP streams currently in the closing state = 0
TCP streams currently in the system = 0
TCP Packets currently queued for reassembly = 0
The Signature Database Statistics.
Total nodes active = 13707
TCP nodes keyed on both IP addresses and both ports = 2488
UDP nodes keyed on both IP addresses and both ports = 180
IP nodes keyed on both IP addresses = 1627
Statistics for Signature Events
Number of SigEvents since reset = 125
Statistics for Actions executed on a SigEvent
Number of Alerts written to the IdsEventStore = 1
Inspection Stats
Inspector active call create delete createPct callPct loadPct
AtomicAdvanced 1 527187 1 0 0 99 7
Fixed 342 37034 28425 28083 5 7 0
MSRPC_TCP 207 13290 4259 4052 0 2 0
MultiString 2710 93354 15300 12590 2 17 49
MultiStringSP 1 117 47 46 0 0 0
ServiceDnsUdp 1 193599 1 0 0 36 0
ServiceGeneric 1 204395 10796 10795 2 38 0
ServiceHttp 1859 36807 7316 5457 1 6 21
ServiceNtp 694 387198 16416 15722 3 73 0
ServiceP2PTCP 62 21659 10795 10733 2 4 0
ServiceRpcUDP 1 193599 1 0 0 36 0
ServiceRpcTCP 2412 68654 10692 8280 2 13 0
ServiceSMBAdvanced 2 161 7 5 0 0 0
ServiceSnmp 1 193602 1 0 0 36 0
ServiceTNS 75 7714 7242 7167 1 1 0
String 2945 101300 15797 12852 2 19 20
SweepICMP 8 216 78 70 0 0 0
SweepTCP 2840 666600 8786 5946 1 126 0
SweepOtherTcp 1456 333300 4522 3066 0 63 0
GlobalCorrelationStats
SwVersion = 7.0(8)E4
SigVersion = 652.0
DatabaseRecordCount = 1864815
DatabaseVersion = 1341805747
RuleVersion = 1341778387
ReputationFilterVersion = 1341803012
AlertsWithHit = 0
AlertsWithMiss = 1
AlertsWithModifiedRiskRating = 0
AlertsWithGlobalCorrelationDenyAttacker = 0
AlertsWithGlobalCorrelationDenyPacket = 0
AlertsWithGlobalCorrelationOtherAction = 0
AlertsWithAuditRepDenies = 0
ReputationForcedAlerts = 0
EventStoreInsertTotal = 1
EventStoreInsertWithHit = 0
EventStoreInsertWithMiss = 1
EventStoreDenyFromGlobalCorrelation = 0
EventStoreDenyFromOverride = 1
EventStoreDenyFromOverlap = 0
EventStoreDenyFromOther = 0
ReputationFilterDataSize = 429
ReputationFilterPacketsInput = 115716
ReputationFilterRuleMatch = 2
DenyFilterHitsNormal = 0
DenyFilterHitsGlobalCorrelation = 0
SimulatedReputationFilterPacketsInput = 0
SimulatedReputationFilterRuleMatch = 0
SimulatedDenyFilterInsert = 0
SimulatedDenyFilterPacketsInput = 0
SimulatedDenyFilterRuleMatch = 0
TcpDeniesDueToGlobalCorrelation = 0
TcpDeniesDueToOverride = 0
TcpDeniesDueToOverlap = 0
TcpDeniesDueToOther = 0
SimulatedTcpDeniesDueToGlobalCorrelation = 0
SimulatedTcpDeniesDueToOverride = 0
SimulatedTcpDeniesDueToOverlap = 0
SimulatedTcpDeniesDueToOther = 0
LateStageDenyDueToGlobalCorrelation = 0
LateStageDenyDueToOverride = 1
LateStageDenyDueToOverlap = 0
LateStageDenyDueToOther = 0
SimulatedLateStageDenyDueToGlobalCorrelation = 0
SimulatedLateStageDenyDueToOverride = 0
SimulatedLateStageDenyDueToOverlap = 0
SimulatedLateStageDenyDueToOther = 0
AlertHistogram
RiskHistogramEarlyStage
RiskHistoEarly RiskVal 94
RepVal 0 = 1
RiskHistogramLateStage
RiskHistoLate RiskVal 94
RepVal 0 = 1
ConfigAggressiveMode = 2
ConfigAuditMode = 0
MaliciousSiteDenyHitCounts
193.227.240.0/23 = 2
MaliciousSiteDenyHitCountsAUDIT
But I don't know what "MaliciousSiteDeny" is!
07-08-2012 09:54 PM
Hello dima,
Looks like this IP address is being denied as a result of reputation filtering; that's why it's showing under
MaliciousSiteDenyHitCounts
193.227.240.0/23 = 2
and that's why packets from this subnet are being dropped.
4 Jul 09 2012 09:35:47 193.227.240.38 0 ASA55xx-outside 0 IPS requested to drop ICMP packet from outside:193.227.240.38/0 to inside:ASA55xx-outside/0
4 Jul 09 2012 09:35:24 193.227.240.37 53 ASA55xx-outside 33881 IPS requested to drop UDP packet from outside:193.227.240.37/53 to inside:ASA55xx-outside/33881
Can you check the output of "show statistics global-correlation" as well?
Alternately, you can disable reputation-filtering feature under service global-correlation and check if your packets are going through.
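The two troubleshooting steps in this thread, diffing the "Per-Signature SigEvent count since reset" block before and after a test ping to see which signature fired, and checking MaliciousSiteDenyHitCounts to see whether the global-correlation reputation filter (not a signature) is dropping the traffic, can be scripted. The following is an added example, not from the thread or from Cisco: it parses the ASA "IPS requested to drop" syslog lines and the two statistics blocks quoted above and attributes each drop to the reputation filter, to a signature whose counter moved, or to neither. The sample lines are taken from the thread, except the 198.51.100.7 line, which is constructed to show the "unexplained" case; all function names are the example's own.

```python
"""Triage 'IPS requested to drop' messages that have no matching IPS alert.

Added example (not from the thread or Cisco). It parses ASA syslog drop
messages, the 'Per-Signature SigEvent count since reset' block of
`show statistics virtual-sensor`, and the MaliciousSiteDenyHitCounts block
of `show statistics analysis-engine`, then attributes each drop either to the
global-correlation reputation filter or to a signature that fired.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# ASA/ASDM message format as quoted in the thread (message id 420002).
DROP_RE = re.compile(
    r"IPS requested to drop (?P<proto>\S+) packet from "
    r"(?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:]+):(?P<dst>[^/]+)/(?P<dst_port>\d+)"
)
SIG_RE = re.compile(r"^\s*Sig (?P<sig>\d+\.\d+) = (?P<count>\d+)\s*$")
CIDR_HIT_RE = re.compile(r"^\s*(?P<net>[\d.]+/\d+) = (?P<hits>\d+)\s*$")

# Sample input: three lines from the thread plus one constructed line (198.51.100.7).
SAMPLE_DROP_LINES = [
    "4 Jun 26 2012 18:21:47 193.227.240.38 53 sd-outside 65347 IPS requested to drop UDP packet "
    "from outside:193.227.240.38/53 to dmz1:sd-outside/65347",
    "4 Jul 09 2012 09:35:47 193.227.240.38 0 ASA55xx-outside 0 IPS requested to drop ICMP packet "
    "from outside:193.227.240.38/0 to inside:ASA55xx-outside/0",
    "4 Jul 09 2012 09:36:01 198.51.100.7 53 ASA55xx-outside 40001 IPS requested to drop UDP packet "
    "from outside:198.51.100.7/53 to inside:ASA55xx-outside/40001",  # constructed
]
# Counter snapshots before and after the test ping, values as reported in the thread.
SAMPLE_SIGS_BEFORE = "Per-Signature SigEvent count since reset\nSig 5474.0 = 7\nSig 20059.1 = 1227\n"
SAMPLE_SIGS_AFTER = "Per-Signature SigEvent count since reset\nSig 5474.0 = 7\nSig 20059.1 = 1321\nSig 6409.2 = 1\n"
# Tail of `show statistics analysis-engine` as quoted in the thread.
SAMPLE_GC_STATS = "ConfigAuditMode = 0\nMaliciousSiteDenyHitCounts\n193.227.240.0/23 = 2\nMaliciousSiteDenyHitCountsAUDIT\n"


def parse_drop_events(lines: Iterable[str]) -> List[dict]:
    """Extract protocol, source and destination from each ASA drop message."""
    events = []
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["src_port"] = int(ev["src_port"])
            ev["dst_port"] = int(ev["dst_port"])
            events.append(ev)
    return events


def parse_sig_counts(text: str) -> Dict[str, int]:
    """Turn 'Sig 20059.1 = 1227' lines into {signature: count}."""
    return {m.group("sig"): int(m.group("count"))
            for m in map(SIG_RE.match, text.splitlines()) if m}


def signatures_that_fired(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Signatures whose counter grew between two snapshots; new signatures count from 0."""
    return {sig: n - before.get(sig, 0) for sig, n in after.items() if n > before.get(sig, 0)}


def parse_malicious_site_denies(text: str) -> Dict[ipaddress.IPv4Network, int]:
    """Collect the 'CIDR = hits' lines under MaliciousSiteDenyHitCounts (stops at the next heading)."""
    nets: Dict[ipaddress.IPv4Network, int] = {}
    in_section = False
    for line in text.splitlines():
        if line.strip() == "MaliciousSiteDenyHitCounts":
            in_section = True
            continue
        if in_section:
            m = CIDR_HIT_RE.match(line)
            if not m:
                break  # e.g. MaliciousSiteDenyHitCountsAUDIT ends the section
            nets[ipaddress.ip_network(m.group("net"))] = int(m.group("hits"))
    return nets


def explain_drops(events: List[dict], denied_nets: Dict[ipaddress.IPv4Network, int],
                  fired: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Attribute each dropped packet to the reputation filter, to signatures, or to neither."""
    results = []
    for ev in events:
        src = ipaddress.ip_address(ev["src_ip"])
        listed = [str(n) for n in denied_nets if src in n]
        if listed:
            reason = f"reputation filter (global correlation), listed net {listed[0]}"
        elif fired:
            reason = "signature(s) fired: " + ", ".join(sorted(fired))
        else:
            reason = "unexplained: no listed net and no signature counter moved"
        results.append((ev["src_ip"], ev["proto"], reason))
    return results


if __name__ == "__main__":
    fired = signatures_that_fired(parse_sig_counts(SAMPLE_SIGS_BEFORE), parse_sig_counts(SAMPLE_SIGS_AFTER))
    nets = parse_malicious_site_denies(SAMPLE_GC_STATS)
    for src, proto, reason in explain_drops(parse_drop_events(SAMPLE_DROP_LINES), nets, fired):
        print(f"{src:16} {proto:5} {reason}")
```

A drop whose source sits in a MaliciousSiteDenyHitCounts network is attributed to the reputation filter even if a signature counter also moved, because reputation denies happen before signature processing and produce no alert in the event store; that is exactly the "drops without alerts" symptom in this thread.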
07-09-2012 12:37 AM
I have switched global-correlation into test mode and the problem has disappeared.
However, how do I determine why this network got into the Malicious Sites list on update-manifests.ironport.com?
07-09-2012 10:49 AM
I have confirmed with the Ironport team that this IP is a known bad host in sensorbase. This is the reason for the traffic from this host being dropped. There might be many reasons for this subnet to be in the list, for example it might be part of a known host controlled by spammers. You will need to reach out to the development team for a confirmation though.