We have a local syslog server which listens on UDP port 514. As many UDP frames have been cut, I've done some investigation and found dropped packets (action requested by IPS). This was signature 1206.0, which is "IP Fragment Too Small". I have created a new entry in IPS Policies to filter this out, but it didn't help. As a test I have disabled the signature completely and all frames have been delivered fine. Another thing I've tried was bringing the new action filter to the top and enabling the "Stop on Match" option. Still the same. The only solution is to disable the signature, but we can't do that.
This is ASA-SSM-20 installed on ASA 5520 version 7.1(6)E4, mode: inline
Bug search tool didn't show any related bugs.
I have checked database integrity and get "No errors found while performing database integrity checks."
My questions are:
1. What can cause an action to be ignored on IPS?
2. Is it worth using the "Repair Database" tool? If yes, what is the impact?
3. Is it possible to check hit counts on each action filter?
By default, the Summarizer is enabled. If you disable it, all signatures are set to Fire All with no summarization. If you configure individual signatures to summarize, this configuration will be ignored if the Summarizer is not enabled.
Just for a test..
Inside the Sensor Management, Blocking, Blocking Properties.
Add the IP as Never Block, just for a test..
Anyway, don't you think that you should update your version?
Hum... Very weird, I've never seen it before!
I think you have a mismatched configuration, like, something is not matching with anything so the filter does not apply..
I know you did, but, maybe a new double-check in the configuration? Src Addr, Signature ID... Is everything correct?
Filter settings below:
The filter works partially as I don't get alerts on the IPS itself.
4 Feb 14 2014 15:33:22
IPS LOG (when enabled):
evIdsAlert: eventId=1352793300955167909 vendor=Cisco severity=low
time: Feb 14, 2014 15:33:22 UTC offset=0 timeZone=GMT00:00
signature: description=IP Fragment Too Small id=1206 version=S212 type=anomaly created=20030801
sigDetails: Too many small IP fragments in datagram
addr: 172.x.x.x locality=OUT
addr: x.x.x.x locality=OUT
os: idSource=unknown type=unknown relevance=relevant
alertDetails: InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ;
riskRatingValue: 50 targetValueRating=medium attackRelevanceRating=relevant
interface: GigabitEthernet0/1 context=single_vf physical=Unknown backplane=GigabitEthernet0/1
Our next step is to make a service policy exception on the firewall itself. We are also considering reloading the IPS device or at least the analysis engine.
Thanks for all your help so far. Any more suggestions are most welcome. I'll keep you up to date.
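Picking up the earlier reply's advice to double-check the source address and signature ID in the filter, and the question about hit counts per filter: the following is an added Python example, not code from this thread or from Cisco. It parses evIdsAlert records in the text layout shown above, tallies them per signature and per address pair, and lists which events a filter keyed on (signature ID, source, destination) would match and which it would miss. The log records are constructed for the example (documentation-range addresses, made-up eventIds), and the first/second `addr` lines are taken as source/destination in the order the sensor prints them.

```python
import re
from collections import Counter

# Constructed sample in the text layout shown in the thread (addresses are
# documentation ranges, eventIds are made up).
SAMPLE_LOG = """\
evIdsAlert: eventId=1000000000000000001 vendor=Cisco severity=low
time: Feb 14, 2014 15:33:22 UTC offset=0 timeZone=GMT00:00
signature: description=IP Fragment Too Small id=1206 version=S212 type=anomaly created=20030801
sigDetails: Too many small IP fragments in datagram
addr: 172.16.0.10 locality=OUT
addr: 192.0.2.20 locality=OUT
os: idSource=unknown type=unknown relevance=relevant
alertDetails: InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ;
riskRatingValue: 50 targetValueRating=medium attackRelevanceRating=relevant
interface: GigabitEthernet0/1 context=single_vf physical=Unknown backplane=GigabitEthernet0/1
evIdsAlert: eventId=1000000000000000002 vendor=Cisco severity=low
time: Feb 14, 2014 15:33:23 UTC offset=0 timeZone=GMT00:00
signature: description=IP Fragment Too Small id=1206 version=S212 type=anomaly created=20030801
sigDetails: Too many small IP fragments in datagram
addr: 172.16.0.10 locality=OUT
addr: 192.0.2.20 locality=OUT
riskRatingValue: 50 targetValueRating=medium attackRelevanceRating=relevant
evIdsAlert: eventId=1000000000000000003 vendor=Cisco severity=low
time: Feb 14, 2014 15:33:24 UTC offset=0 timeZone=GMT00:00
signature: description=IP Fragment Too Small id=1206 version=S212 type=anomaly created=20030801
sigDetails: Too many small IP fragments in datagram
addr: 172.16.0.11 locality=OUT
addr: 192.0.2.20 locality=OUT
riskRatingValue: 50 targetValueRating=medium attackRelevanceRating=relevant
"""

# key=value pairs; a value runs until the next " key=" token or end of line,
# so multi-word values such as "IP Fragment Too Small" survive intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# Free text before the first key=value pair (an address, a timestamp, ...).
MAIN_RE = re.compile(r"^(.*?)(?=\s*\w+=|$)")


def parse_line(line):
    """Split 'field: main attr=val ...' into (field, main, {attr: val})."""
    field, _, rest = line.partition(":")
    rest = rest.strip()
    m = MAIN_RE.match(rest)
    main = m.group(1).strip()
    # strip the quotes and trailing ';' seen on the alertDetails line
    attrs = {k: v.strip(' ";') for k, v in KV_RE.findall(rest[m.end():])}
    return field.strip(), main, attrs


def parse_alerts(text):
    """Group evIdsAlert text lines into one dict per alert."""
    alerts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        field, main, attrs = parse_line(line)
        if field == "evIdsAlert":
            alerts.append({"eventId": attrs.get("eventId"),
                           "severity": attrs.get("severity"),
                           "addr": [], "fields": {}})
        elif alerts:
            if field == "addr":
                alerts[-1]["addr"].append(main)
            else:
                alerts[-1]["fields"][field] = {"value": main, **attrs}
    return alerts


def count_by_signature(alerts):
    """Hit count per (signature id, description)."""
    c = Counter()
    for a in alerts:
        sig = a["fields"].get("signature", {})
        c[(sig.get("id"), sig.get("description"))] += 1
    return c


def count_by_addr_pair(alerts, sig_id):
    """Hit count per (first addr, second addr) for one signature id."""
    c = Counter()
    for a in alerts:
        if a["fields"].get("signature", {}).get("id") == sig_id and len(a["addr"]) >= 2:
            c[(a["addr"][0], a["addr"][1])] += 1
    return c


def filter_would_match(alerts, sig_id, src_addr, dst_addr):
    """Return (matched, missed) eventIds for a filter keyed on sig id, src, dst,
    so a filter that 'does not apply' can be compared with what actually fires."""
    hit, miss = [], []
    for a in alerts:
        if a["fields"].get("signature", {}).get("id") != sig_id:
            continue
        if len(a["addr"]) >= 2 and a["addr"][0] == src_addr and a["addr"][1] == dst_addr:
            hit.append(a["eventId"])
        else:
            miss.append(a["eventId"])
    return hit, miss


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for key, n in count_by_signature(alerts).items():
        print("signature", key, "hits:", n)
    for key, n in count_by_addr_pair(alerts, "1206").items():
        print("pair", key, "hits:", n)
    print("filter 172.16.0.10 -> 192.0.2.20:", filter_would_match(alerts, "1206", "172.16.0.10", "192.0.2.20"))
```

Running it over the sensor's own exported alert text (with the IPS log enabled as above) shows the third event coming from a second source address, which a filter written for only the first source would leave unfiltered; that is the kind of mismatch a per-pair tally makes visible when the sensor offers no per-filter hit counter.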
I configured the service policy rule on the firewall to bypass IPS. Still the same.
The only option that works is to disable the signature.
Any more ideas?