3022 Views, 0 Helpful, 21 Replies

IPS-SSM10-Events

Anukalp S
Level 1

Hi,

I had been running the IPS fine until around a week ago, but over the past week my IPS license has expired and I have noticed that the event logs are not showing.

Could you please advise whether the event logs are not showing because of the license expiration? (attachment: a111.png)

Accepted Solution

access-list IPS_acl extended permit ip any any
!
class-map IPS_class
 match access-list IPS_acl
!
policy-map IPS_policy
 class IPS_class
  ips promiscuous fail-open
!
service-policy IPS_policy global

21 Replies

Thulasi Shankar
Level 1

Hi Anukalp,

Ideally, events should be generated after a signature triggers. I am wondering if you had an opportunity to check whether the signatures are in fact being triggered.

Execute "show statistics virtual-sensor clear" to clear the virtual sensor statistics.

To identify the signature triggered :

sensor# sh statistics virtual-sensor | beg Per-Sig

You can quickly test the same by enabling the ICMP signature and initiating a ping across the sensor.

    configure terminal
    service signature-definition sig0
     signatures 2004 0
      engine atomic-ip
       event-action produce-alert
       exit
      alert-frequency
       summary-mode fire-all
        exit
       exit
      status
       enabled true
       retired false
       exit
      exit
     exit

Execute "show stat vi | beg Per-Sig" to check that the signature triggered. Now you can check the corresponding events as well.

You may disable and retire the same signature after testing.

Thanks and Regards,

Thulasi Shankar
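The check described in the post above, as an added Python example that is not part of the original thread or of Cisco's tooling: it reads saved "show statistics virtual-sensor" output and reports whether the test signature (2004/0 by default) fired and whether any alert reached the action-handling stage. Both samples are constructed; the first mirrors the all-zero output posted later in this thread, the second is what a successful four-ping test is assumed to look like. The "Sig 2004.0 = 4" line format for per-signature counts is an assumption, so adjust SIG_LINE to the exact format your sensor version prints.

```python
"""Decide from saved "show statistics virtual-sensor" output whether the
ICMP test signature fired. Added example; not Cisco tooling."""
import re
from typing import Dict, Tuple

# Constructed sample shaped like the output pasted later in this thread:
# empty per-signature list, every counter zero.
NO_HITS = """\
         Per-Signature SigEvent count since reset
      SigEvent Action Override Stage Statistics
         Number of Alerts received to Action Override Processor = 0
         Actions Added
            produce-alert = 0
      SigEvent Action Handling Stage Statistics.
         Number of Alerts received to Action Handling Processor = 0
         Actions Performed
            deny-packet-inline = 0
            produce-alert = 0
         Deny Actions Requested in Promiscuous Mode
            deny-packet not performed = 0
"""

# Constructed sample for a successful four-ping test. The "Sig 2004.0 = 4"
# line format is an assumption about how the sensor lists per-signature counts.
FOUR_PINGS = """\
         Per-Signature SigEvent count since reset
            Sig 2004.0 = 4
      SigEvent Action Override Stage Statistics
         Number of Alerts received to Action Override Processor = 4
      SigEvent Action Handling Stage Statistics.
         Number of Alerts received to Action Handling Processor = 4
         Actions Performed
            produce-alert = 4
         Deny Actions Requested in Promiscuous Mode
            deny-packet not performed = 0
"""

SIG_LINE = re.compile(r"^\s*Sig\s+(\d+)(?:\.(\d+))?\s*=\s*(\d+)\s*$")
HANDLED = re.compile(r"Number of Alerts received to Action Handling Processor\s*=\s*(\d+)")


def parse_virtual_sensor_stats(text: str) -> Tuple[Dict[Tuple[int, int], int], int, Dict[str, int]]:
    """Return (per-signature counts keyed by (sig, subsig), number of alerts
    that reached the action-handling stage, actions actually performed)."""
    per_sig: Dict[Tuple[int, int], int] = {}
    performed: Dict[str, int] = {}
    handled = 0
    in_per_sig = in_performed = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Per-Signature SigEvent count since reset"):
            in_per_sig = True
            continue
        if in_per_sig:
            m = SIG_LINE.match(line)
            if m:
                per_sig[(int(m.group(1)), int(m.group(2) or 0))] = int(m.group(3))
                continue
            in_per_sig = False  # first non-signature line ends the list
        m = HANDLED.search(s)
        if m:
            handled = int(m.group(1))
        if s == "Actions Performed":
            in_performed = True
            continue
        if in_performed:
            if "=" in s and not s.startswith("Number"):
                key, val = s.split("=", 1)
                performed[key.strip()] = int(val)
            else:
                in_performed = False  # next section header ends the action list
    return per_sig, handled, performed


def diagnose(text: str, sig: int = 2004, subsig: int = 0) -> Tuple[bool, str]:
    """Interpret the counters the way the troubleshooting steps above do."""
    per_sig, handled, performed = parse_virtual_sensor_stats(text)
    hits = per_sig.get((sig, subsig), 0)
    if hits == 0:
        return False, (f"signature {sig}/{subsig} never fired: the sensor is not seeing the test "
                       "traffic, so check the ASA service-policy and the interface assigned to the virtual sensor")
    if handled == 0 or performed.get("produce-alert", 0) == 0:
        return False, (f"signature {sig}/{subsig} fired {hits} times but no produce-alert was "
                       "performed: check the event-action and any event action filters")
    return True, f"signature {sig}/{subsig} fired {hits} times and produced {performed['produce-alert']} alerts"


if __name__ == "__main__":
    for label, sample in (("no traffic", NO_HITS), ("ping test", FOUR_PINGS)):
        print(label, diagnose(sample))
```

Run it against the real output saved from "show stat vi" after the ping test; a zero per-signature count with zero alerts handled means the sensor never saw the packets, which points at the ASA side rather than at the signature or the license.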

Hi Thulasi,

I did the same as you mentioned above, and also enabled the ICMP signature by checking the 2004 signature box and pinging a device in the network, but I am not seeing that the signature is triggered.

=============================================================

ipssm01# ping 192.168.110.10
PING 192.168.110.10 (192.168.110.10): 56 data bytes
64 bytes from 192.168.110.10: icmp_seq=0 ttl=255 time=0.7 ms
64 bytes from 192.168.110.10: icmp_seq=1 ttl=255 time=6.0 ms
64 bytes from 192.168.110.10: icmp_seq=2 ttl=255 time=0.7 ms
64 bytes from 192.168.110.10: icmp_seq=3 ttl=255 time=0.7 ms

--- 192.168.110.10 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.7/2.0/6.0 ms
delhiipssm01# show stat vi | beg Per-Sig
         Per-Signature SigEvent count since reset
      SigEvent Action Override Stage Statistics
         Number of Alerts received to Action Override Processor = 0
         Number of Alerts where an override was applied = 0
         Actions Added
            deny-attacker-inline = 0
            deny-attacker-victim-pair-inline = 0
            deny-attacker-service-pair-inline = 0
            deny-connection-inline = 0
            deny-packet-inline = 0
            modify-packet-inline = 0
            log-attacker-packets = 0
            log-pair-packets = 0
            log-victim-packets = 0
            produce-alert = 0
            produce-verbose-alert = 0
            request-block-connection = 0
            request-block-host = 0
            request-snmp-trap = 0
            reset-tcp-connection = 0
            request-rate-limit = 0
      SigEvent Action Filter Stage Statistics
         Number of Alerts received to Action Filter Processor = 0
         Number of Alerts where an action was filtered = 0
         Number of Filter Line matches = 0
         Number of Filter Line matches causing decreased DenyPercentage = 0
         Actions Filtered
            deny-attacker-inline = 0
            deny-attacker-victim-pair-inline = 0
            deny-attacker-service-pair-inline = 0
            deny-connection-inline = 0
            deny-packet-inline = 0
            modify-packet-inline = 0
            log-attacker-packets = 0
            log-pair-packets = 0
            log-victim-packets = 0
            produce-alert = 0
            produce-verbose-alert = 0
            request-block-connection = 0
            request-block-host = 0
            request-snmp-trap = 0
            reset-tcp-connection = 0
            request-rate-limit = 0
         Filter Hit Counts
      SigEvent Action Handling Stage Statistics.
         Number of Alerts received to Action Handling Processor = 0
         Number of Alerts where produceAlert was forced = 0
         Number of Alerts where produceAlert was off = 0
         Number of Alerts using Auto One Way Reset = 0
         Actions Performed
            deny-attacker-inline = 0
            deny-attacker-victim-pair-inline = 0
            deny-attacker-service-pair-inline = 0
            deny-connection-inline = 0
            deny-packet-inline = 0
            modify-packet-inline = 0
            log-attacker-packets = 0
            log-pair-packets = 0
            log-victim-packets = 0
            produce-alert = 0
            produce-verbose-alert = 0
            request-block-connection = 0
            request-block-host = 0
            request-snmp-trap = 0
            reset-tcp-connection = 0
            request-rate-limit = 0
         Deny Actions Requested in Promiscuous Mode
            deny-packet not performed = 0
            deny-connection not performed = 0
            deny-attacker not performed = 0
            deny-attacker-victim-pair not performed = 0
            deny-attacker-service-pair not performed = 0
            modify-packet not performed = 0
         Number of Alerts where deny-connection was forced for deny-packet action = 0
         Number of Alerts where deny-packet was forced for non-TCP deny-connection action = 0
      Anomaly Detection Statistics
         Number of Received Packets:
            TCP = 0
            UDP = 0
            Other = 0
            TOTAL = 0
         Number of Overrun Packets:
            TCP = 0
            UDP = 0
            Other = 0
            TOTAL = 0
         Number of Ignored Packets = 0
         Number of Events = 0
         Number of Recurrent Events:
            TCP = 0
            UDP = 0
            Other = 0
            TOTAL = 0
         Number of Worms = 0
         Number of Scanners = 0
         Number of Scanners Under Worm = 0
         Internal Zone
            Number of Events:
               TCP = 0
               UDP = 0
               Other = 0
               TOTAL = 0
            Number of Overrun Events:
               TCP = 0
               UDP = 0
               Other = 0
               TOTAL = 0
         External Zone
            Number of Events:
               TCP = 0
               UDP = 0
               Other = 0
               TOTAL = 0
            Number of Overrun Events:
               TCP = 0
               UDP = 0
               Other = 0
               TOTAL = 0
         Illegal Zone
            Number of Events:
               TCP = 0
               UDP = 0
               Other = 0
               TOTAL = 0
            Number of Overrun Events:
               TCP = 0
               UDP = 0
               Other = 0
               TOTAL = 0
         Global Utilization Percentage
            Unestablished Connections DB
               TCP = 0
               UDP = 0
               Other = 0
            Recurrent Events DB
               TCP = 0
               UDP = 0
               Other = 0
            Scanners DB
               TCP = 0
               UDP = 0
               Other = 0

Hi..

I have just noticed that the signatures are not being triggered, checked by pinging across the sensor.

Can you please suggest what I could do to fix it so that the signatures start getting triggered and event alerts start displaying?

smetieh001
Level 1

Hi Anukalp,

To the best of my knowledge, an expired license does not stop the IPS from producing event actions.

On IDM or IME, go to Monitor -> Events, check "warning", "error", "fatal" and "show status events" if not already checked, set "show past events" to at least 1 hr, and click "View" at the bottom. You should see some events, however these may not be created by any signature.

Click "Configuration" -> Interfaces -> Summary and see if any interface is assigned to a VS. If "none", then there lies your issue.

To fix this, goto

Configuration->IPS Policy, select the VS and click edit.

If the interface is not selected, click the check box to select the interface and click apply.

Let me know how it goes...

Let us know if you are still having issues with IPS events.

Hi smetieh001

I checked "warning", "error", "fatal" and "show status events", and when I view the events, they are not being generated by signatures.

Also, I have checked the interface configuration; the interface is assigned to the VS.

Could anyone please help? The signature is not triggering, and as a result the events are not displaying.

Snapshot: Signature (attached)

Hi Anukalp,

The IPS is not receiving any traffic from the ASA. That's why you do not see any signature event.

One more thing... following your screenshot of 4-Jul, click the "Edit" tab above and confirm that the check box is checked.

If checked, then we would have to take a look at your "show run class-map", "show run policy-map" and the access-list that defines the traffic monitored by the sensor (if you created any for IPS). Do this from your ASA and post it in this forum if you can.

Sylvester

Is this resolved now?

No, it is still not resolved. I am still not able to see events, and what I observed is that the signatures are not triggering. I checked this by enabling the ICMP signature and pinging across the sensor.

following your screenshot of 4-Jul. Did you click "Edit" tab under IPS Policy to confirm if the check box is checked ?

Yes, it is checked.

Your IPS looks ok. Would you like to post your ASA's IPS policy?

Do a "show run class-map" and "show run policy-map"; this will let us know if any traffic is being passed to the IPS for sensing.
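To act on the request above, and on the accepted solution's configuration at the top of the thread, here is an added Python example, not part of the original thread or of Cisco's tooling, that walks the ASA redirect chain in saved "show run" output: service-policy -> policy-map -> class -> class-map -> access-list. It flags the ways traffic silently never reaches the module (policy-map never applied with service-policy, class-map with no match, ACL with only deny entries, no "ips" action at all). The three configurations are constructed; the first is the accepted solution as "show run" prints it, and the other two are the same objects with one link of the chain broken.

```python
"""Walk an ASA's IPS redirect chain and explain why traffic might not reach
the module. Added example; parses saved "show run" text, nothing more."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the accepted-solution configuration as "show run" prints it.
GOOD_CONFIG = """\
access-list IPS_acl extended permit ip any any
class-map IPS_class
 match access-list IPS_acl
policy-map IPS_policy
 class IPS_class
  ips promiscuous fail-open
service-policy IPS_policy global
"""
# Constructed sample: same objects, but "service-policy" was never entered.
UNAPPLIED_CONFIG = GOOD_CONFIG.replace("service-policy IPS_policy global\n", "")
# Constructed sample: applied, but the ACL only has a deny line, so it selects nothing.
EMPTY_ACL_CONFIG = GOOD_CONFIG.replace("extended permit", "extended deny")


@dataclass
class IpsCheck:
    traffic_reaches_sensor: bool = False
    mode: Optional[str] = None         # "inline" or "promiscuous"
    fail_action: Optional[str] = None  # "fail-open" or "fail-close"
    acls: List[str] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)


def parse_ips_redirect(config: str) -> IpsCheck:
    acl_permits: Dict[str, int] = {}        # ACL name -> number of permit ACEs
    class_match: Dict[str, List[str]] = {}  # class-map -> ACL names ("*" = match any)
    policy_ips: Dict[str, Dict[str, Optional[List[str]]]] = {}  # policy-map -> class -> ips args
    applied: Dict[str, str] = {}            # policy-map -> "global" or "interface X"

    cur_class = cur_policy = cur_pclass = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        kw = tok[0]
        # Top-level keywords reset the sub-mode context. Indentation is deliberately
        # not trusted, because pasted configs (as in this thread) often lose it.
        if kw == "access-list" and len(tok) >= 3:
            acl_permits.setdefault(tok[1], 0)
            if "permit" in tok[2:]:
                acl_permits[tok[1]] += 1
        elif kw == "class-map":
            cur_class, cur_policy, cur_pclass = tok[-1], None, None
            class_match.setdefault(cur_class, [])
        elif kw == "policy-map":
            cur_class, cur_policy, cur_pclass = None, tok[-1], None
            policy_ips.setdefault(cur_policy, {})
        elif kw == "service-policy" and len(tok) >= 3:
            applied[tok[1]] = " ".join(tok[2:])
        elif kw == "match" and cur_class and len(tok) >= 2:
            if tok[1] == "access-list" and len(tok) >= 3:
                class_match[cur_class].append(tok[2])
            elif tok[1] == "any":
                class_match[cur_class].append("*")
        elif kw == "class" and cur_policy and len(tok) >= 2:
            cur_pclass = tok[1]
            policy_ips[cur_policy].setdefault(cur_pclass, None)
        elif kw == "ips" and cur_policy and cur_pclass:
            policy_ips[cur_policy][cur_pclass] = tok[1:]  # e.g. ["promiscuous", "fail-open"]

    result = IpsCheck()
    found_ips = False
    for pol, classes in policy_ips.items():
        for cls, ips in classes.items():
            if ips is None:
                continue
            found_ips = True
            result.mode = next((t for t in ips if t in ("inline", "promiscuous")), None)
            result.fail_action = next((t for t in ips if t in ("fail-open", "fail-close")), None)
            if pol not in applied:
                result.problems.append(f"policy-map {pol} has the ips action but no service-policy applies it")
                continue
            if cls == "class-default":  # matches all remaining traffic, no class-map needed
                result.traffic_reaches_sensor = True
                continue
            matches = class_match.get(cls)
            if not matches:
                result.problems.append(f"class-map {cls} is missing or has no 'match access-list' / 'match any'")
                continue
            for acl in matches:
                if acl == "*":
                    result.traffic_reaches_sensor = True
                elif acl not in acl_permits:
                    result.problems.append(f"class-map {cls} references undefined ACL {acl}")
                elif acl_permits[acl] == 0:
                    result.problems.append(f"ACL {acl} has no permit entries, so it selects no traffic")
                else:
                    result.acls.append(acl)
                    result.traffic_reaches_sensor = True
    if not found_ips:
        result.problems.append("no policy-map class carries an ips action")
    return result


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("unapplied", UNAPPLIED_CONFIG), ("deny-only acl", EMPTY_ACL_CONFIG)):
        r = parse_ips_redirect(cfg)
        print(f"{name}: reaches sensor={r.traffic_reaches_sensor} mode={r.mode} "
              f"{r.fail_action} acls={r.acls} problems={r.problems}")
```

The security-relevant part of the accepted solution is the "ips promiscuous fail-open" line. Promiscuous mode copies traffic to the sensor rather than putting the sensor in the forwarding path, so it can alert but cannot drop anything, and fail-open means the ASA keeps forwarding traffic if the module stops responding. That is fine for a monitoring test; for enforcement you would use "ips inline" and choose deliberately between fail-open (availability) and fail-close (no unscanned traffic).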
