08-03-2009 01:54 PM - edited 03-10-2019 04:43 AM
Hello,
We are noticing a strange behavior with several IPS AIM modules and IPS Appliances. Events are generated and can be seen from the event viewer but nothing is displayed on the Network Security Gadget on the Dashboard.
We've verified and compared configurations with other working Appliances and can't find why the count event on the dashboard is 0 while the event viewer is showing several events. We've tested from different computers with different Java versions to rule out a problem with the viewer, but the result is the same.
IPS is working and denying traffic if configured; the event action overrides are configured to produce an alert for all severities (to test).
We've seen this on Appliances and ASA IPS modules running 7.0(1)3, 6.0(5)E3 and other 6.x versions; the only common denominator we can see is the E3.
It's a difficult event to troubleshoot and I haven't found any reports of similar behavior. Has anyone noticed something similar?
Any ideas on where to look will be greatly appreciated.
Regards,
08-03-2009 03:50 PM
Hi,
Question: is the virtual sensor configured in all the cases you mentioned the default vs0, or did you create a new one?
There is a known issue with non-vs0 sensor events not being reported in the Network Security Gadget.
HTH
Sushil
08-03-2009 03:54 PM
No, all of them have the default vs0.
But it's good to know that, thank you. Do you have any related documentation?
Any other ideas will be greatly appreciated.
Thanks!
08-03-2009 08:24 PM
How often are your alerts being generated?
If I remember right the counts are based on the alerts within the past 10 seconds.
If your sensor hasn't seen any signature triggers in the last 10 seconds, then the counts will be 0.
If your sensor is monitoring a fairly clean network (few attacks), or you've highly tuned your sensor to only monitor for a subset of signatures, then it is possible your sensor may only be triggering signatures every few seconds, or even every few minutes. In that case, seeing counts of 0 for the past 10 seconds would be normal.
08-03-2009 08:31 PM
In addition if I remember right there was a bug introduced in some of the versions back when E3 was released.
And instead of counting based on the last 10 seconds, I think it incorrectly counted only based on the last 1/10th of a second.
This was fixed in the 6.1(2)E3 Service Pack, and I think was fixed for 7.0(1)E3 before it was released so I don't think you are running into this with your 7.0(1)E3 sensors.
08-07-2009 02:36 PM
Thanks for the reply, any other ideas?
Regards,
08-04-2009 06:45 AM
We are testing with a continuous ping and have the signature 2004 (ICMP request) enabled. This and other events are constantly showing on the event viewer, but nothing on the Dashboard.
Same configuration with version 6.1(1)E3 shows events on the Dashboard, but nothing if running version 7.0(1)E3.
Thanks!
08-04-2009 06:46 AM
I tested 6.0(5) and I'm having no problem with that one. 6.1(1)E3 is running fine. 7.0(1)E3 is not showing events on the Network security gadget on the dashboard.
I'm running tests with other versions to try to catch the issue.
Thanks
02-08-2010 03:08 PM
I am having a similar issue.
I was running IDM 6.0 and Network Security Gadget was seeing all of the Events and displaying the Risk vs Threat Graph and # of Events Graph perfectly. Then I upgraded to 7.0 and IPS Version 7.0(2)E3, and everything works except the Network Security Gadget. It scrolls Zero across both Graphs. I have attached a snapshot:
02-08-2010 04:00 PM
Hi!
We could never find an answer or reported issues on that.
We ended up installing the IPS Manager Express for our customer and it seems to be working fine for them since then, maybe you can try that.
Regards,
02-09-2010 07:22 AM
Thank you for the quick response Daherrer.
I tried loading the Express software, which is great by the way, but it also has the exact same problem. Am I right in thinking that all events that show up under the event monitoring tool should show up on the Network Security Graph?
02-16-2010 06:51 AM
We have found that using the older version of IME (6.1.1) will show all events from sensors running the 7.0 release; unfortunately, you cannot make configuration changes. Anyone who has upgraded to the new 7.0.2 client cannot see the events from the sensor in real-time, but can make configuration changes.
02-16-2010 07:31 AM
FYI - I downgraded from the 7.0.2 client to the 7.0.1 client today and the event reporting began working again.
02-16-2010 08:09 AM
Thanks for the response.
Did you downgrade the IPS sensor software or the IME software? I downgraded the IME to 7.0.1 and still have the IPS running 7.0(2)E3 and it still does not work.
Gino
02-16-2010 09:10 AM
I downgraded the IME software to 7.0.1 and left the sensor at 7.0.2 E3. Since you are still having difficulties, maybe more detail of what I did will help? I uninstalled the IME 7.0.2, rebooted, then installed 7.0.1. IME didn't pick up the events right away, so I restarted the MySQL-IME service. I opened IME and chose realtime events, clicked apply and the events began appearing. Hope that helps.