MARS classifying IOS IPS messages as "Generic Syslog"

wandersen
Level 1

Hello,

I have a 2821 router running IOS IPS with the 4.x signature format. The 2821's IOS is 12.4(13)c.

SDEE is configured on the router.

ip ips sdf location flash:256MB.sdf
ip ips notify SDEE
no ip ips notify log
ip ips signature 4620 0 disable
ip ips name IDS
ip sdee subscriptions 3
ip sdee alerts 1000

interface GigabitEthernet0/0.111
 ...
 ip ips IDS in
 ip ips IDS out

MARS is running 4.3.1

The router is configured in MARS and the IPS Option is configured as well. It discovers fine and is Activated.

I then fire an aggressive NESSUS scan across the router. The router reports lots of events:

RA-2821-1#sho ip sdee alerts
Alert storage: 1000 alerts using 272000 bytes of memory

SDEE Alerts
     SigID   Sig Name                  SrcIP:SrcPort        DstIP:DstPort
                                       or Summary Info
 1:  3201:1  Unix Password File Acces  10.111.90.161:54965  10.111.101.27:80
 2:  3201:1  Unix Password File Acces  10.111.90.161:55291  10.111.101.27:80
 3:  3201:1  Unix Password File Acces  10.111.90.161:55291  10.111.101.27:80
 4:  3201:1  Unix Password File Acces  10.111.90.161:55291  10.111.101.27:80
 5:  5170:0  Null Byte In HTTP Reques  10.111.90.161:55338  10.111.101.27:80
 6:  5170:0  Null Byte In HTTP Reques  10.111.90.161:55338  10.111.101.27:80
 7:  5170:0  Null Byte In HTTP Reques  10.111.90.161:55338  10.111.101.27:80
 8:  3201:1  Unix Password File Acces  10.111.90.161:55369  10.111.101.27:80
 9:  3201:1  Unix Password File Acces  10.111.90.161:55369  10.111.101.27:80
10:  3201:1  Unix Password File Acces  10.111.90.161:55369  10.111.101.27:80
11:  5445:0  AWStats configdir Comman  10.111.90.161:55440  10.111.101.27:80
12:  5445:0  AWStats configdir Comman  10.111.90.161:55440  10.111.101.27:80
etc...

In MARS, I get the events, except they are classified as "Generic Syslog Events"

Drilling in, I get the raw message as "NR-5114/0 "

Note the space after the zero.

By the way, an AIP-10 reports correctly.

How do I get the IOS IPS to report correctly to MARS?

Ward
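The post above pairs an `ip ips` configuration with a `show ip sdee alerts` listing. As an added example (not code from the original post or from Cisco), here is a small Python parser that turns that listing into records, summarises hits per signature and per source, reads which notification paths the config enables, and cross-checks the alert buffer against signatures the config says are disabled. The sample input is constructed from the rows shown in the thread; the last row (signature 4620, the one the config disables) is constructed purely to exercise the cross-check and was not in the router's output.

```python
import re
from collections import Counter

# Constructed sample: rows copied from the "show ip sdee alerts" output in the
# post, plus one constructed row for sig 4620 to exercise the disabled-sig check.
SAMPLE_SDEE_ALERTS = """\
Alert storage: 1000 alerts using 272000 bytes of memory

SDEE Alerts
     SigID   Sig Name                  SrcIP:SrcPort        DstIP:DstPort
                                       or Summary Info
 1:  3201:1  Unix Password File Acces  10.111.90.161:54965  10.111.101.27:80
 2:  3201:1  Unix Password File Acces  10.111.90.161:55291  10.111.101.27:80
 5:  5170:0  Null Byte In HTTP Reques  10.111.90.161:55338  10.111.101.27:80
11:  5445:0  AWStats configdir Comman  10.111.90.161:55440  10.111.101.27:80
12:  4620:0  Constructed test row      10.111.90.161:55500  10.111.101.27:80
"""

# The IOS IPS configuration lines quoted in the post.
SAMPLE_IPS_CONFIG = """\
ip ips sdf location flash:256MB.sdf
ip ips notify SDEE
no ip ips notify log
ip ips signature 4620 0 disable
ip ips name IDS
ip sdee subscriptions 3
ip sdee alerts 1000
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One alert row: "<n>:  <sig>:<subsig>  <name>  <src>:<port>  <dst>:<port>".
# Signature names are truncated by IOS itself, so they are matched lazily.
ALERT_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<sig>\d+):(?P<sub>\d+)\s+(?P<name>.+?)\s+"
    rf"(?P<src>{IPV4}):(?P<sport>\d+)\s+(?P<dst>{IPV4}):(?P<dport>\d+)\s*$"
)
DISABLE_RE = re.compile(r"^ip ips signature (?P<sig>\d+) (?P<sub>\d+) disable\s*$")


def parse_sdee_alerts(text):
    """Return one dict per alert row; header and storage lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("idx", "sig", "sub", "sport", "dport"):
            d[k] = int(d[k])
        alerts.append(d)
    return alerts


def summarize_by_signature(alerts):
    """Hit count keyed by 'sig:subsig name'."""
    return Counter(f"{a['sig']}:{a['sub']} {a['name']}" for a in alerts)


def summarize_by_source(alerts):
    """Hit count per source address (the scanner, in the post's case)."""
    return Counter(a["src"] for a in alerts)


def disabled_signatures(config_text):
    """Set of (sig, subsig) tuples explicitly disabled in the running config."""
    out = set()
    for line in config_text.splitlines():
        m = DISABLE_RE.match(line.strip())
        if m:
            out.add((int(m["sig"]), int(m["sub"])))
    return out


def alerts_from_disabled_sigs(alerts, disabled):
    """Alerts whose signature the config claims is disabled: a sign the
    signature set the engine loaded is not the one the config describes."""
    return [a for a in alerts if (a["sig"], a["sub"]) in disabled]


def notify_mode(config_text):
    """Which notification paths the config turns on explicitly.
    Only explicit 'ip ips notify ...' / 'no ip ips notify ...' lines are read;
    the platform default for an absent line is not modelled here."""
    mode = {"sdee": False, "log": False}
    for line in config_text.splitlines():
        line = line.strip().lower()
        if line == "ip ips notify sdee":
            mode["sdee"] = True
        elif line == "no ip ips notify sdee":
            mode["sdee"] = False
        elif line == "ip ips notify log":
            mode["log"] = True
        elif line == "no ip ips notify log":
            mode["log"] = False
    return mode


if __name__ == "__main__":
    alerts = parse_sdee_alerts(SAMPLE_SDEE_ALERTS)
    print(summarize_by_signature(alerts))
    print(summarize_by_source(alerts))
    print(notify_mode(SAMPLE_IPS_CONFIG))
    print(alerts_from_disabled_sigs(alerts, disabled_signatures(SAMPLE_IPS_CONFIG)))
```

Pipe the real `show ip sdee alerts` and `show running-config | include ip ips` output into `parse_sdee_alerts` and `disabled_signatures` respectively; an empty result from `alerts_from_disabled_sigs` and `{"sdee": True, "log": False}` from `notify_mode` is the state the post describes.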

13 Replies

mhellman
Level 7

I believe with the IOS IPS you have to collect the alarms using rdep/https (i.e. not syslog). See here:

http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008074f213.html#wp1193691

You are absolutely correct. We are not sending them via syslog, only by rdep/https.

The IOS router config is:

ip ips sdf location flash:256MB.sdf
ip ips notify SDEE
no ip ips notify log
ip ips signature 4620 0 disable
ip ips name IDS
ip sdee subscriptions 3
ip sdee alerts 1000

Note that syslog is turned off and sdee is turned on.

Yet in MARS, the events show up as "Generic Syslog". The messages in mars look like "NR-3051/0 ".

Note the space at the end.

What am I doing wrong?

Ward

I don't see where you've enabled the https server (ip http secure-server) but I assume that was just left out. The raw events collected via SDEE and received via syslog, even for the same alarm, should look very different. Can you paste the raw message? I'm trying to understand why an event that was collected via HTTPS/SDEE would ever get mapped as "generic syslog". It should show up as "unknown device event" if the Mars doesn't parse it properly.

I do indeed have "ip https server-secure" enabled.

The exact classification of the event is "Generic IOS Syslog"

Here is a listing of a couple of raw events of this type.

"NR-3015/0 "

"NR-3015/1 "

Also classified as Generic IOS syslog are events such as:

"<190>437262: Dec 11 08:27:59.745 CST: %IPPHONE-6-REGISTER_NEW: ephone-5:SEP001D45059334 IP:10.110.114.50 Socket:4 DeviceType:Phone has registered. "

which of course are IP phone syslog messages.

I also made sure that there wasn't a corresponding "good" message around the time period of the "Generic IOS Syslog" message.

Puzzled.

Ward
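The post above shows two shapes of raw message landing in the same "Generic IOS syslog" bucket: a well-formed IOS syslog line with a `<PRI>` prefix, sequence number, timestamp and `%FACILITY-SEVERITY-MNEMONIC:` header, and bare `NR-nnnn/n` fragments with nothing else. As an added example (not from the original thread or from Cisco), the Python below parses both shapes so you can triage a dump of raw events and see which ones carry a parseable IOS header and which do not. Treating the number in `NR-nnnn/n` as a signature ID and sub-ID is an assumption based only on the fact that it matches signature IDs quoted elsewhere in the thread. The `%SYS-5-CONFIG_I` sample line is constructed to show a message with no `<PRI>` prefix.

```python
import re
from collections import Counter

# Constructed sample set: the first three strings are the raw messages quoted
# in the thread; the last is a constructed IOS line without a <PRI> prefix.
SAMPLE_RAW = [
    "<190>437262: Dec 11 08:27:59.745 CST: %IPPHONE-6-REGISTER_NEW: "
    "ephone-5:SEP001D45059334 IP:10.110.114.50 Socket:4 DeviceType:Phone has registered. ",
    "NR-3015/0 ",
    "NR-3015/1 ",
    "%SYS-5-CONFIG_I: Configured from console by vty0 (10.111.90.161)",  # constructed
]

# IOS syslog shape: [<PRI>][seq: ][timestamp: ]%FAC-SEV-MNEMONIC: text
# PRI, sequence number and timestamp are all optional on a real router.
IOS_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<ts>[^%]+?):\s+)?"
    r"%(?P<fac>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Bare fragment as seen in MARS. Assumption: nnnn/n is signature/sub-signature.
BARE_RE = re.compile(r"^NR-(?P<sig>\d+)/(?P<sub>\d+)\s*$")


def split_pri(pri):
    """Decode RFC 3164 PRI into (facility, severity); 190 -> (23, 6)."""
    return pri // 8, pri % 8


def classify(msg):
    """Classify one raw message and return its parsed fields."""
    m = IOS_RE.match(msg)
    if m:
        pri = int(m["pri"]) if m["pri"] else None
        fac, sev = split_pri(pri) if pri is not None else (None, None)
        return {
            "kind": "ios-syslog",
            "pri": pri,
            "syslog_facility": fac,
            "syslog_severity": sev,
            "seq": int(m["seq"]) if m["seq"] else None,
            "timestamp": m["ts"],
            "facility": m["fac"],        # IOS facility, e.g. IPPHONE
            "severity": int(m["sev"]),   # IOS severity digit in the header
            "mnemonic": m["mnem"],
            "text": m["text"].strip(),
        }
    m = BARE_RE.match(msg)
    if m:
        return {"kind": "bare-token", "sig": int(m["sig"]), "subsig": int(m["sub"])}
    return {"kind": "unparsed"}


def triage(messages):
    """Count message kinds across a dump of raw events."""
    return Counter(classify(m)["kind"] for m in messages)


if __name__ == "__main__":
    for raw in SAMPLE_RAW:
        print(classify(raw))
    print(triage(SAMPLE_RAW))
```

Feed it the raw-message column exported from the MARS query; anything that comes back `bare-token` or `unparsed` had no IOS header for the collector to key on, whatever path it arrived by.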

That's all there is in the raw message? Strange. It's just a hunch, but I suspect that this was received via syslog. You might try running tcpdump on Mars to verify what's coming in via syslog from the router.

tcpdump -X

See the attachment of the capture.

Here are the raw messages from MARS:

303571827 Generic IOS syslog Dec 11, 2007 9:15:41 AM CST DR-2821-1.temp.com NR-4620/0
303571828 Generic IOS syslog Dec 11, 2007 9:15:41 AM CST DR-2821-1.temp.com NR-4620/0
303571829 Generic IOS syslog Dec 11, 2007 9:15:41 AM CST DR-2821-1.temp.com NR-4620/0
303571830 Generic IOS syslog Dec 11, 2007 9:15:41 AM CST DR-2821-1.temp.com NR-4620/0
303571831 Generic IOS syslog Dec 11, 2007 9:15:41 AM CST DR-2821-1.temp.com NR-4620/0
303571832 Generic IOS syslog Dec 11, 2007 9:15:41 AM CST DR-2821-1.temp.com NR-4620/0
303574436 Generic IOS syslog Dec 11, 2007 9:16:12 AM CST DR-2821-1.temp.com NR-4620/0
303574437 Generic IOS syslog Dec 11, 2007 9:16:12 AM CST DR-2821-1.temp.com NR-4620/0
303576944 Generic IOS syslog Dec 11, 2007 9:16:42 AM CST DR-2821-1.temp.com NR-4620/0
303594122 Generic IOS syslog Dec 11, 2007 9:19:44 AM CST DR-2821-1.temp.com NR-4620/0
303602356 Generic IOS syslog Dec 11, 2007 9:21:15 AM CST DR-2821-1.temp.com NR-4620/0

Given the encryption, it's hard to tell what's going on.

To reiterate, MARS 4.3.1, IOS 12.4(13c). This puts the IOS IPS format in 4.x if that makes a difference.

Ward

Well, based on the output at least you can be pretty sure that the actual messages are not being sent as syslog. So when you added the IDS/IPS in MARS to the existing router device, did you use the "add ips" button?

In MARS the ISR routers were added and the IPS was configured. Connectivity test works.

Submitted, Activated.

Ward

What I was getting at is that there might be [at least in my mind] some ambiguity about how they should be added (ie. "add ips" versus "add module"). In any event, I'm working off a very feeble memory. Perhaps someone with a production IOS device can help out here?

Add Module looks like a separate reporting IP address. Add IPS looks like the onboard reporting IP Address.

Ward

Hey Ward.

Load 4.3.2 on to see if that resolves your issue.

There is a bug (CSCsk44951: IOS IPS not working under IOS 12.4, unless that is your bug), and 12.3 and 12.4 are now supported in MARS. It might just be part of your problem.

Cheers,

Brad

Hello Brad,

I'm upgrading as we speak. I think that is the bug we're running into.

Can you shoot me your e-mail at wandersen@forsythe.com?

Thanks!

Ward

Just got done with the upgrade from MARS 5.3.1 to 5.3.2. I enabled the ICMP signatures, and now the IOS IPS signatures show up with full details in MARS!

It looks like the problem is solved by the MARS software upgrade.

Ward