Helpful show commands for IPS

athukral · ‎03-28-2011

Introduction: This document will list some useful show commands for IPS sensor.

Prerequisites:

1. IPS Sensor

2. Software Version 7.0(2)E3From IPSpedia

Jump to: navigation, search

1. show version

Application Partition:

Cisco Intrusion Prevention System, Version 7.0(2)E3

Host:

Realm Keys key1.0

Signature Definition:

Signature Update S455.0 2009-12-10

Virus Update V1.4 2007-03-02

OS Version: 2.4.30-IDS-smp-bigphys

Platform: IPS-4240-K9

Serial Number: JMX1327L0NR

Licensed, expires: 25-Sep-2013 UTC

Sensor up-time is 49 days.

Using 1441873920 out of 1984548864 bytes of available memory (72% usage)

system is using 17.4M out of 38.5M bytes of available disk space (45% usage)

application-data is using 46.5M out of 166.8M bytes of available disk space (29% usage)

boot is using 41.5M out of 68.6M bytes of available disk space (64% usage)

application-log is using 123.5M out of 513.0M bytes of available disk space (24% usage)

MainApp B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500 Running

AnalysisEngine B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500 Running

CollaborationApp B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500 Running

CLI B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500

Upgrade History:

* IPS-sig-S454-req-E3 14:06:45 UTC Wed Dec 09 2009

IPS-sig-S455-req-E3.pkg 22:06:44 UTC Fri Dec 11 2009

Recovery Partition Version 1.1 - 7.0(2)E3

Host Certificate Valid from: 22-Sep-2009 to 23-Sep-2011

Show version output is useful for identifying when the last update was applied to the sensor as well as identifying uptime and build. Many performance issues begin after a certain update is applied to the sensor.

2. show interface

MAC statistics from interface GigabitEthernet0/3

Interface function = Sensing interface

Description =

Media Type = TX

Default Vlan = 0

Inline Mode = Unpaired

Pair Status = N/A

Hardware Bypass Capable = No

Hardware Bypass Paired = N/A

Link Status = Up

Admin Enabled Status = Enabled

Link Speed = Auto_100

Link Duplex = Auto_Full

Missed Packet Percentage = 0

Total Packets Received = 198332757

Total Bytes Received = 21063643861

Total Multicast Packets Received = 3619411

Total Broadcast Packets Received = 15986832

Total Jumbo Packets Received = 0

Total Undersize Packets Received = 0

Total Receive Errors = 0

Total Receive FIFO Overruns = 0

Total Packets Transmitted = 0

Total Bytes Transmitted = 0

Total Multicast Packets Transmitted = 0

Total Broadcast Packets Transmitted = 0

Total Jumbo Packets Transmitted = 0

Total Undersize Packets Transmitted = 0

Total Transmit Errors = 0

Total Transmit FIFO Overruns = 0</code>

Show interface contains several useful pieces of information including link speed, link duplex, missed packet percentage, fifo overruns, jumbo packets, and undersized packets. The link speed and link duplex items should usually read auto_100 (or auto_1000 for gig interfaces) and auto_full for duplex. An auto_half is almost certainly the result of a misconfiguration on the opposite switchport and can cause serious performance issues. Verify that both sides are configured as auto detect if you see this. The missed packet percentage tells you what percentage of the packets received on the interface were dropped. This is essentially the overruns/total packets. If this number is anything greater than 0-1 then there is probably an oversubscription issue in play. Remember to check this value in conjunction with the total packets and FIFO counter as the missed packet percentage may be skewed heavily if there isn’t a significant sample size. Having a very low number of packets processed indicates a more fundamental problem in most cases. High numbers of Jumbo packets could also lead to performance issues due to defects in the IPS software. High numbers of undersized packets could indicate ethernet collisions. This is a very uncommon problem given today’s mostly switched infrastructure but it can still happen. Alternatively, high numbers of undersized packets may also indicate a physical problem with a cable or switch. Either way, these underlying issues could certainly cause blanket performance issues for traffic traversing the sensor.

3. show statistics authentication

General

totalAuthenticationAttempts = 8

failedAuthenticationAttempts = 0</code>

Authentication failures can indicate a misconfigured management workstation and in some cases can cause resource issues on a sensor. If this number is more than single digits, investigate which station is initiating the failed authentications and address ie.

4. show statistics analysis-engine

Analysis Engine Statistics

Number of seconds since service started = 4310

The rate of TCP connections tracked per second = 0

The rate of packets per second = 7

The rate of bytes per second = 653

Receiver Statistics

Total number of packets processed since reset = 34198

Total number of IP packets processed since reset = 12043

Transmitter Statistics

Total number of packets transmitted = 34198

Total number of packets denied = 0

Total number of packets reset = 0

Fragment Reassembly Unit Statistics

Number of fragments currently in FRU = 0

Number of datagrams currently in FRU = 0

TCP Stream Reassembly Unit Statistics

TCP streams currently in the embryonic state = 0

TCP streams currently in the established state = 1

TCP streams currently in the closing state = 0

TCP streams currently in the system = 1

TCP Packets currently queued for reassembly = 0

The Signature Database Statistics.

Total nodes active = 98

TCP nodes keyed on both IP addresses and both ports = 1

UDP nodes keyed on both IP addresses and both ports = 4

IP nodes keyed on both IP addresses = 23

Statistics for Signature Events

Number of SigEvents since reset = 3

Statistics for Actions executed on a SigEvent

Number of Alerts written to the IdsEventStore = 0

Inspection Stats

Inspector active call create delete createPct callPct

AtomicAdvanced 1 12043 1 0 0 35

Fixed 0 2688 1068 1068 3 7

FloodHostUDP 4 8638 287 283 0 25

Layer2ARP 1 19159 1 0 0 56

MSRPC_UDP 4 8638 1068 1064 3 25

MultiString 0 26 14 14 0 0

MultiStringSP 0 26 14 14 0 0

ServiceDnsUdp 1 8638 1 0 0 25

ServiceGeneric 4 12016 4 0 0 35

ServiceNtp 8 17276 2136 2128 6 50

ServiceP2PUDP 4 8842 2136 2132 6 25

ServiceRpcUDP 1 8638 1 0 0 25

ServiceSnmp 1 8638 1 0 0 25

SweepICMP 0 19 8 8 0 0

SweepTCP 3 688 222 219 0 2

SweepOtherTcp 1 344 115 114 0 1

TrafficIcmpDDOS 0 19 12 12 0 0

GlobalCorrelationStats

SwVersion = 7.0(2)E3

SigVersion = 456.0

DatabaseRecordCount = 3736825

DatabaseVersion = 1262879048

RuleVersion = 1262804047

ReputationFilterVersion = 1262877725

AlertsWithHit = 0

AlertsWithMiss = 0

AlertsWithModifiedRiskRating = 0

AlertsWithGlobalCorrelationDenyAttacker = 0

AlertsWithGlobalCorrelationDenyPacket = 0

AlertsWithGlobalCorrelationOtherAction = 0

AlertsWithAuditRepDenies = 0

ReputationForcedAlerts = 0

EventStoreInsertTotal = 0

EventStoreInsertWithHit = 0

EventStoreInsertWithMiss = 0

EventStoreDenyFromGlobalCorrelation = 0

EventStoreDenyFromOverride = 0

EventStoreDenyFromOverlap = 0

EventStoreDenyFromOther = 0

ReputationFilterDataSize = 179

ReputationFilterPacketsInput = 0

ReputationFilterRuleMatch = 0

DenyFilterHitsNormal = 0

DenyFilterHitsGlobalCorrelation = 0

SimulatedReputationFilterPacketsInput = 2613

SimulatedReputationFilterRuleMatch = 0

SimulatedDenyFilterInsert = 0

SimulatedDenyFilterPacketsInput = 2613

SimulatedDenyFilterRuleMatch = 0

TcpDeniesDueToGlobalCorrelation = 0

TcpDeniesDueToOverride = 0

TcpDeniesDueToOverlap = 0

TcpDeniesDueToOther = 0

SimulatedTcpDeniesDueToGlobalCorrelation = 0

SimulatedTcpDeniesDueToOverride = 0

SimulatedTcpDeniesDueToOverlap = 0

SimulatedTcpDeniesDueToOther = 0

LateStageDenyDueToGlobalCorrelation = 0

LateStageDenyDueToOverride = 0

LateStageDenyDueToOverlap = 0

LateStageDenyDueToOther = 0

SimulatedLateStageDenyDueToGlobalCorrelation = 0

SimulatedLateStageDenyDueToOverride = 0

SimulatedLateStageDenyDueToOverlap = 0

SimulatedLateStageDenyDueToOther = 0

AlertHistogram

RiskHistogramEarlyStage

RiskHistogramLateStage

ConfigAggressiveMode = 2

ConfigAuditMode = 0

MaliciousSiteDenyHitCounts

This command contains some useful information regarding which engines are inspecting traffic and how often. When the sensor is having a performance issue, check to see which inspectors are having may calls for a possible lead on which signatures may be causing a problem. This will often lead you to signatures which have been created/modified by the customer.

This output also gives you the uptime of the analysis engine in seconds. This can be useful for calculating various rates since almost all counters on the sensor will be relative to this value unless someone has manually cleared them.

5. show statistics denied-attackers

This output will show which IP addresses have been denied by the sensor. If a particular address (or addresses) are having problems accessing specific resources you can check here to see if it’s simply as a result of a deny action of one of the sensor signatures.

6. show statistics event-store

General information about the event store

The current number of open subscriptions = 3

The number of events lost by subscriptions and queries = 0

The number of filtered events not written to the event store = 4131

The number of queries issued = 0

The number of times the event store circular buffer has wrapped = 0

Number of events of each type currently stored

Status events = 11994

Shun request events = 0

Error events, warning = 1276

Error events, error = 19257

Error events, fatal = 18759

Alert events, informational = 72

Alert events, low = 431

Alert events, medium = 0

Alert events, high = 0

Alert events, threat rating 0-20 = 0

Alert events, threat rating 21-40 = 72

Alert events, threat rating 41-60 = 431

Alert events, threat rating 61-80 = 0

Alert events, threat rating 81-100 = 0

Cumulative number of each type of event

Status events = 12186

Shun request events = 0

Error events, warning = 1304

Error events, error = 19259

Error events, fatal = 18759

Alert events, informational = 72

Alert events, low = 431

Alert events, medium = 0

Alert events, high = 0

Alert events, threat rating 0-20 = 0

Alert events, threat rating 21-40 = 72

Alert events, threat rating 41-60 = 431

Alert events, threat rating 61-80 = 0

Alert events, threat rating 81-100 = 0

This output gives a summary of the signatures events that have been created on the sensor. Very large numbers here may indicate that too many signatures are enabled with logging (perhaps meta components) which could lead to performance issues. Also, this output shows the number of status events (non signature events generated by the sensor). A large number of error events may warrant further investigation in the “show tech”

7. show statistics host

General Statistics

Last Change To Host Config (UTC) = 13-Jan-2010 01:10:26

Command Control Port Device = Management0/0

Network Statistics

= ma0_0 Link encap:Ethernet HWaddr 00:25:45:38:76:34

= inet addr:172.18.124.97 Bcast:172.18.124.255 Mask:255.255.255.0

= UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

= RX packets:538817 errors:0 dropped:0 overruns:0 frame:0

= TX packets:73105 errors:0 dropped:0 overruns:0 carrier:0

= collisions:0 txqueuelen:1000

= RX bytes:73949322 (70.5 MiB) TX bytes:23753016 (22.6 MiB)

= Interrupt:16 Base address:0x9c00 Memory:f8300000-f8300038

NTP Statistics

status = Not Synchronized

Memory Usage

usedBytes = 1424846848

freeBytes = 559702016

totalBytes = 1984548864

Summertime Statistics

start = 03:00:00 UTC Sun Mar 14 2010

end = 01:00:00 EST Sun Nov 07 2010

CPU Statistics

Usage over last 5 seconds = 0

Usage over last minute = 3

Usage over last 5 minutes = 9

Memory Statistics

Memory usage (bytes) = 1424846848

Memory free (bytes) = 559702016

Auto Update Statistics

lastDirectoryReadAttempt = 13:37:09 EST Wed Jan 13 2010

= Read directory: http://catwo@198.133.219.243//swc/esd/03/273556262/contract/

= Success

lastDownloadAttempt = 13:37:10 EST Wed Jan 13 2010

= Download: http://catwo@198.133.219.243//swc/esd/03/273556262/contract/IPS-sig-S459-req-E3.pkg

= Success

lastInstallAttempt = 13:39:33 EST Wed Jan 13 2010

= IPS-sig-S459-req-E3: Update completed successfully

= Success

nextAttempt = 13:37:00 EST Thu Jan 14 2010

Auxilliary Processors Installed</code>

8. show statistics virtual-sensor

Virtual Sensor Statistics

Statistics for Virtual Sensor vs0

Name of current Signature-Defintion instance = sig0

Name of current Event-Action-Rules instance = rules0

List of interfaces monitored by this virtual sensor = GigabitEthernet0/3 subinterface 0

General Statistics for this Virtual Sensor

Number of seconds since a reset of the statistics = 147540

MemoryAlloPercent = 28

MemoryUsedPercent = 28

MemoryMaxCapacity = 1350000

MemoryMaxHighUsed = 538624

MemoryCurrentAllo = 385627

MemoryCurrentUsed = 378362

Processing Load Percentage = 1

Total packets processed since reset = 626673

Total IP packets processed since reset = 297246

Total IPv4 packets processed since reset = 297168

Total IPv6 packets processed since reset = 78

Total IPv6 AH packets processed since reset = 0

Total IPv6 ESP packets processed since reset = 0

Total IPv6 Fragment packets processed since reset = 0

Total IPv6 Routing Header packets processed since reset = 0

Total IPv6 ICMP packets processed since reset = 39

Total packets that were not IP processed since reset = 329427

Total TCP packets processed since reset = 7911

Total UDP packets processed since reset = 223968

Total ICMP packets processed since reset = 489

Total packets that were not TCP, UDP, or ICMP processed since reset = 64878

Total ARP packets processed since reset = 327068

Total ISL encapsulated packets processed since reset = 0

Total 802.1q encapsulated packets processed since reset = 0

Total packets with bad IP checksums processed since reset = 0

Total packets with bad layer 4 checksums processed since reset = 0

Total number of bytes processed since reset = 68084892

The rate of packets per second since reset = 4

The rate of bytes per second since reset = 461

The average bytes per packet since reset = 108

Denied Address Information

Number of Active Denied Attackers = 0

Number of Denied Attackers Inserted = 0

Number of Denied Attacker Victim Pairs Inserted = 0

Number of Denied Attacker Service Pairs Inserted = 0

Number of Denied Attackers Total Hits = 0

Number of times max-denied-attackers limited creation of new entry = 0

Number of exec Clear commands during uptime = 0

Denied Attackers and hit count for each.

Denied Attackers with percent denied and hit count for each.

The Signature Database Statistics.

The Number of each type of node active in the system

Total nodes active = 125

TCP nodes keyed on both IP addresses and both ports = 4

UDP nodes keyed on both IP addresses and both ports = 8

IP nodes keyed on both IP addresses = 31

The number of each type of node inserted since reset

Total nodes inserted = 408997

TCP nodes keyed on both IP addresses and both ports = 2335

UDP nodes keyed on both IP addresses and both ports = 64248

IP nodes keyed on both IP addresses = 100166

The rate of nodes per second for each time since reset

Nodes per second = 2

TCP nodes keyed on both IP addresses and both ports per second = 0

UDP nodes keyed on both IP addresses and both ports per second = 0

IP nodes keyed on both IP addresses per second = 0

The number of root nodes forced to expire because of memory constraints

TCP nodes keyed on both IP addresses and both ports = 0

Packets dropped because they would exceed Database insertion rate limits = 0

Fragment Reassembly Unit Statistics for this Virtual Sensor

Number of fragments currently in FRU = 0

Number of datagrams currently in FRU = 0

Number of fragments received since reset = 0

Number of fragments forwarded since reset = 0

Number of fragments dropped since last reset = 0

Number of fragments modified since last reset = 0

Number of complete datagrams reassembled since last reset = 0

Fragments hitting too many fragments condition since last reset = 0

Number of overlapping fragments since last reset = 0

Number of Datagrams too big since last reset = 0

Number of overwriting fragments since last reset = 0

Number of Inital fragment missing since last reset = 0

Fragments hitting the max partial dgrams limit since last reset = 0

Fragments too small since last reset = 0

Too many fragments per dgram limit since last reset = 0

Number of datagram reassembly timeout since last reset = 0

Too many fragments claiming to be the last since last reset = 0

Fragments with bad fragment flags since last reset = 0

TCP Normalizer stage statistics

Packets Input = 0

Packets Modified = 0

Dropped packets from queue = 0

Dropped packets due to deny-connection = 0

Duplicate Packets = 0

Current Streams = 0

Current Streams Closed = 0

Current Streams Closing = 0

Current Streams Embryonic = 0

Current Streams Established = 0

Current Streams Denied = 0

Statistics for the TCP Stream Reassembly Unit

Current Statistics for the TCP Stream Reassembly Unit

TCP streams currently in the embryonic state = 1

TCP streams currently in the established state = 3

TCP streams currently in the closing state = 0

TCP streams currently in the system = 4

TCP Packets currently queued for reassembly = 0

Cumulative Statistics for the TCP Stream Reassembly Unit since reset

TCP streams that have been tracked since last reset = 1790

TCP streams that had a gap in the sequence jumped = 3

TCP streams that was abandoned due to a gap in the sequence = 1

TCP packets that arrived out of sequence order for their stream = 16

TCP packets that arrived out of state order for their stream = 462

The rate of TCP connections tracked per second since reset = 0

SigEvent Preliminary Stage Statistics

Number of Alerts received = 101

Number of Alerts Consumed by AlertInterval = 38

Number of Alerts Consumed by Event Count = 0

Number of FireOnce First Alerts = 0

Number of FireOnce Intermediate Alerts = 0

Number of Summary First Alerts = 0

Number of Summary Intermediate Alerts = 0

Number of Regular Summary Final Alerts = 0

Number of Global Summary Final Alerts = 0

Number of Active SigEventDataNodes = 3

Number of Alerts Output for further processing = 63

Per-Signature SigEvent count since reset

Sig 2100.0 = 3

Sig 3002.0 = 50

Sig 3030.0 = 10

Sig 6187.0 = 38

SigEvent Action Override Stage Statistics

Number of Alerts received to Action Override Processor = 63

Number Of Meta Components Input = 0

Number of Alerts where an override was applied = 0

Actions Added

deny-attacker-inline = 0

deny-attacker-victim-pair-inline = 0

deny-attacker-service-pair-inline = 0

deny-connection-inline = 0

deny-packet-inline = 0

modify-packet-inline = 0

log-attacker-packets = 0

log-pair-packets = 0

log-victim-packets = 0

produce-alert = 0

produce-verbose-alert = 0

request-block-connection = 0

request-block-host = 0

request-snmp-trap = 0

reset-tcp-connection = 0

request-rate-limit = 0

SigEvent Action Filter Stage Statistics

Number of Alerts received to Action Filter Processor = 0

Number of Alerts where an action was filtered = 0

Number of Filter Line matches = 0

Number of Filter Line matches causing decreased DenyPercentage = 0

Actions Filtered

deny-attacker-inline = 0

deny-attacker-victim-pair-inline = 0

deny-attacker-service-pair-inline = 0

deny-connection-inline = 0

deny-packet-inline = 0

modify-packet-inline = 0

log-attacker-packets = 0

log-pair-packets = 0

log-victim-packets = 0

produce-alert = 0

produce-verbose-alert = 0

request-block-connection = 0

request-block-host = 0

request-snmp-trap = 0

reset-tcp-connection = 0

request-rate-limit = 0

Filter Hit Counts

SigEvent Action Handling Stage Statistics.

Number of Alerts received to Action Handling Processor = 63

Number of Alerts where produceAlert was forced = 0

Number of Alerts where produceAlert was off = 0

Number of Alerts using Auto One Way Reset = 0

Actions Performed

deny-attacker-inline = 0

deny-attacker-victim-pair-inline = 0

deny-attacker-service-pair-inline = 0

deny-connection-inline = 0

deny-packet-inline = 0

modify-packet-inline = 0

log-attacker-packets = 0

log-pair-packets = 0

log-victim-packets = 0

produce-alert = 63

produce-verbose-alert = 0

request-block-connection = 0

request-block-host = 0

request-snmp-trap = 0

reset-tcp-connection = 0

request-rate-limit = 0

Deny Actions Requested in Promiscuous Mode

deny-packet not performed = 0

deny-connection not performed = 0

deny-attacker not performed = 0

deny-attacker-victim-pair not performed = 0

deny-attacker-service-pair not performed = 0

modify-packet not performed = 0

Number of Alerts where deny-connection was forced for deny-packet action = 0

Number of Alerts where deny-packet was forced for non-TCP deny-connection action = 0

Anomaly Detection Statistics

Number of Received Packets:

TCP = 6965

UDP = 199638

Other = 65275

TOTAL = 271878

Number of Overrun Packets:

TCP = 0

UDP = 0

Other = 0

TOTAL = 0

Number of Ignored Packets = 24344

Number of Events = 49014

Number of Recurrent Events:

TCP = 494

UDP = 20920

Other = 12779

TOTAL = 34193

Number of Worms = 0

Number of Scanners = 0

Number of Scanners Under Worm = 0

Internal Zone

Number of Events:

TCP = 0

UDP = 0

Other = 0

TOTAL = 0

Number of Overrun Events:

TCP = 0

UDP = 0

Other = 0

TOTAL = 0

External Zone

Number of Events:

TCP = 1232

UDP = 34724

Other = 13058

TOTAL = 49014

Number of Overrun Events:

TCP = 0

UDP = 0

Other = 0

TOTAL = 0

Illegal Zone

Number of Events:

TCP = 0

UDP = 0

Other = 0

TOTAL = 0

Number of Overrun Events:

TCP = 0

UDP = 0

Other = 0

TOTAL = 0

Global Utilization Percentage

Unestablished Connections DB

TCP = 0

UDP = 0

Other = 0

Recurrent Events DB

TCP = 0

UDP = 0

Other = 0

Scanners DB

TCP = 0

UDP = 0

Other = 0

Scenario 2:

Problem:

User have IDSM with 100% inspection load on busy hour and followed by missed packets percentage increasing at that time.

The IDSM interface is setting as promiscuous interface Is it means my network throughput will limited by IDSM max inspection load / throughput which is 600Mbps?

Solution:

No, the throughput will not be limited in the network when you are in promiscous mode. But your visibility for attacks is highly limited. You should configure your span/capture settings on the 6k5 to only send as much traffic to the IDSM as this module can handle.Just remember that the IDSM-2 is a ten years old system and can't catch up with the typical traffic-demand we are having nowadays. It's time to change the IDSM against an actual external sensor.

haivrajesh · ‎07-23-2011

Good show

Rajeswar