You want to do a VACL capture on the 6500: http://www.cisco.com/c/en/us/support/docs/lan-switching/vlan-access-lists-vacls/89962-vacl-capture.html monitor session 50 source vlan 100 , 200 monitor session 50 destination interface Fa3/30   ... View more

It all depends on your Fail Open setting and your security posture. If your primary ASA is set to Fail Closed, then taking the AIP-SSM off line for an upgrade will cause traffic to fail over to the standby ASA. If you are set for Fail Open then traffic will continue to pass thru your primary ASA without IPS inspection untill the AIP-SSM comes back. Your security posture will dictate how important IPS inspection/dropping is to your organization. Is mainting IPS inspection more important than failing over to the standby rail? - Bob   ... View more

It would be possible to create a TCP session signature that would trigger on the string "del" or "rm" with the destination IP address of your FTP server, but those text strings could appear in other traffic you may not want blocked. The more reasonable way to accomplish this goal is to edit the user accounts on the FTP server to allow or deny the permissions you want the users to have. That way a privileged account could still manage your FTP server and perform all ftp functions. - Bob ... View more

You need to do this on a per-signature basis. There is no global "send all my signature events via SNMP traps". http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_signature_definitions.html#wp1119516 - Bob ... View more

I don't have any experience with Splunk and Cisco IPS, but there is a Wiki for it, so I assume other people have it working:  http://wiki.splunk.com/Set_up_Splunk_for_Cisco_IPS I would imagine all commercial SEM vendors should support Cisco's implementation of SDEE, I have experience with Trustwave (formerly Intelitactics) and Arcsight. How many sensors are you attempting to monitor? The free Cisco IME can pull events from up to 5 sensors. - Bob ... View more

Daniel - Your two most common options for getting event data off your sensors are: 1. Get/build/buy a SIEM that will pull the evetns via the SDEE protocol. 2. Edit the action of the signatures in question (>85% RR) to generate an SNMP trap for the event. For real analysis you will also want to grab a PCAP of both sides of the attack (so you can tell if it was sucessful or a false positive). - Bob ... View more

Rene - Enabling all the signatures on your IPS may not be in your best interests. Even with ample sensor bandwidth, you should be performing analysis on the signatures that fire to determine of they are true or false positives (and take the necessary remedial actions if true of course). With a pile of unnecessary signatures that can (and many eventually will) fire, you will burn up your (human) analysis resources. By all means enable any signature or family of signatures that you think apply to what you are running in production, but be ready to tune them (disable) when you discover that the false positive rate isn;t worth seeing those events. Beating your signature set into a good working Best Practices set of solid, actionable signature takes constant work and time. No IPS sensor gives you their best out of the box. A good analysis tool is to configure the sensor to capture PCAPs surrounding the event. This will allow your analysts to determine if there was truly a compromise and possibly determine if it was successful. Good luck - Bob ... View more

Your IPS appliance will bridge the traffic between the two VLANS. Assign your VLAN ports like this: VLAN 10 internet connection Outside interface of IPS sensor VLAN 20 Inside connection to your network Inside interface of your IPS sensor PLEASE put your sensor on the inside of your firewall. - Bob ... View more