Global correlation of IPS

When I manually update the IPS signatures, will the global correlation features of Cisco IPS be updated too?

I think not, because I believe this kind of update only updates the signatures.

No, when you update the IPS signatures, it updates only the signatures on the IPS itself.

The global correlation functionality will not be updated; it is a separate database with its own update.

Tags: Cisco Security

Similar Questions

  • IPS version 7.0.1 and global correlation

    Tomorrow night I will be moving an IPS-4240 appliance to the new version 7.0.1. Global correlation seems to be a huge advantage, as long as it does not produce a swarm of false positives.

    Will it still be necessary to apply signature updates to the IPS once we are on the new 7.0.1?

    Global correlation is not a replacement for traditional signature analysis; it is rather an enhancement to it.

    There are two aspects to global correlation.

    The first is what we internally call reputation. IP addresses known to be the source of attacks receive a negative reputation score.

    When a signature fires, the source address of the alert is compared against the reputation database. If the source address has a negative reputation score, the risk rating of the alert is increased. With the increased risk rating, the sensor can then decide to go ahead and deny the traffic.

    BUT because this relies on the signature firing in the first place, you should still always keep your signatures up to date.

    The second part of global correlation is the reputation filter.

    With the reputation filter, the Internet IP addresses with the worst reputation are placed in a special list.

    Traffic from these worst-offender IP addresses is automatically filtered by the sensor without any signature ever needing to fire. These packets are denied by the sensor early in processing, which works in a similar way to the deny-attacker-inline event action.

    So the reputation filter does not need signatures in order to work and deny traffic. However, the reputation filter covers only the worst known IP addresses, and only a small subset of attackers end up in the reputation filter list.

  • Global correlation not updated.

    I'm having a problem with our IPS modules. They updated fine for a long time, but for some reason all updates have stopped. It claims to be connected, but it does not keep updating.

    Note the following from the IPS release notes:

    • You need IPS 7.3(5) to use automatic update, global correlation and network participation after the SHA-2 certificate migration on Cisco websites.

    There is also a field notice on this issue:

    http://www.Cisco.com/c/en/us/support/docs/field-notices/640/fn64080.html

  • Global correlation test site

    Hi people,

    I am trying IPS 7.0.1 and global correlation at one of my small remote offices, but I want to confirm that it actually drops malicious traffic before rolling it out to 15+ other sensors.

    I have configured the sensor and used 'show statistics global-correlation' and 'show statistics analysis-engine' to make sure I am getting the latest databases.

    However, as I said, it is a small office and (fortunately) there is no malicious traffic for the IPS sensor to drop. I'm kind of in a catch-22 here.

    I was about to set up a test PC to use the remote desktop proxy server (so that its traffic goes through the IPS sensor) and then try to hit certain known malicious domains. This of course runs the risk of infection and is random at best.

    Are there test sites or IP addresses in the IronPort database that I can use to prove that it works (a bit like the EICAR virus test file)?

    Something like testGC.ironport.com which goes to a single unused IP address somewhere.

    If there isn't one, could you guys add one? It would certainly speed up our deployment process and might also be useful for TAC. It could also be used by the ASA botnet filter.

    Thank you!!

    Now I better understand what you need.

    Customer feedback like this is good for us.

    I have filed an enhancement request to add a command to test connectivity from the sensors to the global correlation servers, so that it can be considered for a future version of the IPS.

  • Events of global correlation

    I have an ASA 5510 with an SSM-10 module. I have global correlation running and updating. When I look at the 'Global Correlation Report' on the dashboard I see packets that have been denied by global correlation. Can someone tell me how global correlation events are logged? I would like to be able to see the raw data associated with global correlation.

    Thank you.

    Hello

    Take a look at this:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_collaboration.html#wp1065809

    As you can see, every time 'global correlation' causes the IPS to take any kind of action it produces an alert, except when the packet is denied by 'reputation filtering', which does not produce any type of alert. In addition, "this feature applies only to global correlation inspection, where traffic is allowed if no specific signature is matched".

    I'm not sure about all of these fields on the alert, but I have seen at least some of them. If you do not see an alert with these fields, then global correlation may not be seeing any instances where it had to change the risk rating and take action; in other words, you are not receiving any such packets from malicious hosts in the first place.

    In addition, if you have 'reputation filtering' enabled, you can turn it off to make sure that is not the problem.

    Regards,

    Assia

  • global correlation does not refresh.

    Hi all

    I have a problem updating global correlation. I do get signature updates on the IPS, but see the output below for global correlation.

    ==========================================

    Global correlation statistics
    Network participation:
       Counters:
          Total connection attempts = 0
          Total connection failures = 0
          Connection failures since the last success = 0
       Connection history:
    Updates:
       Status of the last update attempt = failure
       Time since last successful update = never
       Counters:
          Update failures since the last success = 8
          Total update attempts = 8
          Total update failures = 8
       Update interval in seconds = 300
       Update server = update-manifests.ironport.com
       Update server address = 204.15.82.17
       Current versions:
          config = 0
          drop = 0
          ip = 0
          rule = 0
    Warnings:

    ===========================================

    Hardware used:

    ASA-SSM-10 (version 7.0(4)E4)

    ASA 5520 (version 8.4(1))

    I see all the traffic from the firewall and the ISP routers.

    I hope someone can help me with this or give me some tips.

    Thanks in advance,

    Erik Verkerk.

    Have you enabled global correlation?

    You can check whether you have it under the license section. Without a global correlation license, you will not be able to update.

  • Global correlation error

    Hi all

    Recently I activated global correlation on my IPS-4240. Global correlation worked very well for several days.

    Suddenly it no longer works, even though the config has not changed.

    1 - The management interface can resolve the address.

    2 - The clock is not synchronized with NTP, but it is set manually to the same time as the NTP server (Internet).

    3 - No proxy is used.

    I disabled/enabled global correlation in the config; always the same issue.

    sh statistics global-correlation
    Network participation:
       Counters:
          Total connection attempts = 0
          Total connection failures = 0
          Connection failures since the last success = 0
       Connection history:
    Updates:
       Status of the last update attempt = failure
       Time since last successful update = 7392 minutes
       Counters:
          Update failures since the last success = 1478
          Total update attempts = 3060
          Total update failures = 1481
       Update interval in seconds = 300
       Update server = update-manifests.ironport.com
       Update server address = 204.15.82.17
       Current versions:
          config = 0
          drop = 0
          ip = 0
          rule = 0

    Please advise.

    If there has been no change in the network, I suggest you reload the IPS and see if that solves the problem.

    If you want to dig deeper into the issue, I would suggest you open a case with TAC so it can be investigated further.
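    The two threads above both boil down to reading 'show statistics global-correlation' by eye. The script below is an added example (not from the original posts or from Cisco) that parses that output and turns the counters into findings an operator could run across a fleet of sensors; the sample outputs are constructed from the two quoted above, and the label wording is assumed to match what those posts show.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample built from the "show statistics global-correlation"
# output quoted above: a sensor that has never completed an update.
SAMPLE_NEVER_UPDATED = """\
Network participation:
   Counters:
      Total connection attempts = 0
      Total connection failures = 0
      Connection failures since the last success = 0
   Connection history:
Updates:
   Status of the last update attempt = failure
   Time since last successful update = never
   Counters:
      Update failures since the last success = 8
      Total update attempts = 8
      Total update failures = 8
   Update interval in seconds = 300
   Update server = update-manifests.ironport.com
   Update server address = 204.15.82.17
   Current versions:
      config = 0
      drop = 0
      ip = 0
      rule = 0
Warnings:
"""

# Constructed sample from the second thread: a sensor that worked for days
# and then stopped (last success 7392 minutes ago, 1478 failures since).
SAMPLE_STALE = SAMPLE_NEVER_UPDATED.replace(
    "Time since last successful update = never",
    "Time since last successful update = 7392 minutes",
).replace(
    "Update failures since the last success = 8",
    "Update failures since the last success = 1478",
).replace("Total update attempts = 8", "Total update attempts = 3060"
).replace("Total update failures = 8", "Total update failures = 1481")

_KEY_VALUE = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")


def parse_gc_stats(text: str) -> Dict[str, str]:
    """Flatten every 'key = value' line into a dict keyed by the lower-cased
    label; section headers (lines ending in ':') have no '=' and are skipped."""
    stats: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KEY_VALUE.match(line)
        if m:
            stats[m.group(1).lower()] = m.group(2)
    return stats


def _int(stats: Dict[str, str], key: str, default: int = -1) -> int:
    """First integer in a value, or default when the key is absent/non-numeric."""
    m = re.search(r"\d+", stats.get(key, ""))
    return int(m.group()) if m else default


def assess_gc_stats(stats: Dict[str, str],
                    max_stale_minutes: int = 60) -> List[Tuple[str, str]]:
    """Return (level, message) findings. 'critical': the sensor has no usable
    reputation data; 'warning': updates are failing; 'info': advisory only."""
    findings: List[Tuple[str, str]] = []
    last = stats.get("time since last successful update", "").lower()
    if last in ("", "never"):
        findings.append(("critical", "reputation database has never been downloaded"))
    else:
        minutes = _int(stats, "time since last successful update")
        if minutes > max_stale_minutes:
            findings.append(("critical",
                             f"last successful update was {minutes} minutes ago"))
    # "failures since last success" counts consecutive failed attempts; with
    # the update interval that gives how long the sensor has been failing.
    fails = _int(stats, "update failures since the last success", 0)
    if fails > 0:
        interval = _int(stats, "update interval in seconds", 300)
        findings.append(("warning", f"{fails} consecutive update failures (about "
                                    f"{fails * interval // 60} minutes of failed attempts)"))
    # All four database versions at 0 means no reputation data was ever
    # loaded, so neither risk-rating adjustment nor reputation filtering can act.
    versions = {k: _int(stats, k) for k in ("config", "drop", "ip", "rule")}
    if all(v == 0 for v in versions.values()):
        findings.append(("critical", "all database versions are 0: no reputation "
                                     "data is loaded, so nothing can be denied"))
    if _int(stats, "total connection attempts", 0) == 0:
        findings.append(("info", "network participation has never connected "
                                 "(feature disabled or blocked)"))
    return findings


if __name__ == "__main__":
    for name, sample in (("never updated", SAMPLE_NEVER_UPDATED), ("stale", SAMPLE_STALE)):
        print(f"== sensor: {name}")
        for level, msg in assess_gc_stats(parse_gc_stats(sample)):
            print(f"  [{level}] {msg}")
```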

  • Global correlation and the Application failed

    Hi people,

    I have an IPS4270-20-K9 with version 7.0(3)E4 and signature version 572.

    Sensor health shows me a critical problem, with:

    - Application failed
    - Global correlation

    sensor# sh statistics global-correlation

    Error: getGlobalCorrelationStatistics : ct-collaborationApp.459 not responding, please check system processes - failed to connect to specified Io::ClientPipe.

    How do I solve this?

    Thanks.

    This error message indicates that a software process required for the global correlation function (CollaborationApp) is not responding (stopped, crashed, hung, etc.). You will need to reboot ('reset') the sensor to restore the process to a 'Running' status.

    There are several defects in the software version you are running (7.0(3)E4) that are the likely culprits and that have been fixed in later versions (7.0(4)E4 and 7.0(5a)E4). After you have restarted the sensor and restored service, you can upgrade to a fixed version (7.0(5a)E4).

  • Global policy config using IPS (ASA 5520)

    I get an error 'ERROR: Policy map global_policy is already configured as a service policy' when I try to configure the IPS. How can I fix this config?

    - Attempted config change -

    HO1ASA01# conf t
    HO1ASA01(config)# access-list IPS permit ip any any
    HO1ASA01(config)# class-map IPS-CLASS
    HO1ASA01(config-cmap)# match access-list IPS
    HO1ASA01(config-cmap)# policy-map IPS-POLICY
    HO1ASA01(config-pmap)# class IPS-CLASS
    HO1ASA01(config-pmap-c)# ips promiscuous fail-open
    HO1ASA01(config-pmap-c)# service-policy IPS-POLICY global
    ERROR: Policy map global_policy is already configured as a service policy
    HO1ASA01(config)#
    HO1ASA01(config)#

    - From the running config -

    class-map IPS-CLASS
     match access-list IPS
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 1024
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    policy-map IPS-POLICY
     class IPS-CLASS
      ips promiscuous fail-open
    !
    service-policy global_policy global

    The reason you got the warning is that you already had the global 'service-policy global_policy global' line in the config. You did not need to add another one.

    You must get rid of 'policy-map IPS-POLICY'.

  • AIP-SSM 7.0(1) global correlation config nightmare.

    Thank you, Cisco, for creating a management nightmare with your 'Global Correlation' option in version 7.0...

    Let's start with the management interface of the AIP-SSM-20...

    We have an OOB management network, with a single entry point into it provided by another device, a PIX515E. Both the ASA5540 AND the AIP-SSM-20 are in this network.

    The first issue was routing: since the ASA sees the management network as 'directly attached' and we ROUTE the SSM module's update traffic via the PIX, we had to add translation entries in the PIX515E for the SSM module (management 10.x.x.x, translated to 172.x.x.x).

    It wasn't a big deal, but this is where the nightmare begins...

    First a note: we have locked the management network DOWN TIGHT; only a few network management stations are allowed into this network to access these devices.

    I activated global correlation in test mode, but it 'failed' whenever it tried to update... Reading other posts, I created ACLs and static NATs in the PIX515E for these IP addresses:

    204.15.82.17 (IP listed in the IME global correlation update server)

    97.65.135.170 and .137 (from another post in these forums)

    207.15.82.17 (IP found in a trace)

    Still no update. Searching through the PIX logs, I found 'no translation' entries for the following addresses:

    198.133.219.25

    209.107.213.40

    208.90.57.73

    I put these in, and it started updating! FIXED? NOT!

    This morning it wasn't updating again... I looked in the PIX logs again and found these:

    77.67.85.33

    77.67.85.9

    Added them, and the SSM is happy again. For how long? Who knows?

    So now I have NINE holes in my 'secure' network, and who knows when Cisco will change or add new IP addresses to this list.

    Cisco, if you are listening: ALL global correlation access through a single IP address? PLEASE?

    (use the one listed in IME, 204.15.82.17, for the URL update-manifests.ironport.com)

    Some of the addresses are owned by Cisco (originally ironport.com addresses from the IronPort acquisition) and are used as manifest servers that provide the sensor with a list of files to download.

    The sensor then downloads the files from Akamai servers. Akamai has a large number of servers around the world. Cisco sends the update to Akamai, and they replicate it across their servers. When a sensor tries to connect to the Akamai server it does a DNS query, and by controlling the DNS response Akamai can direct the sensor to an Akamai server located near it. This allows better load balancing, response time and download speeds.

    However, Akamai has a large number of servers worldwide (in the thousands, I think), and you cannot predict which server your specific sensor will be directed to.

    Sensor connections to the Cisco servers for the manifest (list of files) are on port 443, and usually to the URL update-manifests.ironport.com.

    Sensor connections to the Akamai servers for the actual file downloads are on port 80, and usually to the URL updates.ironport.com.

    The above is based on my limited knowledge of how the updates work. I may have gotten the details slightly wrong, but it should at least give you a general idea.

    I will work with development to get this better documented in the Release Notes and the Readme with the next version of the IPS software.

  • What is the difference between IPS v6 and IPS v7?

    Hello, dear experts,

    I would like to ask about the difference between IPS v6 and IPS v7.

    Are there any documents that cover this?

    Thank you

    rebel

    Here is a list of release notes on the new features supported in each version, for your reference:

    http://www.Cisco.com/en/us/products/HW/vpndevc/PS4077/prod_release_notes_list.html

    Global correlation is the main new feature supported in version 7.0.1 (E3).

    Hope that helps.

  • IPS (7.0(7)E4) on ASA-SSM-10 blocks DNS without alerts

    Hi all

    I have the IPS module:

    Build version: 7.0(7)E4

    ASA 5500 Series Security Services Module-10

    Signature Update S652.0 2012-06-20

    From the ASDM event log:

    4 Jun 26 2012 18:21:47 193.227.240.38 53 sd-out 65347 IPS requested to drop UDP packet from outside:193.227.240.38/53 to dmz1:sd-outside/65347

    But the IPS produces no alerts for these drops, so it does not explain why it blocks these packets. DNS requests fail for just one network.

    ! ------------------------------

    ! Current configuration last modified Tue Jun 26 18:01:58 2012

    ! ------------------------------

    ! Version 7.0(7)

    ! Host:

    !     Realm Keys          key1.0

    ! Signature Definition:

    !     Signature Update    S652.0   2012-06-20

    ! ------------------------------

    service interface

    exit

    ! ------------------------------

    service authentication

    exit

    ! ------------------------------

    service event-action-rules rules0

    filters edit PROXY

    attacker-address-range 192.168.72.7

    actions-to-remove deny-attacker-inline|deny-packet-inline

    os-relevance relevant|not-relevant|unknown

    exit

    filters edit Q00000

    signature-id-range 5684

    attacker-address-range 95.190.8.0-95.190.8.255

    actions-to-remove deny-attacker-inline|deny-packet-inline

    os-relevance relevant|not-relevant|unknown

    exit

    filters edit Q00001

    signature-id-range 5684

    victim-address-range 95.190.8.0-95.190.8.255

    actions-to-remove deny-attacker-inline|deny-packet-inline

    os-relevance relevant|not-relevant|unknown

    exit

    filters edit USERS

    signature-id-range 1102,5237,2152,5684,2100,5581,3030,6061,3030,11020,5403,5474,20020,60000-60100

    attacker-address-range 192.168.0.0-192.168.255.255

    actions-to-remove deny-attacker-inline|deny-packet-inline

    os-relevance relevant|not-relevant|unknown

    exit

    filters edit USERS2

    signature-id-range 5575-5591,2151,21619,2150-2151

    attacker-address-range 192.168.0.0-192.168.255.255

    victim-address-range 192.168.0.0-192.168.255.255

    actions-to-remove deny-attacker-inline|deny-packet-inline

    os-relevance relevant|not-relevant|unknown

    exit

    filters move PROXY begin

    filters move USERS after PROXY

    filters move Q00000 after USERS

    filters move Q00001 after Q00000

    filters move USERS2 after Q00001

    general

    global-deny-timeout 14400

    exit

    target-value low target-address 192.168.0.0-192.168.255.255

    target-value medium target-address 192.168.1.0-192.168.1.255,192.168.64.0-192.168.64.255,192.168.3.0-192.168.3.49,192.168.65.128-192.168.65.255

    target-value high target-address 192.168.72.2-192.168.72.254,192.168.66.0-192.168.67.255,192.168.2.0-192.168.2.255

    target-value mission-critical target-address 192.168.65.0-192.168.65.127

    os-identification

    calc-arr-for-ip-range 192.168.0.0-192.168.255.255

    exit

    exit

    ! ------------------------------

    service host

    network-settings

    host-ip 192.168.64.194/24,192.168.64.1

    host-name gw1-ips

    telnet-option disabled

    access-list 192.168.0.0/16

    dns-primary-server enabled

    address 192.168.66.2

    exit

    dns-secondary-server enabled

    address 192.168.72.19

    exit

    dns-tertiary-server enabled

    address 192.168.72.20

    exit

    exit

    time-zone-settings

    offset 360

    standard-time-zone-name GMT+06:00

    exit

    ntp-option enabled-ntp-unauthenticated

    ntp-server 192.168.64.1

    exit

    summertime-option disabled

    auto-upgrade

    cisco-server enabled

    schedule-option calendar-schedule

    times-of-day 04:20:00

    days-of-week sunday

    days-of-week tuesday

    days-of-week thursday

    days-of-week saturday

    exit

    user-name dimaonline

    cisco-url https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl

    exit

    exit

    exit

    ! ------------------------------

    service logger

    exit

    ! ------------------------------

    service network-access

    general

    enable-acl-logging true

    never-block-networks 192.168.0.0/16

    exit

    exit

    ! ------------------------------

    service signature-definition sig0

    signatures 60000 0

    alert-severity low

    sig-fidelity-rating 50

    sig-description

    sig-name XPress Administrator Service

    sig-string-info Access to Administrator Service

    sig-comment External user open Admin

    sig-creation-date 20120622

    exit

    engine service-http

    max-field-sizes

    specify-max-uri-field-length no

    exit

    regex

    specify-uri-regex yes

    uri-regex [Aa]dministrator[Ss]ervice[.]asmx

    exit

    exit

    service-ports 80

    exit

    event-counter

    event-count 1

    event-count-key Axxx

    specify-alert-interval no

    exit

    alert-frequency

    summary-mode summarize

    summary-interval 15

    summary-key Axxx

    specify-global-summary-threshold no

    exit

    exit

    vulnerable-os windows-nt-2k-xp

    specify-mars-category yes

    mars-category Info/Misc/Login

    exit

    exit

    signatures 60000 1

    alert-severity low

    sig-fidelity-rating 50

    sig-description

    sig-name Xpress Bridge

    sig-string-info Service URL

    sig-comment External Access to bridge

    sig-creation-date 20120625

    exit

    engine service-http

    regex

    specify-uri-regex yes

    uri-regex [Bb]ridge[/][Ss]ervice[.]asmx

    exit

    exit

    service-ports 80

    exit

    event-counter

    event-count 1

    event-count-key Axxx

    specify-alert-interval no

    exit

    alert-frequency

    summary-mode summarize

    summary-interval 15

    summary-key Axxx

    specify-global-summary-threshold no

    exit

    exit

    status

    enabled true

    exit

    specify-mars-category yes

    mars-category Info/Misc/Login

    exit

    exit

    signatures 60001 0

    alert-severity high

    sig-fidelity-rating 90

    sig-description

    sig-name FreePBX Display Extentions

    sig-string-info Acces to Extentions settings

    sig-comment Weak Password Detection

    sig-creation-date 20120622

    exit

    engine service-http

    event-action produce-alert|deny-attacker-inline

    regex

    specify-uri-regex yes

    uri-regex [/]admin[/]config[.]php

    exit

    specify-arg-name-regex yes

    arg-name-regex display

    specify-arg-value-regex yes

    arg-value-regex (extensions)|(trunks)

    exit

    exit

    exit

    service-ports 80

    exit

    event-counter

    event-count 1

    event-count-key Axxx

    specify-alert-interval no

    exit

    alert-frequency

    summary-mode summarize

    summary-interval 15

    summary-key Axxx

    specify-global-summary-threshold no

    exit

    exit

    exit

    exit

    ! ------------------------------

    service ssh-known-hosts

    exit

    ! ------------------------------

    service trusted-certificates

    exit

    ! ------------------------------

    service web-server

    enable-tls false

    port 80

    exit

    ! ------------------------------

    service anomaly-detection ad0

    internal-zone

    enabled true

    ip-address-range 192.168.0.0-192.168.255.255

    tcp

    enabled true

    exit

    udp

    enabled true

    exit

    other

    enabled true

    exit

    exit

    illegal-zone

    enabled false

    tcp

    enabled false

    exit

    udp

    enabled false

    exit

    other

    enabled false

    exit

    exit

    ignore

    source-ip-address-range 192.168.0.0-192.168.255.255

    exit

    exit

    ! ------------------------------

    service external-product-interface

    exit

    ! ------------------------------

    service health-monitor

    signature-update-policy

    enable false

    exit

    license-expiration-policy

    enable false

    exit

    event-retrieval-policy

    enable false

    exit

    exit

    ! ------------------------------

    service global-correlation

    exit

    ! ------------------------------

    service aaa

    exit

    ! ------------------------------

    service analysis-engine

    virtual-sensor vs0

    physical-interface GigabitEthernet0/1

    exit

    exit

    I confirmed with the IronPort team that this IP is a bad host in SensorBase. That is why the traffic from this host is being dropped. There could be several reasons for this subnet being on the list; for example, it could be part of a host known to be controlled by spammers. You would need to reach out to the development team for confirmation, however.

  • ASA-SSM-20 error: AutoUpdate exception: HTTP connection failed

    Automatic update has worked for years, but now it doesn't.

    I checked that the sensor establishes a connection with the peer at https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl

    CCO credentials have not changed.

    What is happening here? I have two sensors behaving this way, btw.

    Thank you.

    John

    I had this at one of my clients. I dug into it and discovered the following:

    Cisco updated their SSL certificates earlier this year to ones signed with SHA-2. They are signed by a different root certification authority (Verizon, if I remember correctly), and the IPS system image must be updated to the latest version (7.3(5)) to trust this root CA certificate.

    This is mentioned in the IPS 7.3(5) release notes:

    http://www.Cisco.com/c/en/us/TD/docs/security/IPS/7-3/release/notes/rele...

    • You need IPS 7.3(5) to use automatic update, global correlation and network participation after the SHA-2 certificate migration on Cisco websites.

  • Signature update failure on the AIP-SSM-10

    I hope someone can help me; I am unable to get the signature auto-update working on our ASA 5510 IPS. We have a valid support contract, our user name does not include any special characters, and I am able to download the signature files from the site using our CCO account.

    When trying to update via auto-update from cisco.com, I get the following in the event log on each update attempt:

    evError: eventId=1319467413849005289 vendor=Cisco severity=error
    originator:
    hostId: xxxx
    appName: mainApp
    appInstanceId: 354
    time: October 26, 2011 11:40:01 UTC offset=60 timeZone=GMT00:00
    errorMessage: AutoUpdate exception: HTTP connection failed [1,111] name=errSystemError

    I've included a 'show conf' and a 'show stat host' below.

    XXXXXX# show conf

    ! ------------------------------
    ! Current configuration last modified Wed Oct 26 10:48:07 2011
    ! ------------------------------
    ! Version 7.0(6)
    ! Host:
    !     Realm Keys          key1.0
    ! Signature Definition:
    !     Signature Update    S604.0   2011-10-20
    ! ------------------------------
    service interface
    exit
    ! ------------------------------
    service authentication
    exit
    ! ------------------------------
    service event-action-rules rules0
    exit
    ! ------------------------------
    service host
    network-settings
    host-ip 10.x.x.x/24,10.x.x.x
    host-name xxxxxx
    telnet-option disabled
    access-list 10.x.x.x/32
    access-list 10.x.x.x/16
    access-list 10.x.x.x/32
    dns-primary-server enabled
    address 10.x.x.x
    exit
    dns-secondary-server disabled
    dns-tertiary-server disabled
    exit
    time-zone-settings
    offset 0
    standard-time-zone-name GMT00:00
    exit
    ntp-option enabled-ntp-unauthenticated
    ntp-server 10.x.x.x
    exit
    summertime-option recurring
    summertime-zone-name GMT00:00
    start-summertime
    week-of-month last
    exit
    end-summertime
    month october
    week-of-month last
    exit
    end-summertime
    month october
    week-of-month last
    exit
    exit
    auto-upgrade
    cisco-server enabled
    schedule-option periodic-schedule
    start-time 00:40:00
    interval 1
    exit
    user-name xxxxxxxxxxxxxxx
    cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    exit
    exit
    exit
    ! ------------------------------
    service logger
    exit
    ! ------------------------------
    service network-access
    exit
    ! ------------------------------
    service notification
    exit
    ! ------------------------------
    service signature-definition sig0
    exit
    ! ------------------------------
    service ssh-known-hosts
    exit
    ! ------------------------------
    service trusted-certificates
    exit
    ! ------------------------------
    service web-server
    exit
    ! ------------------------------
    service anomaly-detection ad0
    exit
    ! ------------------------------
    service external-product-interface
    exit
    ! ------------------------------
    service health-monitor
    exit
    ! ------------------------------
    service global-correlation
    exit
    ! ------------------------------
    service aaa
    exit
    ! ------------------------------
    service analysis-engine
    virtual-sensor vs0
    physical-interface GigabitEthernet0/1
    exit
    exit

    XXXXXX# show statistics host
    General Statistics
       Last change to host config (UTC) = 27 October 2011 08:27:10
       Command Control Port Device = GigabitEthernet0/0
    Network Statistics
       = ge0_0     Link encap:Ethernet  HWaddr 00:12:D9:48:F7:44
       = inet addr:10.x.x.x  Bcast:10.x.x.x  Mask:255.255.255.0
       = UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
       = RX packets:470106 errors:0 dropped:0 overruns:0 frame:0
       = TX packets:139322 errors:0 dropped:0 overruns:0 carrier:0
       = collisions:0 txqueuelen:1000
       = RX bytes:40821181 (38.9 MiB)  TX bytes:102615325 (97.8 MiB)
       = Base address:0xbc00 Memory:f8200000-f8220000
    NTP Statistics
       = remote        refid   st t when poll reach delay  offset jitter
       = *time.xxxx.x  195.x.x.x  3 u  142 1024  377  1.825 -0.626  0.305
       = LOCAL(0)      LOCAL(0)  15 l   59   64  377  0.000  0.000  0.001
       = ind assID status conf reach auth condition last_event cnt
       = 1 43092 b644 yes yes no sys.peer reachable 4
       = 2 43093 9044 yes yes no reject reachable 4
       status = Synchronized
    Memory Usage
       usedBytes = 664383488
       freeBytes = 368111616
       totalBytes = 1032495104
    Summertime Statistics
       start = 03:00:00 GMT00:00 Sunday, March 27, 2011
       end = 01:00:00 GMT00:00 Sunday, October 30, 2011
    CPU Statistics
       Usage over last 5 seconds = 51
       Usage over last minute = 44
       Usage over last 5 minutes = 50
    Memory Statistics
       Memory usage (bytes) = 664383488
       Memory free (bytes) = 368111616
    Auto Update Statistics
       lastDirectoryReadAttempt = 08:40:00 GMT00:00 Thursday, October 27, 2011
       = Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
       = Error: AutoUpdate exception: HTTP connection failed [1,111]
       lastDownloadAttempt = N/A
       lastInstallAttempt = N/A
       nextAttempt = 09:28:00 GMT00:00 Thursday, October 27, 2011
    Auxiliary Processors Installed

    Thank you very much.

    Your error message indicates "HTTP connection failed".

    Can the sensor's management interface reach the Internet via HTTP?

    Do you have a proxy between the sensor and the Internet?

    Can you ping open Internet IP addresses (like google.com) from the sensor?

    -Bob

  • AIP-SSM-10 and testing

    In my lab I have a new 5510 with an AIP-SSM card.

    I think it is configured correctly to inspect traffic, but I can't be sure.

    This is part of the ASA configuration:

    class-map global-class
     match any
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect ftp, etc.
     class global-class
      ips inline fail-open
    service-policy global_policy global

    I have a PC connected to a switch, which goes to the ASA (inside interface).

    The ASA outside interface goes to a separate VLAN on the switch.

    Both interfaces have VLANs configured.

    Is there a ping command, or other traffic I can generate from the PC, that will throw an alert?

    I tried pings to a bogus address, but that did not cause an event.

    How will I know if the traffic actually crosses the IDS?

    Thank you.

    Hello Jimmy

    Class-map: global-class
      IPS: card status Up, mode inline fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0

    No packets get to the IPS module.

    Have you assigned the interface to virtual sensor 0 on the AIP-SSM side?
