How to tune the signatures of the AIP-SSM-20

Hi all

When I connect to my ASA IPS module, I see a lot of signatures with a risk rating of HIGH, but they are not activated (ENABLED). So I wonder whether it is recommended to activate all these HIGH-risk signatures in the IPS. I think that if these signatures have a risk rating of HIGH, then they should all be activated to combat the threat to security. Will it cause performance degradation if all are activated? Or will it block part of the legitimate traffic if all are enabled to combat the threat?

I'll be very grateful for your help.

Kind regards.

No, it's definitely not recommended to enable all the signatures on the IPS. There will certainly be performance degradation, because they are not intended to all be activated.

The Cisco IPS team pre-enables the current signatures and tunes the signatures on each signature update if they are considered high-risk for security. Those that have been turned off are likely to be old signatures that are no longer current at this stage, unless you have not patched your end hosts. The IPS will monitor and/or block threats; however, it is always the responsibility of the host administrator to patch the hosts. The IPS will only prevent and guide you to patch the end hosts.

Tags: Cisco Security

Similar Questions

  • Cannot access the AIP SSM via ASDM

    CISCO recommendations below:

    Cannot access the AIP SSM via ASDM

    Problem:

    This error message appears on the GUI.

    Error connecting to sensor. Error Loading Sensor error

    Solution:

    Make sure that the IPS SSM management interface is up/down and check its configured IP address, default gateway and subnet mask. This is the interface used to access the Cisco Adaptive Security Device Manager (ASDM) software from the local computer. Try to ping the management IP address of the IPS SSM interface from the local computer from which you want to access the ASDM. If it is impossible to ping, check the ACLs on the sensor.

    ----------------------------------------------------------------------------------------------------------------------------------------------

    I've tried everything recommended above. I can ping the ASDM host from the FW and from the SSM-10 module. Likewise, I can ping the host machine and the SSM from the ASDM. I opened the ACL as wide as possible. I changed the IP addresses and masks several times. The ASA management port, the SSM and the PC are on the same subnet.

    A packet trace from the PC to the SSM shows that it is blocked by an ACL rule, and yet I opened it wide. I've seen this kind of problem before and it was solved by applying double static NAT, but I don't know how to do that if all the IP addresses are on the same subnet.

    Tried everything, need help from a high level.

    The IDM software that comes with ASDM does not support Java 1.7. The ASA portion of ASDM supports 1.7, but launching the IPS part works only with 1.6. The TAC engineer suggested that I use IME (IPS Manager Express), which is available for free on Cisco's website (http://www.cisco.com/en/US/products/ps9610/tsd_products_support_general_information.html).

    I've been playing with it today, and so far it seems to work pretty well.

  • AIP-SSM connection to an unused ASA interface

    Hi people,

    Perhaps someone has already raised this issue, but I was unable to find anything relevant. We have an ASA with an unused interface (gig0/3). The AIP-SSM sensor is physically connected to this interface with the following IP settings:

    Sensor (192.168.2.2/30,192.168.2.1)---interface ASA (192.168.2.1/30)

    It's basically point-to-point connectivity, and I can reach the ASA from the sensor and the other way around.

    This design is dictated by the lack of a free port on the switch.

    Technically, it should work without any problems, but I can't seem to be able to reach the sensor. There is a switch between my PC and the sensor, and the switch has the corresponding static route added. I can reach the sensor from the switch.

    Is there a hidden security feature I don't know about that prevents communication with the sensor?

    And the ACL of the sensor allows traffic from all networks (0.0.0.0/0).

    With the sensor ACL set to 0.0.0.0/0, the sensor should be allowing connectivity.

    You can use the 'packet display' command on the sensor to look at the packets on the command and control interface, to see whether the packets are actually reaching the sensor.

    You say that you have a static route on your switch for the switch to reach your sensor. Do you know whether your PC is configured to use the switch as its default router? If the PC is using a different default router, then that other router will also need the static route.

    The other possibility is that the ASA itself may be denying the traffic.

    Since this is an SSM connected to an ASA interface, the traffic must be routed through the ASA. Standard firewall rules apply to this traffic. The security levels of the interfaces can prevent the traffic, and an ACL may be necessary in order to allow traffic from your PC to be routed to the SSM.

    NOTE: If you don't want to have to worry about routes, the other alternative is to make the network between the ASA and the SSM an isolated network that only the 2 machines know about.

    You can then use static PAT to map a port on the ASA's inside interface to the SSM's address on HTTPS port 443, and map a second port on the ASA's inside interface to the SSM's address on the SSH port.

    Your PC would then simply connect to the ASA's inside IP on these specific ports, and the ASA would do the port translation and forward the traffic to the SSM.

    The SSM's address could also be dynamically PATed to the ASA's inside address, so the SSM could initiate connections to other machines on the inside network.

    Another alternative, if you have IP addresses available on your inside network, is to use static NAT instead of PAT: have the ASA statically map an IP on the inside network to the IP of the SSM on the network that only the ASA and the SSM know about.

    In either case the network between the ASA and the SSM would not be routable at all, and you wouldn't have to worry about replicating static routes anywhere.

    SIDE NOTE: Because you have a separate network for the SSM, you will also need to NAT or PAT the SSM's address on the ASA's outside interface. In this way the SSM will be able to connect to the Internet to download auto updates from cisco.com and/or pull global correlation information from Cisco's servers. It's probably the same configuration that you would already have for other internal addresses, but just to be sure, cover the SSM since you have it on a separate subnet.

  • Interface of the AIP-SSM

    What does the configuration of the AIP-SSM interface indicate?

    If it indicates that the traffic on this interface will be processed, then what is the purpose of diverting the traffic with the ASA policy?

    Thanks, hope that I have answered your questions.

  • Accessing the AIP-SSM-10 through the ACS

    Hi,

    Please, I would like to know if you can access the AIP-SSM-10 using a Cisco ACS account.

    Thank you

    The IPS module does not support authentication to an ACS server.

    Please find the only authentication method for IPS in the following document:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_sensor_management.html

    Hope that answers your question.

  • Hardware and signature support for the AIP SSM-10

    We have a 5510 for which we bought an AIP SSM-10 card for the ASA, which is already covered by a support contract. We now want to add hardware maintenance for the new AIP SSM-10 card as well as signature updates. Our Cisco provider has confirmed that we will receive signature updates with hardware support (we have been trying to get a response from them since June or July now).

    Could someone let us know the correct part number, so we can ask for the specific option that will allow both hardware cover and signature updates.

    I think what you need is

    CON-SU1-AS1A1PK9 IPS, NBD SVC, AR ASA5510-AIP10SP-K9

    Cisco SmartNet support

  • Reloading the AIP-SSM

    Does reloading the AIP-SSM module affect the ASA?

    Exactly. If you don't have a policy map using the SSM module, then you can reload the SSM module and it does not affect the traffic passing through the ASA. To give you more information, here is a link with information on how to configure the ASA to use the SSM module:

    http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/SSM.htm#wp1050744

    Hope that helps.

    Kind regards

    Maryse.

  • Question about the clock of the AIP-SSM

    We have configured our AIP-SSM and synchronized it with our NTP servers. The show clock command shows the correct time in the CLI:

    sensor# show clock
    16:42:35 GMT+05:30 Sunday, March 28, 2010

    sensor# show clock detail
    16:53:25 GMT+05:30 Sunday, March 28, 2010
    Time source is NTP

    But the time indicated in the "last update" tab shows UTC time. Even in my case the logs are updated with UTC time information only. I have set the time zone correctly.

    Do I need to configure something else to update the timestamp in the event log?

    In the second version of the IPS, a new column has been added for "sensor time" in the event viewer.

  • Signature update version: AIP-SSM GUI

    How can I see the latest signature version on the AIP-SSM via the GUI? In the CLI I see it in the 'show version' output.

    Thank you.

    You can see it through the Monitoring tab. The exact location is:

    Monitoring > Support Information > System Information

    You can also view this information in IME.

    Please rate if useful.

    Regards

    Farrukh

  • How to tune the IDS MC signature parameters

    Via the web interface of IDS MC, the only signature parameters I can edit are AlarmSeverity and EventAction. To adjust other settings, I have to go through the IDM. The problem is that after a deployment of the IDS MC configuration, these parameters are replaced by the default settings of IDS MC.

    I would like to know if it is possible to adjust these settings manually by editing the files on the IDS MC system. I noticed there are some possible files contained in CSCOpx\MDC\etc\ids\xml\sig_data, but not all signatures are defined in those files. Maybe the sig settings are stored in one of the Sybase DBs?

    It's becoming a true PITA managing IDS via IDS MC due to its limitations.

    To change the engine settings in IDS MC, click on the name of the engine.

  • How to tune the concurrent Manager

    Hello
    I am working on R12.1.2. I submit a query to run a report and the Concurrent Manager gets stuck. Last night I submitted a request for the AP export report but it has not finished yet. I have been facing this problem for a couple of days. Any help in this regard is highly appreciated.

    Kind regards
    Umair

    Hi;

    I am working on R12.1.2. I submit a query to run a report and the Concurrent Manager gets stuck. Last night I submitted a request for the AP export report but it has not finished yet. I have been facing this problem for a couple of days. Any help in this regard is highly appreciated.

    Is there any error in the Concurrent Manager log files? Please follow the threads below, which might be useful for your question:

    Concurrent Manager tuning in real time
    Oracle applications database

    Tune the Concurrent Manager
    Oracle applications database

    Very slow Concurrent Manager
    Several step error caused by SQL syntax?

    Regards
    HELIOS

  • How to tune the EBS R12 TEST SERVER

    Hi hussein.

    I have a test server with EBS R12.1 on Linux 4.6

    It's for demo only; I want to speed it up by minimizing the SGA and deactivating some application modules.
    You told me about this before for 11i. How do you do it on R12, please? I think there is a different way to do it.

    Are there separate processes on R12.1 so that I can connect a little more quickly? I want the Financials demo and to disable the other modules.


    Thank you very much

    Ms. K

    Posted by: user_unlimited on July 16, 2010 09:55

    Hello

    SGA_TARGET should not be set lower than 1 GB - see Note 396009.1 for more details.

    Thank you
    Hussein

  • How to tune the loading using SQL LOADER

    Hi all

    I use SQLLDR to load files into the target. All the files I am receiving are '|' delimited. Some of the files are more than 3 GB in size. It takes a lot of time during loading.

    Please help me find out whether it is possible to tune SQLLDR.

    Here is the example of control file.

    LOAD DATA
    CHARACTERSET UTF8
    INFILE '/var/hulu/ptp/ABC.txt'
    BADFILE '/var/hulu/ptp/ABC.bad'
    DISCARDFILE '/var/hulu/ptp/ABC.dsc'

    INTO TABLE "PTP_ABC"
    TRUNCATE

    FIELDS TERMINATED BY '|'
    TRAILING NULLCOLS
    (
    CODE,
    DESCRIPTION,
    FILLING,
    COKE
    )

    Change your current sqlldr job to use external tables, which does the parallel load automatically, or launch several sqlldr processes in the background from a single script.

    We do something similar to this with the help of a shell script like this:

    nohup sqlldr userid=/ data=data01.dat log=my1.log control=my.ctl bad=my1.bad direct=yes silent=all parallel=true &
    nohup sqlldr userid=/ data=data02.dat log=my2.log control=my.ctl bad=my2.bad direct=yes silent=all parallel=true &
    nohup sqlldr userid=/ data=data03.dat log=my3.log control=my.ctl bad=my3.bad direct=yes silent=all parallel=true &
    nohup sqlldr userid=/ data=data04.dat log=my4.log control=my.ctl bad=my4.bad direct=yes silent=all parallel=true &
    nohup sqlldr userid=/ data=data05.dat log=my5.log control=my.ctl bad=my5.bad direct=yes silent=all parallel=true &
    nohup sqlldr userid=/ data=data06.dat log=my6.log control=my.ctl bad=my6.bad direct=yes silent=all parallel=true &
    nohup sqlldr userid=/ data=data07.dat log=my7.log control=my.ctl bad=my7.bad direct=yes silent=all parallel=true &
    ...

    We are currently opening 20 simultaneous processes and we get an overall speed of 400,000 rows per second. You should test what the maximum number of concurrent processes you can open is.

    Of course, you first need a step to split the file into smaller chunks. In my example, the file data.dat got cut into 20 smaller files, and each of them got loaded into the database in parallel at the same time. If you cannot split the file, then you should go for external tables.

    You can always test direct=true without any parallel option. This alone should be more than noticeable.

    LW

  • Reset password for the AIP-SSM-10

    Hello

    I have an ASA5520 running 7.2(2).

    but the IPS module software is 5.1

    When I tried to connect with 'session 1'

    It asked me for a login and a password.

    I tried cisco and a few other combinations... but no luck.

    How do I reset it? Also, the reset procedure in the docs says it resets the password of the cisco user...

    How can I be sure whether the cisco user still exists on it or not?

    any help please?

    The only way to get the software for your module is to download it via the Software Center on Cisco.com. You will need a SmartNet contract or CCO account to access the downloads.

    You'll be able to reimage the module with the 6.0 software, but it is advisable to reimage it with the most basic image. You can always upgrade from there!

    Information on the procedure is in the following document:

    http://www.Cisco.com/en/us/products/HW/vpndevc/PS4077/products_configuration_guide_book09186a008055dbb1.html

    Hope this information helps; if it does, please rate!

    Kind regards

    Michael

  • Failed signature update of the AIP-SSM-10

    I hope someone can help me. I am unable to get the signature auto-update working on our ASA 5510 IPS. We have a valid support contract, our user name does not include any special characters, and I am able to download the signature files from the site by using our CCO account.

    When trying to get the update through Auto Update/cisco.com, I get the following in the event logs on each update attempt:

    evError: eventId=1319467413849005289 severity=error vendor=Cisco
    originator:
    hostId: xxxx
    appName: mainApp
    appInstanceId: 354
    time: October 26, 2011 11:40:01 UTC offset=60 timeZone=GMT00:00
    errorMessage: AutoUpdate exception: HTTP connection failed [1 111] name=errSystemError

    I've included a 'show conf' and a 'show statistics host' below.

    xxxxxx# show conf
    ! ------------------------------
    ! Current configuration last modified Wed Oct 26 10:48:07 2011
    ! ------------------------------
    ! Version 7.0(6)
    ! Host:
    !     Realm Keys          key1.0
    ! Signature Definition:
    !     Signature Update    S604.0   2011-10-20
    ! ------------------------------
    service interface
    exit
    ! ------------------------------
    service authentication
    exit
    ! ------------------------------
    service event-action-rules rules0
    exit
    ! ------------------------------
    service host
    network-settings
    host-ip 10.x.x.x/24,10.x.x.x
    host-name xxxxxx
    telnet-option disabled
    access-list 10.x.x.x/32
    access-list 10.x.x.x/16
    access-list 10.x.x.x/32
    dns-primary-server enabled
    address 10.x.x.x
    exit
    dns-secondary-server disabled
    dns-tertiary-server disabled
    exit
    time-zone-settings
    offset 0
    standard-time-zone-name GMT00:00
    exit
    ntp-option enabled-ntp-unauthenticated
    ntp-server 10.x.x.x
    exit
    summertime-option recurring
    summertime-zone-name GMT00:00
    start-summertime
    week-of-month last
    exit
    end-summertime
    month october
    week-of-month last
    exit
    exit
    auto-upgrade
    cisco-server enabled
    schedule-option periodic-schedule
    start-time 00:40:00
    interval 1
    exit
    user-name xxxxxxxxxxxxxxx
    cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    exit
    exit
    exit
    ! ------------------------------
    service logger
    exit
    ! ------------------------------
    service network-access
    exit
    ! ------------------------------
    service notification
    exit
    ! ------------------------------
    service signature-definition sig0
    exit
    ! ------------------------------
    service ssh-known-hosts
    exit
    ! ------------------------------
    service trusted-certificates
    exit
    ! ------------------------------
    service web-server
    exit
    ! ------------------------------
    service anomaly-detection ad0
    exit
    ! ------------------------------
    service external-product-interface
    exit
    ! ------------------------------
    service health-monitor
    exit
    ! ------------------------------
    service global-correlation
    exit
    ! ------------------------------
    service aaa
    exit
    ! ------------------------------
    service analysis-engine
    virtual-sensor vs0
    physical-interface GigabitEthernet0/1
    exit
    exit

    xxxxxx# show statistics host
    General Statistics
       Last Change To Host Config (UTC) = 27 October 2011 08:27:10
       Command Control Port Device = GigabitEthernet0/0
    Network Statistics
       = ge0_0     Link encap:Ethernet  HWaddr 00:12:D9:48:F7:44
       =           inet addr:10.x.x.x  Bcast:10.x.x.x  Mask:255.255.255.0
       =           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
       =           RX packets:470106 errors:0 dropped:0 overruns:0 frame:0
       =           TX packets:139322 errors:0 dropped:0 overruns:0 carrier:0
       =           collisions:0 txqueuelen:1000
       =           RX bytes:40821181 (38.9 MiB)  TX bytes:102615325 (97.8 MiB)
       =           Base address:0xbc00 Memory:f8200000-f8220000
    NTP Statistics
       =      remote           refid      st t when poll reach   delay   offset  jitter
       = *time.xxxx.x     195.x.x.x        3 u  142 1024  377    1.825   -0.626   0.305
       =  LOCAL(0)        LOCAL(0)        15 l   59   64  377    0.000    0.000   0.001
       =   ind assID status  conf reach auth condition  last_event cnt
       =     1 43092  b644   yes   yes  none  sys.peer   reachable  4
       =     2 43093  9044   yes   yes  none    reject   reachable  4
       status = Synchronized
    Memory Usage
       usedBytes = 664383488
       freeBytes = 368111616
       totalBytes = 1032495104
    Summertime Statistics
       start = 03:00 GMT00:00 Sunday, March 27, 2011
       end = 01:00 GMT00:00 Sunday, October 30, 2011
    CPU Statistics
       Usage over last 5 seconds = 51
       Usage over last minute = 44
       Usage over last 5 minutes = 50
    Memory Statistics
       Memory usage (bytes) = 664383488
       Memory free (bytes) = 368111616
    Auto Update Statistics
       lastDirectoryReadAttempt = 08:40 GMT00:00 Thursday, October 27, 2011
       =    Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
       =    Error: AutoUpdate exception: HTTP connection failed [1 111]
       lastDownloadAttempt = N/A
       lastInstallAttempt = N/A
       nextAttempt = 09:28 GMT00:00 Thursday, October 27, 2011
    Auxiliary Processors Installed

    Thank you very much.

    Your error message indicates "HTTP connection failed."

    Can your sensor's management interface access the internet via HTTP?

    Do you have a proxy between the sensor and the internet?

    Can you ping open internet IP addresses (like google.com) from the sensor?

    -Bob
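    The evError event pasted in this thread carries its timestamp in UTC together with an offset field, which is also the root of the confusion in the clock question earlier in the list (the CLI shows sensor-local time, the event viewer shows UTC). The following is an added example, not code from Cisco or from any poster here: it parses an event laid out like the one above, converts the UTC time to sensor-local time using the event's own offset (assumed here to be in minutes), and flags AutoUpdate failures so that a stalled signature feed can be alerted on rather than noticed weeks later. The sample event is constructed from the post, with the poster's redacted hostId "xxxx" kept as a placeholder.

```python
"""Parse a Cisco IPS evError event, convert its UTC timestamp to the
sensor's local time, and flag AutoUpdate failures.

Added example, not the sensor's own code.  The field layout follows the
event text quoted in the thread; the 'offset' field is assumed to be the
sensor's offset from UTC in minutes."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, mirroring the event quoted in the thread
# (hostId 'xxxx' is the poster's redacted value, kept as a placeholder).
SAMPLE_EVENT = """\
evError: eventId=1319467413849005289 severity=error vendor=Cisco
originator:
hostId: xxxx
appName: mainApp
appInstanceId: 354
time: October 26, 2011 11:40:01 UTC offset=60 timeZone=GMT00:00
errorMessage: AutoUpdate exception: HTTP connection failed [1 111] name=errSystemError
"""

HEADER_RE = re.compile(r"^ev(?P<kind>\w+):\s*(?P<attrs>.*)$")
ATTR_RE = re.compile(r"(\w+)\s*=\s*(\S+)")
TIME_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]+ \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}) UTC"
    r"\s+offset\s*=\s*(?P<offset>-?\d+)\s+timeZone\s*=\s*(?P<tz>\S+)$"
)


def parse_event(text):
    """Return a dict with the header attributes (eventId, severity, vendor),
    the named fields, and 'time_utc' / 'time_local' datetimes."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    head = HEADER_RE.match(lines[0])
    if not head:
        raise ValueError("not an IPS event line: " + lines[0])
    ev = {"kind": head.group("kind")}
    ev.update(dict(ATTR_RE.findall(head.group("attrs"))))
    for ln in lines[1:]:
        # Split on the first colon only: the time and message values contain colons.
        key, _, value = ln.partition(":")
        ev[key.strip()] = value.strip()
    t = TIME_RE.match(ev.get("time", ""))
    if not t:
        raise ValueError("unrecognised time field: " + ev.get("time", ""))
    utc = datetime.strptime(t.group("stamp"), "%B %d, %Y %H:%M:%S")
    utc = utc.replace(tzinfo=timezone.utc)
    # offset=60 means the sensor clock runs one hour ahead of UTC (summer time
    # on a GMT00:00 zone), so 11:40 UTC in the viewer is 12:40 on the sensor.
    local_tz = timezone(timedelta(minutes=int(t.group("offset"))))
    ev["time_utc"] = utc
    ev["time_local"] = utc.astimezone(local_tz)
    ev["timeZone"] = t.group("tz")
    return ev


def local_timestamp(ev):
    """Sensor-local time of a parsed event as 'YYYY-MM-DD HH:MM:SS +HHMM'."""
    return ev["time_local"].strftime("%Y-%m-%d %H:%M:%S %z")


def is_autoupdate_failure(ev):
    """True for evError events whose errorMessage reports an AutoUpdate
    exception: the condition to alert on when the signature feed stops."""
    msg = ev.get("errorMessage", "")
    return ev["kind"] == "Error" and msg.startswith("AutoUpdate exception")


if __name__ == "__main__":
    event = parse_event(SAMPLE_EVENT)
    print(event["hostId"], event["appName"], local_timestamp(event))
    if is_autoupdate_failure(event):
        print("signature AutoUpdate is failing:", event["errorMessage"])
```

    Run against the event feed (for example the text exported from IME or pulled over the sensor's event API), `is_autoupdate_failure` gives a simple trigger for a "signatures not updating" alarm, and `local_timestamp` lets the alert quote the time as the sensor's own clock would show it.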
