IPS (7.0(7)E4) on ASA-SSM-10 blocks DNS without alerts
Hi all
I have the IPS module:
Build version: 1.1 - 7, 0000 E4
ASA 5500 Series Security Services Module-10
Update of the signature S652.0 2012-06-20
From the ASDM event log:
4 June 26, 2012 18:21:47 193.227.240.38 53 IPS 65347 sd-out asked to drop the UDP packet from outside:193.227.240.38/53 to dmz1:sd - outside/65347
But the IPS shows no alerts, so nothing explains why it is blocking these packets. DNS requests to just one network are failing.
! ------------------------------
! Current configuration last modified Tue Jun 26 18:01:58 2012
! ------------------------------
! Version 7.0(7)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S652.0 2012-06-20
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
filters edit PROXY
attacker-address-range 192.168.72.7
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit Q00000
signature-id-range 5684
attacker-address-range 95.190.8.0-95.190.8.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit Q00001
signature-id-range 5684
victim-address-range 95.190.8.0-95.190.8.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit USERS
signature-id-range 1102,5237,2152,5684,2100,5581,3030,6061,3030,11020,5403,5474,20020,60000-60100
attacker-address-range 192.168.0.0-192.168.255.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters edit USERS2
signature-id-range 5575-5591,2151,21619,2150-2151
attacker-address-range 192.168.0.0-192.168.255.255
victim-address-range 192.168.0.0-192.168.255.255
actions-to-remove deny-attacker-inline|deny-packet-inline
os-relevance relevant|not-relevant|unknown
exit
filters move PROXY begin
filters move USERS after PROXY
filters move Q00000 after USERS
filters move Q00001 after Q00000
filters move USERS2 after Q00001
general
global-deny-timeout 14400
exit
target-value low target-address 192.168.0.0-192.168.255.255
target-value medium target-address 192.168.1.0-192.168.1.255,192.168.64.0-192.168.64.255,192.168.3.0-192.168.3.49,192.168.65.128-192.168.65.255
target-value high target-address 192.168.72.2-192.168.72.254,192.168.66.0-192.168.67.255,192.168.2.0-192.168.2.255
target-value mission-critical target-address 192.168.65.0-192.168.65.127
os-identification
calc-arr-for-ip-range 192.168.0.0-192.168.255.255
exit
exit
! ------------------------------
service host
network-settings
host-ip 192.168.64.194/24,192.168.64.1
host-name gw1-ips
telnet-option disabled
access-list 192.168.0.0/16
dns-primary-server enabled
address 192.168.66.2
exit
dns-secondary-server enabled
address 192.168.72.19
exit
dns-tertiary-server enabled
address 192.168.72.20
exit
exit
time-zone-settings
offset 360
standard-time-zone-name GMT+06:00
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 192.168.64.1
exit
summertime-option disabled
auto-upgrade
cisco-server enabled
schedule-option calendar-schedule
times-of-day 04:20:00
days-of-week sunday
days-of-week tuesday
days-of-week thursday
days-of-week saturday
exit
user-name dimaonline
cisco-url https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl
exit
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
general
enable-acl-logging true
never-block-networks 192.168.0.0/16
exit
exit
! ------------------------------
service signature-definition sig0
signatures 60000 0
alert-severity low
sig-fidelity-rating 50
sig-description
sig-name XPress Administrator Service
sig-string-info Access to Administrator Service
sig-comment External user open Admin
sig-creation-date 20120622
exit
engine service-http
max-field-sizes
specify-max-uri-field-length no
exit
regex
specify-uri-regex yes
uri-regex [Aa]dministrator[Ss]ervice[.]asmx
exit
exit
service-ports 80
exit
event-counter
event-count 1
event-count-key Axxx
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
summary-interval 15
summary-key Axxx
specify-global-summary-threshold no
exit
exit
vulnerable-os windows-nt-2k-xp
specify-mars-category yes
mars-category Info/Misc/Login
exit
exit
signatures 60000 1
alert-severity low
sig-fidelity-rating 50
sig-description
sig-name Xpress Bridge
sig-string-info Service URL
sig-comment External Access to bridge
sig-creation-date 20120625
exit
engine service-http
regex
specify-uri-regex yes
uri-regex [Bb]ridge[/][Ss]ervice[.]asmx
exit
exit
service-ports 80
exit
event-counter
event-count 1
event-count-key Axxx
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
summary-interval 15
summary-key Axxx
specify-global-summary-threshold no
exit
exit
status
enabled true
exit
specify-mars-category yes
mars-category Info/Misc/Login
exit
exit
signatures 60001 0
alert-severity high
sig-fidelity-rating 90
sig-description
sig-name FreePBX Display Extentions
sig-string-info Acces to Extentions settings
sig-comment Weak Password Detection
sig-creation-date 20120622
exit
engine service-http
event-action produce-alert|deny-attacker-inline
regex
specify-uri-regex yes
uri-regex [/]admin[/]config[.]php
exit
specify-arg-name-regex yes
arg-name-regex display
specify-arg-value-regex yes
arg-value-regex (extensions)|(trunks)
exit
exit
exit
service-ports 80
exit
event-counter
event-count 1
event-count-key Axxx
specify-alert-interval no
exit
alert-frequency
summary-mode summarize
summary-interval 15
summary-key Axxx
specify-global-summary-threshold no
exit
exit
exit
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
enable-tls false
port 80
exit
! ------------------------------
service anomaly-detection ad0
internal-zone
enabled true
ip-address-range 192.168.0.0-192.168.255.255
tcp
enabled true
exit
udp
enabled true
exit
other
enabled true
exit
exit
illegal-zone
enabled false
tcp
enabled false
exit
udp
enabled false
exit
other
enabled false
exit
exit
ignore
source-ip-address-range 192.168.0.0-192.168.255.255
exit
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
signature-update-policy
enable false
exit
license-expiration-policy
enable false
exit
event-retrieval-policy
enable false
exit
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
I confirmed with the IronPort team that this IP is a bad host in SensorBase. This is the reason the traffic from this host is being dropped. There could be several reasons for this subnet to be on the list; for example, it could be part of a host known to be controlled by spammers. You would need to reach out to the development team for confirmation, however.
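As an added triage example (not code from the original thread or from Cisco), the script below parses the ASA "IPS requested to drop" line quoted in the ASDM log and checks the dropped source address against the local exemptions in the posted sensor config: the event-action filter address ranges and never-block-networks. The sample event and config excerpt are constructed from this thread (the excerpt keeps only the exemption lines). A source that matches none of them, as 193.227.240.38 does not here, is not being spared by local tuning, which fits the reply attributing the drop to a reputation verdict rather than a signature.

```python
import ipaddress
import re

# Constructed sample: the ASA event line from the ASDM log in the post,
# with the timestamp columns stripped.
SAMPLE_EVENT = ("IPS requested to drop UDP packet from "
                "outside:193.227.240.38/53 to dmz1:sd-outside/65347")

# Constructed excerpt of the posted sensor config: only the lines that
# exempt addresses from deny actions (filters and never-block-networks).
SAMPLE_CONFIG = """\
filters edit Q00000
signature-id-range 5684
attacker-address-range 95.190.8.0-95.190.8.255
actions-to-remove deny-attacker-inline|deny-packet-inline
exit
filters edit USERS
attacker-address-range 192.168.0.0-192.168.255.255
actions-to-remove deny-attacker-inline|deny-packet-inline
exit
never-block-networks 192.168.0.0/16
"""

DROP_RE = re.compile(
    r"IPS requested to drop (?P<proto>\w+) packet from "
    r"(?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst>[\w.-]+)/(?P<dport>\d+)")

def parse_drop(line):
    """Return the fields of an 'IPS requested to drop' line, or None."""
    m = DROP_RE.search(line)
    return m.groupdict() if m else None

def to_range(text):
    """'a-b', 'a/len' or a single address -> (first, last) as integers."""
    if "-" in text:
        lo, hi = text.split("-", 1)
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    net = ipaddress.ip_network(text, strict=False)  # single host -> /32
    return int(net[0]), int(net[-1])

def parse_exemptions(config):
    """Yield (label, first, last) for each address range in the config that
    removes deny actions (filter ranges) or forbids blocking (never-block)."""
    current = None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "filters" and parts[1] == "edit":
            current = parts[2]          # name of the filter being defined
        elif parts[0] in ("attacker-address-range", "victim-address-range"):
            for rng in parts[1].split(","):
                yield (f"filter {current} {parts[0]}",) + to_range(rng)
        elif parts[0] == "never-block-networks":
            for rng in parts[1].split(","):
                yield ("never-block-networks",) + to_range(rng)

def matching_exemptions(ip, config):
    """Labels of every configured exemption covering ip (empty if none)."""
    n = int(ipaddress.ip_address(ip))
    return [label for label, lo, hi in parse_exemptions(config) if lo <= n <= hi]

def triage(line, config=SAMPLE_CONFIG):
    """Parse a drop line and attach the exemptions that cover its source."""
    ev = parse_drop(line)
    if ev is None:
        return None
    ev["src_exemptions"] = matching_exemptions(ev["src"], config)
    return ev

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))   # src_exemptions is [] for 193.227.240.38
```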
Tags: Cisco Security
Similar Questions
-
ASA-SSM-20/40 IPS software upgrade question
I'm looking to upgrade the IPS modules (ASA-SSM-20 and ASA-SSM-40) on two different ASAs to version 7.1(11)E4 under this field notice:
http://www.Cisco.com/c/en/us/support/docs/field-notices/640/fn64080.html
My question is whether traffic through the firewall is affected during this update and the subsequent restart of the IPS module.
On the ASAs, a service policy is in place that will allow the traffic through in case the IPS module becomes unavailable. Will this actually happen during the update?
Suggestions and comments are welcome.
Thanks in advance.
John
If your IPS is inline and fail-open, then the traffic through the ASA (assuming a standalone ASA that is not part of an HA pair) will not be affected when the IPS service module reloads.
If an ASA is in an HA pair and a service module (ips, cxsc, or sfr) fails, by default it triggers a failover event. (ASA 9.5 introduces the possibility to change this behavior.) The result is the same: no service interruption (although TCP connections may need to be re-established if you have not configured stateful failover).
-
Logging capability for ASA firewall using ASA-SSM-20 IPS module
Hello
Could someone please give some tips on how to get the ASA-SSM-20 to log information to something like a Kiwi Syslog server, etc.? We just need to get the IPS alerts to generate SMS/email to alert the various response teams.
Thank you
Unfortunately, no syslog support:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807335ca.shtml
You can configure rules to send SNMP traps, and you can pull events using CETS, IPS Manager Express and Cisco.
If you have logging enabled on the ASA, a syslog message appears when the IPS is requesting a drop or blocking traffic.
Here is a link to the IPS configuration guides:
http://www.Cisco.com/en/us/products/HW/vpndevc/PS4077/tsd_products_support_configure.html
-
ASA-SSM-20 IPS password reset
Hi all
We must reset/recover the password; for some reason we lost the password for the ASA-SSM-20 IPS module.
Please let us know the procedure, as the hw-module password-reset command does not work.
To use the hw-module password-reset command, you must have ASA 7.2.2 or a later version.
-
Update license of ASA-SSM IPS
Hello
We have an ASA-SSM-20 IPS, the license has expired and we purchased a Smartnet contract for the device.
I would like to know how to upgrade the license.
We tried to do it through ASDM and chose the option to update from cisco.com. We got the following error:
internal error. Unable to send the license request. -4: unable to proxy transparent tunnel. Proxy returns "HTTP/1.1 403 Forbidden.
How do we solve this problem, or, if we use the other option, how do we get the license file?
Best regards
It seems that your AIP-SSM-20 is configured to use an HTTP proxy to connect to the Internet. If you allow the IP address of the AIP-SSM-20 management interface in your web proxy, it may solve your problem.
If this isn't the issue, you can always apply a license manually. Download your license file here:
https://Tools.Cisco.com/swift/LicensingUI/home
and apply it via ASDM or the CLI.
-Bob
-
ASA-SSM-10 upgrade without license or signatures
I successfully upgraded our ASA 5510 with the latest version of the software.
Our IPS module, the ASA-SSM-10, however, seems to have been reset to factory defaults with only an IP address configured and no licenses or certificates. Can the ASA-SSM-10 module be upgraded without licenses or certificates? In addition, using PuTTY I am able to connect to the ASA-SSM-10 module and ping from the module to my laptop, which I have connected via the management port. I am unable to ping from the laptop to the ASA-SSM-10 module, though.
Continuing the investigation: apart from the management port IP address, there is no VLAN, gateway, image URL or port IP address configured. Is there a simple way to upgrade the software on the ASA-SSM-10 without affecting our two ASA 5510s that are configured for failover?
I suppose I can set up a VLAN, gateway and port address to get my laptop to ping the ASA-SSM-10 module and upgrade it without affecting our ASA 5510s that are configured for failover.
You can still buy licenses for the legacy IPS until April 26. But the question is whether it is worth spending time and money on it now. The legacy IPS is dead and you should focus on Firepower for IPS. But that does not run on your hardware.
-
Reloading an ASA-SSM: does it affect the firewall itself?
We lost the login information for the IPS SSM on our ASA 5520. It seems we should re-image the module with a more recent software version. It is currently not in use, i.e. there are no rules for it on the firewall. Will this process take the firewall offline at all?
show module output:
Firewall03# show module 1
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         xxxxxxx
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  1 001b.0ce2.xxxx to 001b.0ce2.xxxx  1.0          1.0(11)2     5,0000 E1
Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               5.1(5)E1
Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up
Firewall03# show module 1 recover
Module 1 recover parameters...
Boot Recovery Image: No
Image URL: ftp://0.0.0.0/ t
Port IP Address: 0.0.0.0
Gateway IP Address: 0.0.0.0
VLAN ID: 0
No, it should not affect the operation of the firewall at all. It would only suffer if you use it inline with fail-close mode activated.
-
ASA-SSM-20 in active/standby failover configuration
Can you synchronize configuration data between two IPS systems?
I have two ASA-SSM-20 (6.1.1E3), one in each of my ASAs. The ASAs are in active/standby failover. When configuring the IPS module, I always have to make the same changes on the standby unit as well. Is it possible to synchronize these two sensors, so that when one is configured the other is updated?
Thank you very much
Unlike the ASA, there is no automatic function to keep the configuration synchronized across the 2 SSMs.
A few options:
You can use the copy command to copy the configuration of a sensor to an FTP/SCP server.
Then use the copy command on the second sensor to copy the configuration onto the second sensor. During the copy, it will ask whether to change the IP of the sensor to what is in the configuration file. You will need to tell it NOT to change the IP of the sensor, otherwise you end up with 2 SSMs with the same IP address and will struggle to connect to them.
Another option is to use CSM. CSM has configuration that applies to single sensors, but also group configuration that can be applied across multiple sensors.
If you use the group configuration, then you can make one change to the group configuration and apply it to all the sensors in the group (you would place your 2 SSMs in the same group).
-
ASA-SSM-10 inspection load 100% (version 7.0(5a)E4)
Hi all
I have a challenge with the IPS module (ASA-SSM-10) in an ASA 5520. When we start a test connecting to web servers, I get an inspection load of 100% and traffic/performance slows down.
We test with 63,000 sessions per minute, generating a load of 20,000 kbps from the test servers (clients) to the web servers and 75,000 kbit/s from the web servers back to the test servers (clients).
Can you please advise what to do, because we cannot go live with this environment until this is fixed.
Thanks in advance,
Erik Verkerk.
We have not used inspection load to determine appropriate sensor performance; instead, we have relied on the "percentage of missed packets" reported by the sensor. When the sensor gets into trouble, it begins to miss packets for inspection, which causes the sensor to determine the TCP state incorrectly for some of the connections. This causes the sensor to use more resources than necessary to inspect traffic, leading to even more missed packets.
This is called the "death spiral" and we try to avoid it as much as possible.
Cisco has a long and proud history of providing "blue sky" performance numbers for their products. We used to discount their IPS sensor performance numbers by half, but they have made improvements over the years and now we only take about 1/3 off the reported values. You can see for yourself with real, live production traffic.
I haven't found that the number of signatures affects sensor performance in a meaningful way, unless you enable abnormally hard-hitting ones, enable a large number of them, or tune them to perform many actions per second.
-Bob
-
Cisco ASA-SSM-20 analysis engine error...
I get this error on my IPS; I restarted the sensor a couple of times but it stops again, and signature updates do not go through during this time, or so it seems. I've heard of Cisco bug ID CSCuc34812 but there isn't really any information available on it. Has anyone else running an ASA-SSM-20 experienced this problem and managed to resolve it?
Hello
All sensors should have a virtual sensor assigned to them so they can inspect traffic.
I logged in to IPS2 and ran the following commands to assign the virtual sensor:
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
That's right!
I guess that's how it should be? How has IPS2 managed to send me notifications if there is no virtual sensor assigned to it?
We need to determine the type of notifications which the IPS was sending (they could be related to the IPS itself, i.e. system notifications).
Is there a CLI command to confirm the IPS is active? Am I to assume that my upgrade caused these problems?
On the ASA:
Do show service-policy and determine the number of packets exchanged between the IPS and the ASA.
Kind regards
-
Equivalent of show disk0: on ASA-SSM-10
Hi, are you able to see the contents of the disk on an ASA-SSM-10 module, like the show disk0: command on my 5510? I know that it is an internal flash drive... Is that where the image, configuration and software files are? Can we see these files and copy them to a TFTP server?
See you soon
Phil
Hi Philippe,
You can view this content through the IPS service account. The downside is that you can only access it under TAC supervision. If you want to see the configuration you can do a show config; if you want to see what version you are running you can do so through the show version command.
HTH
Luis Silva
"If you need IDP (planning, design, implementation) assistance, do not hesitate to contact us."
-
Dear support,
I need to configure the Security Services Module-10 (model ASA-SSM-10) on my ASA 5510 firewall. Could you provide the configuration steps and how to connect to the module?
Here is the information on the module:
ciscoasa(config)# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-10
Model:              ASA-SSM-10
Hardware version:   1.0
Serial Number:      JAF1115066U
Firmware version:   1.0(11)2
Software version:   1.0000 E1
MAC Address Range:  001a.e268.5aa9 to 001a.e268.5aa9
App. name:          IPS
App. Status:        Up
App. Status Desc:
App. version:       1.0000 E1
Data plane Status:  Up
Status:             Up
Mgmt IP addr:       133.1.9.144
Mgmt web ports:     443
Mgmt TLS enabled:   true
Your help is very much appreciated.
Thank you
Best regards
Hi Sothengse,
Please find the sample AIP-SSM module configuration below. You can go through this to begin with.
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
https://www.YouTube.com/watch?v=FgYU5ZXwk4g
Regards
Knockaert
-
Upgrade path for 5500 series ASA-SSM-10
Can anyone provide the proper upgrade path for the 5500 series ASA-SSM-10 from
6.0(5)E2
to
7.1(10)E4?
The release notes state that you must be running at least 6.0(6)E4, so could I just go from 6.0(5)E2 to 6.0(6)E4 and then directly to 7.1(10)E4?
Also, is the SSM-10 able to run 7.1(10)E4 effectively?
Hello
Yes, you can directly upgrade 6.0(5)E2 to 6.0(6)E4 and then directly to version 7.1(10)E4. After upgrading to the latter, you might even go to the latest available patch as well.
Yes, the SSM-10 is able to run 7.1.0E4 effectively.
Kind regards
Akshay Rouanet
-
IPS signature upgrade on ASA-SSM-10 module
I'm having a difficult time upgrading the ASA IPS SSM-10 module. I downloaded IPS-sig-S327-req-E1.pkg to the FTP server on Win XP (my workstation). The following does not work: http://download-sj.cisco.com/cisco/ciscosecure/ips/6.x/sigup/IPS-sig-S327.readme.txt
"error: execUpgradeSoftware: connection failed." Any suggestion would be appreciated.
Also, have you been able to update your signatures?
-
I use an ASA IPS SSM-10. It is currently logging these event alerts.
Where does the IPS keep all the event logs? In disk space?
Where can I see how much space I have left?
Does it stop if the space is full?
You don't need to delete it; it's circular and will overwrite itself. More information can be found here:
http://www.Cisco.com/en/us/docs/security/IPS/6.0/Configuration/Guide/CLI/cliArch.html#wp1010399
The command is "clear events".
You cannot remove "individual" events. It's all or nothing.
Yes, the best way is to deal with the IP addresses of the false positives: either edit/disable the unwanted signature or use event action filters.
Regards
Farrukh