Problems IPS alert reporting

ms4561
Level 1

My IPS is not reporting scanning alerts to either the console or syslog. IPS appears to be configured & working correctly. When I started using the router with the built-in signatures, alerts were seen on the console/syslog. Could the problem be with the logging level (see config)? I've reported this to TAC, they have been unable to resolve the issue. Any help would be appreciated. Thanks

9 Replies

ymzhang
Level 1

IOS IPS will send alert messages to SDEE and syslog. Syslog is enabled by default (use CLI 'ip ips notify log') and SDEE is disabled by default ('ip ips notify sdee').

To see the ips alert messages in console:

1. make sure logging console is enabled

2. make sure syslog level is set to information and above.

To see the ips alert message in syslog:

1. make sure logging is enabled

2. make sure syslog level is set to information and above.

And after all, the signature has to be triggered by certain traffic in your network. Once that happens, it should send alert message to syslog/sdee.

Thanks,

-Chris

Hi Chris

As you can see in my config, my logging level is already set at 6 (your points 1 & 2 are already set). It has been set at this level for months, and within this time frame I should have been able to see IPS alerts.

Regards

Mike

Mike,

Could you please check whether you see IPS alert messages in the 'show logging' output. If you see the IPS alert messages in the logging buffer but not on the syslog server, then it might be a configuration issue. If you do not see the IPS alert messages in the logging buffer, that means no IPS alert messages have been fired.

BTW, which IOS version and router platform are you using?

Thanks,

-Chris

There are no alert messages in the show log output.

12.4(9)T1

I would say there are no real matching attacks happening in your network. I saw you have a solid firewall configured as the first line of defense. Then you have IPS inbound configured. I would also suggest you configure IPS in the outbound direction on the same interface.

Thanks,

-Chris

Hi Chris

Thanks for the input. I'll enable the IPS outbound. I still think I have a reporting issue here, because I can't believe that over a 2-3 month period not one IPS alert would be activated.

Any further thoughts are appreciated.

Regards

Mike

I've just enabled IPS outbound. The log (this is an outbound alert) immediately shows the following output:

Feb 10 11:47:59.135 Brisban: %IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS Limited Broadcast Query [192.168.1.20:1034 -> 203.21.20.20:53]

Feb 10 11:47:59.135 Brisban: %IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS Limited Broadcast Query [192.168.1.20:1034 -> 203.21.20.20:53]

Feb 10 11:48:35.823 Brisban: %IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS Limited Broadcast Query [192.168.1.10:1026 -> 203.21.20.20:53]

Feb 10 11:48:35.827 Brisban: %IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS Limited Broadcast Query [192.168.1.10:1026 -> 203.21.20.20:53]
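As an added illustration (not part of the thread), the %IPS-4-SIGNATURE lines above can be pulled out of a 'show logging' buffer and checked against the logging level Chris mentions. The parser, the IpsAlert record and the sample buffer below are my own; the buffer is constructed from the four alerts quoted above plus one unrelated %SYS message to show that non-IPS lines are skipped.

```python
import re
from collections import Counter
from dataclasses import dataclass
# IOS IPS alert format quoted in the thread: <ts> <host>: %IPS-4-SIGNATURE: Sig:N Subsig:N Sev:N <name> [src:port -> dst:port]
IPS_ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?) (?P<host>\S+): "
    r"%IPS-(?P<syslog_sev>\d)-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) "
    r"Sev:(?P<sig_sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]$"
)

@dataclass(frozen=True)
class IpsAlert:
    host: str
    syslog_sev: int   # severity in the %IPS-<n>-SIGNATURE mnemonic (4 = warnings)
    sig: int
    subsig: int
    sig_sev: int      # the signature's own Sev: rating, not the syslog level
    name: str
    src: str
    dst: str

def parse_alert(line: str) -> "IpsAlert | None":
    """Return an IpsAlert for an %IPS-n-SIGNATURE line, None for any other message."""
    m = IPS_ALERT_RE.match(line.strip())
    if not m:
        return None
    return IpsAlert(m["host"], int(m["syslog_sev"]), int(m["sig"]), int(m["subsig"]),
                    int(m["sig_sev"]), m["name"], m["src"], m["dst"])

def parse_log(text: str) -> list:
    """Walk a 'show logging' buffer and keep only the IPS alerts."""
    return [a for a in map(parse_alert, text.splitlines()) if a is not None]

def would_be_logged(alert: IpsAlert, logging_level: int) -> bool:
    """IOS emits a message only if its severity <= the configured level (informational = 6)."""
    return alert.syslog_sev <= logging_level

def top_talkers(alerts: list) -> Counter:
    """Count alerts per (signature, source host) to see which host keeps firing it."""
    return Counter((a.sig, a.src) for a in alerts)

# Constructed sample buffer: the four alerts quoted above plus one unrelated message
SAMPLE_LOG = """\
Feb 10 11:47:59.135 Brisban: %IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS Limited Broadcast Query [192.168.1.20:1034 -> 203.21.20.20:53]
Feb 10 11:47:59.135 Brisban: %IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS Limited Broadcast Query [192.168.1.20:1034 -> 203.21.20.20:53]
Feb 10 11:48:35.823 Brisban: %IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS Limited Broadcast Query [192.168.1.10:1026 -> 203.21.20.20:53]
Feb 10 11:48:35.827 Brisban: %IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS Limited Broadcast Query [192.168.1.10:1026 -> 203.21.20.20:53]
Feb 10 11:49:01.000 Brisban: %SYS-5-CONFIG_I: Configured from console by console
"""
```

Because the alerts carry syslog severity 4, a level-6 (informational) setting like Mike's passes them through, so an empty buffer points at no signature firing rather than at the logging level.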

Great! Please let me know if you have any further questions or issues.

BTW, I would also recommend you consider using the new 5.x signature format based IOS IPS. You can find detailed documentation at http://www.cisco.com/go/iosips. In the white paper section, there is also a newly updated getting started guide.

Hope this helps,

Thanks,

-Chris

I'm already planning on an IOS upgrade so I can use the new 5.x signatures. Thanks for the link.

Regards

Mike
