ips to csc ssm

Unanswered Question
Feb 20th, 2007


I have a ASA 5520 running IPS but with no license .But I have a trend micro with all the required license .

How to erase the IPS module that is running in the inline mode and instead install and configure the trend micro instead of the existing ips configuration ?

Thanks in advance


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
rajbhatt Sun, 02/25/2007 - 20:27


There was an attack on the servers with blaster worm(quite old and known worm) and the IPS was not able to detect it .

Is there a command to find out the Ip address of the attacker and see if IPS recognised the attack or not or some logging info that i can see .

It was also not able to prevent it also.

What are the revelant commands related to it .

I am pasting my config .Is this config functional at all as it was unable to detect the attack ?



edwakim Sun, 02/25/2007 - 20:53

Hi Raj,

How does your ASA config look like?

Was it setup to send traffic to IPS? Is it configured Promiscuous mode or Inline mode?

ACL, Class-Map, Policy-Map defined and applied?

You can find configuration guide here.


Also, you are running 5.0(2) code. It is very old and buggy. Latest code in 5.x track is 5.1(4).


rajbhatt Mon, 02/26/2007 - 01:37

Hi Edward,

Thanks for ur reply.

yes traffic goes to IPS .It is in inline mode with acl policy map class map and it is applied to the outside interface .

What I need to know is the command to check if IPS detcted the attack and also what is the ip address of the attacker and what are the signatures present on the ips and stattus of those signatures .Basically need to find out if the IPS is fuctional or not with the current config ?

And do u have a sample real life config of a functional IPS ?


edwakim Tue, 02/27/2007 - 10:15

Hi Raj,

'sh stat v' will show you if the sensor is working or not.

There are many ways to see the alert details.

in CLI you can do 'sh events alert' and you can use '?' to fine tune your search.

i.e) sh events alert past 02:00 -> show any alerts for last 2 hours

You can use IEV, SecMon (VMS) or MARS to view them as well.

Thank you.



This Discussion