02-20-2007 02:25 AM - edited 03-10-2019 03:28 AM
Hi,
I have an ASA 5520 running IPS but with no license. But I have a Trend Micro with all the required licenses.
How do I erase the IPS module that is running in inline mode and install and configure the Trend Micro instead of the existing IPS configuration?
Thanks in advance
Raj
02-20-2007 05:31 AM
Hi Raj,
If you have a CSC license, you should be able to reimage your SSM module and use it.
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080693b38.html
Please make sure you remove the IPS-related commands in the ASA before doing so.
Thank you.
Edward
02-20-2007 09:25 PM
Hi,
Thanks for your answer.
Raj
02-25-2007 08:27 PM
Hi,
There was an attack on the servers with the Blaster worm (quite an old and known worm) and the IPS was not able to detect it.
Is there a command to find out the IP address of the attacker and see if the IPS recognised the attack or not, or some logging info that I can see?
It was also not able to prevent it.
What are the relevant commands related to it?
I am pasting my config. Is this config functional at all, as it was unable to detect the attack?
Thanks
Raj
02-25-2007 08:53 PM
Hi Raj,
What does your ASA config look like?
Was it set up to send traffic to the IPS? Is it configured in promiscuous mode or inline mode?
Are the ACL, class-map and policy-map defined and applied?
You can find the configuration guide here.
Also, you are running 5.0(2) code. It is very old and buggy. The latest code in the 5.x track is 5.1(4).
Edward
02-26-2007 01:37 AM
Hi Edward,
Thanks for your reply.
Yes, traffic goes to the IPS. It is in inline mode with an ACL, policy-map and class-map, and it is applied to the outside interface.
What I need to know is the command to check if the IPS detected the attack, and also what the IP address of the attacker is, and what signatures are present on the IPS and the status of those signatures. Basically I need to find out if the IPS is functional or not with the current config.
And do you have a sample real-life config of a functional IPS?
Raj
02-27-2007 09:37 AM
Hi,
Does anyone have any leads?
Thanks in advance
Raj
02-27-2007 10:15 AM
Hi Raj,
'sh stat v' will show you if the sensor is working or not.
There are many ways to see the alert details.
In the CLI you can do 'sh events alert' and you can use '?' to fine-tune your search.
e.g. 'sh events alert past 02:00' -> show any alerts for the last 2 hours
You can use IEV, SecMon (VMS) or MARS to view them as well.
Thank you.
Edward