
IPS to CSC SSM

rajbhatt
Level 3

Hi,

I have an ASA 5520 running IPS but with no license. But I have a Trend Micro with all the required license.

How to erase the IPS module that is running in inline mode and instead install and configure the Trend Micro instead of the existing IPS configuration?

Thanks in advance

Raj

7 Replies

edwakim
Cisco Employee

Hi Raj,

If you have a CSC license, you should be able to reimage your SSM module and use it.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080693b38.html

Please make sure you remove the IPS-related commands in the ASA before doing so.

Thank you.

Edward

Hi,

Thanks for your answer.

Raj

Hi,

There was an attack on the servers with the Blaster worm (quite an old and known worm) and the IPS was not able to detect it.

Is there a command to find out the IP address of the attacker and see if the IPS recognised the attack or not, or some logging info that I can see?

It was also not able to prevent it.

What are the relevant commands related to it?

I am pasting my config. Is this config functional at all, as it was unable to detect the attack?

Thanks

Raj

Hi Raj,

What does your ASA config look like?

Was it set up to send traffic to the IPS? Is it configured in promiscuous mode or inline mode?

ACL, class-map, policy-map defined and applied?

You can find the configuration guide here.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df98.html

Also, you are running 5.0(2) code. It is very old and buggy. The latest code in the 5.x track is 5.1(4).

Edward

Hi Edward,

Thanks for your reply.

Yes, traffic goes to the IPS. It is in inline mode with ACL, policy map and class map, and it is applied to the outside interface.

What I need to know is the command to check if the IPS detected the attack, and also what the IP address of the attacker is, what signatures are present on the IPS, and the status of those signatures. Basically, I need to find out if the IPS is functional or not with the current config.

And do you have a sample real-life config of a functional IPS?

Raj

Hi,

Anyone has any leads?

Thanks in advance

Raj

Hi Raj,

'sh stat v' will show you if the sensor is working or not.

There are many ways to see the alert details.

In the CLI you can do 'sh events alert' and you can use '?' to fine-tune your search.

i.e. 'sh events alert past 02:00' -> show any alerts for the last 2 hours

You can use IEV, SecMon (VMS) or MARS to view them as well.

Thank you.

Edward
