IPS + CBAC problem

Unanswered Question
Nov 2nd, 2007

Hi guys,


I've got a strange problem here - I activated IOS IPS on both the internal and external interfaces in the incoming direction and also had to run CBAC in the incoming direction of the external interface. The result of all this is that the IPS is counting connections from the internal network and for some reason overwriting the statistics generated by CBAC, even though CBAC is enabled only on the external interface in the incoming direction. I'm using an 1812 router with 12.4(2)XA IOS. I searched for bugs in the Bug Toolkit; nothing showed up. Here are the outputs:


interface FastEthernet0
 description WAN
 bandwidth 6000
 ip address xxx
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip inspect Web in
 ip ips IPS in
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 service-policy output TrafficPolicy-OUT
end

interface Vlan1
 description LAN
 bandwidth 6000
 ip address xxx
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow egress
 ip nat inside
 ip ips IPS in
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 service-policy output TrafficPolicy-IN
end

ip inspect name Web http alert on audit-trail off


sh ip inspect statistics

Packet inspection statistics [process switch:fast switch]
tcp packets: [1315:117238]
udp packets: [4681:36103]
packets: [12:54]
packets: [4747:119509]
http packets: [0:829]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 5024
Current session counts (estab/half-open/terminating) [739:78:0]
Maxever session counts (estab/half-open/terminating) [815:96:8]
Last session created 00:00:00
Last statistic reset 00:10:08
Last session creation rate 487
Last half-open session total 78


sh ip ips statistics

Signature statistics [process switch:fast switch]
signature 3050:0 packets checked: [4:0]
signature 3173:0 packets checked: [18:0]
signature 5477:2 packets checked: [0:3]
signature 6253:0 packets checked: [0:159]
signature 6064:0 packets checked: [1:0]
signature 6056:0 packets checked: [1:0]
signature 5170:1 packets checked: [0:11]
signature 5322:1 packets checked: [0:2013]
signature 4620:0 packets checked: [0:339822]
signature 2157:1 packets checked: [1:37077]
signature 2157:0 packets checked: [0:2]
signature 1102:0 packets checked: [50:0]
Interfaces configured for ips 2
Session creations since subsystem startup or last reset 5153
Current session counts (estab/half-open/terminating) [744:72:0]
Maxever session counts (estab/half-open/terminating) [815:96:8]
Last session created 00:00:00
Last statistic reset 00:10:26


Any idea about that? I'm pretty sure it's a bug but still can't prove it. As you can see, I'm monitoring only http traffic entering the internal network with CBAC (they have a single web server which for sure cannot handle that many connections). I'll be glad if you can help, but anyway, if we can't find the truth behind this I'll simply disable the IPS on the internal interface and I think I'll get statistics pretty close to reality (I need them to tune the CBAC TCP Intercept values). Besides that, it's pretty nasty that you can't see separate statistics for each interface, but anyway - I can live with that if I manage to get accurate statistics with limited security in that case. Thanks in advance!


Best Regards,


Stefan

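The post's suspicion rests on comparing the session counters that both show commands print. The script below is an added example, not part of the original post: it parses the two outputs quoted above (reproduced as constructed sample strings, trimmed to the lines it needs), pulls out the interface count, session-creation count, current and maxever session counts from each, and reports the discrepancies a reviewer would look for. The 5% closeness threshold and the "fewer http packets than sessions" check are assumptions made for the example, not anything IOS documents.

```python
import re

# Constructed sample input: the two 'show' outputs quoted in the post above
# (only the lines this script needs are reproduced; values are from the post).
INSPECT_OUTPUT = """\
Packet inspection statistics [process switch:fast switch]
tcp packets: [1315:117238]
udp packets: [4681:36103]
http packets: [0:829]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 5024
Current session counts (estab/half-open/terminating) [739:78:0]
Maxever session counts (estab/half-open/terminating) [815:96:8]
Last session creation rate 487
Last half-open session total 78
"""

IPS_OUTPUT = """\
Signature statistics [process switch:fast switch]
signature 4620:0 packets checked: [0:339822]
signature 2157:1 packets checked: [1:37077]
Interfaces configured for ips 2
Session creations since subsystem startup or last reset 5153
Current session counts (estab/half-open/terminating) [744:72:0]
Maxever session counts (estab/half-open/terminating) [815:96:8]
Last session created 00:00:00
Last statistic reset 00:10:26
"""

# Session-table lines that appear, in the same wording, in both command outputs.
_PATTERNS = {
    "interfaces": re.compile(r"Interfaces configured for (?:inspection|ips) (\d+)"),
    "created": re.compile(r"Session creations since subsystem startup or last reset (\d+)"),
    "current": re.compile(r"Current session counts \(estab/half-open/terminating\) \[(\d+):(\d+):(\d+)\]"),
    "maxever": re.compile(r"Maxever session counts \(estab/half-open/terminating\) \[(\d+):(\d+):(\d+)\]"),
}


def parse_session_stats(text):
    """Extract the session-table counters from a 'show ip inspect/ips statistics' output."""
    stats = {}
    for key, rx in _PATTERNS.items():
        m = rx.search(text)
        if m is None:
            raise ValueError(f"missing '{key}' line in output")
        groups = tuple(int(g) for g in m.groups())
        stats[key] = groups[0] if len(groups) == 1 else groups
    return stats


def parse_http_packets(text):
    """Return the (process-switched, fast-switched) http packet counters, or (0, 0) if absent."""
    m = re.search(r"^http packets: \[(\d+):(\d+)\]", text, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def compare_session_tables(inspect_text, ips_text, tolerance=0.05):
    """Flag signs that CBAC and IPS are reporting one shared session table.

    tolerance is an assumed closeness threshold (5%) for the established-session counts.
    """
    cbac = parse_session_stats(inspect_text)
    ips = parse_session_stats(ips_text)
    findings = []

    # Identical high-water marks are the strongest hint of a single shared table.
    if cbac["maxever"] == ips["maxever"]:
        findings.append("maxever counts identical: CBAC and IPS report the same session table")

    # Established counts within tolerance despite different interface coverage.
    est_cbac, est_ips = cbac["current"][0], ips["current"][0]
    if est_ips and abs(est_cbac - est_ips) <= tolerance * est_ips:
        findings.append(
            f"established sessions nearly equal ({est_cbac} vs {est_ips}) although CBAC "
            f"covers {cbac['interfaces']} interface(s) and IPS {ips['interfaces']}"
        )

    # An http-only inspect rule should see at least one http packet per session it creates.
    http_total = sum(parse_http_packets(inspect_text))
    if http_total < cbac["created"]:
        findings.append(
            f"only {http_total} http packets inspected but {cbac['created']} sessions created: "
            "CBAC session counts are not coming from the http rule alone"
        )

    return {"cbac": cbac, "ips": ips, "findings": findings}


if __name__ == "__main__":
    for line in compare_session_tables(INSPECT_OUTPUT, IPS_OUTPUT)["findings"]:
        print("-", line)
```

Run it as-is to see the three findings for the outputs in the post; paste your own two show outputs into the sample strings to repeat the comparison after changing the interface configuration (for example after removing `ip ips IPS in` from Vlan1, as the post proposes).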
thegrave2000 Sat, 11/03/2007 - 04:46

Latest update: I found a bug for IPS 5.0 which I think is related to my problem, but I'm using IPS v4 signatures because I need something like 12.4(15)T for IPS 5.0 signatures, so I'm not sure that's my case.


Headline: IPS5.0 : Signature statistics not displayed correctly
Product: IOS
Feature: OTHERS
Severity: 3
Status: Resolved
First Found-in Version: 12.4(10.8)T01
First Fixed-in Version: 12.4(12.15)T

Release Notes

Symptoms: This is a CLI display bug

Conditions: idConf/IPS 5.0 is configured on the IOS router

Workaround: None

Further Problem Description: None


First thing that disturbs me - it's for 5.0; second thing - it sounds like IPS statistics are not correct, and in my case we are talking about CBAC statistics. Any idea?
