IPS - Startup

Dec 4th, 2008

Hi All,

We have recently purchased an AIP-SSM-10 module for our ASA5520. I have installed the module, run through the initial configuration and updated the software / signatures to the latest version via the ASDM.

I am about to run through the following...Send Network Traffic from the ASA to the AIP SSM...

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

but would like to know a little more about what will happen once traffic is redirected. My questions are as follows...

Does the IPS start blocking traffic by default, or does it just report?

Can we enable the IPS so that it just reports on what action would have been taken?

Ideally we would like to run traffic through the IPS for a week or so without any blocking, so we can analyze it to reduce false positives.

Is there any documentation explaining this?

Thanks for all your help

Steve

rhermes Thu, 12/04/2008 - 14:16

The default action of an in-line IPS is to drop the packets that match signatures set to drop. There are a few signatures that are not set to generate an alert when dropped.

I think you want to start with your sensor in promiscuous mode, not in-line. Then you can watch what signatures fire that would be dropped in an in-line mode.
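As an added illustration (not from this thread or from the linked Cisco guide), this is the ASA-side service policy that hands traffic to the AIP-SSM, written for the monitoring-only phase rhermes describes, with the later inline switch shown commented out; the ACL and class-map names are assumed.

```cisco
! Select the traffic to send to the AIP-SSM (names IPS_TRAFFIC / IPS_CLASS are assumed)
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! Monitoring phase: in promiscuous mode the module receives a copy of each
! packet, so signatures can alert but nothing is dropped by the module.
! fail-open keeps traffic flowing through the ASA if the module goes down.
policy-map global_policy
 class IPS_CLASS
  ips promiscuous fail-open
!
! Blocking phase (apply after the signature set has been tuned): inline mode
! puts the module in the forwarding path, so signatures whose action is drop
! actually drop. fail-close would instead stop traffic when the module fails.
! policy-map global_policy
!  class IPS_CLASS
!   ips inline fail-open
!
service-policy global_policy global
```

Changing only the `ips` line under the class moves the same traffic selection from reporting to blocking, so the tuning done in promiscuous mode carries over.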

AxiomConsulting Tue, 12/09/2008 - 02:04

Thanks for that. I ended up throwing caution to the wind and processing all traffic (inline); all looks good so far.

I am using IPS Event Viewer for 'Real Time' analysis and reporting.

Does anyone have any other recommendations?
