Unable to retrieve IPS events via SDEE

Unanswered Question
Jul 15th, 2009

Hi,

I have added Cisco ASA with AIP-SSM in MARS and the SDEE is enabled by default on AIP-SSM. Yet I am not able to see any events during MARS query.

I had similarly added the IDSM module and I can see the events coming thru to MARS.

What could be wrong with the AIP-SSM setup, etc.?

Very limited information is available on this part. Please assist.

Farrukh Haroon Wed, 07/15/2009 - 06:29

Have you checked on the AIP-SSM itself, whether any events are coming?

Once you added the device in MARS, did it give you any error? You can rediscover/update the device in MARS to see.

Regards

Farrukh

tech_trac Wed, 07/15/2009 - 11:18

Thanks Farrukh.

When I do 'show events past 00:01:00' on AIP-SSM CLI, I can see the events.

While adding the device in MARS, all the connectivity/discovery tests were successful.

What more could I do to check why events are not pushed through to MARS? I have added the Cisco ASA and then IPS as its module.

Farrukh Haroon Wed, 07/15/2009 - 23:52

You should run a query for unknown device events, perhaps the IPS is using another IP address to send the events.

Or you can select the IPS device, and run a query for 'Raw Events' for that device.

Regards

Farrukh

tech_trac Thu, 07/16/2009 - 02:35

Farrukh,

What I have noticed is that AIP-SSM is only generating Error and Status Events but not Alert Events.

And MARS pulls Alert Events only.

Could you please let me know how I can generate signature triggers/alerts on AIP-SSM. I have opened all traffic going thru the ASA to be sent to AIP-SSM (policy-map). I have tried ICMP Echo sigs but they aren't triggering, i.e. when I check thru 'show events alert past 01:00:00'.

Please suggest.

Thanks

tech_trac Thu, 07/16/2009 - 03:22

Ok. I am continuously getting Inline Data ByPass has stopped. Please see below

IPS-SENSOR1-PROD# sh events error past 01:00:00

evError: eventId=1247673741206420461 severity=warning vendor=Cisco
  originator:
    hostId: IPS-SENSOR1-PROD
    appName: sensorApp
    appInstanceId: 466
  time: 2009/07/16 10:54:23 2009/07/16 14:54:23 GMT+04:00
  errorMessage: name=errUnclassified AnalysisEngine reconfiguration starting.

evError: eventId=1247673741206420464 severity=warning vendor=Cisco
  originator:
    hostId: IPS-SENSOR1-PROD
    appName: interface
    appInstanceId: 418
  time: 2009/07/16 10:54:24 2009/07/16 14:54:24 GMT+04:00
  errorMessage: name=errWarning Inline data bypass has started.

evError: eventId=1247673741206420467 severity=warning vendor=Cisco
  originator:
    hostId: IPS-SENSOR1-PROD
    appName: sensorApp
    appInstanceId: 466
  time: 2009/07/16 10:54:25 2009/07/16 14:54:25 GMT+04:00
  errorMessage: name=errUnclassified AnalysisEngine reconfiguration complete.

evError: eventId=1247673741206420469 severity=warning vendor=Cisco
  originator:
    hostId: IPS-SENSOR1-PROD
    appName: interface
    appInstanceId: 418
  time: 2009/07/16 10:54:25 2009/07/16 14:54:25 GMT+04:00
  errorMessage: name=errWarning Inline data bypass has stopped.

Also, when I do 'show statistics analysis-engine', the inspection Stats is completely blank.

Also, 'show statistics virtual-sensor' shows all zero values against all signature based events. Believe IPS is not running. How can I check that all the IPS processes are working as expected?
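
A small parser for the 'show events' record format quoted in the post above, added here as an example and not code from the thread or from Cisco. It assumes the layout shown in the post (a top-level evXxx line followed by indented key: value fields) and builds its sample from two of those records; it reports which event types the sensor is actually producing (MARS only pulls evAlert) and pairs each "bypass has started" with the following "bypass has stopped", since no alert can fire while the engine is in bypass.

```python
import re

# Constructed sample: two records from the 'show events error' output
# quoted in the thread, with the sensor's indentation restored.
SAMPLE = """\
evError: eventId=1247673741206420464 severity=warning vendor=Cisco
  originator:
    hostId: IPS-SENSOR1-PROD
    appName: interface
    appInstanceId: 418
  time: 2009/07/16 10:54:24 2009/07/16 14:54:24 GMT+04:00
  errorMessage: name=errWarning Inline data bypass has started.
evError: eventId=1247673741206420469 severity=warning vendor=Cisco
  originator:
    hostId: IPS-SENSOR1-PROD
    appName: interface
    appInstanceId: 418
  time: 2009/07/16 10:54:25 2009/07/16 14:54:25 GMT+04:00
  errorMessage: name=errWarning Inline data bypass has stopped.
"""

RECORD_RE = re.compile(r"^(ev\w+): eventId=(\d+) severity=(\w+)")

def parse_events(text):
    # A top-level 'evXxx:' line opens a record; indented 'key: value'
    # lines are folded into it (nested keys keep their leaf name only).
    events = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            events.append({"type": m[1], "eventId": m[2], "severity": m[3]})
            continue
        key, sep, value = line.strip().partition(":")
        if events and sep and value.strip():
            events[-1][key] = value.strip()
    return events

def bypass_windows(events):
    # Pair 'bypass has started' with the next 'bypass has stopped': while
    # bypass is on, traffic passes uninspected, so no evAlert can be produced.
    windows, start = [], None
    for ev in events:
        msg = ev.get("errorMessage", "")
        if msg.endswith("bypass has started."):
            start = ev["time"]
        elif msg.endswith("bypass has stopped.") and start:
            windows.append((start, ev["time"]))
            start = None
    return windows
```

Feeding it the full output of 'show events past 01:00:00' (not just the error subset) shows at a glance whether any evAlert record exists at all, which is the condition MARS needs.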

Farrukh Haroon Thu, 07/16/2009 - 05:45

Few of these messages are normal, could it be possible you are sending more traffic to the module than it can handle?

In any case, triggering the ECHO or ECHO REPLY signatures is usually straightforward, did you enable the signatures (they are disabled by default)?

Try rebooting the module once. Also do a 'show version' to see if the analysis engine is running.

I usually login to the box using the service account and run the 'top' command.

Regards

Farrukh
