>NeedHelp< Is it bug at IDSM-2 with IPS-K9-7.0-2-E3.pkg??

Jul 28th, 2010

Dear All,


I have an IDSM with IPS-K9-7.0-2-E3.pkg installed.
I use inline mode for this IDSM, and the IDSM is placed in front of the server farm.

But I have a problem: one segment in my network can't access the server,
while another segment can access that server.
That server is an Oracle database application (real time).

This happens only for that server.

When I filter the traffic with the IDSM, the result is that the transaction matches
signature number 7000. Even though that signature doesn't have an action to deny the traffic,
the traffic still cannot pass. Then I'll try to disable it, but there is no impact on that segment,
even though other segments can access that server normally.
Can anyone explain to me why this happens??

I'll try to downgrade to IPS-K9-7.0-2-E3.pkg with IME but I always get an error..
Can anyone help me please..

jobordel (Cisco Employee) Wed, 07/28/2010 - 07:23

Arika,


First off, you cannot downgrade the version without a re-image. You can only downgrade signatures. Second, you mention 7.0(2)E3 as the version you are on and the version you want to downgrade to. Can you verify what version you are running?


On the traffic not passing issue, if you put the sensor in bypass, does that resolve the issue? That will eliminate any signature related actions from impacting the traffic. If you are still unable to access the servers then you should look for a routing or network layer issue. If that clears things up, the next step would be to create an Event Action Override to produce alert for all signatures. Then you can review IME for any signatures firing related to these servers. Please remove the Override once you are done testing as this can have a performance impact on the sensor over time and should only be used temporarily to troubleshoot a specific issue.


If you are still having trouble, it may help to get some info about the config of the sensor and the switch. Specifically, how the VLAN or Interface Pairs are set up, etc.


Good Luck,

JoshB
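An added example (not from the original thread and not Cisco's documentation) of the troubleshooting sequence Josh describes, typed at an IPS 7.0 sensor CLI: force software bypass so signature actions are out of the path, then restore normal operation with a produce-alert override across the whole risk-rating range so every firing signature is visible in IME, and remove the override afterwards. The prompt name "sensor", the rules instance name "rules0" and the exact command syntax are assumptions from memory of the IPS 7.0 CLI; lines starting with "!" are annotations, not commands, and the syntax should be confirmed with "?" on the sensor before use.

```text
! Step 1: take signature actions out of the path; the module still forwards traffic
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# bypass-mode on
sensor(config-int)# exit
Apply Changes?:[yes]
! If the affected segment can now reach the Oracle server, the sensor is involved.
! If it still cannot, look at routing, switch or VLAN-pair configuration instead.

! Step 2: return to normal bypass behaviour, then alert on everything (assumed rules0)
sensor(config)# service interface
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes?:[yes]
sensor(config)# service event-action-rules rules0
sensor(config-eve)# overrides produce-alert
sensor(config-eve-ove)# override-item-status enabled
sensor(config-eve-ove)# risk-rating-range 0-100
sensor(config-eve-ove)# exit
sensor(config-eve)# exit
Apply Changes?:[yes]

! Reproduce the failing transaction from the affected segment, then review alerts
! in IME, or on the sensor itself, for the server's address and signature 7000
sensor# show events alert past 00:10:00

! Step 3: remove the override once testing is done, as it costs performance over time
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-eve)# no overrides produce-alert
sensor(config-eve)# exit
Apply Changes?:[yes]
```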

arikawahyono Thu, 07/29/2010 - 00:11

Hi Josh..


This is my answer



First off, you cannot downgrade the version without a re-image. You can only downgrade signatures. Second, you mention 7.0(2)E3 as the version you are on and the version you want to downgrade to. Can you verify what version you are running?


I have not yet downgraded to 7.0(2) because I don't yet have permission from my boss. And now my IDSM still uses 7.0(2)E3.


This is a capture from my IDSM:

OTIDSM# sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 7.0(2)E3
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S425.0                   2009-08-17
    Virus Update        V1.4                     2007-03-02
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               WS-SVC-IDSM-2
Serial Number:          SAD132802TL
Licensed, expires:      20-Oct-2010 UTC
Sensor up-time is 2 days.
Using 1415421952 out of 1983504384 bytes of available memory (71% usage)
system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
application-data is using 38.6M out of 166.8M bytes of available disk space (24% usage)
boot is using 41.5M out of 68.6M bytes of available disk space (64% usage)

MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
AnalysisEngine     B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500

Upgrade History:
  IPS-K9-7.0-2-E3   07:43:07 UTC Thu Oct 15 2009

Maintenance Partition Version 2.1(3)
Recovery Partition Version 1.1 - 7.0(2)E3
Host Certificate Valid from: 27-Apr-2010 to 27-Apr-2012



On the traffic not passing issue, if you put the sensor in bypass, does that resolve the issue? That will eliminate any signature related actions from impacting the traffic. If you are still unable to access the servers then you should look for a routing or network layer issue.


What do you mean by bypass? Is it to release the IDSM from the network? If so, I have done that, and the server can be accessed from the segment that could not access it before. I have checked for network layer problems but everything is OK.

And I want to clarify: the other segment can't access the server only for some applications (real time application) on that server, but the server can be pinged and telnetted from that segment (I think this clarifies the network issue question).


If that clears things up, the next step would be to create an Event Action Override to produce alert for all signatures. Then you can review IME for any signatures firing related to these servers. Please remove the Override once you are done testing as this can have a performance impact on the sensor over time and should only be used temporarily to troubleshoot a specific issue.


Well, I will try your suggestion, but I will wait for permission to execute it. I hope this works for my IDSM-2.

If you are still having trouble, it may help to get some info about the config of the sensor and the switch. Specifically, how the VLAN or Interface Pairs are set up, etc.


OK, I will…

Btw, thanks for your help, boss.

GBU …

arikawahyono Wed, 08/18/2010 - 01:06

This is really strange.
The IDSM now works properly after I erased the configuration, reloaded the module and reconfigured it again with the same configuration as before.
Why does the IDSM work properly with this method???

Even before I wrote my case in this forum, I had tried the same method, but that did not work..

Is it a bug or something??


Thanks...
