07-28-2010 05:15 AM - edited 03-10-2019 05:04 AM
Dear All,
I have an IDSM with IPS-K9-7.0-2-E3.pkg installed. I use inline mode for this IDSM, and the IDSM is placed in front of the server farm.
But I have a problem: one segment in my network can't access the server, while another segment can access that server.
That server is an Oracle database application (real time).
This happens only for that server.
When I filter the traffic with the IDSM, the result is that the transaction matches
signature number 7000. Even though that signature doesn't have an action to deny the traffic,
the traffic still cannot bypass. Then I tried to disable it, but there was no impact on that segment,
even though the other segment can access that server normally.
Can anyone explain to me why this happens??
I tried to downgrade to IPS-K9-7.0-2-E3.pkg with IME but always get an error..
Can anyone help me please..
07-28-2010 07:23 AM
Arika,
First off, you cannot downgrade the version without a re-image. You can only downgrade signatures. Second, you mention 7.0(2)E3 as the version you are on and the version you want to downgrade to. Can you verify what version you are running?
On the traffic not passing issue, if you put the sensor in bypass, does that resolve the issue? That will eliminate any signature related actions from impacting the traffic. If you are still unable to access the servers then you should look for a routing or network layer issue. If that clears things up, the next step would be to create an Event Action Override to produce alert for all signatures. Then you can review IME for any signatures firing related to these servers. Please remove the Override once you are done testing, as this can have a performance impact on the sensor over time and should only be used temporarily to troubleshoot a specific issue.
If you are still having trouble, it may help to get some info about the config of the sensor and the switch. Specifically, how the VLAN or Interface Pairs are set up, etc.
Good Luck,
JoshB
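The troubleshooting sequence described in the reply above, written out as Cisco IPS 7.0 CLI commands. This is an added illustration, not part of either poster's message. It assumes the sensor hostname OTIDSM, the default virtual sensor vs0 and the default event action rules set rules0 (none of these defaults is confirmed by the thread; only the hostname appears in the later show version output). The override step is the CLI equivalent of adding a produce-alert override in IME; a risk-rating range of 0-100 matches every signature, so each one that fires generates an alert regardless of its configured actions.

```text
! Step 1: force the sensor into bypass so traffic is forwarded without
! inspection. If the affected segment can now reach the Oracle application,
! the sensor is in the path of the problem; if not, look at routing/VLAN config.
! (Assumed hostname OTIDSM; the prompts follow the IPS 7.0 CLI.)
OTIDSM# configure terminal
OTIDSM(config)# service interface
OTIDSM(config-int)# bypass-mode on
OTIDSM(config-int)# exit
Apply Changes?:[yes]: yes
OTIDSM(config)# exit
OTIDSM# show interfaces
! confirm the interface output reports bypass mode on before retesting

! Step 2: return the sensor to normal operation (auto = bypass only on failure).
OTIDSM# configure terminal
OTIDSM(config)# service interface
OTIDSM(config-int)# bypass-mode auto
OTIDSM(config-int)# exit
Apply Changes?:[yes]: yes

! Step 3: temporary event action override so every signature, whatever its own
! action set, also produces an alert. Assumes the default rules set rules0.
OTIDSM(config)# service event-action-rules rules0
OTIDSM(config-eve)# overrides produce-alert
OTIDSM(config-eve-ove)# override-item-status Enabled
OTIDSM(config-eve-ove)# risk-rating-range 0-100
OTIDSM(config-eve-ove)# exit
OTIDSM(config-eve)# exit
Apply Changes?:[yes]: yes
OTIDSM(config)# exit

! Step 4: reproduce the failing transaction from the affected segment, then pull
! the last ten minutes of alerts and look for the server's address and any
! deny/drop actions recorded against it. The virtual-sensor statistics (assumed
! vs0) show the inline denied-packet counters.
OTIDSM# show events alert past 00:10:00
OTIDSM# show statistics virtual-sensor

! Step 5: remove the override once finished; leaving it on costs sensor
! performance over time.
OTIDSM# configure terminal
OTIDSM(config)# service event-action-rules rules0
OTIDSM(config-eve)# no overrides produce-alert
OTIDSM(config-eve)# exit
Apply Changes?:[yes]: yes
```

Each `exit` from a service submode prompts to apply the change; answering no discards it, so the transcript answers yes explicitly. Bypass mode on is a diagnostic state only: while it is set the segment gets no inspection at all, so the window should be kept short and the auto setting restored before moving on to the override.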
07-29-2010 12:11 AM
Hi Josh..
This is my answer.
First off, you cannot downgrade the version without a re-image. You can only downgrade signatures. Second, you mention 7.0(2)E3 as the version you are on and the version you want to downgrade to. Can you verify what version you are running?
I have not yet downgraded to 7.0(2) because I don't yet have permission from my boss. And now my IDSM still uses 7.0(2)E3.
This is a capture from my IDSM:
OTIDSM# sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 7.0(2)E3
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S425.0 2009-08-17
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: WS-SVC-IDSM-2
Serial Number: SAD132802TL
Licensed, expires: 20-Oct-2010 UTC
Sensor up-time is 2 days.
Using 1415421952 out of 1983504384 bytes of available memory (71% usage)
system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
application-data is using 38.6M out of 166.8M bytes of available disk space (24% usage)
boot is using 41.5M out of 68.6M bytes of available disk space (64% usage)
MainApp B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500 Running
AnalysisEngine B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500 Running
CollaborationApp B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500 Running
CLI B-BEAU_2009_OCT_15_08_07_7_0_1_111 (Ipsbuild) 2009-10-15T08:09:06-0500
Upgrade History:
IPS-K9-7.0-2-E3 07:43:07 UTC Thu Oct 15 2009
Maintenance Partition Version 2.1(3)
Recovery Partition Version 1.1 - 7.0(2)E3
Host Certificate Valid from: 27-Apr-2010 to 27-Apr-2012
On the traffic not passing issue, if you put the sensor in bypass, does that resolve the issue? That will eliminate any signature related actions from impacting the traffic. If you are still unable to access the servers then you should look for a routing or network layer issue.
What do you mean by bypass? Is it to release the IDSM from the network? If so, I have done that, and the server can be accessed from the segment that couldn't access it before. I have checked for a network layer problem, but everything is OK.
And I want to clarify: the other segment that can't access the server can't access only some applications (the real time application) on that server, but the server can be pinged and telnetted from that segment (I think this clarifies the network issue question).
If that clears things up, the next step would be to create an Event Action Override to produce alert for all signatures. Then you can review IME for any signatures firing related to these servers. Please remove the Override once you are done testing, as this can have a performance impact on the sensor over time and should only be used temporarily to troubleshoot a specific issue.
Well, I will try your suggestion, but I will wait for permission to execute it. I hope this works for my IDSM-2.
If you are still having trouble, it may help to get some info about the config of the sensor and the switch. Specifically, how the VLAN or Interface Pairs are set up, etc.
OK, I will…
Btw, thanks for your help, boss.
GBU …
08-18-2010 01:06 AM
This is really strange.
The IDSM now works properly after I erased the configuration, reloaded the module and reconfigured it with the same configuration as before..
Why does the IDSM work properly with this method???
Even before I wrote my case in this forum, I had tried the same method, but that didn't work..
Is it a bug or something??
Thanks...