09-22-2010 01:16 AM - edited 03-10-2019 05:08 AM
Hi,
I have installed an IPS 4255 with version 7.0(2)E4 and am using IME 7.0.2.
I am not able to see the logs in IME (Event Monitoring), but when I access the sensor by CLI (show events) I can see the logs.
I also tried to tune a signature for ICMP large packet to log and deny traffic (using deny packet inline and deny attacker inline), and pinged
a server from inside to outside with a large packet. In this case, IME showed the logs but it did not deny the traffic.
Am I missing something here?
One more question: does the IPS at least log the traffic for IPs that are configured under "never block IP addresses"?
Please, I need some help.
Thank you and regards,
George
09-28-2010 08:26 AM
George;
1- OK, it's good that the event status is connected.
2- By checking all four severities in the device properties you have instructed IME not to retrieve events of those four severities. You need to uncheck those severities to allow IME to retrieve all event severities. Please note, the text within IME is worded "Exclude alerts of the following severity level(s)".
3- If there are no real-time events, you will likely not have historical events.
4- As your sensor is configured for both inline and promiscuous operation, the deny actions will only take effect on signature events generated by the inline interface pair. If the signature event is generated by the promiscuous interface, the deny action cannot be actioned.
While your network may be completely IPv4, it is possible for systems running Windows and Mac OS X to have IPv6 enabled by default, and in turn generate this traffic on your network.
If a signature event fires and has an action of 'Produce Alert' assigned, the IPS should log the activity regardless of the host being listed as do not block or not.
Scott
09-28-2010 03:37 AM
George;
Let me try to address your many questions in order:
You indicate not being able to see logs within IME, but you do see them on the IPS-4255's CLI:
You indicate you attempted to deny traffic using the "Deny Packet Inline" action:
The IPS-4255 will only log traffic for signature events that are triggered; if a signature event triggers for a host that is included in the 'never block' list, it should still be logged.
Scott
09-28-2010 08:09 AM
Hi Scott,
Thank you for your reply. I will answer the questions that you asked.
1- Yes, the Event status shows connected.
2- In Event Monitoring, I have checked all 4 levels to be retrieved by IME.
3- I did not check for historical events, due to the fact that logs are not being shown in IME Event Monitoring.
Actually, I can see very few events in IME every few hours, but with IPv6 as source and destination. I don't know
where they are coming from; the whole network is IPv4. On the CLI, however, I can see many, many events (using show events).
4- The IPS is configured as inline and promiscuous.
Sorry, but I did not understand the last sentence: "The IPS-4255 will only log traffic for signature events that are triggered, if the signature event triggers for a host that is included in the 'never block' list, it should be logged."
Do you mean that only events that are triggered are logged, and if the IP address is in the "never block address" list the IPS will not log it, since it will not fire any signature for that IP address?
I am posting the configuration in case it helps.
Thank you in advance for your help.
Regards,
George
10-05-2010 10:09 AM
Hi Scott,
I have unchecked the informational severity to allow IME to retrieve all event severities. I don't know why I had checked it in the first place, but the logs became visible in IME. I don't know why 98% of the firing signatures are informational. Maybe because the IPS is installed behind an ASA!
One more question, if it is not too much trouble: if I close IME, will the logs be lost? How long does the IPS keep the logs before it overwrites them with new ones?
Anyway, thank you very much for your help.
Regards,
George
10-05-2010 10:45 AM
George;
I'm glad you were able to get the event retrieval corrected, and are now seeing events within IME.
In regard to your follow-on question: IME has two (2) services that run regardless of whether the GUI is running or not. The two services are the 'Cisco IPS Manager Express Service' and the 'MySQL-IME' service. The first service retrieves events from the sensor as long as the Windows host system has connectivity to the managed sensor. The second service is the database service which maintains the IME event database. IME defaults to saving 1,000,000,000 events per database file, with a default of 100 files (these values are configurable).
The IPS sensor itself has a ~32 MB circular buffer which holds events locally; once full it will begin overwriting older events. As long as the IME service is pulling events, this should not be an issue.
Scott
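Two points in Scott's replies are easy to get wrong in practice: the IME severity filter is an exclusion list (checking all four severities retrieves nothing), and the sensor's event store is a circular buffer that silently overwrites the oldest events if the collector stops pulling. The following is an added toy model of both behaviours, not code from the thread or from Cisco; the class names, the buffer capacity, the monotonically increasing event_id used to detect gaps, and the signature id value are assumptions made for illustration, not IPS or IME internals.

```python
"""Toy model (added example, not Cisco code) of an IME-style collector pulling
events from a sensor whose local event store is a bounded ring buffer."""
from collections import deque
from dataclasses import dataclass

# IPS alert severities as shown in the IME exclusion checklist.
SEVERITIES = ("informational", "low", "medium", "high")
ASSUMED_SIG_ID = 1000  # placeholder signature id, not a real Cisco signature


@dataclass(frozen=True)
class Event:
    event_id: int   # assumed: monotonically increasing per sensor
    severity: str
    sig_id: int


class SensorEventStore:
    """Ring buffer: once 'capacity' events are stored, each new event
    evicts the oldest one (the overwrite behaviour described above)."""

    def __init__(self, capacity: int):
        self._ring = deque(maxlen=capacity)
        self._next_id = 1

    def record(self, severity: str, sig_id: int = ASSUMED_SIG_ID) -> Event:
        ev = Event(self._next_id, severity, sig_id)
        self._next_id += 1
        self._ring.append(ev)
        return ev

    def events_after(self, last_seen_id: int) -> list:
        """What a collector can still retrieve after the given event id."""
        return [e for e in self._ring if e.event_id > last_seen_id]


class Collector:
    """Pulls events, applying an *exclusion* set of severities, and counts
    events that were overwritten before it got to them."""

    def __init__(self, store: SensorEventStore, exclude_severities=()):
        self.store = store
        self.exclude = frozenset(exclude_severities)
        self.last_seen = 0
        self.received = []
        self.lost = 0

    def poll(self) -> int:
        pending = self.store.events_after(self.last_seen)
        # A gap between the last seen id and the oldest retrievable id means
        # the ring wrapped while we were not polling: those events are gone.
        if pending and pending[0].event_id != self.last_seen + 1:
            self.lost += pending[0].event_id - self.last_seen - 1
        for ev in pending:
            if ev.severity not in self.exclude:
                self.received.append(ev)
        if pending:
            self.last_seen = pending[-1].event_id
        return len(pending)


def demo_exclude_all():
    """Checking all four severities excludes everything; unchecking them
    retrieves every event. Returns (misconfigured_count, fixed_count)."""
    store = SensorEventStore(capacity=100)
    for sev in SEVERITIES * 5:          # constructed sample: 20 events
        store.record(sev)
    misconfigured = Collector(store, exclude_severities=SEVERITIES)
    fixed = Collector(store, exclude_severities=())
    misconfigured.poll()
    fixed.poll()
    return len(misconfigured.received), len(fixed.received)


def demo_buffer_wrap():
    """Collector goes quiet while the ring wraps; events are lost.
    Returns (events_received, events_lost)."""
    store = SensorEventStore(capacity=8)
    collector = Collector(store)
    for _ in range(5):
        store.record("informational")
    collector.poll()                    # ids 1-5 retrieved
    for _ in range(12):                 # collector down: ids 6-17 arrive,
        store.record("medium")          # ring keeps only ids 10-17
    collector.poll()
    return len(collector.received), collector.lost


if __name__ == "__main__":
    print("exclude-all vs fixed:", demo_exclude_all())   # (0, 20)
    print("received, lost after wrap:", demo_buffer_wrap())  # (13, 4)
```

The gap check in `poll()` is the part worth carrying over to a real deployment: whatever collector you use, compare the first event id you retrieve against the last one you stored, and alert on any jump, because a sensor that keeps overwriting a full buffer gives no other sign that events were dropped.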