IPS Sensor not seeing all traffic

Unanswered Question
Sep 24th, 2010

We upgraded all our ASAs last weekend to 8.2.3.  The IPS modules were left on the version of code they were using when the ASAs were on 8.0.4.32.

Since the upgrade, I am seeing something on the IPS sensors that doesn't make sense.  When looking at the real time monitor, I am only seeing internal traffic addresses showing up in the attacker column and outside IP addresses showing up in the victim column in IPS ME.

Here are the config lines from the ASA as they concern the IPS module:

access-list ips extended permit ip any any

class-map ips
match access-list ips

policy-map global_policy
class ips
  ips inline fail-open sensor vs0

As I understand it, how you control what traffic the IPS Sensor sees is controlled at the ASA, not the IPS module.

The ASA is operating normally and I can see the traffic I would expect to on the inside and outside interfaces.  I am starting to suspect a bug in the new ASA code but wanted to see if anyone else had seen this before I called TAC.

Thanks,

Ron

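For readers working from the policy above: the following is an added example ASA configuration, not from the original post and not Cisco-supplied, that shows how the same class-map/policy-map mechanism can be scoped instead of diverting every flow with `permit ip any any`, and how the `fail-open`/`fail-close` choice changes what happens when the module is unavailable. The interface network (10.0.0.0/8), the excluded backup server (10.10.0.50), and the virtual sensor name `vs0` (taken from the original post) are assumptions for illustration.

```text
! Added example, not from the original thread. Addresses are assumed.
! Comment lines beginning with "!" are ignored by the ASA CLI; ASA ACL
! entries do not accept trailing comments, so notes sit on their own lines.

! Only flows that involve the inside network are diverted to the module.
! Bulk traffic to an assumed backup server is excluded first, because
! ACL lines are evaluated in order and the first match wins.
access-list ips extended deny ip any host 10.10.0.50
access-list ips extended permit ip 10.0.0.0 255.0.0.0 any
access-list ips extended permit ip any 10.0.0.0 255.0.0.0
! Anything not matched above falls to the implicit deny and is simply
! not sent to the sensor; it is still forwarded by the ASA as usual.

class-map ips
 match access-list ips

policy-map global_policy
 class ips
  ips inline fail-close sensor vs0
! fail-close: if the module is down (failure, reboot, software upgrade)
! the ASA drops traffic matching this class rather than passing it
! uninspected. With a "permit ip any any" ACL that means all traffic
! stops, so scope the ACL before choosing fail-close.

service-policy global_policy global

! Verification from the ASA CLI:
show service-policy
! confirms the ips action is applied and shows packet counters per class
show access-list ips
! per-line hit counts; both the inside->any and any->inside lines should
! be incrementing if traffic in both directions is being diverted
show module
! confirms the AIP-SSM state is Up before trusting the counters above
```

The original post's `fail-open` keeps traffic flowing uninspected while the module is down, which favours availability; `fail-close` favours enforcement. Either way the ACL hit counts are the quickest check, from the ASA side, that both directions of a flow are actually reaching the sensor.
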
Scott Fringer Tue, 09/28/2010 - 04:03

Ron;

  You are correct that the configured policy map controls the traffic that is diverted to the AIP-SSM for inspection.

  I've not encountered the behavior you are describing.  What version of software is present on the AIP-SSM?

  What is the most common signature event that is firing (possibly 3030/0)?  It is possible that you have internal traffic that is frequently matching on a signature and this will cause those addresses to be listed as the attackers.

  From the CLI of the AIP-SSM, if you issue the following command, do you see traffic sourced from both internal and external hosts:

packet display gigabitethernet0/1

  You can terminate this output by issuing ctrl-c.  If this output does include traffic sourced from both internal and external hosts, the ASA is sending the traffic as expected.  It will be necessary at this point to dig further into the firing events on the AIP-SSM to verify expected output.

Scott

Ronald Nutter Tue, 09/28/2010 - 08:54

Thanks for the command.  I can see two-way traffic.  That confirms what I am seeing in IPS ME.  I have 5 IPS sensors I am watching. They are running 6.2.2.E4.  I have a test sensor in the lab that is on 7.0.2.E4.  I am considering moving to 7.x but our local Cisco office has advised me to wait for the time being (that conversation was a while back - haven't seen a reason to move from the 6.2 train to 7.x).

I normally don't go more than a day without getting an alert about a signature firing.  It has been quiet for a while now.  That change in behavior occurred around the same time as the upgrade on the ASA to 8.2.3.  It may be purely coincidental.  Just trying to err on the side of caution.  Maybe I finally have it tuned to an optimal level.

Ron

Scott Fringer Tue, 09/28/2010 - 08:58

Ron;

  It does sound like it may have been coincidental - but should you have concern over the behavior in the future, just let us know.

  As for reasons to upgrade from 6.2 to 7.0 IPS software, the addition of global correlation allows additional defensive mechanisms for protecting your network.  You can find out more about global correlation here:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_collaboration.html#wp1056492

Scott
