New IDS Implementation AIP-SSM-40 Noob Questions?

Mar 2nd, 2012

So - I am new to IDS but not so new to everything else Cisco. We replaced our edge network with a new ASA 5520 and also ordered the IDS/IPS AIP-SSM-40 module. Got it installed and it is looking at packets. I decided to go with promiscuous as the documentation states that we could experience some network delay with inline mode. We have a 100 meg pipe coming into the ASA outside interface. I am running IDS firmware 7 with IPS Manager 7.2.


My Questions are :


1.) I have the module running in promiscuous mode and there is a default HIGH RISK Deny Packet Inline (inline) policy enabled. Am I correct in assuming that, even though in promiscuous mode, the sensor will block all packets that it determines are "HIGH RISK"?


2.) What is the process for setting up a block rule for other types of signatures? For instance, I am seeing:


VLAN ID: 0
Interface: GigabitEthernet0/1
Attacker IP: 192.168.5.244
Protocol: tcp
Attacker Port: 59980
Attacker Locality: OUT
Target IP: 66.220.158.62
Target Port: 80
Target Locality: OUT
Target OS: unknown unknown (unknown)
Actions:
Risk Rating: TVR=medium
Risk Rating Value: 37
Threat Rating: 37
Reputation:
Context Data:

From attacker:
Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2012-03-01 10:26:58.207 ----
Ether:
Ether: dst = 30:25:32:32:25:32
Ether: src = 43:25:32:32:61:70
Ether: proto = 0x7073
Ether:
Data: 0000 25 32 32 25 33 41 25 32 32 53 45 4c 45 43 54 2b  %22%3A%22SELECT+
Data: 0010 64 69 73 70 6c 61 79 5f 6e 61 6d 65 25 32 43 6c  display_name%2Cl
Data: 0020 6f 67 6f 5f 75 72 6c 25 32 43 61 70 70 5f 69 64  ogo_url%2Capp_id
Data: 0030 2b 46 52 4f 4d 2b 61 70 70 6c 69 63 61 74 69 6f  +FROM+applicatio
Data: 0040 6e 2b 57 48 45 52 45 2b 61 70 70 5f 69 64 2b 49  n+WHERE+app_id+I
Data: 0050 4e 2b 25 32 38 73 65 6c 65 63 74 2b 61 70 70 5f  N+%28select+app_
Data: 0060 69 64 2b 46 52 4f 4d 2b 25 32 33 6e 6f 74 69 66  id+FROM+%23notif
Data: 0070 69 63 61 74 69 6f 6e 73 25 32 39 25 32 32 25 32  ications%29%22%2
Data: 0080 43 25 32 32 70 6f 73 74 73 25 32 32 25 33 41 25  C%22posts%22%3A%
Data: 0090 32 32 53 45 4c 45 43 54 2b 6d 65 73 73 61 67 65  22SELECT+message
Data: 00a0 25 32 43 61 63 74 6f 72 5f 69 64 25 32 43 74 61  %2Cactor_id%2Cta
Data: 00b0 67 67 65 64 5f 69 64 73 25 32 43 6c 69 6b 65 73  gged_ids%2Clikes
Data: 00c0 25 32 43 61 70 70 5f 69 64 25 32 43 61 74 74 61  %2Capp_id%2Catta
Data: 00d0 63 68 6d 65 6e 74 25 32 43 70 6f 73 74 5f 69 64  chment%2Cpost_id
Data: 00e0 25 32 43 63 72 65 61 74 65 64 5f 74 69 6d 65 25  %2Ccreated_time%
Data: 00f0 32 43                                            2C
Data:

From victim:
Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2012-03-01 10:26:58.207 ----
Ether:
Ether: dst = 2d:41:6c:69:76:65
Ether: src = d:a:43:6f:6e:74
Ether: proto = 0x656e
Ether:
Data: 0000 74 2d 4c 65 6e 67 74 68 3a 20 32 32 35 0d 0a 0d  t-Length: 225...
Data: 0010 0a 5b 7b 22 6e 61 6d 65 22 3a 22 75 73 65 72 22  .[{"name":"user"
Data: 0020 2c 22 66 71 6c 5f 72 65 73 75 6c 74 5f 73 65 74  ,"fql_result_set
Data: 0030 22 3a 5b 7b 22 6c 61 73 74 5f 6e 61 6d 65 22 3a  ":[{"last_name":
Data: 0040 22 50 65 6e 72 6f 64 22 2c 22 75 69 64 22 3a 35  "Penrod","uid":5
Data: 0050 31 37 38 38 38 30 32 30 2c 22 66 69 72 73 74 5f  17888020,"first_
Data: 0060 6e 61 6d 65 22 3a 22 4d 61 72 69 61 68 22 2c 22  name":"Mariah","
Data: 0070 70 69 63 5f 73 71 75 61 72 65 22 3a 22 68 74 74  pic_square":"htt
Data: 0080 70 3a 5c 2f 5c 2f 70 72 6f 66 69 6c 65 2e 61 6b  p:\/\/profile.ak
Data: 0090 2e 66 62 63 64 6e 2e 6e 65 74 5c 2f 68 70 72 6f  .fbcdn.net\/hpro
Data: 00a0 66 69 6c 65 2d 61 6b 2d 73 6e 63 34 5c 2f 33 36  file-ak-snc4\/36
Data: 00b0 39 37 38 36 5f 35 31 37 38 38 38 30 32 30 5f 31  9786_517888020_1
Data: 00c0 32 31 35 39 32 32 39 38 30 5f 71 2e 6a 70 67 22  215922980_q.jpg"
Data: 00d0 2c 22 6e 61 6d 65 22 3a 22 4d 61 72 69 61 68 20  ,"name":"Mariah 
Data: 00e0 53 68 65 6c 62 79 20 50 65 6e 72 6f 64 22 7d 5d  Shelby Penrod"}]
Data: 00f0 7d 5d                                            }]
Data:


3.) The above packet is actually from our internal WebFilter box and I am seeing a lot of these. Is there anybody using WebFilter that sees the same thing? Should I just be adding exceptions for these types of boxes? What would the process be for adding those exceptions? Should I be excluding all of my internal devices in the sensor?


4.) I read something about putting the sensor into "learning" mode for a week or so. Can someone comment on that, along with any details on how that is done?


Anybody that has any ideas along these lines, please chime in, and thanks in advance.

svaish Mon, 03/05/2012 - 02:42

1.) I have the module running in promiscuous mode and there is a default HIGH RISK Deny Packet Inline (inline) policy enabled. Am I correct in assuming that, even though in promiscuous mode, the sensor will block all packets that it determines are "HIGH RISK"?


No, as this setting is only applicable when the IPS is in inline mode.


2) What is the process for setting up a block rule for other types of signatures?


In promiscuous mode you have the following options when you try to edit a signature:

Request block host

Request block connection


etc..


Because in promiscuous mode the IPS itself cannot block the attacker, it needs to request other devices to block the attacker on its behalf.


Refer to this link

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_blocking.html


3.) The above packet is actually from our internal WebFilter box and I am seeing a lot of these. Is there anybody using WebFilter that sees the same thing? Should I just be adding exceptions for these types of boxes? What would the process be for adding those exceptions? Should I be excluding all of my internal devices in the sensor?


I see that you are using anomaly detection and hence seeing these messages.


4.) I read something about putting the sensor into "learning" mode for a week or so. Can someone comment on that, along with any details on how that is done?


Learning mode is required for your sensor to understand what the normal network activity in your network is. In learning mode it will only see what is going on in the network and will build a standard database; it does not block any host in this mode. When the IPS is put in detect mode it checks the network activity against the already built database and will match the traffic for anomalies in pattern. It can request to block hosts in this mode.


Refer to this for more information

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_anomaly_detection.html


Sachin
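As an added example (not code from this thread and not Cisco's own logic), the following Python models the points raised in questions 1 to 3: an inline-only action such as deny-packet-inline has no effect on a sensor running in promiscuous mode, a promiscuous sensor is left with request-block-* actions that another device carries out, and an address-based exception can strip blocking actions for a known internal box such as the poster's WebFilter. The field names are the ones from the event pasted above; the RR 90..100 range for the high-risk override, the action names, and the exception semantics are assumptions of this example, chosen to resemble event action overrides and filters rather than taken from the sensor's configuration.

```python
"""Simplified model of sensor mode, risk-rating overrides and address
exceptions.  Added example; the thresholds, action names and filter
semantics are assumptions, not the sensor's real behaviour."""
import ipaddress

# Actions only a sensor sitting in the traffic path (inline) can perform itself.
INLINE_ONLY_ACTIONS = {
    "deny-packet-inline",
    "deny-connection-inline",
    "deny-attacker-inline",
}
# Actions that ask a managed device (ASA, router) to block on the sensor's
# behalf; these remain usable by a promiscuous sensor.
BLOCK_REQUEST_ACTIONS = {"request-block-host", "request-block-connection"}

# Assumed default override: events with RR 90..100 get deny-packet-inline added.
DEFAULT_OVERRIDES = [(90, 100, "deny-packet-inline")]

# Keys of the flattened "KeyValue" event text, longest first so a longer key
# is matched before any shorter key that is a prefix of it.
FIELD_NAMES = sorted(
    ["VLAN ID", "Interface", "Attacker IP", "Attacker Port", "Protocol",
     "Target IP", "Target Port", "Risk Rating Value", "Threat Rating"],
    key=len, reverse=True,
)

# Constructed sample in the same flattened form as the poster's event.
SAMPLE_EVENT = """\
VLAN ID0
InterfaceGigabitEthernet0/1
Attacker IP192.168.5.244
Protocoltcp
Attacker Port59980
Target IP66.220.158.62
Target Port80
Risk Rating Value37
Threat Rating37
"""


def parse_event(text):
    """Split 'KeyValue' lines into a dict; lines with no known key are ignored."""
    event = {}
    for line in text.splitlines():
        for key in FIELD_NAMES:
            if line.startswith(key):
                event[key] = line[len(key):].strip()
                break
    return event


def exception_for(cidr, actions=BLOCK_REQUEST_ACTIONS):
    """Build an (attacker network, actions to remove) exception entry."""
    return (ipaddress.ip_network(cidr, strict=False), set(actions))


def effective_actions(event, mode, signature_actions=(),
                      overrides=DEFAULT_OVERRIDES, filters=()):
    """Return the set of actions the sensor would actually carry out.

    mode:              "inline" or "promiscuous"
    signature_actions: actions configured on the firing signature
    overrides:         (min_rr, max_rr, action) tuples added by risk rating
    filters:           (network, actions) exceptions keyed on the attacker IP
    """
    if mode not in ("inline", "promiscuous"):
        raise ValueError("mode must be 'inline' or 'promiscuous'")
    rr = int(event["Risk Rating Value"])
    actions = set(signature_actions)
    for lo, hi, action in overrides:
        if lo <= rr <= hi:
            actions.add(action)
    # A promiscuous sensor only sees copies of packets and cannot drop them,
    # so inline-only actions are unavailable to it (question 1 in the thread).
    if mode == "promiscuous":
        actions -= INLINE_ONLY_ACTIONS
    # Address-based exceptions subtract actions for known internal devices
    # such as the poster's WebFilter box (question 3 in the thread).
    attacker = ipaddress.ip_address(event["Attacker IP"])
    for network, removed in filters:
        if attacker in network:
            actions -= removed
    return actions


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print("RR 37, promiscuous, no signature actions:",
          effective_actions(ev, "promiscuous"))
    sig = ["produce-alert", "request-block-host"]
    print("RR 37, promiscuous, signature requests block:",
          effective_actions(ev, "promiscuous", sig))
    print("same, with WebFilter exception:",
          effective_actions(ev, "promiscuous", sig,
                            filters=[exception_for("192.168.5.244/32")]))
```

With the poster's RR 37 event and only the default override configured, the result is an empty action set in either mode; raising the RR to 95 yields deny-packet-inline inline but still nothing in promiscuous mode, which is the answer to question 1 in executable form. Adding request-block-host on the signature is what makes a promiscuous sensor act, and the exception entry for the WebFilter address strips that again while leaving the alert.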
