IPS-4240-K9 IDM 6.2 Monitoring Events issue

Answered Question
May 4th, 2012

Hi, everyone,

I've noticed one confusing thing on the IDM Monitoring > Events dashboard: it doesn't show the alerts that I see on the main page (Home > Network Security Health, sensor circle). In the past 5 minutes the sensor shows, for example, 10 red alerts, but when I switch to the Events dashboard there is nothing in that table.

Several days ago I saw some periodic alerts for signature 4003 (nmap UDP sweep). It was happening during the week, and I think the quantity of real-time alerts on the sensor health circle and in the events table was the same.

The only thing I'm noticing now is signature 3041 and sometimes this message: errorMessage: - the event store wrapped around [IdsEventStore::writeEvent(), index = 19531] name=errWarning

I've read some notes about this error, but I don't understand what I should change in order to view real-time alerts and signature 4003 (when IDM worked correctly, it was the main attack). Practically all configuration is at default values. The IPS works in promiscuous mode.

Thanks for any help and advice.

Correct Answer
sawgupta Sun, 05/06/2012 - 04:05

Regarding the message "errorMessage: - the event store wrapped around "

Events are stored in a circular buffer. Once the buffer is full, we would simply overwrite the oldest event. If you are seeing multiple such messages, it means that the number of events is really high. You might want to set Alert Frequency > Summary Mode for the signatures which are firing a lot.

Refer to the following link to configure Summary Mode:

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080838bcf.shtml#IDM

Regards,

Sawan Gupta
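To make the "circular buffer" explanation above concrete, here is a small model of the event store, added as an illustration for this thread and not Cisco's code. The store size (2,000 slots), the constructed event stream (signature 3041 at 50 hits per second, signature 4003 three times early on) and the simplified summary mode (one record per signature per interval carrying the hit count) are all assumptions chosen to show why a noisy signature in Fire All mode can push every other alert out of the store before the dashboard reads it, and why summarizing that one signature stops the wrapping.

```python
"""Toy model of the IPS event store as a circular buffer.

Added illustration for the thread, not Cisco's code: the store size, the
event stream and the simplified "summary mode" (one record per signature per
interval, carrying the hit count) are constructed assumptions chosen to show
why a noisy signature can push every other alert out of the store.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    time: int        # seconds on a constructed clock
    sig_id: int
    count: int = 1   # >1 only for summary records


class EventStore:
    """Fixed-size circular store: once full, write_event overwrites the oldest entry."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.slots = [None] * capacity
        self.index = 0   # next slot to write (compare the index in the errWarning)
        self.wraps = 0   # times the write index returned to 0, i.e. "wrapped around"

    def write_event(self, ev):
        self.slots[self.index] = ev
        self.index += 1
        if self.index == self.capacity:
            self.index = 0
            self.wraps += 1

    def contents(self):
        return [e for e in self.slots if e is not None]


def noisy_stream(duration, noisy_sig, noisy_rate, rare_sig, rare_times):
    """Constructed traffic: noisy_sig fires noisy_rate times every second,
    rare_sig fires once at each second listed in rare_times."""
    events = []
    for t in range(duration):
        events.extend(Event(t, noisy_sig) for _ in range(noisy_rate))
        if t in rare_times:
            events.append(Event(t, rare_sig))
    return events


def fire_all(stream, capacity):
    """Every signature in 'Fire All' mode: each hit becomes its own record."""
    store = EventStore(capacity)
    for ev in stream:
        store.write_event(ev)
    return store


def summarize(stream, capacity, interval, summarized_sigs):
    """Signatures in summarized_sigs get one record per interval carrying the
    hit count; everything else is written immediately as in fire_all."""
    store = EventStore(capacity)
    buckets = {}   # (sig_id, interval number) -> summary Event
    for ev in stream:
        if ev.sig_id not in summarized_sigs:
            store.write_event(ev)
            continue
        key = (ev.sig_id, ev.time // interval)
        if key in buckets:
            buckets[key].count += ev.count
        else:
            buckets[key] = Event(ev.time, ev.sig_id, ev.count)
    # Simplification: summaries are flushed at the end rather than as each interval closes.
    for summary in buckets.values():
        store.write_event(summary)
    return store


def sig_counts(store):
    """Records per signature currently held in the store."""
    return Counter(e.sig_id for e in store.contents())


def total_hits(store, sig_id):
    """Hits represented by the store's records for sig_id (summaries expanded)."""
    return sum(e.count for e in store.contents() if e.sig_id == sig_id)


if __name__ == "__main__":
    # 10 minutes: sig 3041 at 50 hits/s, sig 4003 three times early on; 2,000-slot store.
    stream = noisy_stream(600, 3041, 50, 4003, {10, 20, 30})
    for label, store in (("fire all", fire_all(stream, 2000)),
                         ("summarize 3041", summarize(stream, 2000, 30, {3041}))):
        print(f"{label}: wraps={store.wraps} records={dict(sig_counts(store))} "
              f"3041 hits={total_hits(store, 3041)}")
```

In Fire All mode the 30,003 hits wrap the 2,000-slot store fifteen times and the three 4003 alerts are gone before anyone looks, which is the "health circle counts it, events table doesn't show it" symptom. With 3041 summarized the store holds 23 records, never wraps, and the 4003 alerts survive; the real sensor's store is larger, but the ratio is what matters.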

Ruslan_Mansurov Wed, 05/09/2012 - 23:31

One more question: how can I identify the specific signatures that are firing a lot? Because this message appears in every table I choose (Monitoring > Events dashboard, for example only high, or only medium, or only low notifications).

And could you give me some advice on the initial configuration of the IPS (any books, notes, examples), please? I've explored several on cisco.com, but all I've found is the general capabilities of the IPS.

P.S. For beginners in security :)

Correct Answer
sawgupta Thu, 05/10/2012 - 01:52

For signatures firing a lot, you can use IPS CLI command "show stats virtual-sensor"

or

"show statistics virtual-sensor | be SigEvent count"

Regards,

Sawan Gupta
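The per-signature counts that `show statistics virtual-sensor | be SigEvent count` prints are what you rank to find the noisy signatures. The script below is an added example for this thread, not Cisco's code: it parses a constructed excerpt modelled on the "Per-Signature SigEvent count since reset" section of that command and ranks the signatures. The exact labels, indentation and `Sig <id>.<subsig> = <count>` line format are assumptions here, so check the regular expression against your own sensor's output before relying on it. The `begin` helper mimics the CLI's `| begin` pipe (the `| be` in the answer), and `summary_candidates` picks out the signatures worth looking at with `show events` before moving them to Summarize.

```python
"""Rank signatures by SigEvent count from 'show statistics virtual-sensor' output.

Added illustration for the thread, not Cisco's code. SAMPLE_OUTPUT is a
constructed excerpt modelled on the "Per-Signature SigEvent count since
reset" section of that command; the exact labels, indentation and
sub-signature format on a real sensor are an assumption, so verify SIG_LINE
against your own output.
"""
import re

# Constructed sample, not captured from a sensor.
SAMPLE_OUTPUT = """\
Virtual Sensor Statistics
   Statistics for Virtual Sensor vs0
      Name of current Signature-Definition instance = sig0
      Name of current Event-Action-Rules instance = rules0
      List of interfaces monitored by this virtual sensor = GigabitEthernet0/1
      General Statistics for this Virtual Sensor
         Number of seconds since a reset of the statistics = 4135
         Total packets processed since reset = 9876543
      Per-Signature SigEvent count since reset
         Sig 2004.0 = 12
         Sig 3030.0 = 4
         Sig 3041.0 = 124870
         Sig 4003.0 = 87
         Sig 1330.12 = 1
"""

# "Sig <id>.<subsig> = <count>"; the line format is assumed from the sample above.
SIG_LINE = re.compile(r"^\s*Sig\s+(\d+)\.(\d+)\s*=\s*(\d+)\s*$")


def begin(text, pattern):
    """Mimic the IPS CLI '| begin <pattern>' filter: keep the output from the
    first line containing pattern onward (empty list if it never appears)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if pattern in line:
            return lines[i:]
    return []


def sigevent_counts(text):
    """Parse {(sig_id, subsig): count} from the SigEvent count section."""
    counts = {}
    for line in begin(text, "SigEvent count"):
        m = SIG_LINE.match(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] = int(m.group(3))
    return counts


def top_signatures(text, n=None):
    """Signatures ordered by SigEvent count, highest first (all of them if n is None)."""
    counts = sigevent_counts(text)
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


def summary_candidates(text, threshold):
    """Signatures whose count exceeds threshold: review them with 'show events',
    then summarize (or retire) the ones that are noise rather than real attacks."""
    return [sig for sig, count in top_signatures(text) if count > threshold]


if __name__ == "__main__":
    for (sig, sub), count in top_signatures(SAMPLE_OUTPUT, 3):
        print(f"sig {sig}.{sub}: {count} SigEvents")
    print("summary candidates:", summary_candidates(SAMPLE_OUTPUT, 1000))
```

Run it on the saved output of the real command (redirect the CLI session to a file and pass its contents in place of `SAMPLE_OUTPUT`); the threshold is a judgement call, but a signature that accounts for most of the total on its own is the one that is wrapping the store.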

Ruslan_Mansurov Thu, 05/10/2012 - 04:40

Thanks once more.

OK, I've found a big count for one signature, but this signature hasn't been changed from its default alert settings. So can it cause this wrapping error? Or should I find the signature that produces the alerts shown on the Monitoring > Events dashboard and then change its alert setting from Fire All to Summarize, as you said in the first answer?

sawgupta Thu, 05/10/2012 - 05:57

You can verify the events using command "show events"

- If it is a false positive, then you might want to report it to Cisco TAC.

- Or summarize the signature event.

- If the signature is not relevant then you may retire and disable it.

Regards,

Sawan Gupta

Posted May 4, 2012 at 1:26 AM