IPS (7.0(7)E4) on ASA-SSM-10 blocks DNS without alerts

Answered Question
Jun 26th, 2012

Hi All

I have IPS module:

  Build Version: 1.1 - 7.0(7)E4

  ASA 5500 Series Security Services Module-10

  Signature Update      S652.0    2012-06-20

ASDM log shows these events:

4    Jun 26 2012    18:21:47        193.227.240.38    53    sd-outside    65347    IPS requested to drop UDP packet from outside:193.227.240.38/53 to dmz1:sd-outside/65347

But the IPS does not show any alerts; it does not explain why it blocks these packets. DNS queries are blocked only from one network.

! ------------------------------      

! Current configuration last modified Tue Jun 26 18:01:58 2012

! ------------------------------

! Version 7.0(7)

! Host:                                        

!     Realm Keys          key1.0               

! Signature Definition:                        

!     Signature Update    S652.0   2012-06-20  

! ------------------------------

service interface

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

filters edit PROXY

attacker-address-range 192.168.72.7

actions-to-remove deny-attacker-inline|deny-packet-inline

os-relevance relevant|not-relevant|unknown

exit

filters edit Q00000

signature-id-range 5684

attacker-address-range 95.190.8.0-95.190.8.255

actions-to-remove deny-attacker-inline|deny-packet-inline

os-relevance relevant|not-relevant|unknown

exit

filters edit Q00001

signature-id-range 5684

victim-address-range 95.190.8.0-95.190.8.255

actions-to-remove deny-attacker-inline|deny-packet-inline

os-relevance relevant|not-relevant|unknown

exit

filters edit USERS

signature-id-range 1102,5237,2152,5684,2100,5581,3030,6061,3030,11020,5403,5474,20020,60000-60100

attacker-address-range 192.168.0.0-192.168.255.255

actions-to-remove deny-attacker-inline|deny-packet-inline

os-relevance relevant|not-relevant|unknown

exit

filters edit USERS2

signature-id-range 5575-5591,2151,21619,2150-2151

attacker-address-range 192.168.0.0-192.168.255.255

victim-address-range 192.168.0.0-192.168.255.255

actions-to-remove deny-attacker-inline|deny-packet-inline

os-relevance relevant|not-relevant|unknown

exit

filters move PROXY begin

filters move USERS after PROXY

filters move Q00000 after USERS

filters move Q00001 after Q00000

filters move USERS2 after Q00001

general

global-deny-timeout 14400

exit

target-value low target-address 192.168.0.0-192.168.255.255

target-value medium target-address 192.168.1.0-192.168.1.255,192.168.64.0-192.168.64.255,192.168.3.0-192.168.3.49,192.168.65.128-192.168.65.255

target-value high target-address 192.168.72.2-192.168.72.254,192.168.66.0-192.168.67.255,192.168.2.0-192.168.2.255

target-value mission-critical target-address 192.168.65.0-192.168.65.127

os-identification

calc-arr-for-ip-range 192.168.0.0-192.168.255.255

exit

exit

! ------------------------------

service host

network-settings

host-ip 192.168.64.194/24,192.168.64.1

host-name gw1-ips

telnet-option disabled

access-list 192.168.0.0/16

dns-primary-server enabled

address 192.168.66.2

exit

dns-secondary-server enabled

address 192.168.72.19

exit

dns-tertiary-server enabled

address 192.168.72.20

exit

exit

time-zone-settings

offset 360

standard-time-zone-name GMT+06:00

exit

ntp-option enabled-ntp-unauthenticated

ntp-server 192.168.64.1

exit

summertime-option disabled

auto-upgrade

cisco-server enabled

schedule-option calendar-schedule

times-of-day 04:20:00

days-of-week sunday

days-of-week tuesday

days-of-week thursday

days-of-week saturday

exit

user-name dimaonline

cisco-url https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl

exit

exit

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

general

enable-acl-logging true

never-block-networks 192.168.0.0/16

exit

exit

! ------------------------------

service signature-definition sig0

signatures 60000 0

alert-severity low

sig-fidelity-rating 50

sig-description

sig-name XPress Administrator Service

sig-string-info Access to Administrator Service

sig-comment External user open Admin

sig-creation-date 20120622

exit

engine service-http

max-field-sizes

specify-max-uri-field-length no

exit

regex

specify-uri-regex yes

uri-regex [Aa]dministrator[Ss]ervice[.]asmx

exit

exit

service-ports 80

exit

event-counter

event-count 1

event-count-key Axxx

specify-alert-interval no

exit

alert-frequency

summary-mode summarize

summary-interval 15

summary-key Axxx

specify-global-summary-threshold no

exit

exit

vulnerable-os windows-nt-2k-xp

specify-mars-category yes

mars-category Info/Misc/Login

exit

exit

signatures 60000 1

alert-severity low

sig-fidelity-rating 50

sig-description

sig-name Xpress Bridge

sig-string-info Service URL

sig-comment External Access to bridge

sig-creation-date 20120625

exit

engine service-http

regex  

specify-uri-regex yes

uri-regex [Bb]ridge[/][Ss]ervice[.]asmx

exit

exit

service-ports 80

exit

event-counter

event-count 1

event-count-key Axxx

specify-alert-interval no

exit

alert-frequency

summary-mode summarize

summary-interval 15

summary-key Axxx

specify-global-summary-threshold no

exit

exit

status

enabled true

exit

specify-mars-category yes

mars-category Info/Misc/Login

exit   

exit

signatures 60001 0

alert-severity high

sig-fidelity-rating 90

sig-description

sig-name FreePBX Display Extentions

sig-string-info Acces to Extentions settings

sig-comment Weak Password Detection

sig-creation-date 20120622

exit

engine service-http

event-action produce-alert|deny-attacker-inline

regex

specify-uri-regex yes

uri-regex [/]admin[/]config[.]php

exit

specify-arg-name-regex yes

arg-name-regex display

specify-arg-value-regex yes

arg-value-regex (extensions)|(trunks)

exit

exit

exit

service-ports 80

exit

event-counter

event-count 1

event-count-key Axxx

specify-alert-interval no

exit

alert-frequency

summary-mode summarize

summary-interval 15

summary-key Axxx

specify-global-summary-threshold no

exit

exit

exit

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

enable-tls false

port 80

exit

! ------------------------------

service anomaly-detection ad0

internal-zone

enabled true

ip-address-range 192.168.0.0-192.168.255.255

tcp

enabled true

exit

udp

enabled true

exit

other

enabled true

exit

exit

illegal-zone

enabled false

tcp

enabled false

exit

udp

enabled false

exit

other

enabled false

exit

exit

ignore

source-ip-address-range 192.168.0.0-192.168.255.255

exit

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

signature-update-policy

enable false

exit

license-expiration-policy

enable false

exit

event-retrieval-policy

enable false

exit

exit   

! ------------------------------

service global-correlation

exit

! ------------------------------

service aaa

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

physical-interface GigabitEthernet0/1

exit

exit

sawgupta Thu, 06/28/2012 - 01:57

Check the output of

"show statistics virtual-sensor".

It should show all the signatures that are firing. You can add the action produce-alert for those signatures.

Regards,

Sawan Gupta

dimaonline Thu, 06/28/2012 - 03:03

         Per-Signature SigEvent count since reset

            Sig 5474.0 = 7

            Sig 6131.6 = 44

            Sig 6403.1 = 69

            Sig 6409.1 = 16

            Sig 6409.2 = 52

            Sig 20059.1 = 1227

            Sig 21619.1 = 212

            Sig 23782.2 = 292

            Sig 24199.1 = 1

            Sig 28481.1 = 5

            Sig 30260.1 = 2

There are no UDP signatures.

If I ping with a DNS request (ping -a 193.227.240.38), then the Sig 20059.1 counter increases (= 1321).

But if I disable this signature, the problem does not go away, and a 420002 alert is generated in addition:

4    Jun 28 2012    15:56:55        193.227.240.38    0    ASA55xx-outside    0    IPS requested to drop ICMP packet from outside:193.227.240.38/0 to inside:ASA55xx-outside/0

ruppala Mon, 07/02/2012 - 11:29

dimaonline, signature 20059-1 is a component of signature 20059-0 and is disabled and retired by default. You mentioned that you disabled this signature. Did you enable it earlier? This component signature detects benign traffic and only functions best as a component signature. It is possible that this signature may block benign traffic when it's enabled. Did you also enable any of the ICMP signatures? "Ping" uses ICMP as its underlying protocol.

dimaonline Mon, 07/02/2012 - 20:39

The signatures 20059-1 and 20059-0 are not disabled by default. They are on by default now.

I set all signatures to their defaults for troubleshooting this problem:

I have shown the configuration above; there were no changed signatures present.

dimaonline Mon, 07/02/2012 - 23:05

I set the policy to generate alerts for all signatures:

Alerts in ASDM:

But no alerts in the IPS:

dimaonline Sun, 07/08/2012 - 20:50

I ran these commands:

show statistics virtual-sensor clear

ping -a 193.227.240.38 (from workstation)

show statistics virtual-sensor:

Virtual Sensor Statistics

   Statistics for Virtual Sensor vs0

      Name of current Signature-Defintion instance = sig0

      Name of current Event-Action-Rules instance = rules0

      List of interfaces monitored by this virtual sensor = GigabitEthernet0/1 subinterface 0

      General Statistics for this Virtual Sensor

         Number of seconds since a reset of the statistics = 48

         MemoryAlloPercent = 57

         MemoryUsedPercent = 56

         MemoryMaxCapacity = 600000

         MemoryMaxHighUsed = 401408

         MemoryCurrentAllo = 344636

         MemoryCurrentUsed = 339771

         Inspection Load Percentage = 4

         Total packets processed since reset = 116008

         Total IP packets processed since reset = 116008

         Total IPv4 packets processed since reset = 116008

         Total IPv6 packets processed since reset = 0

         Total IPv6 AH packets processed since reset = 0

         Total IPv6 ESP packets processed since reset = 0

         Total IPv6 Fragment packets processed since reset = 0

         Total IPv6 Routing Header packets processed since reset = 0

         Total IPv6 ICMP packets processed since reset = 0

         Total packets that were not IP processed since reset = 0

         Total TCP packets processed since reset = 76816

         Total UDP packets processed since reset = 39143

         Total ICMP packets processed since reset = 49

         Total packets that were not TCP, UDP, or ICMP processed since reset = 0

         Total ARP packets processed since reset = 0

         Total ISL encapsulated packets processed since reset = 0

         Total 802.1q encapsulated packets processed since reset = 2

         Total GRE Packets processed since reset = 0

         Total GRE Fragment Packets processed since reset = 0

         Total GRE Packets skipped since reset = 0

         Total packets with bad IP checksums processed since reset = 0

         Total packets with bad layer 4 checksums processed since reset = 0

         Total number of bytes processed since reset = 67447436

         The rate of packets per second since reset = 2416

         The rate of bytes per second since reset = 1405154

         The average bytes per packet since reset = 581

      Denied Address Information

         Number of Active Denied Attackers = 0

         Number of Denied Attackers Inserted = 0

         Number of Denied Attacker Victim Pairs Inserted = 0

         Number of Denied Attacker Service Pairs Inserted = 0

         Number of Denied Attackers Total Hits = 0

         Number of times max-denied-attackers limited creation of new entry = 0

         Number of exec Clear commands during uptime = 0

      Denied Attackers and hit count for each.

      Denied Attackers with percent denied and hit count for each.

      The Signature Database Statistics.

         The Number of each type of node active in the system

            Total nodes active = 18998

            TCP nodes keyed on both IP addresses and both ports = 3530

            UDP nodes keyed on both IP addresses and both ports = 157

            IP nodes keyed on both IP addresses = 2163

         The number of each type of node inserted since reset

            Total nodes inserted = 8821

            TCP nodes keyed on both IP addresses and both ports = 1720

            UDP nodes keyed on both IP addresses and both ports = 759

            IP nodes keyed on both IP addresses = 843

         The rate of nodes per second for each time since reset

            Nodes per second = 183

            TCP nodes keyed on both IP addresses and both ports per second = 35

            UDP nodes keyed on both IP addresses and both ports per second = 15

            IP nodes keyed on both IP addresses per second = 17

         The number of root nodes forced to expire because of memory constraints

            TCP nodes keyed on both IP addresses and both ports = 0

         Packets dropped because they would exceed Database insertion rate limits = 0

      Fragment Reassembly Unit Statistics for this Virtual Sensor

         Number of fragments currently in FRU = 0

         Number of datagrams currently in FRU = 0

         Number of fragments received since reset = 14

         Number of fragments forwarded since reset = 14

         Number of fragments dropped since last reset = 0

         Number of fragments modified since last reset = 0

         Number of complete datagrams reassembled since last reset = 7

         Fragments hitting too many fragments condition since last reset = 0

         Number of overlapping fragments since last reset = 0

         Number of Datagrams too big since last reset = 0

         Number of overwriting fragments since last reset = 0

         Number of Inital fragment missing since last reset = 0

         Fragments hitting the max partial dgrams limit since last reset = 0

         Fragments too small since last reset = 0

         Too many fragments per dgram limit since last reset = 0

         Number of datagram reassembly timeout since last reset = 0

         Too many fragments claiming to be the last since last reset = 0

         Fragments with bad fragment flags since last reset = 0

      TCP Normalizer stage statistics

         Packets Input = 76819

         Packets Modified = 0

         Dropped packets from queue = 0

         Dropped packets due to deny-connection = 0

         Duplicate Packets = 0

         Current Streams = 3530

         Current Streams Closed = 0

         Current Streams Closing = 0

         Current Streams Embryonic = 0

         Current Streams Established = 0

         Current Streams Denied = 0

         Total SendAck Limited Packets = 0

         Total SendAck Limited Streams = 0

         Total SendAck Packets Sent = 0

      Statistics for the TCP Stream Reassembly Unit

         Current Statistics for the TCP Stream Reassembly Unit

            TCP streams currently in the embryonic state = 0

            TCP streams currently in the established state = 0

            TCP streams currently in the closing state = 0

            TCP streams currently in the system = 0

            TCP Packets currently queued for reassembly = 0

         Cumulative Statistics for the TCP Stream Reassembly Unit since reset

            TCP streams that have been tracked since last reset = 0

            TCP streams that had a gap in the sequence jumped = 0

            TCP streams that was abandoned due to a gap in the sequence = 0

            TCP packets that arrived out of sequence order for their stream = 0

            TCP packets that arrived out of state order for their stream = 0

            The rate of TCP connections tracked per second since reset = 0

      SigEvent Preliminary Stage Statistics

         Number of Alerts received = 3

         Number of Alerts Consumed by AlertInterval = 0

         Number of Alerts Consumed by Event Count = 0

         Number of FireOnce First Alerts = 0

         Number of FireOnce Intermediate Alerts = 0

         Number of Summary First Alerts  = 2

         Number of Summary Intermediate Alerts  = 1

         Number of Regular Summary Final Alerts  = 0

         Number of Global Summary Final Alerts  = 0

         Number of Active SigEventDataNodes  = 33

         Number of Alerts Output for further processing = 3

         Per-Signature SigEvent count since reset

            Sig 6409.2 = 1

            Sig 21619.1 = 2

      SigEvent Action Override Stage Statistics

         Number of Alerts received to Action Override Processor = 0

         Number Of Meta Components Input = 3

         Number of Alerts where an override was applied = 0

         Actions Added

            deny-attacker-inline = 0

            deny-attacker-victim-pair-inline = 0

            deny-attacker-service-pair-inline = 0

            deny-connection-inline = 0

            deny-packet-inline = 0

            modify-packet-inline = 0

            log-attacker-packets = 0

            log-pair-packets = 0

            log-victim-packets = 0

            produce-alert = 0

            produce-verbose-alert = 0

            request-block-connection = 0

            request-block-host = 0

            request-snmp-trap = 0

            reset-tcp-connection = 0

            request-rate-limit = 0

      SigEvent Action Filter Stage Statistics

         Number of Alerts received to Action Filter Processor = 0

         Number of Alerts where an action was filtered = 0

         Number of Filter Line matches = 0

         Number of Filter Line matches causing decreased DenyPercentage = 0

         Actions Filtered

            deny-attacker-inline = 0

            deny-attacker-victim-pair-inline = 0

            deny-attacker-service-pair-inline = 0

            deny-connection-inline = 0

            deny-packet-inline = 0

            modify-packet-inline = 0

            log-attacker-packets = 0

            log-pair-packets = 0

            log-victim-packets = 0

            produce-alert = 0

            produce-verbose-alert = 0

            request-block-connection = 0

            request-block-host = 0

            request-snmp-trap = 0

            reset-tcp-connection = 0

            request-rate-limit = 0

         Filter Hit Counts

      SigEvent Action Handling Stage Statistics.

         Number of Alerts received to Action Handling Processor = 0

         Number of Alerts where produceAlert was forced = 0

         Number of Alerts where produceAlert was off = 0

         Number of Alerts using Auto One Way Reset = 0

         Actions Performed

            deny-attacker-inline = 0

            deny-attacker-victim-pair-inline = 0

            deny-attacker-service-pair-inline = 0

            deny-connection-inline = 0

            deny-packet-inline = 0

            modify-packet-inline = 0

            log-attacker-packets = 0

            log-pair-packets = 0

            log-victim-packets = 0

            produce-alert = 0

            produce-verbose-alert = 0

            request-block-connection = 0

            request-block-host = 0

            request-snmp-trap = 0

            reset-tcp-connection = 0

            request-rate-limit = 0

         Deny Actions Requested in Promiscuous Mode

            deny-packet not performed = 0

            deny-connection not performed = 0

            deny-attacker not performed = 0

            deny-attacker-victim-pair not performed = 0

            deny-attacker-service-pair not performed = 0

            modify-packet not performed = 0

         Number of Alerts where deny-connection was forced for deny-packet action = 0

         Number of Alerts where deny-packet was forced for non-TCP deny-connection action = 0

      Anomaly Detection Statistics

         Number of Received Packets:

            TCP = 40589

            UDP = 16944

            Other = 17

            TOTAL = 57550

         Number of Overrun Packets:

            TCP = 0

            UDP = 0

            Other = 0

            TOTAL = 0

         Number of Ignored Packets = 58431

         Number of Events = 1027

         Number of Recurrent Events:

            TCP = 276

            UDP = 285

            Other = 1

            TOTAL = 562

         Number of Worms = 0

         Number of Scanners = 0

         Number of Scanners Under Worm = 0

         Internal Zone

            Number of Events:

               TCP = 478

               UDP = 541

               Other = 7

               TOTAL = 1026

            Number of Overrun Events:

               TCP = 0

               UDP = 0

               Other = 0

               TOTAL = 0

         External Zone

            Number of Events:

               TCP = 0

               UDP = 1

               Other = 0

               TOTAL = 1

            Number of Overrun Events:

               TCP = 0

               UDP = 0

               Other = 0

               TOTAL = 0

         Illegal Zone

            Number of Events:

               TCP = 0

               UDP = 0

               Other = 0

               TOTAL = 0

            Number of Overrun Events:

               TCP = 0

               UDP = 0

               Other = 0

               TOTAL = 0

         Global Utilization Percentage

            Unestablished Connections DB

               TCP = 0

               UDP = 0

               Other = 0

            Recurrent Events DB

               TCP = 2

               UDP = 2

               Other = 0

            Scanners DB

               TCP = 1

               UDP = 2

               Other = 0

ASDM event log:

4    Jul 09 2012    09:35:47        193.227.240.38    0    ASA55xx-outside    0    IPS requested to drop ICMP packet from outside:193.227.240.38/0 to inside:ASA55xx-outside/0

4    Jul 09 2012    09:35:24        193.227.240.37    53    ASA55xx-outside    33881    IPS requested to drop UDP packet from outside:193.227.240.37/53 to inside:ASA55xx-outside/33881

dimaonline Sun, 07/08/2012 - 21:08

show statistics analysis-engine after resetting the IPS and ping -a 193.227.240.38 (from workstation):

Analysis Engine Statistics

   Number of seconds since service started = 325

   The rate of TCP connections tracked per second = 0

   The rate of packets per second = 1622

   The rate of bytes per second = 856866

   Receiver Statistics

      Total number of packets processed since reset = 527197

      Total number of IP packets processed since reset = 527197

   Transmitter Statistics

      Total number of packets transmitted = 527189

      Total number of packets denied = 2

      Total number of packets reset = 1

   Fragment Reassembly Unit Statistics

      Number of fragments currently in FRU = 0

      Number of datagrams currently in FRU = 0

   TCP Stream Reassembly Unit Statistics

      TCP streams currently in the embryonic state = 0

      TCP streams currently in the established state = 0

      TCP streams currently in the closing state = 0

      TCP streams currently in the system = 0

      TCP Packets currently queued for reassembly = 0

   The Signature Database Statistics.

      Total nodes active = 13707

      TCP nodes keyed on both IP addresses and both ports = 2488

      UDP nodes keyed on both IP addresses and both ports = 180

      IP nodes keyed on both IP addresses = 1627

   Statistics for Signature Events

      Number of SigEvents since reset = 125

   Statistics for Actions executed on a SigEvent

      Number of Alerts written to the IdsEventStore = 1

   Inspection Stats

         Inspector            active   call     create   delete   createPct   callPct   loadPct  

         AtomicAdvanced       1        527187   1        0        0           99        7        

         Fixed                342      37034    28425    28083    5           7         0        

         MSRPC_TCP            207      13290    4259     4052     0           2         0        

         MultiString          2710     93354    15300    12590    2           17        49       

         MultiStringSP        1        117      47       46       0           0         0        

         ServiceDnsUdp        1        193599   1        0        0           36        0        

         ServiceGeneric       1        204395   10796    10795    2           38        0        

         ServiceHttp          1859     36807    7316     5457     1           6         21       

         ServiceNtp           694      387198   16416    15722    3           73        0        

         ServiceP2PTCP        62       21659    10795    10733    2           4         0        

         ServiceRpcUDP        1        193599   1        0        0           36        0        

         ServiceRpcTCP        2412     68654    10692    8280     2           13        0        

         ServiceSMBAdvanced   2        161      7        5        0           0         0        

         ServiceSnmp          1        193602   1        0        0           36        0        

         ServiceTNS           75       7714     7242     7167     1           1         0        

         String               2945     101300   15797    12852    2           19        20       

         SweepICMP            8        216      78       70       0           0         0        

         SweepTCP             2840     666600   8786     5946     1           126       0        

         SweepOtherTcp        1456     333300   4522     3066     0           63        0        

   GlobalCorrelationStats

      SwVersion = 7.0(8)E4

      SigVersion = 652.0

      DatabaseRecordCount = 1864815

      DatabaseVersion = 1341805747

      RuleVersion = 1341778387

      ReputationFilterVersion = 1341803012

      AlertsWithHit = 0

      AlertsWithMiss = 1

      AlertsWithModifiedRiskRating = 0

      AlertsWithGlobalCorrelationDenyAttacker = 0

      AlertsWithGlobalCorrelationDenyPacket = 0

      AlertsWithGlobalCorrelationOtherAction = 0

      AlertsWithAuditRepDenies = 0

      ReputationForcedAlerts = 0

      EventStoreInsertTotal = 1

      EventStoreInsertWithHit = 0

      EventStoreInsertWithMiss = 1

      EventStoreDenyFromGlobalCorrelation = 0

      EventStoreDenyFromOverride = 1

      EventStoreDenyFromOverlap = 0

      EventStoreDenyFromOther = 0

      ReputationFilterDataSize = 429

      ReputationFilterPacketsInput = 115716

      ReputationFilterRuleMatch = 2

      DenyFilterHitsNormal = 0

      DenyFilterHitsGlobalCorrelation = 0

      SimulatedReputationFilterPacketsInput = 0

      SimulatedReputationFilterRuleMatch = 0

      SimulatedDenyFilterInsert = 0

      SimulatedDenyFilterPacketsInput = 0

      SimulatedDenyFilterRuleMatch = 0

      TcpDeniesDueToGlobalCorrelation = 0

      TcpDeniesDueToOverride = 0

      TcpDeniesDueToOverlap = 0

      TcpDeniesDueToOther = 0

      SimulatedTcpDeniesDueToGlobalCorrelation = 0

      SimulatedTcpDeniesDueToOverride = 0

      SimulatedTcpDeniesDueToOverlap = 0

      SimulatedTcpDeniesDueToOther = 0

      LateStageDenyDueToGlobalCorrelation = 0

      LateStageDenyDueToOverride = 1

      LateStageDenyDueToOverlap = 0

      LateStageDenyDueToOther = 0

      SimulatedLateStageDenyDueToGlobalCorrelation = 0

      SimulatedLateStageDenyDueToOverride = 0

      SimulatedLateStageDenyDueToOverlap = 0

      SimulatedLateStageDenyDueToOther = 0

      AlertHistogram

      RiskHistogramEarlyStage

         RiskHistoEarly RiskVal 94

            RepVal 0 = 1

      RiskHistogramLateStage

         RiskHistoLate RiskVal 94

            RepVal 0 = 1

      ConfigAggressiveMode = 2

      ConfigAuditMode = 0

   MaliciousSiteDenyHitCounts

     193.227.240.0/23 = 2

   MaliciousSiteDenyHitCountsAUDIT

But I don't know what "MaliciousSiteDeny" is!

ckamath Sun, 07/08/2012 - 21:54

Hello dima,

Looks like this IP address is being denied as a result of reputation-filtering; that's why it's showing under

MaliciousSiteDenyHitCounts

193.227.240.0/23 = 2

and that's why packets from this subnet are being dropped.

4 Jul 09 2012 09:35:47 193.227.240.38 0 ASA55xx-outside 0 IPS requested to drop ICMP packet from outside:193.227.240.38/0 to inside:ASA55xx-outside/0

4 Jul 09 2012 09:35:24 193.227.240.37 53 ASA55xx-outside 33881 IPS requested to drop UDP packet from outside:193.227.240.37/53 to inside:ASA55xx-outside/33881

Can you check the output of "show statistics global-correlation" as well?

Alternately, you can disable reputation-filtering feature under service global-correlation and check if your packets are going through.
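One way to triage this kind of silent drop, as an added example (not from the thread and not Cisco tooling): a small Python script that parses the ASDM "IPS requested to drop" lines together with the MaliciousSiteDenyHitCounts section of the show statistics analysis-engine output, and reports which dropped sources fall inside a reputation-denied subnet (for which no signature alert is expected). The sample lines are constructed from values quoted in the thread, and the helper names are assumptions.

```python
"""Correlate ASDM 'IPS requested to drop' events with the IPS reputation-filter
hit counts from 'show statistics analysis-engine'.

Added example, not from the thread. Sample log lines and the stats excerpt are
constructed from values shown in the thread; the helpers are hypothetical."""
import ipaddress
import re

# Constructed sample: ASDM event lines of the kind posted in the thread, plus
# one extra source (198.51.100.7) that is NOT in any reputation subnet.
ASDM_LOG = """\
4    Jul 09 2012    09:35:47        193.227.240.38    0    ASA55xx-outside    0    IPS requested to drop ICMP packet from outside:193.227.240.38/0 to inside:ASA55xx-outside/0
4    Jul 09 2012    09:35:24        193.227.240.37    53    ASA55xx-outside    33881    IPS requested to drop UDP packet from outside:193.227.240.37/53 to inside:ASA55xx-outside/33881
4    Jul 09 2012    09:36:01        198.51.100.7    53    ASA55xx-outside    40001    IPS requested to drop UDP packet from outside:198.51.100.7/53 to inside:ASA55xx-outside/40001
"""

# Constructed excerpt of the global-correlation part of the show output.
ANALYSIS_ENGINE_STATS = """\
   GlobalCorrelationStats
      ReputationFilterRuleMatch = 2
      ConfigAggressiveMode = 2
      ConfigAuditMode = 0
   MaliciousSiteDenyHitCounts
     193.227.240.0/23 = 2
   MaliciousSiteDenyHitCountsAUDIT
"""

DROP_RE = re.compile(
    r"IPS requested to drop (?P<proto>\w+) packet from "
    r"(?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst>[\w.-]+)/(?P<dport>\d+)"
)
CIDR_HIT_RE = re.compile(
    r"^(?P<cidr>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s*=\s*(?P<hits>\d+)$"
)


def parse_drops(log_text):
    """Return one dict per 'IPS requested to drop' line; other lines are ignored."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := DROP_RE.search(line))]


def parse_malicious_sites(stats_text):
    """Return {cidr: hits} from the enforced MaliciousSiteDenyHitCounts section.

    The parse stops at the first non-CIDR line, so the ...AUDIT section that
    follows (denies that would only be simulated) is not mixed in."""
    hits = {}
    in_section = False
    for line in stats_text.splitlines():
        stripped = line.strip()
        if stripped == "MaliciousSiteDenyHitCounts":
            in_section = True
            continue
        if not in_section:
            continue
        m = CIDR_HIT_RE.match(stripped)
        if not m:
            break  # reached the next header
        hits[m.group("cidr")] = int(m.group("hits"))
    return hits


def classify_drops(log_text, stats_text):
    """Tag each dropped packet with the reputation subnet that explains it, if any."""
    nets = {ipaddress.ip_network(c): n
            for c, n in parse_malicious_sites(stats_text).items()}
    out = []
    for d in parse_drops(log_text):
        src = ipaddress.ip_address(d["src"])
        match = next((net for net in nets if src in net), None)
        out.append({
            "src": d["src"],
            "proto": d["proto"],
            "reputation_net": str(match) if match else None,
            "verdict": ("reputation-filter deny (no signature alert expected)"
                        if match else "not in deny list; check signature alerts"),
        })
    return out


if __name__ == "__main__":
    for row in classify_drops(ASDM_LOG, ANALYSIS_ENGINE_STATS):
        print(f"{row['src']:<16} {row['proto']:<5} {row['reputation_net'] or '-':<18} {row['verdict']}")
```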

dimaonline Mon, 07/09/2012 - 00:37

I have switched global-correlation to test mode and the problem has gone away.

However, how do I find out why this network got into Malicious Sites on update-manifests.ironport.com?

Correct Answer
ruppala Mon, 07/09/2012 - 10:49

I have confirmed with the Ironport team that this IP is a known bad host in sensorbase. This is the reason for the traffic from this host being dropped. There might be many reasons for this subnet to be in the list, for example it might be part of a known host controlled by spammers. You will need to reach out to the development team for a confirmation though.

This Discussion

Posted June 26, 2012 at 5:54 AM