Ask the Expert: Cisco Intrusion Prevention System (IPS)

Unanswered Question
Aug 24th, 2012

Read the bioWith Robert Albach

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about security best practices and management for the Cisco Intrusion Prevention System (IPS) with Robert Albach. The Cisco Intrusion Prevention System is a context aware threat prevention system for your networked environments. A critical part of the SecureX architecture, the module unobtrusively detects and prevents problematic traffic from reaching its target; uses contextual inputs to determine the proper level of response; and tightly integrates with the ASA firewall for greater network security.

Robert Albach is a product manager in the Security Business Unit at Cisco, responsible  for intrusion prevention offerings. Before joining Cisco in 2010 he held product management positions for intrusion prevention offerings at Hewlett-Packard/TippingPoint. He has more than 15 years of experience with systems management and security product offerings and has presented at the RSA trade show and other security venues.

Remember to use the rating system to let Robert know if you have received an adequate response. 

Robert might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the  Security sub-community discussion forum shortly after the event. This event lasts through through September 7, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.8 (7 ratings)
Carlos Lesaige Mon, 08/27/2012 - 08:47

Hello Robert,

I would like to undertand the main differences between a firewall and IDS/IPS system.... Are there any issues that can only be resolved by IDS/IPS?

Thank you.


Robert Albach Mon, 08/27/2012 - 11:36

Hi Carlos,

I am going to expand your question a bit to seperate IDS and IPS slightly from each other. The explanation may be simplistic but I think it is a good starting point.

A firewall is primarily about access control. Firewalls such as Cisco's ASA enforces access rules to certain networked elements based on IP addresses found within the header. One can state that devices within a particular CIDR can or cannot access another network device. This can typically be done using IP addresses and ports. There are additional extensions such as those provided by the ASA such as identity, and then with the the ASA-CX application as well. For the most part, operations are to deny all with exceptions.

An IDS (Intrusion Detection System) is largely a passive listening system which performs deep packet inspection targeting traffic of interest. In the majority of cases the traffic of interest are varying forms of attack traffic. This attack traffic can range across the entire attack life-cycle and represent a large span of different attack vectors and techniques. As a passive system it may or may not be in-line but largely the system is there to observe and report.

An IPS (Intrusion Prevention System) is an in-line system which also performs deep packet inspection with the intent of both observing and acting on the traffic. The difference from the IDS role is the need to be able to impact the traffic it is interested in. As such it is not passive but unlike the firewall it will only potentially stop or alter traffic that meets its policy statement which is normally an attack threat that is identified.

There are several impacts that these definitions may have on your placement of devices and how your organization may wish to treat the results.

If I can summarise simplistically:

A firewall denies all traffic except that whose access it allows.

An IDS impacts no traffic and reports what it discovers.

An IPS allows all traffic except that which is identified as a threat.

I hope this helps.



Mahadev Patil Wed, 02/13/2013 - 21:43

Hi Robert,

Have you any idea to configure advance IPS. Basic configuretion is done. model IPS 4240.


JEFF SPRADLING Tue, 08/28/2012 - 13:10

Hi Robert,

Can you recommend the best book / video to get up and running on the IPS as quick as possible?  I'm familiar with the ASA, but now I need to learn the IPS module within the ASA and fast! 


Jeff S.

Central, KY

Robert Albach Thu, 08/30/2012 - 09:27

Hi Jeff,

Sorry for the delay - it sounds like you are seeking some quick general operational details. Is that fair?

Sadly there are no books that I know of that are specific to the Cisco IPS and up to date. Mr. Deal's book while strong from the pure ASA perspective is a bit dated and both the ASA and IPS has had some significant changes introduced as well as new models with some significant operational differences.

I would be remiss if I did not mention my coworker's book "Cisco Firewalls" by Alexandrae Moraes. There is not much in terms of the IPS module uniquely but it does cover the newer ASA 5585 models which includes the dedicated IPS blade.

I think we may need to combine a book with a few other sources depending on your particular model. Let me know which solution you will need to manage and I will try to pull together a number of sources for you.

Now if your actual question was more along the lines of "tell me about general intrusion prevention best practices" then that would be a whole different set of references.

So let me know your platform and I'll try to pull some suggestions together.



JEFF SPRADLING Thu, 08/30/2012 - 10:03

Thanks, Robert. 

Yes, I'm looking for quick operational details on the ASA-SSM-10 module running in an ASA5510 (v8.2), so an out of date book may not be that far off for me at this time. The IDS/IPS is running ver 7.0(2).

I've been tasked to do a review of the rulebase.  I've worked on GUI based IDS appliances, and understand the theory of IDS/IPS, but I've never worked on the Cisco ASA IDS/IPS, so I just need basic info on how to get started. 

I can session into the module from the firewall, but the config is so foriegn to me that I'm not even sure that it's setup and doing anything. 

Thanks again,


Robert Albach Fri, 08/31/2012 - 09:05

Hi Jeff,

That is an older and lower end product which means the resources available to run a larger number of signatures will be limited relative to the higher end and newer platforms (ASA 5515x) as an example.

I am going to guess that this device is positioned at the company's internet edge (most people start there). In 7.1.5 we introduced a set of protection templates which are our default recomendations for deployment environments. That would be a good place to start as a reference.

I hope this helps.


JEFF SPRADLING Fri, 08/31/2012 - 16:38


Thanks for the reply, but I have to be honest - it doesn't help.

I'm looking for a crash course to show me the basics.  You mentioned a set of production templates - how do I apply them?  How do I see signatures that are there now?  They tell me they are running the IPS, but I can't even tell that this is true. What are the commands that divert or copy packets to the IPS module?  How do I create an alert to tigger when a specific IP is hit?

Again, basic information I know - but I just need to get started and don't know where to turn.  I know I can read the reams of documentation Cisco put out, but I really just want simple, basic instruction to get me started.  I'll pour through the rest when I have more time.

I appreciate any help you can provide.



Robert Albach Tue, 09/04/2012 - 08:16


Looking about it appears that we are lacking in having a simplified getting started guide at the ready.

I would like to recomend some of the video documents put together by the execellent members of TAC as a starting point.

Installation and Basic setup of AIP-SSM:

TAC ips media series:

Let me know what you think of them and if there are subjects that you feel are missing.



JEFF SPRADLING Tue, 09/04/2012 - 13:30

Thanks, Robert.  I'll check those out - I'm sure they'll be helpful.



Garrison Botts Fri, 08/31/2012 - 18:19


I just sent you a private message.. Check that out and let me know if it works for you .... :-)  If not, hit me back up and we'll get you going....

prashantrecon Thu, 08/30/2012 - 04:19

Hi Robert,

i just try to test one of DOS attack tool(LOIC) in LAB environment.

but in cisco IME real time monitoring window i am not geeting any alerts regarding this attack.

i am very sure that i am successful in Flooding in the network (cpu of ASA is going more then 60 % at that time)

But there is no event in cisco IME.

can you help in this ?



Robert Albach Thu, 08/30/2012 - 10:01

Hi Prashant,

I am going to assume that you are referencing the Low Orbit Ion Cannon attack tool. Is that corrrect?

I am going to first make a broad sweeping comment on the role of IPS and DOS/DDOS and then get to your question. An IPS is not an optimal dedicated DOS/DDOS prevention tool. It is a good means of initially identifying that the attack is starting but it would optimally signal this information upstream to some other device such as the FW, router, or specialized DOS tool. The closer to the source (ISP) the better.

Now on to your specifics.

Cisco IPS does not have an LION specific signature. While LION is a powerful tool the nature of its attacks are not really unique enough to justify a unique siganture. LION will initiate an attack in either UDP, TCP, or HTTP. There are flood signatures in the 6900 range that may be appropriate to your attack.

As always with our signatures ensure that the ones of interest are UNRETIRED, ENABLED, and that your actions inlude ALERT. Depending on the signature you may want to elevate the base RISK RATING or  use an EVENT ACTION Rule (Overrides) to guarantee a response. Given that you are operating within a lab all the other risk rating contributors are not likely to be there.

I hope this helps and thanks for asking.


prashantrecon Thu, 08/30/2012 - 20:36

Hi Robert,

Yes you are correct , iam using Low Orbit Ion Cannon tool.

ok i wiil try by tuning 6900 range IPS signature.

Just for Knowledge : could you please recommded the dedicated DOS prevention tool .



Robert Albach Fri, 08/31/2012 - 08:56

Arbor Networks is a dedicated provider of DOS/DDOS defense capable tools. Their products are frequently used by service providers.


Robert Albach Tue, 09/04/2012 - 07:14

Hi Garris,

This is an area that I 'm not qualified in the "expert" area and am going to ask on of our Technical Marketing members to help out with for an answer and I have a fear that we may have some kind of collision condition at play.

Can you tell me what report you ran where you see the segment overwrite errors? I am interested in knowing what piece of the puzzle is reporting this condition.



Garrison Botts Thu, 08/30/2012 - 14:47

I'm running a 6500 with an Sup-2 720, FWSM and IDSM-2. Is it possible to monitor/protect the vlan between the firewall and internal router interface, the DMZ, and the external firewall interface? I'm currently just protecting (running inline) the external interface but every now and then, the IDSM-2 blocks internal users from accessing the internet. When running a report, I see tcp segment overwrite errors.

If this was answered previously, please point me to the discussion...


Sent from Cisco Technical Support iPad App

Robert Albach Tue, 09/04/2012 - 14:37

Hi Garris,

IT looks like you have an open TAC case on this question so I am going to defer to that process for now and let those folks run with your issue.

Should TAC need to escalate to the local team I am certain they will not hesitate.

Hopefully things will resolve soon.


coffey.j Thu, 08/30/2012 - 16:58

Hello Robert,

What, if any, best practices are there for managing IPS AD KB across a "cluster" of IPS SSP's in an ASA HA PAIR ?

I would have thought the logical thing would be for IPS 1 in the active ASA to copy the KB to IPS2 in the standby ASA but Cisco does not provide a mechanism to do this.  Do I have to cludge this with an external scp server and expect scripts ?. If so is it a case of copying the current KB from IPS1 (maybe once a day) to an scp server and then at some time later IPS2 copies the KB form the scp server to itself and makes that the current KB.  Any advice is greatly appreciated.  Wuuld be nice if CSM could manage this....     

Robert Albach Wed, 09/05/2012 - 10:23

Hi and my apologies for the late reply.

Starting with some happier news there are plenty of options to copy and manage Anomaly Detection KBs on individual devices so you can certainly script these. Of course there is also some nice tools in IME which expose these commands.

The bad news is as you have already discovered we have not centralized this management through CSM for multi-device management. So yes kludge it is or as we may prefer to call it "creative extensioneering".

Some rambling thoughts here to follow so take them with enough thought before implementing....

Hopefully your systems rarely fail over and the nature of the traffic does not change much meaning your KBs should look very similar over time. I think it would be interesting to run diffs across those to see if there is much change.

Does one sensor happen to generate greater diffs from your "standard"? Just something to consider.

I would be very interesting in knowing how frequently your AD fires. As it was focused on worm propagation it would be good to know how often you run across those.



coffey.j Wed, 09/05/2012 - 18:01

Thanks Robert,

This is a greenfields deployment so no indication yet of what the AD alerts may be or what the KB diffs would be.  Given the ASA's are active/passive I need to ensure that the KB that is backed up is the KB from the active firewall.  Would be a very bad day if pulled from the passive device that sees normal traffic as virttually no sessions although that would only be initially. over time it should have a backup of the active KB. The only way I could think of how to do this would be to login to the active ASA and then session to the IPS module.  Do you have any other suggestions about how to grab the active KB ?

One other gripe I do have is that the copy ad knowledge base scp client only supports ssh version 1 ?  Why is that ?

I can ssh to the IPS SSP with version 2 so why would Cisco hamstring the client to version 1 ?   

vkumarg89 Mon, 09/03/2012 - 03:51

Hi Robert

I have an operational query. How do i block a root user for accessing certain commands in Unix os . Is there a way through IPS signatures . I want to block Tcp based commands

Robert Albach Tue, 09/04/2012 - 08:30

Hi Vaibhav,

Pardon me but I will make an assumption here which is that your root user has legitimate access to the Unix box in question. I am uncertain what exactly you mean by Tcp based commands. I will make another leap and guess that you mean that the user is accessing the device in question across the network perhaps?

I will work the rest of my discussion based on the above paragraph assumptions.

First this *may* be possible and the nature of the request is not all that unusual. It is often the case that people wish to use their IPS as an application control vehicle by which they want to manage commands that are remotely executed over the network. There are a number of existing signatures which already exist for similar ideas but not necessarily unique Unix commands. You can certainly write your own to apply here as well.

Second I would hope that the communication between the external user and the device is encrypted as a general best practice. If this is the case then it is probable that your IPS will not be able to see these commands in which case what *may* be possible is made not possible. Here a good security practice prohibits what you desire.

Third, given that your potential newly created Unix command signatures detect legal commands it is important that you deploy these carefully. Think through the scenarios that you want these working carefully. Are there potential situations in which you might block necessary activity from others that will need to manage this system. Remember that unless you have an ASA in place the IPS does not differentiate "who" the user is. Unless you can guarantee a network identifieir such as a VLAN or source IP the application of the signature may hit others you did not wish it to.



farkascsgy Mon, 09/03/2012 - 13:23

Hi Robert,

I have AIP-SSM 10 installed in my firewall the question is how I can disable weak cipher for the management, so how I can force that only stron encryption mechanism should be sued for https management session?

Thanks for your reply in advance.

Robert Albach Thu, 09/06/2012 - 14:01

Hi and my apology as I overlooked this question for a while!

This was definately a challenge in the 7.0 code base. If you upgrade to 7.1.6 though the problem is resolved and this release does support your platform too. Look at the 7.1.3 release notes for more details

If you need to remain on 7.0 then give TAC a call and they can point you to a less elegant solution.

And credit for this goes to Stijn Vanveerdeghem (Cisco IPS TME) who pointed me to the solution.



Sonugnair_2 Tue, 09/04/2012 - 03:43


I had posted this as a  separate discussion, but just wanted to know your opinion on this.

I am trying to upgrade the AIP SSM 20 to IPS-K9-6.2-4-E4.pkg.

The problem is that this error as below comes:-

Error: execUpgradeSoftware : Connect failed

I can confirm the following:-

1) Ping from FTP server to sensor and vice versa is OK

2) FTP server works OK, as i am able to upload/download files from other clients

3) Command given is as upgrade ftp:[email protected]/IPS-K9-6.2-4-E4.pkg

4) I also created another user in FTP server, tested but same results

5) The FTP server listens on port 21 and does not gets any request.

6) Current image is a bit old i.e. 6.0(4)E2

Some information from show version is as:-

Using 1023815680 out of 2093600768 bytes of available memory (48% usage)

system is using 17.7M out of 29.0M bytes of available disk space (61% usage)

application-data is using 39.3M out of 166.8M bytes of available disk space (25% usage)

boot is using 38.4M out of 68.6M bytes of available disk space (59% usage)

Image  that i am trying to upload i.e. IPS-K9-6.2-4-E4.pkg. is about 28.6 MB  in size, could the issue be related to the disk size (show in bold  above)?

Please help

Thanks in advance.


Robert Albach Tue, 09/04/2012 - 14:48

Hi PG,

The size of the package relative to your resources could definately be the problem but not just the storage space but potentially the memory as well.

For any device with a somewhat limited amount of storage it is a good idea to perform some occasional cleanup. Look for unnecessary prior packages, packet captures, and the like then remove them if possible. That should provide more space for laying down the package.

The second area is memory available. Best to initiate this download when things are as idle as possible. You might want to interrupt eventing activity and ensure that there are no reports being generated or signatures being downloaded (only twice a week so likely ok).

I will note that yes - your 6.0 software is rather old. In fact it is no longer a maintained rev. I would suggest as big a leap forward as possible to the 7.0.8 release if you feel comfortable with that.

Beyond that if your clean up and upgrade does not work then be certain to get some TAC help.

Good Luck!


prashantrecon Wed, 09/05/2012 - 00:26

Hi Robert,

I am not clear on below documention

TAC IPS Media Series, Episode 3 - IPS Placement

i have cisco ASA 5520 with IPS module  so what you suggest about ips placement in my case..

I want to protect my internal and DMZ network from internet and also i want to protect DMZ server from internet and internal Attack..

currently i am using IPS-CLASS service policy rule with in Global Policy service policy rule

and configuration is like

IPS-CLASS ---source any destination any service ip rule action ips inline,permit traffic,sensor vs0

is this configuration is ok

Robert Albach Fri, 09/07/2012 - 13:01

Hi Prashant,

The position sounds Ok and the policy rule is likely fine also assuming that the network surroundings are arranged in a manner where traffic is going to bypass the box.

The next step is defining what signatures and actions are configued for vs0 (virtual sensor 0) as that is where the IPS will perform its inspection.

If you find that you don't have the time to do an extensive investigation into the assets you wish to protect and all their vulnerabilities (to determine what sigs to turn on etc.), you might want to consider the use of protection templates.

If you get to version 7.1.6, there are some new pre-defined deployment specific templates available. I suggest that you set up a new virtual sensor vs1 for example and apply them there. If you can afford to mirror traffic through them as a test bed that would be nice. After analyzing the results you may select to run your live traffic through it.

Good Luck!


pcoughlin01 Wed, 09/05/2012 - 05:24

Hi Robert, how does the Cisco IPS systems compare with those from vendors like TippingPoint and McAfee?  How does Cisco differentiate itself against these other products?  I frequently get these types of questions in the field, and I'm not too familiar with either TippingPoint or McAfee to answer.  Any information you have that helps in this area is appreciated.



Robert Albach Wed, 09/05/2012 - 11:42

Hi Pat,

I will focus on three areas of differentiation that generally seperates Cisco from most of the other IPS vendors.

The first is the most obvious and that Cisco is first and foremost a network solution provider. As such you will find IPS security made available at whatever point in the network you desire and in a wide variety of forms. There is IOS/IPS, a switch module, we've had a router module, and integrated with firewalls. We are a very network aware and network enabled security solution.

Second is an extension of the first with regards to firewall integration. We have created a highly symbiotic relationship with the ASA such that certain functions are shared and policies impacts can be shared as well.

Thirdly Cisco IPS is largely contextually driven. We apply context not just to post processing reporting but in fact will alter the actions we take depending on the who, what, where involved. A nice example would be something like the following: If Manny the Marketer is having problems accessing an application then Nero the Network Admin can get on his box and ping the appropriate servers to see if connectivity is a problem. The Cisco solutions understands it is an IT admin and allows it. If Manny (who was looking over Nero's shoulder) tries to do the same then the system could block it because naturally lots of pings from a marketing machine might represent an owned host seeking out new victems. That is the kind of contextual story that Cisco can execute against live traffic in real time. A pretty nice story!

Hope this helps and thanks for the chance to plug some differentitors!


Damien Stevens Wed, 09/05/2012 - 08:25

Hi Robert,

I  was wondering if you had further clarification on what the  cidsHealthPacketDenialRate SNMP object shows.  This is one of the  objects we monitor and will alert on when this object shows that packets  are being denied but I am wondering what the output from this really  means.  According to the description of the object it displays "the  percentage of packets denied due to protocol and security violations."

Does  this mean that the IPS is dropping the packets due to triggered  signatures or that it is not inspecting packets because something is  wrong with them or something else?  It doesn't seem like it triggers  when packets are dropped because of a triggered signature because we  have MARS configured to alert on when traffic is dropped by the IPS  because of the severity of a triggered signature and we don't get these  alerts when this object shows packets being denied.

We  would like to get a better idea of what the output from this SNMP  object shows to see if we need to monitor the output from this object or  not.



Robert Albach Fri, 09/07/2012 - 12:46

Hi Damien,

I see that you asked this question earlier. I am sorry to see that you did not get an answer then.

This the the % of packets denied because the policy on the box is set to drop these when the conditions described - grossly speaking when the appropriat signature matcesh and  the resulting risk rating calculation matches the appropriate threshold for a drop. There is more detail on this and I suggest a listen to the IPS Tech Tips on risk ratings on this forum if you wish.

In simple terms there is two parts of inspection - that done through a normalization process - where issues like fragmentation or protocol violations are noted and then a threat detection phase where specific security risks are identified.

Now I notice your reference to MARs and your perceived gaps with the Alerts. Some policy settings may not call for an explicit alert when a signature is invoked and traffic is dropped. The normalization process itself could generate a good deal of inactionable (mostly) events that way.

For the other cases you should look over your policy and see if you are generating alerts that are associated with each drop.

Hope this helps!


Damien Stevens Fri, 09/07/2012 - 13:20

Thankds Robert,

As a followup, the virtual sensor doesn't show any traffic as being dropped but the analysis engine does.  Does that mean traffic is getting dropped or just not inspected?

Here is the output I'm seeing:

# show stat virtual-sensor  

Virtual Sensor Statistics

   Statistics for Virtual Sensor vs0

      Name of current Signature-Defintion instance = sig0

      Name of current Event-Action-Rules instance = rules0

      List of interfaces monitored by this virtual sensor = GigabitEthernet0/0 subinterface 1,GigabitEthernet0/0 subinterface 2,GigabitEthernet0/1 subinterface 1,GigabitEthernet0/1 subinterface 2

      General Statistics for this Virtual Sensor

         Number of seconds since a reset of the statistics = 461178

         MemoryAlloPercent = 26

         MemoryUsedPercent = 26

         MemoryMaxCapacity = 1350000

         MemoryMaxHighUsed = 423936

         MemoryCurrentAllo = 361524

         MemoryCurrentUsed = 357402

         Inspection Load Percentage = 0

         Total packets processed since reset = 8717680

         Total IP packets processed since reset = 7569923

         Total IPv4 packets processed since reset = 7569923

         Total IPv6 packets processed since reset = 0

         Total IPv6 AH packets processed since reset = 0

         Total IPv6 ESP packets processed since reset = 0

         Total IPv6 Fragment packets processed since reset = 0

         Total IPv6 Routing Header packets processed since reset = 0

         Total IPv6 ICMP packets processed since reset = 0

         Total packets that were not IP processed since reset = 1147757

         Total TCP packets processed since reset = 4938204

         Total UDP packets processed since reset = 2611735

         Total ICMP packets processed since reset = 19984

         Total packets that were not TCP, UDP, or ICMP processed since reset = 0

         Total ARP packets processed since reset = 68589

         Total ISL encapsulated packets processed since reset = 0

         Total 802.1q encapsulated packets processed since reset = 8717680

         Total GRE Packets processed since reset = 0

         Total GRE Fragment Packets processed since reset = 0

         Total GRE Packets skipped since reset = 0

         Total packets with bad IP checksums processed since reset = 0

         Total packets with bad layer 4 checksums processed since reset = 72

         Total number of bytes processed since reset = 2337873147

         The rate of packets per second since reset = 18

         The rate of bytes per second since reset = 5069

         The average bytes per packet since reset = 268

      Denied Address Information

         Number of Active Denied Attackers = 0

         Number of Denied Attackers Inserted = 0

         Number of Denied Attacker Victim Pairs Inserted = 0

         Number of Denied Attacker Service Pairs Inserted = 0

         Number of Denied Attackers Total Hits = 0

         Number of times max-denied-attackers limited creation of new entry = 0

         Number of exec Clear commands during uptime = 0

      Denied Attackers and hit count for each.

      Denied Attackers with percent denied and hit count for each.

      The Signature Database Statistics.

         The Number of each type of node active in the system

            Total nodes active = 53

            TCP nodes keyed on both IP addresses and both ports = 6

            UDP nodes keyed on both IP addresses and both ports = 4

            IP nodes keyed on both IP addresses = 7

         The number of each type of node inserted since reset

            Total nodes inserted = 204068

            TCP nodes keyed on both IP addresses and both ports = 4542

            UDP nodes keyed on both IP addresses and both ports = 52903

            IP nodes keyed on both IP addresses = 38632

         The rate of nodes per second for each time since reset

            Nodes per second = 0

            TCP nodes keyed on both IP addresses and both ports per second = 0

            UDP nodes keyed on both IP addresses and both ports per second = 0

            IP nodes keyed on both IP addresses per second = 0

         The number of root nodes forced to expire because of memory constraints

            TCP nodes keyed on both IP addresses and both ports = 23

         Packets dropped because they would exceed Database insertion rate limits = 0

      Fragment Reassembly Unit Statistics for this Virtual Sensor

         Number of fragments currently in FRU = 0

         Number of datagrams currently in FRU = 0

         Number of fragments received since reset = 144

         Number of fragments forwarded since reset = 144

         Number of fragments dropped since last reset = 0

         Number of fragments modified since last reset = 0

         Number of complete datagrams reassembled since last reset = 72

         Fragments hitting too many fragments condition since last reset = 0

         Number of overlapping fragments since last reset = 0

         Number of Datagrams too big since last reset = 0

         Number of overwriting fragments since last reset = 0

         Number of Inital fragment missing since last reset = 0

         Fragments hitting the max partial dgrams limit since last reset = 0

         Fragments too small since last reset = 0

         Too many fragments per dgram limit since last reset = 0

         Number of datagram reassembly timeout since last reset = 0

         Too many fragments claiming to be the last since last reset = 0

         Fragments with bad fragment flags since last reset = 0

      TCP Normalizer stage statistics

         Packets Input = 4938202

         Packets Modified = 0

         Dropped packets from queue = 0

         Dropped packets due to deny-connection = 0

         Duplicate Packets = 0

         Current Streams = 6

         Current Streams Closed = 0

         Current Streams Closing = 0

         Current Streams Embryonic = 0

         Current Streams Established = 0

         Current Streams Denied = 0

         Total SendAck Limited Packets = 0

         Total SendAck Limited Streams = 0

         Total SendAck Packets Sent = 0

      Statistics for the TCP Stream Reassembly Unit

         Current Statistics for the TCP Stream Reassembly Unit

            TCP streams currently in the embryonic state = 0

            TCP streams currently in the established state = 0

            TCP streams currently in the closing state = 0

            TCP streams currently in the system = 0

            TCP Packets currently queued for reassembly = 0

         Cumulative Statistics for the TCP Stream Reassembly Unit since reset

            TCP streams that have been tracked since last reset = 0

            TCP streams that had a gap in the sequence jumped = 0

            TCP streams that was abandoned due to a gap in the sequence = 0

            TCP packets that arrived out of sequence order for their stream = 0

            TCP packets that arrived out of state order for their stream = 0

            The rate of TCP connections tracked per second since reset = 0

      SigEvent Preliminary Stage Statistics

         Number of Alerts received = 518

         Number of Alerts Consumed by AlertInterval = 518

         Number of Alerts Consumed by Event Count = 0

         Number of FireOnce First Alerts = 0

         Number of FireOnce Intermediate Alerts = 0

         Number of Summary First Alerts  = 0

         Number of Summary Intermediate Alerts  = 0

         Number of Regular Summary Final Alerts  = 0

         Number of Global Summary Final Alerts  = 0

         Number of Active SigEventDataNodes  = 0

         Number of Alerts Output for further processing = 0

         Per-Signature SigEvent count since reset

            Sig 3653.0 = 518

      SigEvent Action Override Stage Statistics

         Number of Alerts received to Action Override Processor = 0

         Number Of Meta Components Input = 0

         Number of Alerts where an override was applied = 0

         Actions Added

            deny-attacker-inline = 0

            deny-attacker-victim-pair-inline = 0

            deny-attacker-service-pair-inline = 0

            deny-connection-inline = 0

            deny-packet-inline = 0

            modify-packet-inline = 0

            log-attacker-packets = 0

            log-pair-packets = 0

            log-victim-packets = 0

            produce-alert = 0

            produce-verbose-alert = 0

            request-block-connection = 0

            request-block-host = 0

            request-snmp-trap = 0

            reset-tcp-connection = 0

            request-rate-limit = 0

      SigEvent Action Filter Stage Statistics

         Number of Alerts received to Action Filter Processor = 0

         Number of Alerts where an action was filtered = 0

         Number of Filter Line matches = 0

         Number of Filter Line matches causing decreased DenyPercentage = 0

         Actions Filtered

            deny-attacker-inline = 0

            deny-attacker-victim-pair-inline = 0

            deny-attacker-service-pair-inline = 0

            deny-connection-inline = 0

            deny-packet-inline = 0

            modify-packet-inline = 0

            log-attacker-packets = 0

            log-pair-packets = 0

            log-victim-packets = 0

            produce-alert = 0

            produce-verbose-alert = 0

            request-block-connection = 0

            request-block-host = 0

            request-snmp-trap = 0

            reset-tcp-connection = 0

            request-rate-limit = 0

         Filter Hit Counts

      SigEvent Action Handling Stage Statistics.

         Number of Alerts received to Action Handling Processor = 0

         Number of Alerts where produceAlert was forced = 0

         Number of Alerts where produceAlert was off = 0

         Number of Alerts using Auto One Way Reset = 0

         Actions Performed

            deny-attacker-inline = 0

            deny-attacker-victim-pair-inline = 0

            deny-attacker-service-pair-inline = 0

            deny-connection-inline = 0

            deny-packet-inline = 0

            modify-packet-inline = 0

            log-attacker-packets = 0

            log-pair-packets = 0

            log-victim-packets = 0

            produce-alert = 0

            produce-verbose-alert = 0

            request-block-connection = 0

            request-block-host = 0

            request-snmp-trap = 0

            reset-tcp-connection = 0

            request-rate-limit = 0

         Deny Actions Requested in Promiscuous Mode

            deny-packet not performed = 0

            deny-connection not performed = 0

            deny-attacker not performed = 0

            deny-attacker-victim-pair not performed = 0

            deny-attacker-service-pair not performed = 0

            modify-packet not performed = 0

         Number of Alerts where deny-connection was forced for deny-packet action = 0

         Number of Alerts where deny-packet was forced for non-TCP deny-connection action = 0

      Anomaly Detection Statistics

         Number of Received Packets:

            TCP = 4938202

            UDP = 2611591

            Other = 19984

            TOTAL = 7569777

         Number of Overrun Packets:

            TCP = 0

            UDP = 0

            Other = 0

            TOTAL = 0

         Number of Ignored Packets = 0

         Number of Events = 28822

         Number of Recurrent Events:

            TCP = 2

            UDP = 60078

            Other = 0

            TOTAL = 60080

         Number of Worms = 0

         Number of Scanners = 0

         Number of Scanners Under Worm = 0

         Internal Zone

            Number of Events:

               TCP = 0

               UDP = 0

               Other = 0

               TOTAL = 0

            Number of Overrun Events:

               TCP = 0

               UDP = 0

               Other = 0

               TOTAL = 0

         External Zone

            Number of Events:

               TCP = 1

               UDP = 28405

               Other = 4

               TOTAL = 28410

            Number of Overrun Events:

               TCP = 0

               UDP = 0

               Other = 0

               TOTAL = 0

         Illegal Zone

            Number of Events:

               TCP = 0

               UDP = 412

               Other = 0

               TOTAL = 0

            Number of Overrun Events:

               TCP = 0

               UDP = 0

               Other = 0

               TOTAL = 0

         Global Utilization Percentage

            Unestablished Connections DB

               TCP = 0

               UDP = 0

               Other = 0

            Recurrent Events DB

               TCP = 0

               UDP = 0

               Other = 0

            Scanners DB

               TCP = 0

               UDP = 0

               Other = 0

# show stat analysis-engine  

Analysis Engine Statistics

   Number of seconds since service started = 461274

   The rate of TCP connections tracked per second = 0

   The rate of packets per second = 18

   The rate of bytes per second = 5070

   Receiver Statistics

      Total number of packets processed since reset = 8720201

      Total number of IP packets processed since reset = 7572202

   Transmitter Statistics

      Total number of packets transmitted = 8720129

      Total number of packets denied = 92114

      Total number of packets reset = 0

   Fragment Reassembly Unit Statistics

      Number of fragments currently in FRU = 0

      Number of datagrams currently in FRU = 0

   TCP Stream Reassembly Unit Statistics

      TCP streams currently in the embryonic state = 0

      TCP streams currently in the established state = 0

      TCP streams currently in the closing state = 0

      TCP streams currently in the system = 0

      TCP Packets currently queued for reassembly = 0

   The Signature Database Statistics.

      Total nodes active = 54

      TCP nodes keyed on both IP addresses and both ports = 6

      UDP nodes keyed on both IP addresses and both ports = 4

      IP nodes keyed on both IP addresses = 8

   Statistics for Signature Events

      Number of SigEvents since reset = 518

   Statistics for Actions executed on a SigEvent

      Number of Alerts written to the IdsEventStore = 0

   Inspection Stats

         Inspector        active   call      create   delete   createPct   callPct   loadPct  

         AtomicAdvanced   1        7572058   1        0        0           86        70       

         Fixed            0        64858     59108    59108    0           0         0        

         MSRPC_TCP        0        13186     4534     4534     0           0         0        

         MultiString      5        227151    2470     2465     0           2         15       

         ServiceDnsUdp    1        2612529   1        0        0           29        0        

         ServiceGeneric   1        2617063   4535     4534     0           30        1        

         ServiceNtp       8        5225058   106250   106242   1           59        0        

         ServiceP2PTCP    0        7623      4534     4534     0           0         0        

         ServiceRpcUDP    1        2612529   1        0        0           29        0        

         ServiceRpcTCP    6        2058130   1449     1443     0           23        0        

         ServiceSnmp      1        2612529   1        0        0           29        0        

         ServiceTNS       0        5983      5983     5983     0           0         0        

         String           6        336435    3419     3413     0           3         9        

         SweepICMP        2        19994     2285     2283     0           0         0        

         SweepTCP         5        9879066   47       42       0           113       0        

         SweepOtherTcp    2        4939533   22       20       0           56        1        


      SwVersion = 7.0(8)E4

      SigVersion = 664.0

      DatabaseRecordCount = 4307585

      DatabaseVersion = 1347048367

      RuleVersion = 1346963166

      ReputationFilterVersion = 1347048700

      AlertsWithHit = 0

      AlertsWithMiss = 0

      AlertsWithModifiedRiskRating = 0

      AlertsWithGlobalCorrelationDenyAttacker = 0

      AlertsWithGlobalCorrelationDenyPacket = 0

      AlertsWithGlobalCorrelationOtherAction = 0

      AlertsWithAuditRepDenies = 0

      ReputationForcedAlerts = 0

      EventStoreInsertTotal = 0

      EventStoreInsertWithHit = 0

      EventStoreInsertWithMiss = 0

      EventStoreDenyFromGlobalCorrelation = 0

      EventStoreDenyFromOverride = 0

      EventStoreDenyFromOverlap = 0

      EventStoreDenyFromOther = 0

      ReputationFilterDataSize = 453

      ReputationFilterPacketsInput = 7571702

      ReputationFilterRuleMatch = 0

      DenyFilterHitsNormal = 0

      DenyFilterHitsGlobalCorrelation = 0

      SimulatedReputationFilterPacketsInput = 0

      SimulatedReputationFilterRuleMatch = 0

      SimulatedDenyFilterInsert = 0

      SimulatedDenyFilterPacketsInput = 0

      SimulatedDenyFilterRuleMatch = 0

      TcpDeniesDueToGlobalCorrelation = 0

      TcpDeniesDueToOverride = 0

      TcpDeniesDueToOverlap = 0

      TcpDeniesDueToOther = 0

      SimulatedTcpDeniesDueToGlobalCorrelation = 0

      SimulatedTcpDeniesDueToOverride = 0

      SimulatedTcpDeniesDueToOverlap = 0

      SimulatedTcpDeniesDueToOther = 0

      LateStageDenyDueToGlobalCorrelation = 0

      LateStageDenyDueToOverride = 0

      LateStageDenyDueToOverlap = 0

      LateStageDenyDueToOther = 0

      SimulatedLateStageDenyDueToGlobalCorrelation = 0

      SimulatedLateStageDenyDueToOverride = 0

      SimulatedLateStageDenyDueToOverlap = 0

      SimulatedLateStageDenyDueToOther = 0




      ConfigAggressiveMode = 2

      ConfigAuditMode = 1



Robert Albach Fri, 09/07/2012 - 13:28

Hi Damien,

This will probably take a bit to debug and unfortunately I am out next week. Will try to get somebody to look at what you have here.

Just to cover a very simplistic case. Are we certain that all traffic is going through this particular virtual sensor?



Abdul-Mutakkabir Wed, 09/05/2012 - 08:52

Hi Robert,

My organization is planning to implement a firewall system to allow our outside employees to access a certain web application that we have on our local machines. Can you advise me on wether purchasing a Cisco router such as the 1900 series version that include cisco IOS firewall would be a solid investment or would purchasing a standalone firewall such as the ASA be a better option. The Cisco Router would be a nice addition because it would provide a dynamic device that would make monitoring and filtering traffic a little more intuitive right?

Robert Albach Thu, 09/06/2012 - 14:05

Hi Allen,

I would suggest the ASA/IPS combination. The code base is more up to date and has a greater upside for future expansion.The VPN capabilities for those outside empoyees is helpful as well.  If you were considering the router it suggests that your throughput needs for inspection is not high. You may want to consider the ASA 5515 or lower.

Hope this helps.


yjimenez12 Thu, 09/06/2012 - 07:54

Hello Robert,

my name is Yenko.

we are trying to subnet our network by departments. Right now we are using the network and it is just a huge network. What is the best way to subnet it so that the users can only have access to their department files.

Robert Albach Thu, 09/06/2012 - 15:16

Hi Yenko,

I think your question is more of a firewall question from the perspective of access.  When talking to customers I frequentlyl start with an overly simplistic question set of:

(a)  What do you want to protect yourself from;

(b) What do you want to protect.

The answer to (a) almost always starts out as - the set of objects and actors outside my organization. This leads to the placement of security devices at the internet edge.

The answer to (b) is typically a mirror to (a) - the set of objects and actors inside my organization. The same conclusion for device placement occurs.

Follow up with the assumption that "inside my organization" cannot be trusted. From here things get more interesting but from a survey of just under 200 Cisco IPS customers it turns out that these are the following deployment %s:

Behind the perimeter FW - 78%

In front of perimeter FW - 67%

Network core - 33%

In front of primary data center - 32%

In front of public facing web application - 31%

Behind VPN concentrtaor - 24%

Between different business units - 24%

Between corporate campuses - 22%

Between different business functions - 18%

These are just some numbers from other IPS users out there that might spark some ideas. Naturally budget and management efforts may curtail your ability to place them wherever you wish but look at those numbers as idea starters and consider that "protect me from" and "protect this" relationship.

I recognize that the vagueness of the answer but hope you can find something of value within.



Xavier Lloyd Thu, 09/06/2012 - 14:24

Hi Robert,

I want to position an IDS solution for a client who is on a strict budget. I see that the new IPS sensors (4300) are out and provide quite a bit of throughput but are very expensive. A 4240 sensor is more in line with his throughput requirements but I don't want to position something that runs older software/hardware. I was thinking that the ASA 5515X with the IPS is equal to the 4240 in terms of IPS throuput.

Is there any way to install the ASA to sit out of line with the traffic while monitoring in promiscuous mode? If I configured a SPAN port on a switch to feed the ASA all the switch traffic, and configured the policy on the ASA to pass it to the IPS in promiscuous mode, would the ASA drop the traffic or send it to the sensor?

I was also thinking I could put the ASA in layer 2 mode and set the IPS to promiscuous mode and fail open but if the ASA goes down, it will cut off the traffic. I don't want it to be a point of failure, but I don't want to position a solution that is too expensive, or too old.

What are your thoughts?

Thanks much,


Robert Albach Fri, 09/07/2012 - 13:20

Hi Xavier,

As of 7.1.6 the 4240 will run the most up to date software functionally equivalent to the rest of the platforms. I can't say it reverses the hardware age though.

So your question is a good one and indeed there is a challenge here. As it is all traffic must travers the ASA prior to entering the IPS. You can configure rules as needed to get traffic through the box unchallenged as you noted but it is still a firewall and indeed you end up with the somewhat unnatural acts that you describe.

Wish I had a cleaner solution for you. I think the 5515x is a good solution if your customer can accept the conditions. You can always use different contexts to drive the traffic through and hey it is a darn good firewall.


Robert Albach Fri, 02/01/2013 - 14:04

Hi Garris,

These botnets are primarily used for denial of service (DOS) attacks using HTTP. I'm uncertain if your question's focus is on either (a) detecting their presense within your network; or (b) defending against their attacks. For the sake of brevity I'm going to focus on (a) detection.

There are three means I would like to offer to detecting any form of bot and its introduction into your network: (a) its inttroduction within your environment; (b) its presence on a specific device; and (c) its activity once within your network. I think I will work in reverse operational order here.

These bots are mostly used for DOS and their "medium" is web traffic, HTTP. Consider significant outbound web requests that are out of the ordinary both in terms of volume and time of day. If certain windows hosts are sending HTTP requests at hours the user is typically not present those are pretty good clues. Unfortunately these don't seem to use the more common tell-tale IRC as a command and control communication channel so my one of my favorite advices for discovering infections is ineffective. You may want to consider looking at your IPS logs for hits to from the Reputation Fitler. I also suggest looking into the use of the Botnet Traffic Filter if you have an ASA in line.

Next - while no guarantee, keep your Anti-X up to date. There are some AV variants that detect these systems but the variants (particularly Dirt Jumper) have been spawning with regularity unfortunately which can make file based detection a challenge.

Now what we all really want is to stop these things in transit before they make it onto your network devcies. The bad news is that just as the AV vendors are challenged to capture all the variants an in-line device is even more so hampered given the real time nature of their operation. Best bet is to hopefully identify the activity of the initial intrusion prior to the dropper doing its work.

So sadly the most honest answer I can provide to you is that an in-line security system such as your IDSM2 based IPS is most likely to detect these threats by their activity. They could enter your network from a numbe of vectors some of which may be outside the view of your IPS.


Garrison Botts Wed, 01/30/2013 - 13:43


I was wondering if there's a signature update that addresses the Dirt Jumper, BlackEnergy, and Optima BotNets...  If not, could you help me create one to do so?

I'm currently running a WS-SVC-IDSM-2 with ver 7.0(6)E4.  Signaturever. 691.0 and Eng. 4 .... I use the auto update option and have readdressed the ip address to the new server...

Thanks in advance,


Tarjeet Singh Thu, 01/31/2013 - 15:01

Hi Robert,

My client has active (ASA1)/passive (ASA2) firewalls 5520 both firewalls have IPS ASA-SSM-20… On Active (ASA1) Firewall IPS module failed and failover method found ASA1 is unhealthy because IPS is failed and Failover switched over to Standby ASA2.

Yes we need to replace ASA1 IPS to bring back failover to ASA1.. But my client doesn’t want to buy new one..  So he requested me to take out secondary ASA2 IPS. So ASA2 will switch back to ASA1 once Failover will find out that there is no more IPS

Please help me, How I can remove IPS from ASA2 which is Active now. So failover switch back to ASA1 Active.

Should I just shut down IPS on both routers so failover method will not check for IPS

hw-module module 1 shutdown

Robert Albach Fri, 02/01/2013 - 14:09

Hi Tarjeet,

The important thing to do is to determine the cause for the initial failure of ASA1/IPS1. It may be the case that this is a potential misconfiguration or software error. In both cases there should be no need to purchase another device. Further if there is a hardware problem and the system is still under warranty then they should look into an RMA.

In all of these cases lets get to the bottom of the failure condition. Please contact TAC and open a case and let them determine a solution. That IPS unit should not fail and force an ASA failover.

Good Luck!


jimmyc_2 Tue, 02/05/2013 - 07:57

How do you save a copy of the IDS to flash, or the ASA?   I understand you can save to backup-config, but I'd really like to save a working copy in a repository, in case future modifications go sour.

Also, if you have failover enabled on 5510s, can you easily update the active ASA and the backup IDS pick up the active config?



Tarjeet Singh Tue, 02/05/2013 - 10:01

Hi Jimmyc,

  If you have failover then only Active ASA config save on Standby ASA but IPS/IDS do not save config on Standby. you have to make change manually every time on both IPS.

Robert Albach Wed, 02/06/2013 - 12:57

Hi Jimmy,

I think that Tarjeet gave you a good answer but I wanted to be certain that what you were asking about was in fact the configuration of the system rather than the image itself. CSM makes much of your configuration import / export and general management process very easy and with varying degrees of granularity as you chose.


Pavel Pokorny Wed, 02/06/2013 - 00:07

Dear Robert,

I have spent a lot of time with searching but without success.

My answer is simple.

Is there SNMP OID for IPS module (this one is SSM-20), which tell me Inspection  Load?

I have found OID for CPU load, but this one is not what I need (CPU load can be high and inspection load can be low at same time), because important for me is inspection load.

Thank you very much,



This Discussion

Related Content