AIP-SSM not firing any sigs - Analysis Engine is Busy

raga.fusionet
Level 4

Hello guys,

I have installed an AIP-SSM module on my ASA lab and I can't get it to fire any signatures. I do see traffic going through the interfaces, which makes me think it's not an issue with the ASA config; however, I don't see any sigs even if I generate events that would fire one, such as a TCP port scan or BitTorrent.

I have assigned an interface to the vs0 and configured the basic stuff, but still I'm not getting any hits. One thing I noticed is this unusual message in the logs:

vError: eventId=1341365101856715019  vendor=Cisco  severity=error
  originator:
    hostId: sensor
    appName: collaborationApp
    appInstanceId: 452
  time: Jul 04, 2012 20:21:32 UTC  offset=0  timeZone=UTC
  errorMessage: Analysis Engine is Busy Processing Stage 3 of 97 at Step 0 of 1
Messages, like this one, in the category - ct to sensorApp timed out - were logged 1 times in the last 0 seconds.  name=errUnclassified

Here's the IDS config and a show int:

sh interfaces Gi
GigabitEthernet     GigabitEthernet0/0  GigabitEthernet0/1

RFNET-IPS# sh interfaces GigabitEthernet0/1
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Description =
   Media Type = backplane
   Default Vlan = 0
   Inline Mode = Unpaired
   Pair Status = N/A
   Hardware Bypass Capable = No
   Hardware Bypass Paired = N/A
   Link Status = Up
   Admin Enabled Status = Enabled
   Link Speed = Auto_1000
   Link Duplex = Auto_Full
   Missed Packet Percentage = 0
   Total Packets Received = 2545022
   Total Bytes Received = 1683855948
   Total Multicast Packets Received = 0
   Total Broadcast Packets Received = 0
   Total Jumbo Packets Received = 0
   Total Undersize Packets Received = 0
   Total Receive Errors = 0
   Total Receive FIFO Overruns = 0
   Total Packets Transmitted = 2544496
   Total Bytes Transmitted = 1683341358
   Total Multicast Packets Transmitted = 0
   Total Broadcast Packets Transmitted = 0
   Total Jumbo Packets Transmitted = 0
   Total Undersize Packets Transmitted = 0
   Total Transmit Errors = 0
   Total Transmit FIFO Overruns = 0

RFNET-IPS# sh configuration
! ------------------------------
! Current configuration last modified Wed Jul 04 16:01:57 2012
! ------------------------------
! Version 7.0(8)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S654.0   2012-06-25
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 172.16.10.235/24,172.16.10.1
host-name RFNET-IPS
telnet-option disabled
access-list 172.16.10.0/24
access-list 172.16.14.0/24
dns-primary-server enabled
address 172.16.10.237
exit
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset -360
standard-time-zone-name GMT-06:00
exit
ntp-option enabled-ntp-unauthenticated
ntp-server 209.114.111.1
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
event-retrieval-policy
enable false
exit
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit

Any suggestions would be appreciated

Thanks!

3 Replies

raga.fusionet
Level 4

Either this is a little weird or I'm looking at the wrong place. If I do a show statistics virtual-sensor I seem to be getting some hits on different sigs:

Per-Signature SigEvent count since reset
            Sig 6403.1 = 6
            Sig 6409.1 = 17
            Sig 6409.2 = 2
            Sig 20059.1 = 1453
            Sig 21619.1 = 2
            Sig 23782.2 = 2
            Sig 30260.1 = 3

However, if I go to the IDM, Monitoring, Events, Event Viewer, all I see is health messages from the sensor itself, not signatures.

Any ideas? Thanks.

You may edit the above firing signatures. Add Event Action to "produce-alert".

Regards,

Sawan Gupta


Raga,

Hope you are doing great. Have you tried the very basic ones, 2000 and 2004 for ICMP traffic? Enable them and set the action to produce alert.

Then go to Monitoring and set up IP logging. Use the IP addresses that you are trying to ping to make a packet capture (IP logging), start it, send the ping and then stop the IP logging; after that the IP logging will either disappear (meaning the packets are not getting to the virtual sensor) or appear but the action is not taken.

On the home page you can also see the state of the analysis engine; it normally gets stuck in compiling signatures, but the analysis engine should come back.

We can take it from there.

Mike
