Anti-X, IPS in ASA w/ SSM

Hi,

I am a bit confused about configuring IPS in the ASA (with an installed SSM module). I would appreciate your feedback on this scenario:

Case

This is our ASA configuration portion relevant to IPS. I did this to block instant messaging ...

http-map TestHTTPMap
 strict-http action allow log
 port-misuse p2p action drop log
 port-misuse tunnelling action drop log
 port-misuse im action drop log
class-map global-class_ForIM
 description Traffic Class to block IM
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect esmtp
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect dns
  inspect http
  inspect pptp
 class global-class_ForIM
  inspect http TestHTTPMap
  ips inline fail-open
!
service-policy global_policy global

I also used "Deny Connection Inline" in the Signature Configuration of SSM (for signatures related to instant messaging, peer to peer file sharing and http tunnelling).

Questions

1. Does blocking happen at the SSM or at the ASA level, or both? I had to drop/deny connections both in the http-map configuration (ASA) and in the signature configuration (SSM).

2. With the above configuration, what would be the best way to block viruses, worms and other malicious code? I think I can just inspect all types of traffic under the "class global-class_ForIM" above by adding more inspect commands. I also need to deny connections as the action for signatures related to viruses and worms. Is this correct?

Thanks in advance for your help.

AA
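As an added illustration (not part of the original thread), a small Python script that reads the policy fragment posted above and reports, for each policy-map class, what the ASA drops on its own through the http-map and what is handed to the SSM; it also flags `ips inline fail-open`, which lets traffic through uninspected if the module fails. The config string is copied from the post (with the other `inspect` lines trimmed); the parser and its key names are my own.

```python
# Constructed sample: the relevant part of the policy posted in the question
# above (the other "inspect" lines under inspection_default are omitted).
ASA_CONFIG = """\
http-map TestHTTPMap
 strict-http action allow log
 port-misuse p2p action drop log
 port-misuse tunnelling action drop log
 port-misuse im action drop log
class-map global-class_ForIM
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect http
 class global-class_ForIM
  inspect http TestHTTPMap
  ips inline fail-open
service-policy global_policy global
"""

def parse_policy(cfg):
    """Per policy-map class: what the ASA drops itself (http-map port-misuse
    entries) and whether the class is handed to the SSM. Indentation ignored."""
    http_drops, class_match, classes = {}, {}, {}
    kind = name = None
    for raw in cfg.splitlines():
        head = raw.split()
        if not head or head[0] == "!":
            continue
        if head[0] in ("http-map", "class-map", "policy-map", "class"):
            kind, name = head[0], head[1]
            if kind == "http-map":
                http_drops[name] = []
            elif kind == "class":
                classes[name] = {"match": class_match.get(name),
                                 "asa_drops": [], "ips": None, "fail_open": False}
        elif kind == "http-map" and head[0] == "port-misuse" and "drop" in head:
            http_drops[name].append(head[1])          # dropped by the ASA, no SSM involved
        elif kind == "class-map" and head[0] == "match":
            class_match[name] = " ".join(head[1:])
        elif kind == "class" and head[:2] == ["inspect", "http"] and len(head) > 2:
            classes[name]["asa_drops"] += http_drops.get(head[2], [])
        elif kind == "class" and head[0] == "ips":
            classes[name]["ips"] = " ".join(head[1:])  # e.g. "inline fail-open"
            # fail-open: if the SSM stops responding, traffic passes uninspected
            classes[name]["fail_open"] = "fail-open" in head
    return classes
```

Running `parse_policy(ASA_CONFIG)` shows that only `global-class_ForIM` (which matches any traffic) both drops IM/P2P/tunnelling on the ASA and sends everything to the SSM, so blocking really does happen at both layers with this policy.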

1 REPLY
Re: Anti-X, IPS in ASA w/ SSM

Cisco IDS Network Sensor identifies web application attacks, which include those used by the Nimda worm. The Network Sensor is able to identify attacks and provide details about the affected or compromised hosts to isolate the Nimda infection.

These Cisco IDS Network Sensor alarms fire:

WWW WinNT cmd.exe Access (SigID 5081)
IIS CGI Double Decode (SigID 5124)
WWW IIS Unicode Attack (SigID 5114)
IIS Dot Dot Execute Attack (SigID 3215)
IIS Dot Dot Crash Attack (SigID 3216)

For more information, refer to the following URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_tech_note09186a0080093f4d.shtml
