07-29-2014 09:46 AM - edited 03-10-2019 06:13 AM
Hello,
We have an ASA 5510 with the SSM-10 module installed. ASA is running version 8.2 and IPS is version 7.1. We have put the module into inline mode in order for it to actively deny traffic, but we see policies that are firing without being acted upon. Not sure if this is a misconfiguration on our part or something else. Attached is the IPS statistics printout. If someone has any suggestions from looking at this printout, please comment.
Thanks folks.
---Transaction Server Statistics-----
section General
totalControlTransactions 3217
failedControlTransactions 4
-----Virtual Sensor Statistics-----
section Virtual Sensor Statistics
section Statistics for Virtual Sensor vs0
Name of current Signature-Defintion instance sig0
Name of current Event-Action-Rules instance rules0
List of interfaces monitored by this virtual sensor GigabitEthernet0/1 subinterface 0
section General Statistics for this Virtual Sensor
Number of seconds since a reset of the statistics 47913
MemoryAlloPercent 47
MemoryUsedPercent 42
MemoryMaxCapacity 500000
MemoryMaxHighUsed 2826897
MemoryCurrentAllo 237068
MemoryCurrentUsed 212840
Inspection Load Percentage 14
Total packets processed since reset 34505688
Total IP packets processed since reset 34505688
Total IPv4 packets processed since reset 34505688
Total IPv6 packets processed since reset 0
Total IPv6 AH packets processed since reset 0
Total IPv6 ESP packets processed since reset 0
Total IPv6 Fragment packets processed since reset 0
Total IPv6 Routing Header packets processed since reset 0
Total IPv6 ICMP packets processed since reset 0
Total packets that were not IP processed since reset 0
Total TCP packets processed since reset 34325323
Total UDP packets processed since reset 167065
Total ICMP packets processed since reset 13300
Total packets that were not TCP, UDP, or ICMP processed since reset 0
Total ARP packets processed since reset 0
Total ISL encapsulated packets processed since reset 0
Total 802.1q encapsulated packets processed since reset 0
Total GRE Packets processed since reset 0
Total GRE Fragment Packets processed since reset 0
Total GRE Packets skipped since reset 0
Total GRE Packets with Bad Header skipped since reset 0
Total IpIp Packets with Bad Header skipped since reset 0
Total Encapsulated Tunnel Packets with Bad Header skipped since reset 0
Total packets with bad IP checksums processed since reset 0
Total packets with bad layer 4 checksums processed since reset 4
Total cross queue TCP packets processed since reset 0
Total cross queue UDP packets processed since reset 0
HTTP transfer encoding errors 0
HTTP content encoding errors 0
HTTP character encoding errors 0
HTTP connection out of sync 0
HTTP pipelining or persistence out of sync 0
Total number of bytes processed since reset 3759758068
The rate of packets per second since reset 720
The rate of bytes per second since reset 78470
The average bytes per packet since reset 108
section Denied Address Information
Number of Active Denied Attackers 0
Number of Denied Attackers Inserted 1
Number of Denied Attacker Victim Pairs Inserted 0
Number of Denied Attacker Service Pairs Inserted 0
Number of Denied Attackers Total Hits 1
Number of times max-denied-attackers limited creation of new entry 0
Number of exec Clear commands during uptime 0
section Denied Attackers and hit count for each.
section Denied Attackers with percent denied and hit count for each.
section The Signature Database Statistics.
section The Number of each type of node active in the system
Total nodes active 12754
TCP nodes keyed on both IP addresses and both ports 2640
UDP nodes keyed on both IP addresses and both ports 9
IP nodes keyed on both IP addresses 1413
section The number of each type of node inserted since reset
Total nodes inserted 22856965
TCP nodes keyed on both IP addresses and both ports 6605775
UDP nodes keyed on both IP addresses and both ports 77832
IP nodes keyed on both IP addresses 1331670
section The rate of nodes per second for each time since reset
Nodes per second 477
TCP nodes keyed on both IP addresses and both ports per second 137
UDP nodes keyed on both IP addresses and both ports per second 1
IP nodes keyed on both IP addresses per second 27
section The number of root nodes forced to expire because of memory constraints
TCP nodes keyed on both IP addresses and both ports 0
Packets dropped because they would exceed Database insertion rate limits 0
section Fragment Reassembly Unit Statistics for this Virtual Sensor
Number of fragments currently in FRU 0
Number of datagrams currently in FRU 0
Number of fragments received since reset 19
Number of fragments forwarded since reset 19
Number of fragments dropped since last reset 0
Number of fragments modified since last reset 0
Number of complete datagrams reassembled since last reset 4
Fragments hitting too many fragments condition since last reset 0
Number of overlapping fragments since last reset 0
Number of Datagrams too big since last reset 0
Number of overwriting fragments since last reset 0
Number of Inital fragment missing since last reset 0
Fragments hitting the max partial dgrams limit since last reset 0
Fragments too small since last reset 0
Too many fragments per dgram limit since last reset 0
Number of datagram reassembly timeout since last reset 0
Too many fragments claiming to be the last since last reset 0
Fragments with bad fragment flags since last reset 0
section TCP Normalizer stage statistics
Packets Input 32172092
Packets Modified 0
Dropped packets from queue 0
Dropped packets due to deny-connection 0
Duplicate Packets 0
Current Streams 2640
Current Streams Closed 0
Current Streams Closing 0
Current Streams Embryonic 0
Current Streams Established 0
Current Streams Denied 0
Total SendAck Limited Packets 0
Total SendAck Limited Streams 0
Total SendAck Packets Sent 0
section Statistics for the TCP Stream Reassembly Unit
section Current Statistics for the TCP Stream Reassembly Unit
TCP streams currently in the embryonic state 0
TCP streams currently in the established state 0
TCP streams currently in the closing state 0
TCP streams currently in the system 0
TCP Packets currently queued for reassembly 0
section Cumulative Statistics for the TCP Stream Reassembly Unit since reset
TCP streams that have been tracked since last reset 0
TCP streams that had a gap in the sequence jumped 0
TCP streams that was abandoned due to a gap in the sequence 0
TCP packets that arrived out of sequence order for their stream 0
TCP packets that arrived out of state order for their stream 0
The rate of TCP connections tracked per second since reset 0
section SigEvent Preliminary Stage Statistics
Number of Alerts received 35195507
Number of Alerts Consumed by AlertInterval 17188269
Number of Alerts Consumed by Event Count 17999591
Number of FireOnce First Alerts 0
Number of FireOnce Intermediate Alerts 0
Number of Summary First Alerts 37
Number of Summary Intermediate Alerts 1
Number of Regular Summary Final Alerts 1
Number of Global Summary Final Alerts 0
Number of Active SigEventDataNodes 11594
Number of Alerts Output for further processing 7647
section Per-Signature SigEvent count since reset
Sig 2157.1 247
Sig 3051.0 811075
Sig 3051.1 17188269
Sig 6009.0 17188269
Sig 6901.0 1474
Sig 6902.0 1474
Sig 6903.0 1474
Sig 6910.0 1593
Sig 6920.0 1593
Sig 20059.1 12
Sig 23782.2 26
Sig 28779.0 1
section SigEvent Action Override Stage Statistics
Number of Alerts received to Action Override Processor 7579
Number Of Meta Components Input 38
Number of Alerts where an override was applied 7579
Number of Alerts where a Trait override was applied 7579
section Actions Added
deny-attacker-inline 1
deny-attacker-victim-pair-inline 1
deny-attacker-service-pair-inline 1
deny-connection-inline 7579
deny-packet-inline 1
modify-packet-inline 0
log-attacker-packets 1
log-pair-packets 1
log-victim-packets 1
produce-alert 0
produce-verbose-alert 0
request-block-connection 7349
request-block-host 5928
request-snmp-trap 0
reset-tcp-connection 7579
request-rate-limit 0
section SigEvent Action Filter Stage Statistics
Number of Alerts received to Action Filter Processor 0
Number of Alerts where an action was filtered 0
Number of Filter Line matches 0
Number of Filter Line matches causing decreased DenyPercentage 0
section Actions Filtered
deny-attacker-inline 0
deny-attacker-victim-pair-inline 0
deny-attacker-service-pair-inline 0
deny-connection-inline 0
deny-packet-inline 0
modify-packet-inline 0
log-attacker-packets 0
log-pair-packets 0
log-victim-packets 0
produce-alert 0
produce-verbose-alert 0
request-block-connection 0
request-block-host 0
request-snmp-trap 0
reset-tcp-connection 0
request-rate-limit 0
section Filter Hit Counts
section SigEvent Action Handling Stage Statistics.
Number of Alerts received to Action Handling Processor 7609
Number of Alerts where produceAlert was forced 0
Number of Alerts where produceAlert was off 0
Number of Alerts using Auto One Way Reset 0
section Actions Performed
deny-attacker-inline 1
deny-attacker-victim-pair-inline 1
deny-attacker-service-pair-inline 1
deny-connection-inline 0
deny-packet-inline 1
modify-packet-inline 0
log-attacker-packets 7609
log-pair-packets 7609
log-victim-packets 7609
produce-alert 7609
produce-verbose-alert 0
request-block-connection 1
request-block-host 1
request-snmp-trap 0
reset-tcp-connection 0
request-rate-limit 0
section Deny Actions Requested in Promiscuous Mode
deny-packet not performed 7608
deny-connection not performed 0
deny-attacker not performed 7608
deny-attacker-victim-pair not performed 7608
deny-attacker-service-pair not performed 7608
modify-packet not performed 0
Number of Alerts where deny-connection was forced for deny-packet action 0
Number of Alerts where deny-packet was forced for non-TCP deny-connection action 1
section Anomaly Detection Statistics
section Number of Received Packets:
TCP 0
UDP 0
Other 0
TOTAL 0
section Number of Overrun Packets:
TCP 0
UDP 0
Other 0
TOTAL 0
Number of Ignored Packets 0
Number of Events 16164879
section Number of Recurrent Events:
TCP 233461
UDP 10822
Other 0
TOTAL 244283
Number of Worms 0
Number of Scanners 0
Number of Scanners Under Worm 0
section Internal Zone
section Number of Events:
TCP 0
UDP 0
Other 0
TOTAL 0
section Number of Overrun Events:
TCP 0
UDP 0
Other 0
TOTAL 0
section External Zone
section Number of Events:
TCP 16069562
UDP 89570
Other 5747
TOTAL 16164879
section Number of Overrun Events:
TCP 0
UDP 0
Other 0
TOTAL 0
section Illegal Zone
section Number of Events:
TCP 0
UDP 0
Other 0
TOTAL 0
section Number of Overrun Events:
TCP 0
UDP 0
Other 0
TOTAL 0
section Global Utilization Percentage
section Unestablished Connections DB
TCP 0
UDP 0
Other 0
section Recurrent Events DB
TCP 0
UDP 0
Other 0
section Scanners DB
TCP 0
UDP 0
Other 0
-----Web Server Statistics-----
section listener-443
section session-6
remote host 192.168.1.2
session is persistent yes
number of requests serviced on current connection 11
last status code 200
last request method POST
last request URI cgi-bin/transaction-server
last protocol version HTTP/1.1
session state processingPostServlet
number of server session requests handled 2967
number of server session requests rejected 0
total HTTP requests handled 3328
maximum number of session objects allowed 40
number of idle allocated session objects 9
number of busy allocated session objects 1
section summarized log messages
number of TCP socket failure messages logged 0
number of TLS socket failure messages logged 0
number of TLS protocol failure messages logged 0
number of TLS connection failure messages logged 0
number of TLS crypto warning messages logged 0
number of TLS expired certificate warning messages logged 0
number of receipt of TLS fatal alert message messages logged 0
crypto library version 6.2.1.0
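Two places in the dump above are worth reading side by side. Under "Actions Added" the sensor added deny-connection-inline 7,579 times, but under "Actions Performed" the same action shows 0. The block "Deny Actions Requested in Promiscuous Mode" is non-zero (7,608 for deny-packet and the deny-attacker variants), and, as that heading states, it counts deny actions that were requested on traffic the sensor saw in promiscuous mode rather than inline. The following Python script is an added example, not part of the original post and not a Cisco tool; it parses a `show statistics virtual-sensor` style dump and flags exactly that mismatch. Its line format (a `section <title>` line opens a section, every other line is `<name> <value>` with a numeric value as the last token) is an assumption derived from the output above, and the embedded sample is a constructed excerpt using the poster's values.

```python
"""Parse a Cisco IPS 'show statistics virtual-sensor' dump and flag deny actions
that were requested but never performed.

Added example; not code from the original post or from Cisco. The counter
names are taken from the posted output; the line format ('section <title>'
opens a section, every other line is '<name> <value>' with the value as the
last token) is an assumption based on that output.
"""
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the posted statistics (only the sections the check
# needs; the values are the ones in the post).
SAMPLE_STATS = """\
section SigEvent Action Override Stage Statistics
Number of Alerts received to Action Override Processor 7579
section Actions Added
deny-attacker-inline 1
deny-connection-inline 7579
deny-packet-inline 1
reset-tcp-connection 7579
produce-alert 0
section SigEvent Action Handling Stage Statistics.
Number of Alerts received to Action Handling Processor 7609
section Actions Performed
deny-attacker-inline 1
deny-connection-inline 0
deny-packet-inline 1
reset-tcp-connection 0
produce-alert 7609
section Deny Actions Requested in Promiscuous Mode
deny-packet not performed 7608
deny-connection not performed 0
deny-attacker not performed 7608
deny-attacker-victim-pair not performed 7608
deny-attacker-service-pair not performed 7608
modify-packet not performed 0
"""

Section = Tuple[str, Dict[str, int]]


def parse_stats(text: str) -> List[Section]:
    """Split the dump into (section title, {counter name: value}) pairs.

    A list is used instead of a dict because titles such as
    'Number of Events:' repeat under several zones in the full output.
    """
    sections: List[Section] = []
    current: Optional[Dict[str, int]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue  # blank lines and '-----...-----' banners carry no counters
        if line.startswith("section "):
            current = {}
            sections.append((line[len("section "):].strip(), current))
            continue
        name, _, value = line.rpartition(" ")
        if current is None or not value.lstrip("-").isdigit():
            continue  # non-numeric trailing token (e.g. an instance name): skip
        current[name] = int(value)
    return sections


def find_section(sections: List[Section], title: str) -> Dict[str, int]:
    """Return the first section with this title, or an empty dict."""
    for name, entries in sections:
        if name == title:
            return entries
    return {}


def unperformed_inline_actions(sections: List[Section]) -> Dict[str, Tuple[int, int]]:
    """Map each *-inline action to (added, performed) where added > performed."""
    added = find_section(sections, "Actions Added")
    performed = find_section(sections, "Actions Performed")
    return {
        action: (count, performed.get(action, 0))
        for action, count in added.items()
        if action.endswith("-inline") and count > performed.get(action, 0)
    }


def promiscuous_denies(sections: List[Section]) -> int:
    """Total deny/modify actions the sensor could not perform in promiscuous mode."""
    return sum(find_section(sections, "Deny Actions Requested in Promiscuous Mode").values())


def main() -> None:
    sections = parse_stats(SAMPLE_STATS)
    for action, (added, done) in unperformed_inline_actions(sections).items():
        print(f"{action}: added {added} times, performed {done} times")
    skipped = promiscuous_denies(sections)
    if skipped:
        print(f"{skipped} deny actions were requested on traffic seen in promiscuous mode")
        print("-> this traffic is not reaching the sensor inline")


if __name__ == "__main__":
    main()
```

On the sample above the script reports deny-connection-inline as added 7,579 times and performed 0 times, with 30,432 deny actions skipped because the traffic was seen in promiscuous mode. On an ASA running 8.2 the module mode is chosen per traffic class by the `ips inline` or `ips promiscuous` action in the service policy, independently of how the module itself is configured, so when these counters are non-zero the ASA-side policy is the first thing to compare against the sensor's settings.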
11-19-2014 04:00 AM
Try using the GUI (IDM/IME) and verify your trigger actions. There are many options.
Select options like deny packet inline or deny attacker inline, etc.