Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IPS Event Action Filter is not working properly.

Hi,

We have a local syslog server which listens on UDP 514 port. As many UDP frames has been cut I've done some investigation and found dropped packets (action requested by IPS). This was 1206.0 signature which is "IP Fragmant Too Small". I have created a new entry in IPS Policies to filter this out, but it didn't help. As a test I have disabled the signature completly and all frames have been delivered fine. Another thing I've tried was bringing the new action filter to the top and enabled "Stop on Match" option. Still the same. The only one solution is to disable the signature, but we can't do it.

This is ASA-SSM-20 installed on ASA 5520 version 7.1(6)E4, mode: inline

Bug search tool didn't show any related bugs.

I have checked Database integrity and get "No errors found while performing database integrity checks.

My questions are:

1. What can cause an action to be ignored on IPS?

2. Is it worth to use "Repair Database" tool? If yes what is the impact.

3. Is it possible to check hit counts on each action filter?

Regards

Mariusz

  • Intrusion Prevention Systems/IDS
7 REPLIES

IPS Event Action Filter is not working properly.

By default, the Summarizer is enabled. If you disable it, all signatures  are set to Fire All with no summarization. If you configure individual  signatures to summarize, this configuration will be ignored if the  Summarizer is not enabled.

New Member

IPS Event Action Filter is not working properly.

Thanks for reply.

Summarizer is enabled. All signature settings are left as default.

IPS Event Action Filter is not working properly.

Hey

Just for a test..

Inside the Sensor Management, Blocking, Blocking Properties.

Add the IP as Never Block, just for a test..

Anyway, Dont you think that you should update your version?

New Member

IPS Event Action Filter is not working properly.

Hi,

Thanks for your input Diego.

I have added the IP as you've suggested, but no difference.

IPS Event Action Filter is not working properly.

Hum... Very weird, I never see it before!

I think you have a missmatch configuration, like, something is not matching with anything so, the filter does not apply..

I know you did, but, maybe a new double-check in the configuration? Src Addr, Signature ID... Is everything correct?

New Member

IPS Event Action Filter is not working properly.

Hi All,

Filter settings below:

filter.jpg

The filter works partially as I don't get alerts on the IPS itself.

Firewall LOG:

4          Feb 14 2014          15:33:22                              39715                    514          IPS requested to drop UDP packet from SOURCE_VLAN_NUMBER:/39715 to DESTINATION_VLAN_NUMBER:/514

IPS LOG (when enabled):

evIdsAlert: eventId=1352793300955167909  vendor=Cisco  severity=low 

  originator:  

    hostId: SSM02 

    appName: sensorApp 

    appInstanceId: 1192 

  time: Feb 14, 2014 15:33:22 UTC  offset=0  timeZone=GMT00:00 

  signature:   description=IP Fragment Too Small  id=1206  version=S212  type=anomaly  created=20030801 

    subsigId: 0 

    sigDetails: Too many small IP fragments in datagram 

  interfaceGroup: vs0 

  vlan: 0 

  participants:  

    attacker:  

      addr: 172.x.x.x  locality=OUT 

      port: 39715 

    target:  

      addr: x.x.x.x  locality=OUT 

      port: 514 

      os:   idSource=unknown  type=unknown  relevance=relevant 

  alertDetails: InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; 

  riskRatingValue: 50  targetValueRating=medium  attackRelevanceRating=relevant 

  threatRatingValue: 50 

  interface: GigabitEthernet0/1  context=single_vf  physical=Unknown  backplane=GigabitEthernet0/1 

  protocol: udp 

Our next step is to make a service policy exception on the firewall itself. We are also considering reloading the IPS device or at least the analysis engine.

Thanks for all your help so far. Any more suggestions are most welcome. I'll keep you up to date.

Regards

Mariusz

New Member

IPS Event Action Filter is not working properly.

Update:

I configured the service policy rule on the firewall to bypass IPS. Still the same.

The only one option which works is to disable the signature.

Any more ideas?

Regards

Mariusz

416
Views
3
Helpful
7
Replies