Community Member

IPS-SSM Module for 5585 - Configuration Assistance

We have this set up in a standard topology (Internet > ISP Router > ASA/IDS > Internet Switch).

We are a University.

SSM has been operational for about 4 weeks now. 

Was getting LOTS of "worm" events based on no SYN response (tons of them) with the attacker IP being listed as nearly every one of our internal IPs and the victim IP as being 0.0.0.0.

I originally had illegal zone enabled with the default service subnet listed as 0.0.0.0.

I originally had external zone enabled (which I believe was the default).

As every machine we tracked down in the original configuration showed no signs of malware, I began to think false positive or configuration problem or both.

Today I disabled both the illegal zone and the external zone checkboxes and all of that "worm" activity has gone away, and I am still seeing the occasional hit from an outside source to various boxes on the inside (OpenSSL or malformed TLS usually).

So the questions are:

Can someone explain what the effect of enabling or disabling the illegal and external zones is, or possibly send me a sanitized version of the config set up in a similar scenario?

Hope all of this makes sense, as I think I just know enough IDS to be dangerous.
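The triage step the poster did by hand (tracking down each "attacker" host and finding no malware) can be scripted so the suspicious pattern is separated from events worth reviewing. The following is an added example, not code from the post or from Cisco: it parses constructed key=value event records (the field names, signature numbers and addresses are assumptions, not real IPS output) and buckets events where an internal "attacker" is paired with victim 0.0.0.0 as likely zone or subnet misconfiguration, while keeping external-to-internal events for review. The internal address range is also an assumption.

```python
"""Triage of IPS anomaly-detection 'worm' events (constructed example)."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events in a simplified key=value form. These are NOT
# real Cisco IPS records; the field names (sig, zone, attacker, victim,
# proto, port) and all values are assumptions made for this example.
SAMPLE_EVENTS = """\
sig=13002 zone=illegal attacker=10.20.5.14 victim=0.0.0.0 proto=tcp port=445
sig=13002 zone=illegal attacker=10.20.7.201 victim=0.0.0.0 proto=tcp port=445
sig=13002 zone=external attacker=10.20.9.33 victim=0.0.0.0 proto=tcp port=135
sig=13002 zone=external attacker=10.20.5.14 victim=0.0.0.0 proto=tcp port=135
sig=13003 zone=external attacker=203.0.113.77 victim=10.20.1.10 proto=tcp port=443
sig=13003 zone=external attacker=198.51.100.5 victim=10.20.1.10 proto=tcp port=443
"""

# Assumed address space of the protected (internal) network.
INTERNAL_NETS = [ip_network("10.20.0.0/16")]


def parse_event(line):
    """Parse one 'key=value key=value ...' line into a dict; skip blanks."""
    line = line.strip()
    if not line:
        return None
    ev = dict(field.split("=", 1) for field in line.split())
    ev["port"] = int(ev["port"])
    return ev


def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(ev):
    """Bucket an event for analyst review.

    likely-misconfig : internal 'attacker' with victim 0.0.0.0, the pattern
                       described in the post; an unroutable victim address
                       points at zone/subnet settings rather than a worm.
    inbound-review   : external source to an internal host; keep and review.
    other            : everything else (e.g. internal-to-internal).
    """
    attacker_internal = is_internal(ev["attacker"])
    victim = ev["victim"]
    if victim == "0.0.0.0" and attacker_internal:
        return "likely-misconfig"
    if not attacker_internal and is_internal(victim):
        return "inbound-review"
    return "other"


def triage(text):
    """Group events by bucket and count likely-misconfig events per host.

    Returns (buckets, blamed): buckets maps bucket name -> list of events;
    blamed counts likely-misconfig events per internal 'attacker' address,
    i.e. the hosts an analyst would otherwise chase without other evidence.
    """
    buckets = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev:
            buckets[classify(ev)].append(ev)
    blamed = Counter(ev["attacker"] for ev in buckets["likely-misconfig"])
    return dict(buckets), blamed


if __name__ == "__main__":
    buckets, blamed = triage(SAMPLE_EVENTS)
    for name, evs in buckets.items():
        print(f"{name}: {len(evs)} event(s)")
    print("internal hosts flagged only by the 0.0.0.0 pattern:", dict(blamed))
```

If the "likely-misconfig" bucket holds most of the volume and covers many internal hosts, that supports the configuration explanation over a real outbreak; the "inbound-review" bucket is the small set of external-to-internal hits still worth looking at after the zone change.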
