Issue with IPS alerts involving Secure Content Accelerator

We have deployed CSS-SCA Secure Content Accelerator to terminate the SSL connection from the clients, and the traffic between CSS-SCA and servers is HTTP on port/80. Our IPS sensors (deployed in detection mode) see this HTTP traffic and trigger alarms, but the source IP shows up as the CSS-SCA device and the destinations are our servers, as the SSL connection is terminated in SCA. How do we handle this scenario and figure out who the attacker is? We are currently not forwarding logs from CSS-SCA to CW-SIM (Netforensics). Even if I have access to SCA logs, how do I link this alarm to a particular client (external IP)? There could be multiple clients talking to our server at the same time! Is Cisco MARS SCA-aware, and can it handle this scenario well by correlating with SCA logs?

1 Reply

wong34539
Level 6

After you have set up a "load definition" for the signature package file to be copied to the idconf, you must configure an IPS rule name. Use this task to configure an IPS rule name and start the IPS configuration.

You can also use this task to configure a Cisco IOS IPS signature location, which tells Cisco IOS IPS where to save signature information.

The configuration location is used to restore the IPS configuration in case the router reboots or IPS is disabled or reenabled. Files, such as signature definition, signature-type definitions, and signature category information, are written in XML format, compressed, and saved to the specified IPS signature location.
