Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Issue with IPS alerts involving Secure Content Accelerator

We have deployed CSS-SCA Secure Content Accelerator to terminate the SSL connectiion from the clients and the traffic between CSS-SCA and servers is HTTP on port/80. Our IPS sensors (deployed in detection mode) see this HTTP traffic and triggers alarms, but the source IP shows up as CSS-SCA device and the destination are our servers as the SSL connection is terminated in SCA. How do we handle this scenario and figure out who the attcker is? We are currently not forwarding logs from CSS-SCA to CW-SIM (Netforensics). Even if I have access to SCA logs, how do I link this alarm to a particular client (external IP)? There could be multiple clients talking to our server at the same time!! Is Cisco MARS SCA aware and can it handle this scenario well by correlating with SCA logs?

1 REPLY
Silver

Re: Issue with IPS alerts involving Secure Content Accelerator

After you have set up a "load definition" for the signature package file to be copied to the idconf, you must configure an IPS rule name. Use this task to configure an IPS rule name and start the IPS configuration.

You can also use this task to configure a Cisco IOS IPS signature location, which tells Cisco IOS IPS where to save signature information.

The configuration location is used to restore the IPS configuration in case the router reboots or IPS is disabled or reenabled. Files, such as signature definition, signature-type definitions, and signature category information, are written in XML format, compressed, and saved to the specified IPS signature location

121
Views
0
Helpful
1
Replies
CreatePlease to create content