Cisco Support Community
Community Member

SSM-10 - Not seeing many events


I have set up an IPS module SSM-10 on my ASA 5510 firewalls. I have been testing the module in Promiscuous mode in one environment and In-line on another (very little traffic). I also set up the service rule in the ASA to forward alerts to the IPS module.

I rarely see any events fire on our IPS modules at all. If I turn on the SigID: 2000 (ICMP) I can see them trigger in the logs; when this ICMP "test rule" is turned off, I rarely get events (only the odd SQL query in HTTP, SigID 5474).


My IPS modules are 'healthy' with regular signature updates, Sig Version 810.0:


I've enabled the interface (on all modules) and set actions based on severity:


During a normal day I can expect to see one or two "SQL query" events, but nothing else:

I ran a test by turning on the ICMP rule in signatures and got a lot of events, so I think it's "working":

Being the pessimist I am, I can't bring myself to believe that my network is this 'clean'! I think I am missing something.


Do I need to tune every single signature or should I expect to see a lot of events on a default installation? Are there any hints/tips/tricks with setting up the IPS modules I can follow to configure/tune this module?


Any help you can provide will be greatly appreciated!


