I have set up an IPS module SSM-10 on my ASA 5510 firewalls. I have been testing the module in Promiscuous mode in one environment and In-line on another (very little traffic). I also set up the service rule in the ASA to forward alerts to the IPS module.
I rarely see any events fire on our IPS modules at all. If I turn on the SigID: 2000 (ICMP) I can see them trigger in the logs, when this ICMP "test rule" is turned off I rarely get events (only the odd SQL query in HTTP, SigID 5474).
My IPS modules are 'healthy' with regular signature updates, Sig Version 810.0:
I've enabled the interface (on all modules) and set actions based on severity:
During a normal day I can expect to see one or two "SQL query" events, but nothing else:
I ran a test by turning on the ICMP rule in signatures and got a lot of events, so I think it's "working":
Being the pessimist I am, I can't bring myself to believe that my network is this 'clean'! I think I am missing something.
Do I need to tune every single signature, or should I expect to see a lot of events on a default installation? Are there any hints/tips/tricks for setting up the IPS modules I can follow to configure/tune this module?
Any help you can provide will be greatly appreciated!