how to monitor CISCO IPS

Posted on 2011-10-22
Last Modified: 2012-06-21
ANY IPS Expert$$$$$$$$$$$$$

I am new to Cisco IPS.

While monitoring a Cisco IPS there are a lot of attacks for which very little information is available on the internet,

like "tcp exceeded mss" and others. The point here is how to track these events.
On the Cisco site very little info is available on these kinds of signatures.

What resources can be used to drill down deeper into these signature alerts to find where the issue is?

How can I enhance my analytical skills to deal with IPS traffic events?

Any starting point?

Question by:osloboy

    Expert Comment

    by:Ken Boone CCIE #4649
    Well, first of all you have to take a look at the risk factor.  I don't mean Cisco's arbitrary risk number associated with an attack.  First of all I don't know if your IPS is built into the ASA via the SSM module or whether you are using multiple IPS appliances on your network.   So the first thing you have to do with IPS is to tune it.   The Cisco IPS modules you can turn on from day one and they will block high-risk, no-chance-of-false-positive signatures.  So you get safety immediately - however, there are thousands of other signatures that it will alert on but not block.  The first thing you need to do is to determine what some of these are, like the kind you see 100 of per hour.  Drill down into those and determine what they are, and see what Cisco says causes false positives.  For instance there used to be a signature that would alert whenever someone performed a telnet session to an AS/400.  Well, since in every instance the alert triggered it happened to be from an internal source going to the AS/400, you could tell it was a false positive.  So tune those out - i.e. set an event rule that says if the source is internal and the dest is the AS/400 host and this particular signature is what would normally fire, then don't alert.

    That cuts down on all the garbage.  There are many things that will kick stuff off like that.  Network management apps will fire stuff all the time.  The way some websites with backend SQL servers act sometimes fires stuff all the time.  The key is, when you have these scenarios you need to tune it.  In many cases you have to go to the source machine if it's internal and examine it, find out what the user is doing - a lot of times they don't know.  In some cases it turns out to be certain apps that the user needs.  You do this for all the signatures that fire over and over or multiple times a day.  

    If a signature fires 1 time that you have never seen before, and Cisco arbitrarily deems it as a low risk, and if you see that it is in the category of reconnaissance, don't waste your time on it.  Chalk it up as an anomaly.  If however you are a full-time IPS analyst - which most companies do not have - then you can dig deeper into each and every attack signature that gets fired.  

    In some cases you will see an attack that can only be used against a Linux server.  Well, if all you have are Windows servers - don't worry about it.

    This is something that you just kind of have to get a feel for.  What digging into each signature will do is force you to learn TCP and UDP at a much, much deeper level, which is always a good thing.  Most companies don't have time to get to that level.  I am a consultant and I have installed this in many places.  There is only 1 entity I know of that uses it in the fashion where they track EVERY incident.  They have a department dedicated to this though, and of course it is a govt entity.

    Hope that helps.

    Author Comment

    bravo, thanks.

    I have a very small network and my perimeter defenses are as  


    all Cisco

    My problem:
    1) How to dig deep
    2) How to get more practical info on these signatures
    Do Cisco or other 3rd parties offer any PAID service?

    How can I develop skills, any good reading materials?


    Expert Comment

    by:Ken Boone CCIE #4649
    1) You have to learn TCP/IP in depth - packet header formation, all of the fields, the correct TCP handshake, the TCP teardown, etc.  
    2) On the signatures themselves - well, each vendor seems to have their own names for these signatures as well.  It's really looking at packet analysis and googling the daylights out of stuff, and then doing packet captures with Wireshark if you can re-create the issue.

    Yes, there are 3rd party IPS services who do all of this for you at a monthly cost.  They won't use your IPS but they will install their own IPS appliance that will go inline with your firewall.  They monitor 24x7 and alert you for serious stuff and make changes as necessary.

    I don't have a list of reading material but I imagine you can find a lot via Google.
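Following up on point 1 above, an added example that is not code from the thread or from Cisco: a small TCP header parser in Python that pulls the MSS option out of the SYN and SYN-ACK and then checks later segments against the MSS the receiving side advertised. That is the TCP-level comparison behind a "segment exceeds MSS" style alert such as the one asked about; it is not a description of how Cisco's signature is implemented. The segments are constructed inside the block with a `build_tcp` helper (an assumption of the example, with the checksum left at zero), so it runs offline.

```python
"""
Added example (not from the thread or from Cisco): parse TCP headers, read
the MSS option from the handshake, and flag segments whose payload is larger
than the MSS the peer advertised. Sample segments are constructed below.
"""
import struct

TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_options(raw):
    """Walk the TCP options area (kind, length, data); only MSS is decoded."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        body = raw[i + 2:i + length]
        if kind == TCP_OPT_MSS and len(body) == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        i += length
    return opts


def parse_tcp(segment):
    """Parse the 20-byte fixed header plus options; return fields and payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    flags = off_flags & 0x01FF
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "syn": bool(flags & SYN), "ack_flag": bool(flags & ACK),
        "fin": bool(flags & FIN), "rst": bool(flags & RST),
        "window": win,
        "options": parse_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }


def build_tcp(sport, dport, seq, ack, flags, payload=b"", mss=None):
    """Assumed helper: build a TCP segment for the exercise (checksum left 0)."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss) if mss is not None else b""
    while len(options) % 4:                      # pad options to a 32-bit boundary
        options += bytes([TCP_OPT_NOP])
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (data_offset << 12) | flags, 65535, 0, 0)
    return header + options + payload


def mss_violations(segments):
    """Record the MSS each side advertises in its SYN, then report segments whose
    payload exceeds the MSS advertised by the *receiving* side.
    Returns a list of (segment_index, payload_len, mss_limit)."""
    advertised = {}                              # (sport, dport) -> MSS this side offered
    violations = []
    for idx, seg in enumerate(segments):
        t = parse_tcp(seg)
        if t["syn"] and "mss" in t["options"]:
            advertised[(t["sport"], t["dport"])] = t["options"]["mss"]
        limit = advertised.get((t["dport"], t["sport"]))   # what the receiver asked for
        if limit is not None and len(t["payload"]) > limit:
            violations.append((idx, len(t["payload"]), limit))
    return violations


# Constructed sample flow: client offers MSS 1460, server offers MSS 536.
SAMPLE_SEGMENTS = [
    build_tcp(40000, 80, 1000, 0, SYN, mss=1460),              # 0: client SYN
    build_tcp(80, 40000, 5000, 1001, SYN | ACK, mss=536),      # 1: server SYN-ACK
    build_tcp(40000, 80, 1001, 5001, ACK),                     # 2: handshake complete
    build_tcp(40000, 80, 1001, 5001, ACK | PSH, b"A" * 536),   # 3: exactly at server MSS
    build_tcp(40000, 80, 1537, 5001, ACK | PSH, b"B" * 1400),  # 4: exceeds server MSS 536
    build_tcp(80, 40000, 5001, 2937, ACK | PSH, b"C" * 1460),  # 5: at client MSS, fine
]

if __name__ == "__main__":
    for idx, size, limit in mss_violations(SAMPLE_SEGMENTS):
        print(f"segment {idx}: payload {size} bytes exceeds peer MSS {limit}")
```

Index 4 is the only hit: the client sends 1400 bytes although the server advertised an MSS of 536. Whether that is an attack, a broken middlebox, or a path with mismatched MTUs is exactly the kind of question the thread says you have to answer with a capture, so the parser is a starting point for reading the capture, not a verdict.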

    Author Comment

    It's too confusing sometimes, especially when neither the attacker nor the victim IP address belongs to my network and the IPS shows an ICMP or TCP MSS Exceed message.
    Any idea?

    Searching how to get comfortable with these signatures and understand what's going on.


    Accepted Solution

    If the src and destination are not on your network - don't worry about it.   It's either a broadcast-type packet that hit the outside of the firewall only, or a spoofed packet with no chance of it returning.  The hard part is learning when to just ignore it vs. when to dig in.  There is just no shortcut method to learning this stuff.  It's an area where experience is your best teacher.
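Putting the rules of thumb from this thread together, as an added example that is not code from the thread or from Cisco: a Python script that sorts a batch of alerts the way the comments above suggest. Alerts where neither address is on your network go into an "ignore" bucket per the accepted answer; signatures that fire repeatedly are reported with their attacker and victim sets so you can see whether an event rule scoped on source and destination would cover them, as in the AS/400 telnet case from the first answer; a single low-risk hit goes to "anomaly"; everything else is left for a person. The alert records and the local prefixes are constructed for the example in a simplified pipe-separated form, not Cisco's real alert format, and the signature names are placeholders.

```python
"""
Added example (not from the thread or from Cisco): first-pass triage of IPS
alerts. The records below are constructed in a simplified pipe-separated
form, not Cisco's alert format, and the signature names are placeholders.
"""
import ipaddress
from collections import Counter

# Assumed local address space for the example; replace with your own prefixes.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "203.0.113.8/29")]

# Constructed sample alerts (header row, then one alert per line).
SAMPLE_ALERTS = """\
ts|signature|attacker|victim|risk
2011-10-22T08:00:01|tcp exceeded mss|198.51.100.7|198.51.100.200|25
2011-10-22T08:00:05|tcp exceeded mss|198.51.100.7|198.51.100.200|25
2011-10-22T08:00:09|icmp echo request|198.51.100.9|192.0.2.44|10
2011-10-22T08:01:10|icmp echo request|192.168.10.5|192.168.10.1|10
2011-10-22T08:01:11|icmp echo request|192.168.10.5|192.168.10.2|10
2011-10-22T08:01:12|icmp echo request|192.168.10.5|192.168.10.3|10
2011-10-22T08:01:13|icmp echo request|192.168.10.5|192.168.10.4|10
2011-10-22T08:02:00|telnet session|192.168.10.20|192.168.10.9|35
2011-10-22T08:02:30|telnet session|192.168.10.21|192.168.10.9|35
2011-10-22T08:02:45|telnet session|192.168.10.22|192.168.10.9|35
2011-10-22T08:03:00|recon probe|198.51.100.30|203.0.113.10|20
2011-10-22T08:04:00|exploit attempt|198.51.100.31|192.168.10.9|90
"""


def is_local(ip, nets=LOCAL_NETS):
    """True if the address falls inside one of our prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_alerts(text):
    """Parse the constructed pipe-separated records into dicts."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split("|")
    records = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("|")))
        rec["risk"] = int(rec["risk"])
        records.append(rec)
    return records


def triage(records, nets=LOCAL_NETS, noisy_at=3, low_risk=30):
    """Bucket alerts by the thread's rules of thumb.

    ignore_offnet: neither side is ours (broadcast/spoofed traffic hitting the outside)
    tune:          signatures firing >= noisy_at times, with who/what so a filter can be scoped
    anomaly:       one-off, low-risk hits not worth chasing
    review:        everything else, for a human
    """
    off_net, on_net = [], []
    for rec in records:
        ours = is_local(rec["attacker"], nets) or is_local(rec["victim"], nets)
        (on_net if ours else off_net).append(rec)

    by_sig = Counter(rec["signature"] for rec in on_net)

    tune = []
    for sig, count in by_sig.items():
        if count < noisy_at:
            continue
        hits = [rec for rec in on_net if rec["signature"] == sig]
        tune.append({
            "signature": sig,
            "count": count,
            "attackers": sorted({rec["attacker"] for rec in hits}),
            "victims": sorted({rec["victim"] for rec in hits}),
            # all-internal sources is the AS/400 telnet pattern: scope a filter on source range + victim
            "all_internal_sources": all(is_local(rec["attacker"], nets) for rec in hits),
        })
    tune.sort(key=lambda t: -t["count"])

    anomaly, review = [], []
    for rec in on_net:
        if by_sig[rec["signature"]] >= noisy_at:
            continue  # handled as a tuning question, not alert by alert
        if by_sig[rec["signature"]] == 1 and rec["risk"] < low_risk:
            anomaly.append(rec)
        else:
            review.append(rec)

    return {"ignore_offnet": off_net, "tune": tune, "anomaly": anomaly, "review": review}


if __name__ == "__main__":
    result = triage(parse_alerts(SAMPLE_ALERTS))
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
    for t in result["tune"]:
        print(f"  tune {t['signature']}: {t['count']} hits, sources {t['attackers']}, victims {t['victims']}")
```

The thresholds are arbitrary; the count that justifies an event rule depends on your own volume. Keep the off-net bucket in the report rather than dropping it silently, so a sudden change in its size still gets noticed even though the individual alerts are not worth chasing.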
