how to monitor CISCO IPS

Posted on 2011-10-22
Medium Priority
Last Modified: 2012-06-21
ANY IPS Expert$$$$$$$$$$$$$

I am new to CISCO IPS.

While monitoring a CISCO IPS there are a lot of attacks about which very little information is available on the internet,

like "tcp exceeded mss" and others. The point here is how to track these events.
On the Cisco site very little info is available on these kinds of signatures.

What resources can be used to drill down deeper into these signature alerts to find where the issue is?

How to enhance analytical skills to deal with IPS traffic events?

Any starting point?

Question by:osloboy
LVL 25

Expert Comment

by:Ken Boone
ID: 37012156
Well first of all you have to take a look at the risk factor.  I don't mean Cisco's arbitrary risk number associated to an attack.  First of all I don't know if your IPS is built in to the ASA via the SSM module or rather you are using multiple IPS appliances on your network.   So the first thing you have to do with IPS is to tune it.   The Cisco IPS modules you can turn on from day one and it will block high risk - no chance of false positive signatures.  So you get safety immediately - however, there are thousands of other signatures that it will alert on but not block.  The first thing you need to do is to determine what some of these are.  Like the kind you see 100 of per hour.  Drill down into those and determine what it is, see what Cisco says causes false positives.  For instance there used to be a signature that would alert whenever someone performed a telnet session to an AS/400.  Well since in every instance the alert triggered it happened to be from an internal source going to the AS/400 you could tell it was a false positive.  So tune those out - i.e. set an event rule that says if the source is internal and the dest is the host AS/400 and this particular signature is what would normally fire, then don't alert.

That cuts down on all the garbage.  There are many things that will kick stuff off like that.  Network management apps will fire stuff all the time.  The way some websites with backend SQL servers act sometimes fires stuff all the time.  The key is when you have these scenarios you need to tune it.  In many cases you have to go to the source machine if it's internal and examine it, find out what the user is doing - a lot of times they don't know.  In some cases it turns out to be certain apps that the user needs.  You do this for all the signatures that fire over and over or multiple times a day.

If a signature fires 1 time that you have never seen before and Cisco arbitrarily deems it as a low risk, and if you see that it is in the category of reconnaissance don't waste your time on it.  Chalk it up as an anomaly.  If however you are a full time IPS analyst - which most companies do not have - then you can dig deeper into each and every attack signature that gets fired.

In some cases you will see an attack that can only be used against a Linux server.  Well if all you have are Windows servers - don't worry about it.

This is something that you just kind of have to get a feel for.  What digging into each signature will do is force you to learn TCP, UDP at a much much deeper level which is always a good thing.  Most companies don't have time to get to that level.  I am a consultant and I have installed this in many places.  There is only 1 entity I know of that uses it in the fashion where they track EVERY incident.  They have a department dedicated to this though and of course it is a govt entity.

Hope that helps.

Author Comment

ID: 37012228
Bravo, thanks.

I have a very small network and the perimeter defenses are as follows:


all Cisco

My problem:
1) how to dig deep
2) how to get more practical info on their signatures
Do Cisco or other 3rd parties offer any PAID service?

How can I develop skills, any good reading materials?

LVL 25

Expert Comment

by:Ken Boone
ID: 37013030
1) You have to learn TCP/IP in depth - packet header formation - all of the fields, the correct TCP handshake, the TCP tear down, etc.
2) On the signatures themselves - well each vendor seems to have their own names for these signatures as well.  It's really looking at packet analysis and googling the daylights out of stuff and then doing packet captures with Wireshark if you can re-create the issue.

Yes there are 3rd party IPS services who do all of this for you at a monthly cost.  They won't use your IPS but they will install their own IPS appliance that will go inline to your firewall.  They monitor 24x7 and alert you for serious stuff and make changes as necessary.

I don't have a list of reading material but I imagine you can find a lot via google.

Author Comment

ID: 37014415
It's too confusing sometimes, especially when neither the attacker nor the victim IP address belongs to my network and the IPS shows an ICMP or TCP MSS Exceed message.
Any idea?

Searching for how to get comfortable with these signatures and understand what's going on.

LVL 25

Accepted Solution

Ken Boone earned 1500 total points
ID: 37015712
If the src and destination are not on your network - don't worry about it.   It's either a broadcast type packet that hit the outside of the firewall only or a spoofed packet with no chance of it returning.  The hard part is learning when to just ignore it vs when to dig in.  There is just no short cut method to learning this stuff.  It's an area where experience is your best teacher.
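As an added illustration of the two triage rules given in this thread (the event action filter for the internal-to-AS/400 telnet signature in the first answer, and the "neither side is on your network" rule in the accepted solution), here is a small Python script that is not from the original thread or from Cisco. The address plan (10.1.2.0/24 internal, 10.1.2.5 as the AS/400), the sample alerts and the signature labels are all constructed assumptions, not real Cisco signature IDs; it sorts a batch of alerts into ignore, tuned-out and review buckets and flags the signatures that fire often enough to be worth tuning next.

```python
import ipaddress
from collections import Counter

# Constructed sample alerts (signature name, source IP, destination IP).
# Signature names are illustrative labels, not Cisco signature IDs.
SAMPLE_ALERTS = [
    ("TCP MSS Exceeded", "203.0.113.7", "198.51.100.9"),   # neither side is ours
    ("ICMP Echo Request", "203.0.113.8", "198.51.100.9"),  # neither side is ours
    ("Telnet to AS/400", "10.1.2.15", "10.1.2.5"),         # internal -> AS/400
    ("Telnet to AS/400", "10.1.2.16", "10.1.2.5"),         # internal -> AS/400
    ("Telnet to AS/400", "203.0.113.20", "10.1.2.5"),      # external -> AS/400
    ("Net Mgmt Probe", "10.1.2.2", "10.1.2.30"),           # management app noise
    ("Net Mgmt Probe", "10.1.2.2", "10.1.2.31"),
    ("Net Mgmt Probe", "10.1.2.2", "10.1.2.32"),
    ("Linux-only Exploit", "203.0.113.30", "10.1.2.40"),
]

# Assumed address plan: 10.1.2.0/24 is the internal network, 10.1.2.5 the AS/400.
INTERNAL_NETS = [ipaddress.ip_network("10.1.2.0/24")]
AS400 = ipaddress.ip_address("10.1.2.5")

# Event action filters in the shape the answer describes: if the source is
# internal, the destination is the AS/400 and this signature fires, don't alert.
FILTERS = [("Telnet to AS/400", "internal", AS400)]
NOISY_THRESHOLD = 3  # a signature at or above this count is a tuning candidate

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def matches_filter(sig, src, dst):
    """True if an event action filter says this alert should be suppressed."""
    for f_sig, f_src, f_dst in FILTERS:
        if sig == f_sig and ipaddress.ip_address(dst) == f_dst:
            if f_src == "internal" and is_internal(src):
                return True
    return False

def triage(alerts):
    """Split alerts into off-net (ignore), tuned-out and review; list noisy sigs."""
    buckets = {"off_net": [], "tuned_out": [], "review": []}
    for sig, src, dst in alerts:
        if not is_internal(src) and not is_internal(dst):
            buckets["off_net"].append((sig, src, dst))   # accepted-solution rule
        elif matches_filter(sig, src, dst):
            buckets["tuned_out"].append((sig, src, dst))
        else:
            buckets["review"].append((sig, src, dst))
    counts = Counter(sig for sig, _, _ in buckets["review"])
    return buckets, [s for s, n in counts.items() if n >= NOISY_THRESHOLD]
```

Running `triage(SAMPLE_ALERTS)` leaves five alerts for review and names the management-probe signature as the next one to investigate and tune, while the external telnet to the AS/400 stays in the review bucket because the filter only suppresses internal sources.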

Author Closing Comment

ID: 37020085
