Adding Virtual Sensors
Use the virtual-sensor name command in service analysis engine submode to create a virtual sensor. You can create up to four virtual sensors. You assign policies (anomaly detection, event action rules, and signature definition) to the virtual sensor. Then you assign interfaces (promiscuous, inline interface pairs, inline VLAN pairs, and VLAN groups) to the virtual sensor. You must configure the inline interface pairs and VLAN pairs before you can assign them to a virtual sensor.
Note Anomaly detection is disabled by default in IPS 7.1(2)E4 and later. You must enable it to configure or apply an anomaly detection policy. Enabling anomaly detection results in a decrease in performance.
The following options apply:
- http-advanced-decoding {true | false} —Enables deeper inspection of HTTP traffic. The default is disabled. Valid for IPS 7.1(5)E4 and later.
Note HTTP advanced decoding is supported on the IPS 4345, IPS 4360, IPS 4510, IPS 4520, ASA 5585-X IPS SSP, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP, and ASA 5555-X IPS SSP.
Caution Enabling HTTP advanced decoding severely impacts system performance.
- anomaly-detection —Specifies the anomaly detection parameters:
– anomaly-detection-name name —Specifies the name of the anomaly detection policy.
– operational-mode —Specifies the anomaly detection mode (inactive, learn, detect).
- description —Description of the virtual sensor.
- event-action-rules —Specifies the name of the event action rules policy.
- inline-TCP-evasion-protection-mode —Lets you choose which type of normalization you need for traffic inspection:
– asymmetric —Specifies that the sensor can only see one direction of bidirectional traffic flow. Asymmetric mode protection relaxes the evasion protection at the TCP layer.
Note Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of traffic to be seen.
– strict —Specifies that if a packet is missed for any reason, all packets after the missed packet are not processed. Strict evasion protection provides full enforcement of TCP state and sequence tracking.
Note Any out-of-order packets or missed packets can produce Normalizer engine signatures 1300 or 1330 firings, which try to correct the situation, but can result in denied connections.
Note For the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP), normalization is performed by the adaptive security appliance and not the IPS.
- inline-TCP-session-tracking-mode —Enables an advanced method used to identify duplicate TCP sessions in inline traffic. The default is virtual sensor, which is almost always the best choice.
– virtual-sensor —Specifies that all packets with the same session key (AaBb) within a virtual sensor belong to the same session.
– interface-and-vlan —Specifies that all packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) and on the same interface belong to the same session. Packets with the same key but on different VLANs or interfaces are tracked independently.
– vlan-only —Specifies that all packets with the same session key (AaBb) in the same VLAN (or inline VLAN pair) regardless of the interface belong to the same session. Packets with the same key but on different VLANs are tracked independently.
Note The ASA IPS modules, (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support the inline TCP session tracking mode.
- signature-definition —Specifies the name of the signature definition policy.
- logical-interfaces —Specifies the name of the logical interfaces (inline interface pairs).
- physical-interfaces —Specifies the name of the physical interfaces (promiscuous, inline VLAN pairs, and VLAN groups):
– subinterface-number —Specifies the physical subinterface number. If the subinterface-type is none, the value of 0 indicates the entire interface is assigned in promiscuous mode.
- no —Removes an entry or selection.
Adding a Virtual Sensor
To add a virtual sensor, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter service analysis mode.
sensor# configure terminal
sensor(config)# service analysis-engine
Step 3 Add a virtual sensor.
sensor(config-ana)# virtual-sensor vs1
Step 4 Add a description for this virtual sensor.
sensor(config-ana-vir)# description virtual sensor 1
Step 5 Assign an anomaly detection policy and operational mode to this virtual sensor.
sensor(config-ana-vir)# anomaly-detection
sensor(config-ana-vir-ano)# anomaly-detection-name ad1
sensor(config-ana-vir-ano)# operational-mode learn
Step 6 Assign an event action rules policy to this virtual sensor.
sensor(config-ana-vir-ano)# exit
sensor(config-ana-vir)# event-action-rules rules1
Step 7 Assign a signature definition policy to this virtual sensor.
sensor(config-ana-vir)# signature-definition sig1
Step 8 Enable HTTP advanced decoding.
sensor(config-ana-vir)# http-advanced-decoding true
Caution Enabling HTTP advanced decoding severely impacts system performance.
Step 9 Assign the inline TCP session tracking mode. The default is virtual sensor mode, which is almost always the best option to choose.
sensor(config-ana-vir)# inline-TCP-session-tracking-mode virtual-sensor
Step 10 Assign the inline TCP evasion protection mode. The default is strict mode, which is almost always the best option to choose.
sensor(config-ana-vir)# inline-TCP-evasion-protection-mode strict
Step 11 Enable HTTP advanced decoding.
sensor(config-ana-vir)# http-advanced-decoding true
Step 12 Display the list of available interfaces.
sensor(config-ana-vir)# physical-interface ?
GigabitEthernet0/0 GigabitEthernet0/0 physical interface.
GigabitEthernet0/1 GigabitEthernet0/1 physical interface.
GigabitEthernet2/0 GigabitEthernet0/2 physical interface.
GigabitEthernet2/1 GigabitEthernet0/3 physical interface.
sensor(config-ana-vir)# physical-interface
sensor(config-ana-vir)# logical-interface ?
Step 13 Assign the promiscuous mode interfaces you want to add to this virtual sensor. Repeat this step for all the promiscuous interfaces that you want to assign to this virtual sensor.
sensor(config-ana-vir)# physical-interface GigabitEthernet0/3
Step 14 Assign the inline interface pairs you want to add to this virtual sensor. You must have already paired the interfaces.
sensor(config-ana-vir)# logical-interface inline_interface_pair_name
Step 15 Assign the subinterfaces of the inline VLAN pairs or groups you want to add to this virtual sensor. You must have already subdivided any interfaces into VLAN pairs or groups.
sensor(config-ana-vir)# physical-interface GigabitEthernet2/0 subinterface-number subinterface_number
Step 16 Verify the virtual sensor settings.
sensor(config-ana-vir)# show settings
-----------------------------------------------
description: virtual sensor 1 default:
signature-definition: sig1 default: sig0
event-action-rules: rules1 default: rules0
-----------------------------------------------
anomaly-detection-name: ad1 default: ad0
operational-mode: learn default: detect
-----------------------------------------------
physical-interface (min: 0, max: 999999999, current: 2)
-----------------------------------------------
subinterface-number: 0 <defaulted>
-----------------------------------------------
inline-TCP-session-tracking-mode: virtual-sensor default: virtual-sensor
-----------------------------------------------
logical-interface (min: 0, max: 999999999, current: 0)
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
Step 17 Exit analysis engine mode.
sensor(config-ana-vir)# exit
Step 18 Press Enter to apply the changes or enter no to discard them.
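The options described above and the show settings output in Step 16 are easy to misread by eye when several virtual sensors exist. The following added example (not part of the Cisco documentation or product) parses a constructed show settings block in the format shown on this page and flags settings that weaken inspection: an evasion protection mode other than strict (which the notes above say relaxes TCP-layer evasion protection), inactive anomaly detection, and a virtual sensor with no interfaces assigned. The sample text and the inline-TCP-evasion-protection-mode line in it are constructed for illustration.

```python
import re

# Constructed sample of `show settings` output for one virtual sensor, in the
# layout this page shows; the evasion-protection line is assumed for the demo.
SAMPLE_SETTINGS = """\
-----------------------------------------------
description: virtual sensor 1 default:
signature-definition: sig1 default: sig0
event-action-rules: rules1 default: rules0
-----------------------------------------------
anomaly-detection-name: ad1 default: ad0
operational-mode: learn default: detect
-----------------------------------------------
physical-interface (min: 0, max: 999999999, current: 2)
-----------------------------------------------
subinterface-number: 0 <defaulted>
-----------------------------------------------
inline-TCP-session-tracking-mode: virtual-sensor default: virtual-sensor
inline-TCP-evasion-protection-mode: asymmetric default: strict
-----------------------------------------------
logical-interface (min: 0, max: 999999999, current: 0)
"""

# "key: value default: x", "key: value default:" (no default) or "key: value <defaulted>"
LINE_RE = re.compile(r"^(?P<key>[A-Za-z0-9-]+): (?P<value>.*?)"
                     r"(?: default: ?(?P<default>\S*)| <(?P<tag>defaulted|protected)>)?$")
# "physical-interface (min: 0, max: 999999999, current: 2)"
COUNT_RE = re.compile(r"^(?P<key>[A-Za-z-]+) \(min: \d+, max: \d+, current: (?P<current>\d+)\)$")

def parse_settings(text):
    """Return ({key: (value, default or None)}, {list_key: current count})."""
    values, counts = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("---"):
            continue                      # separator lines carry no data
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("key")] = int(m.group("current"))
            continue
        m = LINE_RE.match(line)
        if m:
            default = m.group("default")
            if m.group("tag") == "defaulted":
                default = m.group("value")   # value is the default itself
            values[m.group("key")] = (m.group("value"), default or None)
    return values, counts

def review_virtual_sensor(values, counts):
    """Flag settings that weaken inspection, following the notes on this page."""
    findings = []
    mode = values.get("inline-TCP-evasion-protection-mode", ("strict", None))[0]
    if mode != "strict":
        findings.append("evasion protection is %s: TCP-layer evasion protection relaxed" % mode)
    if values.get("operational-mode", ("", None))[0] == "inactive":
        findings.append("anomaly detection operational-mode is inactive")
    if counts.get("physical-interface", 0) + counts.get("logical-interface", 0) == 0:
        findings.append("no interfaces assigned: this virtual sensor inspects no traffic")
    return findings
```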
For More Information
- For the procedure for creating virtual sensors on the ASA 5500 AIP SSM, see Creating Virtual Sensors for the ASA 5500 AIP SSM.
- For the procedure for creating virtual sensors on the ASA 5500-X IPS SSP, see Creating Virtual Sensors for the ASA 5500-X IPS SSP.
- For the procedure for creating virtual sensors on the ASA 5585-X IPS SSP, see Creating Virtual Sensors for the ASA 5585-X IPS SSP.
- For more information on creating and configuring anomaly detection policies, see Working With Anomaly Detection Policies.
- For more information on creating and configuring event action rules policies, see Working With Event Action Rules Policies.
- For more information on creating and configuring signature definition policies, see Working With Signature Definition Policies.
- For more information about normalization, see Normalization and Inline TCP Evasion Protection Mode.
- For more information about inline TCP session tracking mode, see Inline TCP Session Tracking Mode.
- For the procedure for pairing inline interfaces, see Configuring Inline Interface Pairs. Repeat Step 14 for all the inline interface pairs that you want to assign to this virtual sensor.
- For the procedure for pairing and grouping inline VLANs, see Configuring Inline VLAN Pairs and Configuring VLAN Groups. Repeat Step 15 for all inline VLAN pairs or VLAN groups that you want to assign to this virtual sensor.
- For the procedure for enabling anomaly detection, see Enabling Anomaly Detection.
Editing and Deleting Virtual Sensors
You can edit the following parameters of a virtual sensor:
- Signature definition policy
- Event action rules policy
- Anomaly detection policy
Note Anomaly detection is disabled by default in IPS 7.1(2)E4 and later. You must enable it to configure or apply an anomaly detection policy. Enabling anomaly detection results in a decrease in performance.
- Anomaly detection operational mode
- Inline TCP session tracking mode
Note The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support the inline TCP session tracking mode.
- Description
- Interfaces assigned
Editing or Deleting a Virtual Sensor
To edit or delete a virtual sensor, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter analysis engine mode.
sensor# configure terminal
sensor(config)# service analysis-engine
Step 3 Edit the virtual sensor, vs1.
sensor(config-ana)# virtual-sensor vs1
Step 4 Edit the description of this virtual sensor.
sensor(config-ana-vir)# description virtual sensor A
Step 5 Change the anomaly detection policy and operational mode assigned to this virtual sensor.
sensor(config-ana-vir)# anomaly-detection
sensor(config-ana-vir-ano)# anomaly-detection-name ad0
sensor(config-ana-vir-ano)# operational-mode learn
Step 6 Change the event action rules policy assigned to this virtual sensor.
sensor(config-ana-vir-ano)# exit
sensor(config-ana-vir)# event-action-rules rules0
Step 7 Change the signature definition policy assigned to this virtual sensor.
sensor(config-ana-vir)# signature-definition sig0
Step 8 Change the inline TCP session tracking mode. The default is virtual sensor mode, which is almost always the best option to choose.
sensor(config-ana-vir)# inline-TCP-session-tracking-mode interface-and-vlan
Step 9 Display the list of available interfaces.
sensor(config-ana-vir)# physical-interface ?
GigabitEthernet0/0 GigabitEthernet0/0 physical interface.
GigabitEthernet0/1 GigabitEthernet0/1 physical interface.
GigabitEthernet2/0 GigabitEthernet0/2 physical interface.
GigabitEthernet2/1 GigabitEthernet0/3 physical interface.
sensor(config-ana-vir)# physical-interface
sensor(config-ana-vir)# logical-interface ?
Step 10 Change the promiscuous mode interfaces assigned to this virtual sensor.
sensor(config-ana-vir)# physical-interface GigabitEthernet0/2
Step 11 Change the inline interface pairs assigned to this virtual sensor. You must have already paired the interfaces.
sensor(config-ana-vir)# logical-interface inline_interface_pair_name
Step 12 Change the subinterface with the inline VLAN pairs or groups assigned to this virtual sensor. You must have already subdivided any interfaces into VLAN pairs or groups.
sensor(config-ana-vir)# physical-interface GigabitEthernet2/0 subinterface-number subinterface_number
Step 13 Verify the edited virtual sensor settings.
sensor(config-ana-vir)# show settings
-----------------------------------------------
description: virtual sensor A default:
signature-definition: sig0 default: sig0
event-action-rules: rules0 default: rules0
-----------------------------------------------
anomaly-detection-name: ad0 default: ad0
operational-mode: learn default: detect
-----------------------------------------------
physical-interface (min: 0, max: 999999999, current: 2)
-----------------------------------------------
subinterface-number: 0 <defaulted>
-----------------------------------------------
inline-TCP-session-tracking-mode: interface-and-vlan default: virtual-sensor
-----------------------------------------------
logical-interface (min: 0, max: 999999999, current: 0)
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
Step 14 Delete a virtual sensor.
sensor(config-ana-vir)# exit
sensor(config-ana)# no virtual-sensor vs1
Step 15 Verify the deleted virtual sensor. Only the default virtual sensor, vs0, is present.
sensor(config-ana)# show settings
-----------------------------------------------
-----------------------------------------------
max-open-iplog-files: 20 <defaulted>
-----------------------------------------------
-----------------------------------------------
virtual-sensor (min: 1, max: 255, current: 1)
-----------------------------------------------
-----------------------------------------------
description: default virtual sensor <defaulted>
signature-definition: sig0 <protected>
event-action-rules: rules0 <protected>
-----------------------------------------------
anomaly-detection-name: ad0 <protected>
operational-mode: detect <defaulted>
-----------------------------------------------
physical-interface (min: 0, max: 999999999, current: 0)
-----------------------------------------------
-----------------------------------------------
logical-interface (min: 0, max: 999999999, current: 0)
-----------------------------------------------
-----------------------------------------------
Step 16 Exit analysis engine mode.
sensor(config-ana)# exit
Step 17 Press Enter to apply the changes or enter no to discard them.