Cisco IPS 4200 Series Sensors

This document answers the most Frequently Asked Questions (FAQs) related to Cisco Secure Intrusion Detection System (IDS) 4.0, Cisco Intrusion Prevention System (IPS) 5.0 and later.

A. In order to solve this issue, use default password (cisco) two times and then change the password from the config mode. The IDS requires the default password to be entered twice.

For example:

login:cisco 
Password:cisco
Enter current password:cisco
Enter new password: *** 
Re-enter new password: *** 

A. No, RADIUS is not supported for sensor login authentication.

A. Block host blocks all packets from that source address. Block connection only blocks the one connection based on source and destination IP/port. The PIX works in a slightly different manner. For automatic shuns, the Sensor sends the source IP, destination IP, source port, and destination port. The PIX blocks all packets that originate from that IP address. The additional information is used by the PIX to remove that one connection from its connection tables. If the connection has not been removed from the connection table, then it is theoretically possible that if the shun is removed shortly after it is applied, then the original connection might not have timed out yet. This allows the attacker to continue the attack on the original connection. The removal of the connection from the table ensures that the original connection cannot be used to continue the attack after the shun is removed. The Sensor cannot shun a single connection on the PIX because the PIX does not support the use of the shun command in order to shun a single connection. The PIX shun command always shuns the source address regardless of whether or not the additional connection information is provided.

A. This error means that your default gateway is incorrect or a generic error message that means that either the IP, netmask, or default gateway are incorrect. The Fatal part of the message means that after the first failure, the previous configuration was applied and also failed. The Sensor issues ifconfig and route commands and one or both of them fails.

A. This issue might be the auto update feature, which does not work, because it is set to download at an even hour. Try to set the auto update to a random time; even a small offset of eight or night minutes can fix this problem.

In general, the issue is resolved and the Error: http error response: 500 error message is be seen if you change the retrieval time to a non-hourly boundary.

A. In order to resolve this issue, try to reload the sensor or reimage the sensor.

A. Clear the browser cache in order to resolve this issue.

A. In version 6.0, Asymmetric mode on IPS that is configurable using CLI only and not available on GUI. But, in version 6.1 this feature is also available in GUI.

A. Unfortunately, the PIX/ASA is not able to block the skype traffic. Skype has the capacity to negotiate dynamic ports, and to use encrypted traffic. With encrypted traffic, it is virtually impossible to detect it as there are no patterns to look for.

You could eventually use a Cisco IPS (Intrusion Prevention System)/AIP-SSM. It has some signatures that are able to detect a Windows Skype Client that connects to the Skype server to synchronize its version. This is usually done when the client is initiated the connection. When the sensor picks up the initial Skype connection, you can be able to find the person who use the service, and block all connections initiated from their IP address.

A. During a signature update and reconfigurations, sensorApp stops to process packets as it processes the new signatures in the update. The network driver detects that sensorApp has stopped and pulls any new packets from the buffer. So the network driver does different things, which depends on the configuration and sensor model:

Promiscuous Interface—It brings the link down on the interfaces, and brings the link back up once sensorApp starts to monitor again.

Inline Interface or Inline Vlan Pair—It depends on the Bypass setting:

• Bypass Auto—The driver keeps the link up and begins to pass packets through without analysis. It then reverts back to sending the packets through sensorApp once sensorApp starts to monitor again.

• Bypass Off—The driver brings the link down on the interfaces, which is the same as in promiscuous mode, and brings them back up once sensorApp starts to monitor again.

So, if sensor app does not pull packets from the buffer, which possibly occurs because there is no interface configured to process packets, then the driver can put the interface in a down state.

A. No, the sensor does not maintain a password history. Passwords are not viewable at any time.

A. No.

A. The local event of the sensor stores only 30 MB and begins to overwrite itself once the 30 MB limit is reached. This limit is non-configurable.

A. Use the STRING.TCP in order to write a signature that detects the attachment. Look for something similar to this:

Engine STRING.TCP 
Enabled True 
Severity informational 
AlarmThrottle Summarize 
CapturePacket False 
Direction ToService 
MinHits 1 
Protocol =TCP 
RegexString [Ff][Ii][Ll][Ee][Nn][Aa][Mm][Ee][=]["][Ff][Oo]
             [Tt][Oo][a-zA-Z][.][Zz][Ii][Pp]["] 
ResetAfterIdle 15 
ServicePorts 25 
StorageKey =STREAM

A. Issue these commands:

configure terminal
service host
networkParams
ftpTimeout 300 <timeout is in seconds>

A. In order to solve this error message, choose Control Panel > Admin Tools > Services and restart IME services.

A. In order to solve this error message, verify that correct IP address is used when you add IPS in IME and also check any software firewall that is running on IME computer, which can block the connection.