Cisco Systems IPS 7.1 Home Security System User Manual


  Open as PDF
of 1042
 
C-53
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix C Troubleshooting
Troubleshooting the Appliance
If you do not have the event action set to reset, the TCP reset does not occur for a specific signature.
Note TCP Resets are not supported over MPLS links or the following tunnels: GRE, IPv4 in IPv4, IPv6 in
IPv4, or IPv4 in IPv6.
To troubleshoot a reset not occurring for a specific signature, follow these steps:
Step 1 Log in to the CLI.
Step 2 Make sure the event action is set to TCP reset.
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 1000 0
sensor(config-sig-sig)# engine atomic-ip
sensor(config-sig-sig-ato)# event-action reset-tcp-connection|produc-alert
sensor(config-sig-sig-ato)# show settings
atomic-ip
-----------------------------------------------
event-action: produce-alert|reset-tcp-connection default: produce-alert
fragment-status: any <defaulted>
specify-l4-protocol
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
specify-ip-payload-length
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
specify-ip-header-length
-----------------------------------------------
no
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
specify-ip-tos
-----------------------------------------------
--MORE--
Step 3 Exit signature definition submode.
sensor(config-sig-sig-ato)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 4 Press Enter to apply the changes or type no to discard them.
Step 5 Make sure the correct alarms are being generated.
sensor# show events alert
evAlert: eventId=1047575239898467370 severity=medium
originator:
hostId: sj_4250_40
appName: sensorApp
appInstanceId: 1004
signature: sigId=20000 sigName=STRING.TCP subSigId=0 version=Unknown
addr: locality=OUT 172.16.171.19
 previous next