Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

Category: Cisco IPS

Meet the Cisco IPS sensor 4200 series, episode 2 – User management

To continue the series I did this video of configuring users to manage IPS sensor – adding/deleting/resetting password/unlocking them. All the configs are being done on CLI.

Meet the Cisco IPS sensor 4200 series, episode 1 – Initial configuration

Some great products get unfair treatment for unclear reasons. One such gear is Cisco IPS sensor 4200 appliance, that while doing its job doesn’t get much attention, fame and even worse proper relation on Cisco.com documentation site. The documentation exists but scarce , examples of configuration – close to none, screenshots – go find. You got the picture – and here comes my humble effort to introduce the sensor to wider audience of this website.
First is the initial configuration using the console. The software used is 6.1 , sensor hardware is IPS 4235 . I am doing the config NOT running built-in #setup dialog.
Enjoy and have a nice day.

Cisco ASA 5500 Series Content Security and Control Security Services Module or just CSC-SSM and how it looks

While the reason for me getting involved with this ASA 5510 module is of less interest (client was getting notification message ” LogServer has recently stopped on InterScan for CSC SSM” , more about that at the end of the post) , the module itself looks cute , so I bring here some output to give you a taste what it is.
General status of the module from ASA CLI prompt.

See that some traffic actually gets redirected to the module.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class global-class
csc fail-open

#show service-policy

Class-map: global-class
CSC: packet sent 324010194
CSC: packet received 359600712

# show module 1 det

Getting details from the Service Module, please wait…
ASA 5500 Series Content Security Services Module-10
Model: ASA-SSM-CSC-10-K9
Hardware version: 1.0
Serial Number: JAF777777
Firmware version: 1.0(11)5
Software version: CSC SSM 6.3.1172.4
MAC Address Range: c333.7333.b333 to c333.7333.b333
App. name: CSC SSM
App. Status: Up
App. Status Desc: CSC SSM scan services are available
App. version: 6.3.1172.4
Data plane Status: Up
Status: Up
HTTP Service: Up
Mail Service: Up
FTP Service: Up
Activated: Yes
Mgmt IP addr:
Mgmt web port: 8443

# show module all

Mod Card Type Model Serial No.
— ——————————————– —————— ———–
0 ASA 5510 Adaptive Security Appliance ASA5510 JMX333333
1 ASA 5500 Series Content Security Services Mo ASA-SSM-CSC-10-K9 JAF333333

Mod MAC Address Range Hw Version Fw Version Sw Version
— ——————————— ———— ———— —————
0 3333.3333.3333 to 3333.3333.3333 2.0 1.0(11)5 8.2(3)
1 3333.3333.3333 to 3333.3333.3333 1.0 1.0(11)5 CSC SSM 6.3.1172.4

Mod SSM Application Name Status SSM Application Version
— —————————— —————- ————————–
1 CSC SSM Up 6.3.1172.4

Mod Status Data Plane Status Compatibility
— —————— ——————— ————-
0 Up Sys Not Applicable
1 Up Up

Now let’s enter the module itself

# session 1

Opening command session with slot 1.
Connected to slot 1. Escape character sequence is ‘CTRL-^X’.

login: cisco
This product contains cryptographic features and is subject to United States
and local country laws governing import, export, transfer and use. Delivery
of Cisco cryptographic products does not imply third-party authority to import,
export, distribute or use encryption. Importers, exporters, distributors and
users are responsible for compliance with U.S. and local country laws. By using
this product you agree to comply with applicable laws and regulations. If you
are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
Trend Micro InterScan for Cisco CSC SSM Setup Main Menu

1. Network Settings
2. Date/Time Settings
3. Product Information
4. Service Status
5. Password Management
6. Restore Factory Default Settings
7. Troubleshooting Tools
8. Reset Management Port Access Control List
9. Ping
10. Exit …

Enter a number from [1-10]:

– Are all services are actually running ?
Enter a number from [1-10]: 4

Service Status

The CSC SSM RegServer service is running
The CSC SSM URLFD service is running
The CSC SSM ScanServer service is running
The CSC SSM HTTP service is running
The CSC SSM FTP service is running
The CSC SSM Notification service is running
The CSC SSM Mail service is running
The CSC SSM GUI service is running
The CSC SSM SysMonitor service is running
The CSC SSM Failoverd service is running
The CSC SSM LogServer service is running
The CSC SSM SyslogAdaptor service is running
The CSC SSM Syslog-ng service is running
The CSC SSM TMCM-Agent service is not enabled
– Troubleshooting information is rather overwhelming

Enter a number from [1-7]: 2

Troubleshooting Tools – Show System Information

1. Show System Information on Screen
2. Upload System Information
3. Return to Troubleshooting Tools Menu

Enter a number [1-3]: 1
Thu Feb 17 08:04:17 IST 2011 (2)

System is : Up

#@ Product Information
Trend Micro InterScan for Cisco CSC SSM
Version: 6.3.1172.4
Upgrade History: 6.3.1172.4
Engineering Build:
SSM Model: SSM-10
SSM S/N: JAF7777777

#@ Scan Engine and Pattern Information
Virus Scan Engine: 9.2.1012 (Updated: 2010-10-14 07:51:11)
Virus Pattern: 7.841.00 (Updated: 2011-02-17 05:51:23)
Spyware/Grayware Pattern: 1.151.00 (Updated: 2011-02-17 06:51:20)
AntiSpam Engine: 6.5.1024 (Updated: 2010-10-14 07:51:54)
AntiSpam Rule: 17960 (Updated: 2011-02-16 16:53:55)
IntelliTrap Pattern: 0.151.00 (Updated: 2011-02-01 09:07:20)
IntelliTrap Exception Pattern: 0.631.00 (Updated: 2011-02-15 08:51:15)

#@ License Information
Product:Base License
License profile host info check OK.
Activation Code:PX-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Expiration date:10/6/2011
Product:Plus License
License profile host info check OK.
Activation Code:PX-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Expiration date:10/6/2011

Daily Node Count: 221
Current Node Count: 85

#@ Kernel Information
Linux ssm #13 PREEMPT Fri Nov 6 06:32:00 PST 2009 i686 unknown

ASDP Driver 1.1(0) is UP:
Total Connection Records: 159623
Connection Records in Use: 156
Free Connection Records: 159467

—— Shared Memory Segments ——–
key shmid owner perms bytes nattch status
0x00003186 4653056 root 666 2621440 1
0x00000000 4456449 root 600 16 2 dest
0x00000000 4620290 root 600 1000000 1 dest
0x00000000 4685827 root 600 1048576 1 dest
0x00000000 4718596 root 600 1048576 1 dest
0x00000000 4325381 isvw 600 24632 22 dest

Continue reading

Cisco IPS sensor – initial setup

UPDATE 2011 – I started a video walkthrough series on configuring IPS .END OF UPDATE
Hello everyone. . I will be posting all the things I learn about this gear, even the basics as I noted that on the Internet Cisco IPS sensors
are not much talked about and while not sure why this is so, I’ll try to fill the gap.In all cases I am using CIsco IPS sensor 4235 unless specified otherwise

Initial Configuration.
By default , out of the box the sensor has the following defaults:

Management IP:
Default gateway: Allowed access: from the network
Telnet access: disabled
HTTPS: port 443

As most likely your network has different network address the first thing to do is change management IP, default gateway and allowed management access network(s)/IP. You do so by connecting with console to it .
You can configure these basic network settings in 2 ways: enter all the configuration commands on CLI (if you know them) or run interactive menu-type setup by issuing on the CLI: #setup . I’ll show both ways but let’s start with the setup menu.
A short remark – IPS sensor is the one of not so many devices in the Cisco family that configuring/managing/communicating with it using its GUI interface is the recommended and preferred way . It is much more intuitive, simple, produces the very same configuration at the device as done in CLI. The only time you may need to do stuff with CLI is initial setup and debug.

Configuring minimal required settings through setup menu:

  1. Connect to the device by terminal
  2. enter default user/password: cisco/cisco (or see the documentation coming with the device);
  3. run:
    sensor# setup

– First you are presented with the whole configuration currently set, just hit Space key until it reaches the end and asks whether you want to enter the setup dialog , print yes and Enter:

Continue with configuration dialog?[yes]:     
Enter host name[sensor]: IPS4235  Here I set hostname to IPS4235
Enter IP interface[,]:,   Pay attention to the syntax of specifying the management IP its subnet mask and default gateway
Enter telnet-server status[disabled]: enable     I say yes here but you are advised to say no on production devices
Enter web-server port[443]:         Default https listening port
Modify current access list?[no]: yes
Current access list entries:
  No entries
Permit:                 I allow management access to the device form this specific station 
Permit:                       Hit Enter to move to the next menu item
Modify system clock settings?[no]: no
Modify summer time settings?[no]: no
Modify system timezone?[no]: no
Modify interface/virtual sensor configuration?[no]: no
Modify default threat prevention settings?[no]: 
------cut here------------
exit exit 

Upon finishing all the menu items in the dialog you are presented with the configuration you just entered :

The following configuration was entered. 
service host 
host-name IPS4235 
telnet-option enabled 
ftp-timeout 300 
no login-banner-text 
summertime-option disabled 
ntp-option disabled 
service web-server port 443 

At the end of the output you are given the following choices:

[0] Go to the command prompt without saving this config. 
[1] Return back to the setup without saving this config. 
[2] Save this configuration and exit setup. 
 Enter your selection[2]:   2 

Then device asks to reboot in order for the changes to take effect – confirm that.
After reboot you may enter the sensor using supported browser by the management IP:
Also make sure the station you are connecting from has Java virtual machine installed as the GUI is entirely based on it.

© 2016 yurisk.info

Theme by Anders NorenUp ↑