Not receiving IPS events on your FMC, or not sure you are receiving all of them? In this blog post, I’ll discuss the detection_engines directory and the sftunnel and sfdatacorrelator FTD commands.
I know what you’re thinking: “No IPS events! Woo Hoo! I’m in the clear!” But are you? I had one customer tell me, and somehow he was serious: “I’m so good, people are afraid to attack my network!” …uhm, okay, pal.
Unfortunately there is no command we can run on the FTD to show the last day’s (or days’) worth of IPS events. However, we can find out whether the sensor is sending up-to-the-minute events to the FMC by logging into the FTD console and running these commands:
1. Connect to the FTD Management IP address using SSH or console connection.
2. Issue the command: expert
3. Issue the command: sudo su
4. When prompted, enter your password.
5. Issue the command (the UUID is the detection engine ID on this particular sensor; yours will differ):
ls -lha /var/sf/detection_engines/221a35a4-6b7d-11eb-a196-4feda4364b2c/instance-1 | grep bookmark
-rw------- 1 root root 256 Sep 27 20:07 ids_forward.2ef35c00-4ef5
-rw------- 1 root root 256 Sep 27 20:07 ids_forward.a4b236a4-af80-11e7-8fb9-67c1e83311a0.bookmark
-rw-r--r-- 1 root root 16 Sep 14 13:41 snort-unified.log.bookmark.consumer.SSEConnector
-rw-r--r-- 1 root root 23 Sep 27 20:04 ssl-certs-unified.log.bookmark.2ef35c00-4ef5-11eb-ba43-3be45e5cf8d0
-rw-r--r-- 1 root root 23 Sep 27 20:04 ssl-certs-unified.log.bookmark.a4b236a4-af80-11e7-8fb9-67c1e83311a0
-some output cut-
…and now we see the bookmark timestamps, which show how recently each consumer forwarded events; they should line up with the latest events on your FMC. If they don’t, restart your “sftunnel” with the following command from expert mode:
pmtool restartbyid sftunnel
Then check again, and if you still don’t have events, restart the sfdatacorrelator with the following commands:
root@<hostname>-Sourcefire3D:/var/sf/user_enforcement# OmniQuery.pl -db mdb -e "select count(*) from rna_client_app_map;"
If that doesn’t work, call Cisco, or upgrade to Palo Alto… no, just kidding! :)
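If you want to run the bookmark check from step 5 as a quick script rather than eyeballing the ls output, here is an added example (my own script, not something shipped on the FTD or from this post). It lists every file whose name contains “bookmark” in an instance directory, compares each file’s modification time against a maximum age you choose, and returns a non-zero status if any bookmark has gone stale. It assumes GNU coreutils (stat -c and touch -d), which is what the FTD’s Linux base provides; the demo at the bottom builds a constructed instance directory under a temp path with placeholder UUIDs, so nothing here touches /var/sf.

```bash
#!/bin/bash
# Added example (not from the original post): report which unified-log bookmark
# files under a detection-engine instance directory have gone stale.
# Assumes GNU coreutils (stat -c, touch -d).

# check_bookmarks DIR MAX_AGE_SECONDS
# Prints one line per *bookmark* file in DIR and returns:
#   0 = every bookmark was modified within MAX_AGE_SECONDS
#   1 = at least one bookmark is older than MAX_AGE_SECONDS
#   2 = no bookmark files found (wrong path, or the engine never wrote any)
check_bookmarks() {
  dir="$1"
  max_age="${2:-300}"
  now=$(date +%s)
  found=0
  stale=0
  for f in "$dir"/*bookmark*; do
    [ -e "$f" ] || continue          # glob matched nothing
    found=1
    mtime=$(stat -c %Y "$f")
    age=$((now - mtime))
    if [ "$age" -gt "$max_age" ]; then
      echo "STALE  ${age}s  $f"
      stale=1
    else
      echo "ok     ${age}s  $f"
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "no bookmark files under $dir"
    return 2
  fi
  return "$stale"
}

# demo: builds a constructed instance directory in a temp dir (sample file
# names only; the UUIDs are placeholders, not real engine ids) and runs the check.
demo() {
  tmp=$(mktemp -d)
  inst="$tmp/instance-1"
  mkdir -p "$inst"
  now=$(date +%s)
  # fresh bookmark: this consumer is keeping up
  touch -d "@$now" "$inst/ids_forward.00000000-0000-0000-0000-000000000001.bookmark"
  # bookmark last touched 10 minutes ago: this consumer has fallen behind
  touch -d "@$((now - 600))" "$inst/ssl-certs-unified.log.bookmark.00000000-0000-0000-0000-000000000001"
  # a unified log segment, not a bookmark: ignored by the check
  touch "$inst/unified.log.1695845000"
  check_bookmarks "$inst" 300
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Real-world use on a sensor (hypothetical path, substitute your engine UUID):
#   check_bookmarks /var/sf/detection_engines/<engine-uuid>/instance-1 300
demo
```

Pick the maximum age per consumer rather than one value for everything: a bookmark only advances when that consumer reads the unified log, so a consumer that is idle by design (the SSEConnector bookmark in the ls output above is two weeks older than the others) will show as stale without anything being wrong, while the ids_forward bookmarks on a busy sensor should move every few minutes.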