Can anyone help me? I am facing a strange issue on NSM. I was getting high, low and medium alerts on the NSM IPS report, but suddenly the high severity alarms disappeared from the report. This issue has been persisting for a few days. I have disabled the proxy server on NSM. Can this change cause the high alarms not to be received? Sorry for my bad English.
There are no changes in the signature set that would disable high/medium signatures.
To validate whether it is a reporting issue, kindly check whether the high severity alerts are seen in the attack logs. If yes, look for the same alerts in the report. This should give us clarity on where to investigate.
Also, kindly confirm which report you are generating.
Kindly check this error I am getting in server logs:
[Thread-32004::Top Attacks, ] [logCorId1580290967140] com.intruvert.ruleEngine.DAO.updates.IUS_DAO - Error While Processing the request for url, IOException https://menshen1.intruvert.com/main2.xml, the error is Connection timed out: connect
Can you tell me what the issue is?
Network Security Manager downloads the signature set update from the menshen1.intruvert.com server. From the error, it seems the signature set download is failing because of a connectivity issue between NSM and the download server.
I would suggest you investigate the connectivity between the two devices.
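A small log-driven check for the failure described above, added here as an example (it is not code from the thread or from the NSM product): it parses ems server log lines for the IUS_DAO download error quoted above, extracts the download host and port from the URL, and probes plain TCP reachability to that host so the connectivity question can be answered from the NSM host itself. The message format is taken only from the single quoted line; the regex, the function names and the second sample line are assumptions.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed sample: the ems server log line quoted in the thread, plus one
# ordinary (invented) line so the parser has something to skip.
SAMPLE_LOG = """\
[Thread-32004::Top Attacks, ] [logCorId1580290967140] com.intruvert.ruleEngine.DAO.updates.IUS_DAO - Error While Processing the request for url, IOException https://menshen1.intruvert.com/main2.xml, the error is Connection timed out: connect
[Thread-32005::Top Attacks, ] [logCorId1580290967141] com.intruvert.ruleEngine.DAO.updates.IUS_DAO - Signature set check completed
"""

# Matches the error format seen in the quoted log line; whether other IUS_DAO
# failures use exactly the same wording is an assumption.
ERROR_RE = re.compile(
    r"IUS_DAO - Error While Processing the request for url, "
    r"(?P<exception>\w+) (?P<url>\S+), the error is (?P<message>.+)$"
)


def parse_download_errors(log_text):
    """Return one record per signature-download failure found in log_text."""
    records = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue
        url = m.group("url")
        parsed = urlparse(url)
        records.append({
            "host": parsed.hostname,
            # Fall back to the scheme's default port when the URL has none.
            "port": parsed.port or (443 if parsed.scheme == "https" else 80),
            "url": url,
            "exception": m.group("exception"),
            "message": m.group("message").strip(),
        })
    return records


def tcp_reachable(host, port, timeout=5.0):
    """True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(log_text, probe=tcp_reachable):
    """Map each download server named in the log to its reachability.

    `probe` is injectable so the logic can be exercised offline (e.g. in a test).
    """
    results = {}
    for rec in parse_download_errors(log_text):
        key = (rec["host"], rec["port"])
        if key not in results:
            results[key] = probe(rec["host"], rec["port"])
    return results


if __name__ == "__main__":
    for rec in parse_download_errors(SAMPLE_LOG):
        print(f"download of {rec['url']} failed: {rec['exception']}: {rec['message']}")
    for (host, port), ok in diagnose(SAMPLE_LOG).items():
        print(f"{host}:{port} reachable from this host: {ok}")
```

Run it on the NSM host against the ems server log to see whether the download server answers on TCP at all. A direct TCP probe only reflects the path NSM actually uses when no proxy is configured, which is the situation in this thread after the proxy was disabled; if the download is expected to go through a proxy, the proxy is the hop to test instead.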
I am not getting high severity alerts, so how can I troubleshoot this issue? One more thing: I tested just by running cmd.exe in the browser to check whether the IPS detects it, but when I checked the attack log there was no event seen. Does this mean that either the sensor is not detecting it or it is not being displayed on NSM? What do you suggest to troubleshoot?
For high Sev. alerts not coming:
1. Check the policy to see if they are enabled.
2. If high severity alerts are enabled, then please check whether "Send alert to manager" is enabled or not.
3. Do you see that all high Sev alerts have stopped coming, or have some specific alerts been reduced? If it is a specific alert, it is possible the traffic is no longer seen. We must take a packet capture to confirm this.
For cmd.exe alert not detected:
1. Validate that the policy applied has cmd.exe enabled.
2. Confirm the system used for testing is inline to the Sensor [take a packet capture on the Sensor for the host IP].
3. If the traffic is received, then check the alert status counter via the status command on the Sensor. If the counters are increasing, that implies the Sensor is sending alerts.
4. Now, check on the Manager that the alert is present.