After we were able to do some analysis on the new IPS events (which got to over 100,000 in just a few minutes!), I had to verify these weren’t false positives and then find the culprits. Drilling down, we found that their entire server farm was infested heavily with CnC’s, and only the High Overhead rules found these CnC’s. Those attacks were so well drilled into these servers, they each had thousands of connections, which would explain the bandwidth issue! We immediately started blacklisting these servers and the CPU percentage dropped to less than 10%, and the bandwidth saturation went from 80% to less than 20%!
I had to perform troubleshooting of management traffic exchanged between IPS module in ASA5525-X and management station. I had some communication problems resulting in denied traffic on firewall placed in between (and it’s not the ASA itself). The best option is always sniffing packet headers on either end, as I had no possibility to do it on management station IPS was the next option.
As much as IPS software is limited (and also not clear in configuration approach if you are used to IOS) there is easy option to capture the traffic. You can do it in two ways either by displaying traffic flow on terminal or saving to file. First option is probably best for quick analysis and if you don’t care about payload.
More info: field engineer