Chapter 14. Troubleshooting Cisco Intrusion Prevention System

Cisco Secure Intrusion Prevention System (IPS) comprises three main components: first, the IPS Sensor, which is the sniffing or inline component of Cisco Intrusion Prevention System; second, the management component of IPS (IPS MC, for example), which is discussed in Chapter 18, "Troubleshooting IDM and IDS/IPS Management Console (IDS/IPS MC)"; and third, a reporting tool (for example, Security Monitor, which is discussed in Chapter 22, "Troubleshooting IEV and Security Monitors"). This chapter focuses on how to troubleshoot issues with the IPS software on the sensor. Because the IPS software implementation is the same on all platforms, namely the Sensor Appliance, the IDSM-2 blade (IDSM stands for Intrusion Detection System Module), the NM-CIDS blade (NM stands for Network Module), and the ASA-SSM (Security Services Module), troubleshooting software issues is the same across these platforms.

First, the chapter discusses the building blocks of IPS and some high-level details of IPS operation, and then it discusses troubleshooting tools and techniques. Once you understand the level of detail required to use these tools and apply these techniques, you will see the main problem-area categories and how to troubleshoot them efficiently and quickly. The chapter then presents a detailed case study on the different capturing techniques on various switches that are needed for IPS to function correctly, and concludes with a section on Best Practices.

