Cisco IOS IPS - How to manage signatures?

Hello everyone,
I'd like to efficiently tune signatures in IOS IPS on one router, a 1941. Available options I found are:
CLI: not efficient to tune a group of signatures (example: Windows OS)
CCP 2.7 (Windows GUI): best tool I know, but not efficient, since:
a bit bugged (sometimes won't work on some computers)
needs IE9 to work fine, thus excluding its use on W8/W8.1
workaround to use on IE10/IE11 won't always work (one computer refuses to keep compatibility view settings, for example)
not able to efficiently sort signatures, using several criteria (main drawback)
not able to exclude sets of signatures - like compile failed signatures
CCP 2.8: only available in express version. I installed it, but did not see a tab about signature tuning ...
Cisco Security Manager is complete overkill, since it needs a license and a server. Not simple to tune IPS on only one router ;-)
IPS Manager Express: seems a nice tool, but mainly designed for IPS sensors and firewalls, and not able to tune signatures for a router.
So, if one of you has an idea about a tool, whether Cisco or 3rd party, running preferably on Windows, it is very welcome!
Thanks!

Hello Will,
I have only played with the CLI, and with that I was able to selectively enable the signatures I wanted (even using the sub-id identifier), change the action, compile the ones required, etc.
If this is what you are looking for when referring to tuning signatures, the CLI will be fine; if more than that is needed, well, you have all of the software that you could use.
No other software available
Looking for some Networking Assistance? 
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com

Similar Messages

  • Cisco IOS IPS in Cisco 2921/k9 router

    Hi All,
    I have a router of the Cisco 2921 series (C2921/K9), a basic box with the IP Base IOS image (SL-29-IPB-K9 IOS). I would like to enable the IOS-level IPS feature on this router now. Based on the Cisco document I have found, I need to purchase an additional subscription license to enable the IPS feature. My query is:
    Will it be supported on the basic IP Base IOS, or do I need to change the IOS?
    If I need to purchase the subscription license, how can I get the part number and cost for the same?
    Do I need to buy any additional module for this, like (NME-IPS-K9)?
    Thanks in advance for your quick support
    regards
    Sunny

    Hi Sunny
    1. Yes you can enable IPS on IOS with the security license, without buying a subscription, but this would make little sense - new signatures are being released all the time so you would not be protected from recently discovered vulnerabilities/attacks.
    2. Correct, the modules and appliances run a different kind of software and are much more powerful
    3. If you add the module, you do NOT need the security license. It would still be advised to get a subscription license to get signature updates for the module.
    I hope this helps, let us know.
    regards
    Herbert
    jacob.samuel wrote:
    Dear Herbert,
    Thanks a lot for the wonderful post. It clears most of my doubts. Still, I kindly need to know a few more points:
    1) Can't we enable the IPS feature on a 2921/K9 router (with Sec license or 2921Sec/K9 bundle) without a signature subscription license (is it a must? It is for getting updates of signatures and for support only, right?)
    2) I came to know from a distributor pre-sales engineer that Cisco IOS-level Intrusion Protection is not going to provide the full feature set of an IPS like the NME module or IPS appliance. Is that right?
    3) If I add an NME-IPS-K9 module to my 2921 router without enabling the Sec license, can I enable the IPS feature on the router? Or is it a must that I buy the Sec license (SL-29-SEC-K9)?
    Attaching the datasheet of the NME-IPS-K9 module (page 5, above Table 3), which mentions the following:
    "Cisco IOS Software Feature Sets and Release: Table 3 lists the required Cisco IOS feature sets and releases for Cisco IPS AIM and IPS NME on the Cisco 1841, 2800 and 3800 series Integrated Services Routers. Note that IPS NME on the Cisco 2900 and 3900 Integrated Services Routers does not require a Security Feature license."
    In that case, if I buy a module I can install it on the 2921K9 box directly and enable the IPS feature, right? I don't need any license and additional signature subscription here to enable the IPS feature (if I don't need signature updates and support), right?
    Thanks a lot for the support.
    regards
    Sunny

  • Cisco IOS IPS on 2811

    Hi,
    Is it possible to install NM-CIDS-K9 Intrusion module on a Cisco 2811 and run IPS 5.0 on it ? i.e. with similar functionality to a IPS 4200 series appliance.
    From what I understand, you can do the above, but the module will only work as IDS and not as in-line IPS (ability to drop packets etc.)?
    Are there any routers that can have a Network module running in IPS mode to provide the same functionality as IPS appliance (4200 etc) ?
    Is it correct that IOS IPS is only a fraction of the appliance based IPS ?
    Regards \\ Naman

    I am not really sure if there are any routers that can have a Network module running in IPS mode to provide the same functionality as IPS appliance as such, but the module will only work as IDS and not as in-line IPS

  • Cisco IOS IPS ?

    Hi,
    I am currently studying CCSP SNRS by Greg Bastien. I have the following Lab scenario and would like clarification on what I am seeing. I want to verify that my IPS setup is working, so I have run 'angry ip' port/ip address scan at the router. When I use 'sh ip ips statistics' I see 'signature 3051:1 packets checked: [0:1]' which translates to 'TCP Connection Window Size DoS ATOMIC.TCP'.
    Is this signature 3051 an indication that the router has seen the IP scan and considered this a reconnaissance attack? Are there any other ways of verifying the attack?

    Hi,
    If you see signature alert messages, then it means there is a match and IPS fires an alert message, which is the default setting of a signature.
    In your case, it only means that the 3051:1 signature saw one packet matching, so it just recorded the information. For this signature to fire (which means for IPS to identify an attack), it has to check other parameters as well.
    If you look into the details of the definition of this signature, it has global summary threshold and summary interval settings. This means the IPS has to see this signature match, within the summary interval, the number of times defined in the summary threshold; then it will validate a signature match, send an alarm and perform the actions defined in the signature.
    So in your case, it just shows there is a packet matching this signature. You might be able to find more detailed information if you run a sniffer and capture your 'angry ip' traffic sent to the router.
    Thanks,
    -Chris

  • 1841 IOS IPS online updates

    Hi,
    Can we configure 1841 IOS IPS to get automatic signature updates directly from the Cisco site? I know we can do it in other firewalls like SonicWall, Fortigate, etc.
    Regards
    Siva K

    Hi Siva,
    Yes, you can do it from the Cisco Security Manager, or you can try the following:
    Automatic Signature Update Guidelines
    When enabling automatic signature updates, it is recommended that you ensure the following configuration guidelines have been met:
    * The router's clock is set up with the proper relative time.
    * The frequency for Cisco IOS IPS to obtain updated signature information has been defined.
    * The URL from which to retrieve the Cisco IOS IPS signature configuration files has been specified.
    * Optionally, the username and password with which to access the files from the server have been specified.
    SUMMARY STEPS
    1. enable
    2. configure terminal
    3. ip ips auto-update
    4. occur-at min:hour date day
    5. username name password password
    6. url url
    7. exit
    8. show ip ips auto-update
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1079125
    regards
    Yesua

  • IOS IPS/IDS on a BGP Peering Router?

    We have a pair of BGP peerings between our network and our upstream service provider. Since the peering points are geographically distributed and we run a "cold potato" routing policy on our network, we cannot guarantee symmetric routing for traffic exchanged with our upstream service provider.
    Yesterday we followed the bouncing ball through the IPS/IDS setup documentation on a Cisco 2901 running 15.2(4)M3 and acting as a BGP speaking peering router at one of our peering points.  Immediately the router started throwing %IPS-6-SEND_TCP_PAK and %IPS-6-TIMEOUT_EVENT messages in the logs.  We also observed that some upstream service provider web sites became inaccessible to our users.  Turning off IPS/IDS on the 2901 restored connectivity for our users to those web sites.
    Three questions:
    Do the default Cisco IOS IPS/IDS rules assume that the router will see both sides of each TCP session?
    Does the Cisco IOS IPS/IDS TCP stream reassembly assume an attack and send TCP RST frames when it doesn't see both sides of a TCP session?
    Should we move the Cisco IPS/IDS functionality from the BGP-speaking routers at peering points to our customer sites, as the customer sites are the only places in our network guaranteed to see both sides of a given TCP session?  (We already perform NAT on the customer site routers for that reason.)

    Hello Bill,
    1) Yes, there are some normalizer functions on some IOS IPS signatures that will behave like that in these scenarios (asymmetric routing is not something good for any kind of security device).
    2) Yes, it will close the connections. I will definitely need to look for the specific actions regarding that, but you could just check the IOS IPS signature statistics on your router, see which one is triggering the most and then see the action configured for it (and change it if required).
    3) If you cannot change that behavior, then it would be safe to say the router is not a good place to set an IPS or any other kind of firewall configuration, unless you set it with a weaker security policy (useless from a security standards point of view).
    Check my blog at http://laguiadelnetworking.com for further information.
    Cheers,
    Julio Carvajal Segura

  • IOS IPS auto-update

    Hi,
    I have a couple of questions I hope people could answer:
    1) What recommendations/options are available for downloading signature files to an HTTP/TFTP server prior to having the IOS IPS device pull them from the server? Is there a way to automate the HTTP/TFTP server downloading the signatures? (Cron job or such)
    2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
    Hoping someone could answer these or help point me in the right direction to find the answer out.
    regards M

    I found this link, which answers one of my questions.
    Cisco IOS Intrusion Prevention System (IPS)
    Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html

  • IOS IPS and VMS and shunning

    Installed 12.3.14T2 (advanced security) on a 2811 router with the new VMS update to the IDS Management Center (2.1) to support IOS IPS SDEE event monitoring. When I configure a specific signature, there is no option to shun, only alert, block or reset. Where do you configure the dynamic shunning or "local shun action" that seems to be in all the "new features" of the IOS IPS?
    Configuring the signature to block, alert or reset works fine, just no option to shun. Also, the IPS device does not show up in the device list under Monitoring on VMS, even though it shows up as a device on the Monitoring Center Device page.
    Maybe this is where the problem may lie.

    IOS versions before 12.3(14)T support the following actions for IOS IPS:
    - alarm
    - drop (drop just the offending packet)
    - reset (reset tcp connection - works for tcp only)
    Version 12.3(14)T and later (including 12.4 versions) added support for the "local shunning" through two different actions:
    - denyFlowInline
    - denyAttackerInline
    DenyFlowInline creates an ACL that drops all traffic on that connection for a certain idle-timeout.
    DenyAttackerInline creates an ACL that drops all traffic from that source address (including other connections from that source address) for a certain idle-timeout.

  • IOS IPS message

    hi,
    I enabled IOS IPS with SDM v2.4.1, and it shows the following message repeatedly:
    platform: 2821
    IOS: c2800nm-adventerprisek9-mz.124-11.T2.bin
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)
    *Jul 25 06:18:22.831: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)
    I tried it again with the CLI, but there is no message like that.
    Q2:
    I enabled ios_ips basic, retired false and enabled true, but in SDM--ios_ips--basic many signatures were not enabled and were retired true.
    My configuration is as follows:
    ip ips signature-category
     category ios_ips basic
     category all
      retired true
     category ios_ips basic
      retired false
      enabled true
    thanks.

    SDM needs a 12.4(11)T2 or later image to support IOS IPS in the 5.x signature format, due to some issues in IOS.
    For 12.4(11)T1, the best option is to use the CLI for now.
    Also please refer to http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml
    Thanks,
    -Chris

  • IOS IPS SIG Updates via IDSMDC

    When using IDSMSC to push out updates for sensors and IOS IPS devices, the signature update process pushes the updates to the sensors during the update process. However, the IOS IPS devices pull their signature definitions from the server itself.
    So my question is, do you need to "Generate" and "Deploy" to all IOS IPS devices to ensure the devices are updated with the latest signature definitions after the update?
    SHM

    There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
    Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
    SC

  • Problems with adding IOS IPS to IPS MC

    Hi,
    We are having problems in adding Cisco IOS IPS (Running on Cisco 1701,12.3(14)T2) into IPS-MC (Version: 2.1.0).
    The IPS MC is able to create the Trust Point on the Router and the Router is also able to download the IPS-MC certificate chain. However after that the process fails with the error
    ++++++++++++++++++++
    Import of sensor x.x.x.x failed.
    Error : Error importing configuration files from the sensor - Unable to import sensor config from IOS IPS: null
    ++++++++++++++++++++
    Any ideas ?
    Thanks \\ Naman

    I am having the same issue and have had a TAC case open for several days, with 1841s and 2811s, same software and IOS.
    It works with advipservices but not with advsecurity.

  • IOS IPS Restore Deleted Signatures

    I have a router with IOS IPS and manage this using SDM.
    I have deleted a signature from the router and would now like to re-install it.
    Using the SDM import feature, I have looked for the deleted signature in the 256mb.sdf that I've downloaded from the Cisco website. It doesn't appear in the list of signatures. I've tried the attack-drop.sdf and the local IOS sdmips.sdf, but the signature is not listed.
    Does anyone have any idea how I can get it back?
    The deleted signature is 4050 UDP Bomb.
    Thanks

    4050 UDP bomb is a built-in signature within the IOS. Some 100 odd signatures (version dependent) are loaded into the router by default when your IOS has the IDS image. Look under the ATOMIC.UDP signatures for 4050.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm#wp1000985
    You may be able to re-enable your signature using the following command on the CLI.
    "no ip audit signature 4050 disable"
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_d1g.htm#wp1073162

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure IOS IPS to auto-update from cisco.com, which I believe would help.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • Correct procedure to update IOS IPS signatures on 2911 router

    What is the correct procedure to update the IOS IPS signatures on an 2911 router?
    I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
    Thank you in advance!

    The IPS signature package comes with a list of pre-enabled signatures; hence Cisco does not recommend enabling a lot more other signatures, especially not every single signature, as documented.
    The reason is that the package might include retired/old signatures only for reference, and not every single signature is required to protect your environment: you might not have the traffic for some signatures, or you might not have the end hosts that specific signatures are written for, so it becomes irrelevant if you enable them.
    Typically, here is how customers would enable/disable signatures:
    - Use the default signatures that are enabled by Cisco (the default should fit the majority of customers).
    - Monitor it for a couple of months.
    - Disable those that you don't need, and enable others if you think you require them for specific.
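    As an added example (not code from any post in this thread), the following Python script supports the monitor-then-tune approach above and the `show ip ips statistics` reading discussed in the 3051:1 thread: it parses the statistics output, lists signatures that never inspected a packet or that alarmed most, and emits per-signature retire commands. The line shape follows the one quoted in the thread; the trailing "alarmed" field, the meaning of the bracketed pair (two switching-path counters, summed here) and the signature-definition command syntax are assumptions.

```python
import re

# Constructed sample of "show ip ips statistics" output (not captured from a
# real router); the line shape follows the one quoted in the thread. The
# bracketed pair is assumed to be two switching-path counters and is summed.
SAMPLE_STATS = """\
Signature statistics [process switch:fast switch]
  signature 3051:1 packets checked: [0:1]
  signature 2004:0 packets checked: [12:340] alarmed: [0:2]
  signature 5081:0 packets checked: [0:0]
  signature 3041:0 packets checked: [0:18] alarmed: [0:18]
Interfaces configured for ips 1
"""

# "alarmed: [a:b]" is an assumed optional trailing field.
LINE_RE = re.compile(
    r"signature\s+(?P<sig>\d+):(?P<sub>\d+)\s+packets checked:\s*"
    r"\[(?P<c1>\d+):(?P<c2>\d+)\]"
    r"(?:\s+alarmed:\s*\[(?P<a1>\d+):(?P<a2>\d+)\])?"
)


def parse_stats(text):
    """Map (sig-id, subsig-id) -> {"checked": n, "alarmed": n}."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (int(m["sig"]), int(m["sub"]))
        checked = int(m["c1"]) + int(m["c2"])
        alarmed = int(m["a1"] or 0) + int(m["a2"] or 0)
        stats[key] = {"checked": checked, "alarmed": alarmed}
    return stats


def idle_signatures(stats):
    """Signatures that inspected no packets at all: candidates to retire,
    provided the monitoring window was representative of normal traffic."""
    return sorted(k for k, v in stats.items() if v["checked"] == 0)


def noisy_signatures(stats, min_alarms=1):
    """Signatures that alarmed, most frequent first: candidates to review."""
    hits = [k for k, v in stats.items() if v["alarmed"] >= min_alarms]
    return sorted(hits, key=lambda k: (-stats[k]["alarmed"], k))


def retire_commands(sig_keys):
    """Emit per-signature commands that retire the given signatures.
    Syntax assumed from IOS IPS 5.x signature-definition mode (an assumption,
    not taken from the thread); review before pasting into a router."""
    lines = ["ip ips signature-definition"]
    for sig, sub in sig_keys:
        lines += [f" signature {sig} {sub}", "  status",
                  "   retired true", "  exit", " exit"]
    lines.append("exit")
    return "\n".join(lines)


if __name__ == "__main__":
    stats = parse_stats(SAMPLE_STATS)
    print("idle:", idle_signatures(stats))
    print("noisy:", noisy_signatures(stats))
    print(retire_commands(idle_signatures(stats)))
```

    A zero "checked" count only says no packet reached that signature during the window, so a short or atypical monitoring period will under-report signatures that matter.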

  • IOS IPS Signature-File

    Hi Guys,
    We have recently purchased a Cisco ISR 2921, and in its docs it is written that this product has a license for the IOS IPS signature file, but on the product's flash memory there is no IOS IPS sig-file, and when I try to download the sig-file from Cisco, it fails.
    Can anyone tell me an alternate way to download the sig-file?

    900 active signatures is quite a lot for a system that has no dedicated IPS resources.
    But you can control which and how many signatures get enabled on your router:
    In the following example I first retire all signatures and then enable the ones for web servers. So just decide which signatures you need. But don't forget to monitor your router resources.
    gw#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    gw(config)#ip ips signature-category
    gw(config-ips-category)#?
    IPS signature category configuration commands:
      category  Category keyword
      exit      Exit from Category Mode
      no        Negate or set default values of a command
    gw(config-ips-category)#category ?
      adware/spyware                Adware/Spyware (more sub-categories)
      all                           All Categories
      attack                        Attack (more sub-categories)
      configurations                Configurations (more sub-categories)
      ddos                          DDoS (more sub-categories)
      dos                           DoS (more sub-categories)
      email                         Email (more sub-categories)
      instant_messaging             Instant Messaging (more sub-categories)
      ios_ips                       IOS IPS (more sub-categories)
      l2/l3/l4_protocol             L2/L3/L4 Protocol (more sub-categories)
      network_services              Network Services (more sub-categories)
      os                            OS (more sub-categories)
      other_services                Other Services (more sub-categories)
      p2p                           P2P (more sub-categories)
      reconnaissance                Reconnaissance (more sub-categories)
      releases                      Releases (more sub-categories)
      specially_licensed_signature  Specially Licensed Signature (more sub-categories)
      telepresence                  TelePresence (more sub-categories)
      uc_protection                 UC Protection (more sub-categories)
      viruses/worms/trojans         Viruses/Worms/Trojans (more sub-categories)
      web_server                    Web Server (more sub-categories)
    gw(config-ips-category)#category all
    gw(config-ips-category-action)#retire true
    gw(config-ips-category-action)#exit              
    gw(config-ips-category)#category web_server
    gw(config-ips-category-action)#?
    Category Options for configuration:
      alert-severity   Alarm Severity Rating
      enabled          Enable Category Signatures
      event-action     Action
      exit             Exit from Category Actions Mode
      fidelity-rating  Signature Fidelity Rating
      no               Negate or set default values of a command
      retired          Retire Category Signatures
    gw(config-ips-category-action)#retired false
    gw(config-ips-category-action)#exit
    gw(config-ips-category)#exit
    Do you want to accept these changes? [confirm]
    gw(config)#
    gw(config)#exit
    gw#sh ip ips configuration | s IPS Signature Status
    IPS Signature Status
        Total Active Signatures: 131
        Total Inactive Signatures: 4370
    gw#
    I didn't follow the thread and answered your first post to have less line-breaks in this post.
