IOS IPS basics

I'm pretty new to managing IPS. My company is looking at deploying a large number of these and I'm supposed to manage them. I have a few questions:
1. Are the signatures available in the default IOS IPS enough? I fired Retina at an old Red Hat OS, but I find the results from IOS IPS are pretty generic: it detects invalid HTTP traffic over SSL but not the vulnerabilities used, and it does not even detect Nmap non-TCP port scanning.
2. Do you recommend using the default IOS IPS signatures? If not, any recommendations and standards to follow?
3. Any guidance on custom signature development on IOS IPS?
4. Is there any method to manage large numbers of IOS IPS rules/signatures from a single console, so I can push the signatures from a single console to each and every router? If not, is it possible to copy the signature folders over to all the routers to get the same set of signatures on all of them?
I appreciate any useful information. Thanks in advance.

1. The built-in signatures are pretty old and mostly worthless; you may want to disable them and use the latest signature file available for IOS IPS. Memory will be the constraining factor as to how many signatures you can have enabled.
2. The signature defaults are a starting place. You will have to spend time analysing the events to see whether they are false positives (and many will be) and tune them down, or more likely disable them.
3. Each signature engine has a fixed 64MB of memory. Turn on too many within that engine (including your custom sigs) and you won't get any. Watch the console log when enabling IPS to see if your build is failing. Some sigs eat more memory than others.
4. If you have money to burn you can buy Cisco's CSM 3.1; otherwise keep your signature file(s) on an FTP/TFTP/SCP server and copy them to your routers as needed.
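As an added example (not part of the original thread), this is the router-side sequence that the "keep the signature file on an FTP/TFTP/SCP server and copy it as needed" approach boils down to on one router: create the config location, retire everything except the recommended category, load the package, verify the engine build, and archive the generated XML files so the same database can be replicated. The directory name flash:ips, the policy name iosips, the server 10.0.0.5, the credentials, and the package file IOS-S556-CLI.pkg (a name that appears later on this page) are all assumed. It also assumes the Cisco public key (realm-cisco.pub) has already been installed under crypto key pubkey-chain rsa; without it the package fails signature verification and is not loaded.

```cisco
! 1. Directory for the six <ips-name>-sigdef-*.xml / -seap-*.xml files IOS generates
mkdir flash:ips
configure terminal
 ip ips config location flash:ips retries 1
 ip ips name iosips
 ip ips notify SDEE
 ! Start from the Cisco-recommended set: retire everything, un-retire basic.
 ! Order matters; the category processed last wins for a given signature.
 ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
  exit
 exit

! 2. Load the package from the central server (assumed FTP user/host).
!    IOS decompresses it into the XML files and compiles each engine;
!    expect high process CPU for a few minutes while it does so.
copy ftp://ipsuser:secret@10.0.0.5/ips/IOS-S556-CLI.pkg idconf

! 3. Verify: every engine should report ready, and the enabled/retired
!    counts tell you whether an engine ran out of its memory budget
!    (a failed engine build shows up as %IPS-3-* messages on the console).
show ip ips signatures count
show ip ips configuration

! 4. Archive the compiled database (file prefix is the "ip ips name" value,
!    assumed here to be iosips) so a second router can be given the same
!    default, delta, typedef and category files rather than recompiling.
copy flash:ips/iosips-sigdef-default.xml  ftp://ipsuser:secret@10.0.0.5/ips/archive/
copy flash:ips/iosips-sigdef-delta.xml    ftp://ipsuser:secret@10.0.0.5/ips/archive/
copy flash:ips/iosips-sigdef-typedef.xml  ftp://ipsuser:secret@10.0.0.5/ips/archive/
copy flash:ips/iosips-sigdef-category.xml ftp://ipsuser:secret@10.0.0.5/ips/archive/
```

The same `copy ... idconf` line is what you repeat on every other router when you do not have CSM; the only per-router state worth protecting across updates is the delta file, which holds your retired/enabled overrides.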

Similar Messages

  • Which interface to apply IOS IPS

    Hello,
    I have IOS IPS installed on 4 routers on our network at different sites. They are 2911 routers with 2GB RAM, and I am using the latest signatures from Cisco. Everything is working fine. I have enabled the basic signatures. At the moment the IPS policy is only applied to the WAN interface and not the LAN. So in summary:
    interface serial0/0     (wan link)
    ip address x.x.x etc
    ip ips mypolicy in
    ip ips mypolicy out
    exit
    According to Cisco I should not bother applying ip ips mypolicy out on the WAN interface (serial0/0) but should have ip ips mypolicy in on the fa0/0
    LAN interface as well as the serial0/0 interface.
    interface fa0/0          (lan traffic)
    NO IPS POLICY IN HERE AT THE MOMENT
    anyone got experience on this?
    regards
    Kevin

    Hi Kevin,
    I would say that you have done the right thing: since routers are limited in memory we should not enable a lot of signatures, and we should also try to limit the scanning to the traffic that actually needs to be scanned.
    With what you have done, any traffic that is entering or leaving the WAN interface will be scanned.
    Now, if there are more interfaces on your router and you want the traffic between those interfaces to be scanned as well, only in that case should you enable IPS on those interfaces.
    Most of the time it is not needed.
    Regards,
    Sachin

  • IOS IPS Signature description

    I would like to "fine tune" the category ios_ips advanced (or basic) on IOS IPS.
    Clearly the ISR G2 is not able to support as many active/enabled signatures as we'd like, so it would be nice to choose the ones we actually need.
    Does anyone have a table with signature descriptions so one can choose easily?
    I found the web site totally impractical... sorry Cisco guys...
    Please help!

    If you are using IME, there is a way to export a list of signatures. I have done this with the IPS 4255 and it might be the same for IOS IPS.
    Under Configuration, go to Policy -> Signatures -> All Signatures. There is a function to Export the list of signatures, in either HTML or CSV format.

  • IOS IPS configuration

    Hi all,
    I am implementing IOS IPS on a 3800 router, but I am not sure whether, when I enable it, all the TCP sessions already active across the router will be dropped by the inspect (because the IPS never saw when those sessions started).
    Any comments are really appreciated.

    Some clarifications:
    1. The fail-closed option is not configured by default. The default is fail open.
    2. Cisco has recommended signature files (128MB.sdf and 256MB.sdf in the 4.x signature format) and the basic and advanced categories (in the 5.x signature format). These are the recommended starting point when configuring router-based IOS IPS. They have about 300 and 500 signatures respectively.
    3. If configured right, the above two sets of signatures will take about 3 to 5 minutes to load and compile. During the compilation process the process CPU is normally high, but it won't affect data-plane traffic passing through the router.
    Hope this helps,
    -Chris

  • IOS IPS message

    hi,
    I enabled IOS IPS with SDM v2.4.1, and it shows the following message repeatedly:
    platform: 2821
    IOS:c2800nm-adventerprisek9-mz.124-11.T2.bin
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)
    *Jul 25 06:18:22.831: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)
    I tried it again with the CLI, but there was no message like that.
    Q2:
    I enabled ios_ips basic with retired false and enabled true, but in SDM -> ios_ips -> basic many signatures are not enabled and are retired true.
    My configuration is as follows:
    ip ips signature-category
     category ios_ips basic
     category all
      retired true
     category ios_ips basic
      retired false
      enabled true
    Thanks.

    SDM needs a 12.4(11)T2 or later image to support IOS IPS in the 5.x signature format, due to some issues in IOS.
    For 12.4(11)T1, the best option is to use the CLI for now.
    Also please refer http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml
    Thanks,
    -Chris
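As an added example (not from any of the posts above), this is the CLI form of the tuning that the "fine tune category ios_ips basic" question, the retired/enabled question just above, and Kevin's interface question all circle around: retire everything, un-retire the basic category, then override individual signatures, and apply the policy inbound on both the WAN and LAN interfaces. The policy name iosips and the interface names are assumed; 2004/0 is the real ICMP Echo Request signature, while 5123/0 is an ID picked purely for illustration and should be replaced by whatever `show ip ips statistics` shows firing in your network.

```cisco
configure terminal
 ! Category statements are applied top to bottom, so "category all / retired
 ! true" has to come before the basic category is un-retired; "enabled true"
 ! on a signature that is still retired does nothing, which is why SDM shows
 ! signatures retired even though enabled was set.
 ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
   enabled true
  exit
 ! Per-signature overrides land in the delta XML file and survive package
 ! updates. Retire a noisy one you never want compiled (2004/0, ICMP echo):
 ip ips signature-definition
  signature 2004 0
   status
    retired true
    exit
   exit
  ! ...and make one you care about both alert and drop in-line
  ! (5123/0 is an assumed ID used only to show the syntax):
  signature 5123 0
   status
    retired false
    enabled true
    exit
   engine
    event-action produce-alert deny-packet-inline
    exit
   exit
  exit
 ! Inbound on both WAN and LAN inspects both directions of every
 ! internal<->external flow exactly once; adding "out" on the WAN would
 ! scan the same packets a second time.
 interface Serial0/0
  ip ips iosips in
  exit
 interface FastEthernet0/0
  ip ips iosips in
  exit
 end
! Confirm what actually compiled, then watch which signatures fire
show ip ips signatures count
clear ip ips statistics
show ip ips statistics
```

Run the two show commands after every change: the count output is the only reliable way to see whether a category or override pushed an engine past its memory budget, and the statistics output is what you tune from rather than from signature descriptions.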

  • IOS IPS - Reset Conection

    Hi,
    IOS IPS was configured to only generate alerts. During testing it was observed that the IPS was resetting connections.
    Log below:
    *Oct 10 14:30:29: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(X.X.X.X:433)=>(y.y.y.y:63170),tcp flag:0x4, pak:0x2166449C, iso:0x3D5C7160,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x44B8, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)
    Some time ago Cisco identified a bug in earlier versions. After opening a TAC case, they suggested upgrading the IOS and the signature packages.
    Cisco recommendation below:
    IOS version: c2900-universalk9-mz.SPA.153-3.M.bin
    Signature package: OS-S744-CLI.pkg
    Configuration Cisco Router
    ip ips config location flash:ips retries 1
    ip ips notify SDEE
    ip ips name iosips
    ip ips signature-category
      category all
       retired true
      category ios_ips basic
       retired false
       event-action produce-alert
    Could anyone tell me how to solve this problem?
    Best regards,
    Rodolfo Navero

    But it will make the warnings go away, right?
    I still see the resets in show ip ips statistics.
    It seems the problem is in the subsystem of the feature.
    I used the hidden command on the router, but it did not solve the problem:
    csdb tcp reassembly max-queue-length
    Interfaces configured for ips 1
    Session creations since subsystem startup or last reset 240
    Current session counts (estab/half-open/terminating) [7:17:0]
    Maxever session counts (estab/half-open/terminating) [10:59:1]
    Last session created 00:00:01
    Last statistic reset 00:04:15
    TCP reassembly statistics
      Out-of-order packets dropped 0
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    I performed some tests.
    When I disable all signatures, there are no resets.
    However, when I enable a single signature, the resets continue.
    I believe Cisco has a bug in the compilation of the feature.
    show ip ips statistics
    Interfaces configured for ips 1
    Session creations since subsystem startup or last reset 0
    Current session counts (estab/half-open/terminating) [4:3:0]
    Maxever session counts (estab/half-open/terminating) [4:3:0]
    Last session created 00:23:36
    Last statistic reset 00:15:40
    TCP reassembly statistics
      Out-of-order packets dropped 0
    Regards
    Rodolfo Navero

  • IOS IPS Automatic Signature Update

    I will use a cisco1941w.
    I'd like to know how to configure it at the CLI and what the URL is.
    Is the below correct?
    CLI
    Router(config)# ip ips auto-update
    Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
    Router(config-ips-auto-update)# url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
    Router(config-ips-auto-update)# username XXX password XXX
    URL
    https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

    Hello,
    A. Here is what the six files do:
    • ios-ips-sigdef-default.xml: contains all the factory default signature definitions
    • ios-ips-sigdef-delta.xml: contains signature definitions that have been changed from the default
    • ios-ips-sigdef-typedef.xml: is a file that has all the signature parameter definitions
    • ios-ips-sigdef-category.xml: has all the signature category information, such as category ios_ips basic and advanced
    • ios-ips-seap-delta.xml: contains changes made to the default SEAP parameters
    • ios-ips-seap-typedef.xml: contains all the SEAP parameter definitions
    B. So the signature file (.pkg) is decompressed into these files and then 'idconf' loads them into memory.
    Hence, to copy the signature database of one router to another, we need to copy at least the first 4 files.
    You only need to distribute the SEAP configuration if you modified any of the Signature Event Action Override configuration.
    We do not have one single file that contains all the signatures. The signature package is installed in a certain way.
    Hence we will need at least the first 4 files to copy the signature database from one router to the other.
    C. Secondly, I don't know whether auto-update will accept a file in .xmz package form; I have not tested this.
    But I am guessing it will look for a .pkg file and decompress it.
    When copying a .xmz file, you may have to load it into memory manually using the 'idconf' command.
    D. Hence there is no single configuration file that you copy off the external FTP server.
    I guess the only thing you can do is to have different routers update signatures at different times to reduce the load on the network.
    It is also not necessary to check for signature updates every hour.
    The normal rate of new signature releases is every few days, so even if you check around once a day that should be fine.
    Sid Chandrachud
    TAC Security Solutions
    Customer support engineer
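As an added example (not part of Sid's reply or the question), this is what the posted auto-update stanza looks like once the two pieces of advice above are applied: check once a day instead of every hour, and stagger the check time per router so a fleet does not hit the update server in the same minute. It reuses the cron-style `occur-at minute hour day-of-month day-of-week` form posted in the question; the exact occur-at syntax differs between IOS releases, so confirm it with `occur-at ?` on your image. The `cisco` keyword (pull directly from cisco.com, available from 15.1(1)T as noted later on this page) and the CCO credentials are assumed.

```cisco
configure terminal
 ! Router number 17 of the fleet (assumed) checks at 02:17 every day of
 ! every month; give each router a different minute (and hour, once you
 ! have more than 60 routers) so the checks are spread over the night.
 ip ips auto-update
  occur-at 17 2 1-31 0-6
  ! 15.1(1)T or later: fetch the latest package from cisco.com directly,
  ! replacing the locator.pl URL in the question with the cisco keyword
  cisco
  username ccouser password ccopass
  exit
 end
! Last check time, last package applied and any download/load error
show ip ips auto-update
! After the first successful update, confirm the engines rebuilt cleanly
show ip ips signatures count
```

Because every router recompiles the package on its own, the stagger also keeps the few minutes of high process CPU from coinciding across sites that share a WAN link.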

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures, which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot more easily and quickly than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure IOS IPS to auto-update from cisco.com, which I believe would help.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • Payload ios ips

    Is there any way to view the packet payload of captured alerts from IOS IPS?

    So IOS IPS can't do this? It seems there are a lot of limitations with it.

  • Correct procedure to update IOS IPS signatures on 2911 router

    What is the correct procedure to update the IOS IPS signatures on a 2911 router?
    I know how to download the signature file (e.g. IOS-S556-CLI.pkg), but what is the correct way to install the update?
    Thank you in advance!

    The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling many other signatures, and especially not every single signature, as documented.
    The reason is that the package might include retired/old signatures only for reference, and not every signature is required to protect your environment: you might not have the traffic some signatures look for, or you might not have the end hosts that specific signatures are written for, so enabling them would be irrelevant.
    Typically, here is how a customer would enable/disable signatures:
    - Use the default signature set that is enabled by Cisco (the default should fit the majority of customers).
    - Monitor it for a couple of months.
    - Disable those that you don't need, and enable others if you think you require them for a specific need.

  • Cisco IOS IPS on 2811

    Hi,
    Is it possible to install the NM-CIDS-K9 intrusion module in a Cisco 2811 and run IPS 5.0 on it, i.e. with functionality similar to an IPS 4200 series appliance?
    From what I understand you can do the above, but the module will only work as IDS and not as in-line IPS (with the ability to drop packets etc.)?
    Are there any routers that can have a network module running in IPS mode to provide the same functionality as an IPS appliance (4200 etc.)?
    Is it correct that IOS IPS is only a fraction of the appliance-based IPS?
    Regards \\ Naman

    I am not really sure whether there are any routers that can have a network module running in IPS mode to provide the same functionality as an IPS appliance as such, but the module will only work as IDS and not as in-line IPS.

  • IOS IPS/IDS on a BGP Peering Router?

    We have a pair of BGP peerings between our network and our upstream service provider. Since the peering points are geographically distributed and we run a "cold potato" routing policy on our network, we cannot guarantee symmetric routing for traffic exchanged with our upstream service provider.
    Yesterday we followed the bouncing ball through the IPS/IDS setup documentation on a Cisco 2901 running 15.2(4)M3 and acting as a BGP-speaking peering router at one of our peering points. Immediately the router started throwing %IPS-6-SEND_TCP_PAK and %IPS-6-TIMEOUT_EVENT messages in the logs. We also observed that some upstream service provider web sites became inaccessible to our users. Turning off IPS/IDS on the 2901 restored connectivity for our users to those web sites.
    Three questions:
    Do the default Cisco IOS IPS/IDS rules assume that the router will see both sides of each TCP session?
    Does the Cisco IOS IPS/IDS TCP stream reassembly assume an attack and send TCP RST frames when it doesn't see both sides of a TCP session?
    Should we move the Cisco IPS/IDS functionality from the BGP-speaking routers at peering points to our customer sites, as the customer sites are the only places in our network guaranteed to see both sides of a given TCP session?  (We already perform NAT on the customer site routers for that reason.)

    Hello Bill,
    1) Yes, there are some normalizer functions in some IOS IPS signatures that will behave like that in this scenario (asymmetric routing is not good for any kind of security device).
    2) Yes, it will close the connections. I would definitely need to look up the specific actions regarding that, but you could just check the IOS IPS signature statistics on your router, see which signature is triggering the most, and then see the action configured for it (and change it if required).
    3) If you cannot change that behaviour, then it would be safe to say the router is not a good place to set up an IPS or any other kind of firewall configuration, unless you set it up with a weaker security policy (useless from a security standpoint).
    Check my blog at http:laguiadelnetworking.com for further information.
    Cheers,
    Julio Carvajal Segura

  • IOS IPS and SDM 2.2.a

    Hello everybody!,
    I have installed a Cisco 2821 router with the 12.4(4)T IOS version and SDM v2.2.a (enterprise services IOS image).
    The router has 256MB RAM and 64MB flash memory.
    From the SDM interface I cannot upload any .sdf file and cannot edit the signatures or tune the IOS IPS.
    Do you know how I can fix that problem?
    Thanks for the answers, friends.

    Hi,
    To add more info, here is the information on the defect filed against SDM for the RCP issue and the workaround suggested.
    Symptoms:
    Issue 1) Installation of SDM version 2.2a or earlier on a router fails with an RCP failure message.
    Issue 2) The "Load File from PC" feature of the File Management dialog in SDM version 2.2a or earlier fails.
    Conditions:
    These issues will be encountered with IOS images 12.4(4)T and above.
    SDM uses RCP for installation operations. This problem occurs because the fix for CSCdu34824 in recent Cisco IOS releases has changed RCP behaviour. Because of this change, if the RCP client uses a non-privileged port, the router RCP server does not respond and the above issues occur.
    Workaround:
    1) For Issue 1: use the copy tftp flash command to copy the SDM-related files from the PC to the router.
    2) For Issue 2: use the copy tftp flash command to copy the required file from the PC to the router.

  • IOS IPS auto-update

    Hi,
    I have a couple of questions I hope people could answer:
    1) What recommendations/options are available for downloading signature files to an HTTP/TFTP server prior to having the IOS IPS device pull them from the server? Is there a way to automate the HTTP/TFTP server downloading the signatures (a cron job or such)?
    2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
    Hoping someone could answer these or help point me in the right direction to find the answers.
    Regards, M

    I found this link, which answers one of my questions.
    Cisco IOS Intrusion Prevention System (IPS)
    Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html

  • IOS IPS Sig Updates

    It seems like whenever there is an IDS sensor/appliance update for defending against the latest virus/worm, there is no corresponding update for the IOS IPS signatures.
    Case in point: on June 3 there was an IDS update for W32/Bobax.worm.o, S174. The IOS IPS zip file as of today is S169 from May 25. What gives?
    Also, why aren't there any release notes for the IOS IPS zip files documenting what was added? That way we could read them to judge whether we need to download the zip file or not.

    There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
    Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
    SC
