IOS IPS configuration

Hi all,
I am implementing IOS IPS on a 3800 router, but I am not sure whether, when I enable it, all the TCP sessions already active across the router will be dropped by the inspect (because the IPS never saw when all those sessions started).
Any comments are really appreciated.

Some clarifications:
1. the fail closed option by default is not configured. Default option is fail open.
2. Cisco has recommended signature files (128MB.sdf and 256MB.sdf in the 4.x signature format) and has basic and advanced categories (in the 5.x signature format). Those are the recommended starting point when configuring router-based IOS IPS. They have about 300 and 500 signatures respectively.
3. If configured right, the above two sets of signatures will take about 3 to 5 minutes to load and compile. During the compilation process the process CPU is normally high, but it won't affect data plane traffic passing through the router.
Hope this helps,
-Chris

Similar Messages

  • CISCO 2851 with IPS configuration

    Hi guys, I'm planning to do an IOS IPS configuration on a newly purchased 2851 router; the specs are as below:
    CISCO2851-HSEC/K9
    CISCO 2800 AdvanceIPservice :Version 12.4(15)T10
    64MB CF default
    512DDR DRAM
    My problem right now is, when I tried to configure the IPS feature, SDM Express ver 2.5 doesn't have the IPS tabs that allow me to configure it. I noticed and highly suspect that this is due to the Express version of SDM, instead of the full/enhanced version of SDM. I tried downloading the full version of SDM from Cisco; the file size is 14MB, and my current CF free space is only 7MB. The IOS itself has used up 51MB. So I'm going to advise my customer that running IPS on the router is not possible due to the limited CF size. Can someone who has experience in IPS correct me if I'm wrong? I'm fresh in the security area.
    PS: I know a workaround is to install CSM on a workstation and then configure and manage this router from there.
    Thanks

    Hi Collin,
    Thanks for your advice. I did read through the configuration that you posted. One line which I'm not clear about is:
    "copy flash:/IOS-S302-CLI.pkg idconf"
    Where is this idconf? Is it a flash folder or somewhere else? Why do we need to copy the signature file to this idconf? Or, my guess, is this idconf referring to "flash:/ips"?
    regards,

  • 2811 IOS IPS VMS Configuration

    I have several already deployed 2811s that I'd like to turn the IPS feature on for. IOS firewall is already running. We also have just deployed VMS. Is there any order that needs to be followed to get these into VMS? Should I import them into Router MC or IDS MC first? The IDS MC documentation isn't clear to me on setting up IOS IPS.
    thanks in advance

    No particular order (that I am aware of).
    As far as Security Monitor to monitor IDS alerts, I chose the hard way and just manually added each of our devices; tedious, but all is working.
    As far as Performance Monitor, I imported from RME.
    The bulk of our routers run 12.3(11)T and 12.3(11)T2.
    We have a ton of 831s, and I chose for them to send alerts via PostOffice rather than waiting for collections via SDEE because the memory in the 831s (48MB) is already just about maxed out (regularly over 80%) just running the daily needed applications (VPN and CBAC). We have some 1700s and 2600s out in the field too that are not as taxed.
    If you choose the PostOffice route (or test it out), then here are the commands and steps you need:
    First add the device in Security Monitor to use PostOffice
    then from the router console, ssh, etc.:
    ip ips notify nr-director
    ip ips po max-events 100
    ip ips po remote hostid [VMS Host ID#] orgid [ORG #] rmtaddress [VMS IP Address] localaddress [Router IP Address] port 45000
    ip ips po local hostid [Router Host ID#] orgid [Org ID#]
    exit
    write mem
    reload
    Once you reload it will send an initial packet to VMS and the router will register as 'Connected' in Sec Monitor.
    You should make sure that the 'ip ips po' commands are accepted in your IOS version
    I don't know what your memory consumption is like in your 2800 Router but the config for SDEE Event Collection is much less involved. If your router has resources to spare this is the way to go.

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • IOS IPS/IDS on a BGP Peering Router?

    We have a pair of BGP peerings between our network and our upstream service provider. Since the peering points are geographically distributed and we run a "cold potato" routing policy on our network, we cannot guarantee symmetric routing for traffic exchanged with our upstream service provider.
    Yesterday we followed the bouncing ball through the IPS/IDS setup documentation on a Cisco 2901 running 15.2(4)M3 and acting as a BGP-speaking peering router at one of our peering points. Immediately the router started throwing %IPS-6-SEND_TCP_PAK and %IPS-6-TIMEOUT_EVENT messages in the logs. We also observed that some upstream service provider web sites became inaccessible to our users. Turning off IPS/IDS on the 2901 restored connectivity for our users to those web sites.
    Three questions:
    Do the default Cisco IOS IPS/IDS rules assume that the router will see both sides of each TCP session?
    Does the Cisco IOS IPS/IDS TCP stream reassembly assume an attack and send TCP RST frames when it doesn't see both sides of a TCP session?
    Should we move the Cisco IPS/IDS functionality from the BGP-speaking routers at peering points to our customer sites, as the customer sites are the only places in our network guaranteed to see both sides of a given TCP session?  (We already perform NAT on the customer site routers for that reason.)

    Hello Bill,
    1) Yes, there are some normalizer functions on some IOS-IPS signatures that will behave like that in these scenarios (asymmetric routing is not something good for any kind of security device).
    2) Yes, it will close the connections. I will definitely need to look for specific actions regarding that, but you could just check the IOS IPS signature statistics on your router, see which is the one triggering the most, and then see the action configured for it (and change it if required).
    3) If you cannot change that behavior then it would be safe to say the router is not a good place to set up an IPS or any other kind of firewall configuration, unless you set it with a weaker security policy (useless from a security standpoint).
    Check my blog at http:laguiadelnetworking.com for further information.
    Cheers,
    Julio Carvajal Segura

  • IOS IPS auto-update

    Hi,
    I have a couple of questions I hope people could answer:
    1) What recommendations/options are available for downloading signature files to an HTTP/TFTP server prior to having the IOS IPS device pull them from the server? Is there a way to automate the HTTP/TFTP server downloading the signatures? (Cron job or such)
    2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
    Hoping someone could answer these or help point me in the right direction to find the answer out.
    regards M

    I found this link, which answers one of my questions.
    Cisco IOS Intrusion Prevention System (IPS)
    Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html

  • IOS IPS Signature-File

    Hi Guys,
    We have recently purchased a Cisco ISR 2921, and in its docs it is written that this product has a license for the IOS IPS signature file, but on the product's flash memory there is no IOS IPS sig-file. And when I try to download the sig-file from Cisco, it fails.
    Can anyone tell me an alternate way to download the sig-file?

    900 active signatures is quite a lot for a system that has no dedicated IPS resources.
    But you can control which and how many signatures get enabled on your router:
    In the following example I first disable all signatures and then enable the ones for web servers. So just decide which signatures you need. But don't forget to monitor your router resources.
    gw#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    gw(config)#ip ips signature-category
    gw(config-ips-category)#?
    IPS signature category configuration commands:
      category  Category keyword
      exit      Exit from Category Mode
      no        Negate or set default values of a command
    gw(config-ips-category)#category ?
      adware/spyware                Adware/Spyware (more sub-categories)
      all                           All Categories
      attack                        Attack (more sub-categories)
      configurations                Configurations (more sub-categories)
      ddos                          DDoS (more sub-categories)
      dos                           DoS (more sub-categories)
      email                         Email (more sub-categories)
      instant_messaging             Instant Messaging (more sub-categories)
      ios_ips                       IOS IPS (more sub-categories)
      l2/l3/l4_protocol             L2/L3/L4 Protocol (more sub-categories)
      network_services              Network Services (more sub-categories)
      os                            OS (more sub-categories)
      other_services                Other Services (more sub-categories)
      p2p                           P2P (more sub-categories)
      reconnaissance                Reconnaissance (more sub-categories)
      releases                      Releases (more sub-categories)
      specially_licensed_signature  Specially Licensed Signature (more sub-categories)
      telepresence                  TelePresence (more sub-categories)
      uc_protection                 UC Protection (more sub-categories)
      viruses/worms/trojans         Viruses/Worms/Trojans (more sub-categories)
      web_server                    Web Server (more sub-categories)
    gw(config-ips-category)#category all
    gw(config-ips-category-action)#retire true
    gw(config-ips-category-action)#exit              
    gw(config-ips-category)#category web_server
    gw(config-ips-category-action)#?
    Category Options for configuration:
      alert-severity   Alarm Severity Rating
      enabled          Enable Category Signatures
      event-action     Action
      exit             Exit from Category Actions Mode
      fidelity-rating  Signature Fidelity Rating
      no               Negate or set default values of a command
      retired          Retire Category Signatures
    gw(config-ips-category-action)#retired false
    gw(config-ips-category-action)#exit
    gw(config-ips-category)#exit
    Do you want to accept these changes? [confirm]
    gw(config)#
    gw(config)#exit
    gw#sh ip ips configuration | s IPS Signature Status
    IPS Signature Status
        Total Active Signatures: 131
        Total Inactive Signatures: 4370
    gw#
    I didn't follow the thread and answered your first post to have less line-breaks in this post.

  • IOS IPS and VMS and shunning

    Installed 12.3.14T2 (advanced security) on 2811 router with new
    VMS update to the IDS Management Center (2.1) to support IOS IPS SDEE event monitoring. When I configure a specific signature, there is no option to shun. Only alert, block or reset. Where do you configure the dynamic shunning or "local shun action" that seems to be in all the "new features" of the IOS IPS?
    Configuring the signature to block, alert or reset works fine. Just no options to shun. Also the IPS device does not show up in the device list under Monitoring on VMS, even though it shows up as a device in Monitoring Center Device Page.
    Maybe this is where the problem may lie.

    IOS versions before 12.3(14)T support the following
    actions for IOS IPS:
    - alarm
    - drop (drop just the offending packet)
    - reset (reset tcp connection - works for tcp only)
    Version 12.3(14)T and later (including 12.4 versions) added support for the "local shunning" through two different actions:
    - denyFlowInline
    - denyAttackerInline
    DenyFlowInline creates an ACL that drops all traffic on that connection for a certain idle-timeout.
    DenyAttackerInline creates an ACL that drops all traffic from that source address (including other connections from that source address) for a certain idle-timeout.
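The difference between the two local-shunning actions in the reply above is easier to see in code. The following is an added example, not part of the thread or of Cisco's implementation: a small model of a flow-keyed deny entry (denyFlowInline) beside a source-keyed one (denyAttackerInline), both with an idle timeout. It assumes that "idle-timeout" means the entry lives until that many seconds pass with no matching packet and that each matching packet refreshes the timer; the addresses and the `demo()` walkthrough are constructed.

```python
# Added example (not from the thread): a model of denyFlowInline and
# denyAttackerInline with an idle timeout.  Assumption: the entry expires
# after idle_timeout seconds with no matching packet, and every matching
# packet refreshes that timer.  Timestamps are passed explicitly so the
# behaviour is deterministic.

# A flow is a constructed 5-tuple: (src_ip, src_port, dst_ip, dst_port, proto).
Flow = tuple


class InlineShunTable:
    """Dynamic deny entries keyed either by flow or by source address."""

    def __init__(self, idle_timeout: float) -> None:
        self.idle_timeout = idle_timeout
        self._flows: dict = {}      # flow 5-tuple -> last time a packet matched
        self._attackers: dict = {}  # source ip   -> last time a packet matched

    def deny_flow_inline(self, flow: Flow, now: float) -> None:
        """Drop further packets of this one connection only."""
        self._flows[flow] = now

    def deny_attacker_inline(self, src_ip: str, now: float) -> None:
        """Drop every packet from this source, whatever the connection."""
        self._attackers[src_ip] = now

    def _expire(self, now: float) -> None:
        # Entries that saw no matching packet for longer than idle_timeout go away.
        for table in (self._flows, self._attackers):
            stale = [k for k, last in table.items() if now - last > self.idle_timeout]
            for k in stale:
                del table[k]

    def should_drop(self, pkt: Flow, now: float) -> bool:
        """True if the packet matches a live deny entry; a hit refreshes the timer."""
        self._expire(now)
        src_ip = pkt[0]
        if src_ip in self._attackers:
            self._attackers[src_ip] = now
            return True
        if pkt in self._flows:
            self._flows[pkt] = now
            return True
        return False

    def active_entries(self) -> tuple:
        """(flow entries, attacker entries) currently held, ignoring expiry."""
        return (len(self._flows), len(self._attackers))


def demo() -> dict:
    """Walk both actions through constructed traffic and return the decisions."""
    t = InlineShunTable(idle_timeout=30)
    # constructed sample addresses (RFC 5737 documentation ranges)
    flow_a = ("203.0.113.5", 40000, "192.0.2.10", 80, "tcp")
    flow_b = ("203.0.113.5", 40001, "192.0.2.10", 80, "tcp")   # same source, new port
    flow_c = ("203.0.113.6", 40000, "192.0.2.10", 80, "tcp")   # different source

    t.deny_flow_inline(flow_a, now=0)
    out = {
        "flow_shun_drops_same_flow": t.should_drop(flow_a, now=1),
        "flow_shun_spares_other_conn": t.should_drop(flow_b, now=1),
    }

    t.deny_attacker_inline("203.0.113.5", now=10)
    out["attacker_shun_drops_new_conn"] = t.should_drop(flow_b, now=11)
    out["attacker_shun_spares_other_src"] = t.should_drop(flow_c, now=11)

    # Traffic at t=20 refreshes the attacker entry; silence until t=90 expires it.
    t.should_drop(flow_b, now=20)
    out["still_shunned_before_idle_timeout"] = t.should_drop(flow_b, now=45)
    out["released_after_idle_timeout"] = t.should_drop(flow_b, now=90)
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'drop' if decision else 'forward'}")
```

The point the model makes: a flow shun leaves the attacker free to open a new connection from another source port, while an attacker shun catches that too, at the cost of also catching any legitimate traffic from that address for the idle-timeout window.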

  • IOS IPS for blocking IM and P2P

    Any recommendations on the best way to use IOS IPS to stop P2P and IM?
    I set up a 3845 with 12.3(14)T1 to do this by importing signatures from the latest SDF using SDM. I used the attack-drop, and all IM and P2P signatures I could find. I changed them all to drop and reset. I then applied it to the inside interface of a 3845. I also set up nbar with a drop policy for all P2P traffic.
    The configuration caused very slow web response time for users, including blocked pages. Removing the IPS filter made everything work properly again. The router also stopped rebooting periodically.
    Is there a recommended way to set this up that does not cause slow performance and reboots?

    OK, went back and loaded some upgraded software. Now using 12.4.1 Advanced security IOS on the 3845, and SDM 211. The new 256MB.sdf signature file has all the IM and P2P signatures in it already!
    After applying the IPS inbound on the serial interface, I changed the UDP signatures action to drop and the TCP to drop/reset.
    Everything appears to be working beautifully. Yahoo and MSN messenger get dropped, as well as the peer to peer requests. I am unable to download Bittorrent. Web access is fast, and there is no hesitation by the router in configuring the IPS.
    This appears to be a great solution so far.

  • IOS IPS Signature description

    I would like to "fine tune"  category ios_ips advanced  (or basic) on IOS IPS.
    Clearly ISR G2 is not able to support as many active/enabled signatures as we'd like, so it would be nice to choose the ones we actually need.
    Does anyone have a table with signature descriptions so one can easily choose?
    I found the web site totally impractical... sorry Cisco guys...
    Please help !

    If you are using IME, there is a way to export a list of signatures. I have done this with the IPS 4255 and it might be the same for IOS IPS.
    Under Configuration, go to Policy -> Signatures -> All Signatures. There is a function to Export the list of signatures, in either HTML or CSV format.

  • IOS IPS - Sig 4050 UDP Bomb apparent false alarms?

    Hi,
    I'm trying the IOS IPS solution out in a lab environment and I seem to be getting lots of false alarms on sig 4050 - UDP bomb. Looking at the signature description via go/mysdn, and looking at its configuration on the router via SDM, I can see it is simply looking for small UDP packets. But I don't know what size (the parameter is named ShortUDPLength and it's set to True).
    All NTP traffic kicks off this signature. Using Ethereal to capture the NTP exchange, I see that the communication in each direction is a single packet. The layer 2 frame length is 90 bytes. The UDP data length is 56 bytes. All of this seems fine. The NTP server is a Cisco router. The NTP client is running on a Windows 2000 workstation.
    Also, any TFTP to/from the router with IPS enabled also triggers the alert. Specifically it is the ACKs from the TFTP server that trigger the alert. They are indeed small packets - the UDP data size is only 12 bytes.
    Note, this same traffic does not cause alerts from a 5.0 IPS sensor. Looking at the signature definition on the sensor, it doesn't have a parameter named ShortUDPLength. Instead it has a parameter named udp-length-mismatch which is set to true. This doesn't seem to be keying off of a particular data size, but instead off conflicting reports in the UDP header compared to the actual packet size.
    Any information that anyone could provide to shed light on this subject would be appreciated. Such as:
    1) Do you find that IOS IPS sig 4050 false alarms are common?
    2) What is the UDP data length that triggers the alert? It has to be bigger than 90 bytes!
    3) Does Cisco have any recommendations on what to do with this built in signature?
    Thanks,
    KEP

    On the sensor appliance side, the udp-length-mismatch checks for discrepancies between the IP header length and the UDP length of the packet. You were dead on: the signature triggers when the UDP length specified is less than the IP length specified. I'm not positive of exactly what the IOS ShortUDPLength parameter is.
    You provided some valuable information in that the same traffic doesn't trigger the alerts on the appliance, so we know that this is not the signature, but rather the implementation of it in IOS.
    I'm taking a bit of a leap here not knowing what IOS version you are running, but I'm guessing you may be running into CSCeh32935. The title states multicast, but the bug is not limited to just multicast traffic. This affects some 12.3T releases and early 12.4. It looks like 12.4(2)T or higher has fixes implemented.
    Since you're in a lab environment, I'd go ahead and upgrade the IOS on the router and see if that doesn't resolve the issue. If it's still there, open up a TAC case, and they'll be able to recreate the issue and file a new bug if necessary.
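The two checks contrasted in this exchange, a header-consistency check (the appliance's udp-length-mismatch, as the reply describes it) and a size-only check (what the poster reads ShortUDPLength as doing), fire on different packets. The following is an added example written for this page, not Cisco code and not the exact logic of either signature: it parses a raw IPv4/UDP datagram, flags a UDP length field that disagrees with the IP total length, and beside it applies a size-only test with an assumed threshold. The sample datagrams are constructed to the sizes the poster captured (a 48-byte NTP payload giving a UDP length of 56 and a 90-byte Ethernet frame; a 4-byte TFTP ACK giving a UDP length of 12), with RFC 5737 documentation addresses and zeroed checksums.

```python
# Added example (not from the thread): UDP length-mismatch check beside a
# size-only check, run over constructed IPv4/UDP datagrams.
import struct

ETH_HDR_LEN = 14  # Ethernet II header; the poster's 90-byte frame includes it


def parse_ipv4_udp(dgram: bytes) -> dict:
    """Pull the length fields out of a raw IPv4 datagram carrying UDP."""
    if len(dgram) < 20:
        raise ValueError("truncated IPv4 header")
    version = dgram[0] >> 4
    ihl = (dgram[0] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    ip_total_len = struct.unpack("!H", dgram[2:4])[0]
    if dgram[9] != 17:  # protocol number 17 is UDP
        raise ValueError("not UDP")
    if len(dgram) < ihl + 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", dgram[ihl:ihl + 8])
    return {"ihl": ihl, "ip_total_len": ip_total_len, "sport": sport,
            "dport": dport, "udp_len": udp_len, "payload_len": udp_len - 8}


def udp_length_mismatch(dgram: bytes) -> bool:
    """Consistency check: does the UDP length field disagree with the IP header?

    The reply describes the appliance firing when UDP length is *less* than
    what IP implies; a UDP length larger than the datagram is equally broken,
    so both directions count as a mismatch here.
    """
    h = parse_ipv4_udp(dgram)
    return h["udp_len"] != h["ip_total_len"] - h["ihl"]


def short_udp(dgram: bytes, threshold: int) -> bool:
    """Size-only check of the kind the poster suspects ShortUDPLength performs.

    The real threshold is not on the page; the caller supplies an assumed one.
    """
    return parse_ipv4_udp(dgram)["payload_len"] < threshold


def build_ipv4_udp(payload: bytes, sport: int, dport: int,
                   udp_len_override: int = None) -> bytes:
    """Construct a minimal IPv4/UDP datagram (checksums left zero, not verified)."""
    udp_len = 8 + len(payload) if udp_len_override is None else udp_len_override
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


# Constructed samples sized like the poster's captures.
NTP_DGRAM = build_ipv4_udp(bytes(48), 123, 123)             # UDP length 56
TFTP_ACK_DGRAM = build_ipv4_udp(bytes([0, 4, 0, 1]), 69, 50000)  # UDP length 12
# A malformed datagram whose UDP length claims fewer bytes than IP delivers.
BAD_DGRAM = build_ipv4_udp(bytes(48), 123, 123, udp_len_override=40)

if __name__ == "__main__":
    for name, d in [("NTP", NTP_DGRAM), ("TFTP ACK", TFTP_ACK_DGRAM), ("bad", BAD_DGRAM)]:
        print(name, "mismatch:", udp_length_mismatch(d), "short(<16):", short_udp(d, 16))
```

Run against the samples, the consistency check stays quiet on the well-formed NTP and TFTP datagrams and fires only on the one with a lying UDP length, while the size-only check fires on the TFTP ACK regardless of how well-formed it is, which is the behaviour the poster is seeing from the IOS side.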

  • IOS IPS message

    hi,
    I enabled IOS IPS with SDM v2.4.1, and it shows the following message repeatedly:
    platform: 2821
    IOS:c2800nm-adventerprisek9-mz.124-11.T2.bin
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)
    *Jul 25 06:18:22.831: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)
    I tried it again with the CLI, but there was no message like that.
    Q2:
    I enabled ios_ips basic, retired false and enabled true, but in SDM--ios_ips--basic many signatures were not enabled and were retired true.
    My configuration is as follows:
    ip ips signature-category
    category ios_ips basic
    category all
    retired true
    category ios_ips basic
    retired false
    enabled true
    thanks.

    SDM needs a 12.4(11)T2 or later image to support IOS IPS in the 5.x signature format due to some issues in IOS.
    For 12.4(11)T1, the best option is to use CLI for now.
    Also please refer http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml
    Thanks,
    -Chris

  • IOS IPS

    If the IOS IPS pkg file is 7MB and after I do a copy tftp://xxx/xxx.pkg idconf, where does the file go? I don't see anything on the flash other than the .xml config files.
    Any thoughts?

    First, please take a look at http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml.
    In summary, the copy command follows this process:
    1. load the signature file from the outside server
    2. parse it and read it into memory
    3. save it out to the directory configured as the ips location; in normal cases, this would be the router flash.
    When saving the files out, it saves them as multiple files in a compressed format; even though a file has a .xml extension, it is compressed.
    Here are the files that get saved out:
    . -sigdef-typedef.xml
    type definition files, defines the engine parameters etc.
    . -sigdef-category.xml
    signature category file. Just a mapping file map the category to signature IDs
    . -sigdef-default.xml
    Signature file. Contains all signatures and their parameter definitions
    When managed by CSM/SDM, it will also save out a couple of other files:
    . -sigdef-delta.xml
    Contains all signature modification information other than the default in sigdef-default.xml
    . -seap-delta.xml
    Contains all the SEAP configuration changes
    . -seap-typedef.xml
    SEAP type definition file.
    Thanks,
    -Chris

  • IOS IPS 3845 router

    The IOS IPS keeps failing. For some reason it sends the alerts to MARS and then all of a sudden the IPS is disabled on the interface. This config was done through SDM.

    CS-MARS also integrates tightly with Cisco's premier security management suite, Cisco Security Manager (CSM). This tight integration maps traffic-related syslog messages to the firewall policies defined in CSM that triggered the event. Policy lookup enables rapid, round-trip analysis for troubleshooting firewall configuration-related network problems, policy configuration errors, and fine-tuning defined policies.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_tech_notes_list.html

  • IOS IPS - Reset Conection

    Hi,
    IOS IPS was configured to only generate alerts. During testing it was observed that the IPS was resetting some connections.
    log below:
    *Oct 10 14:30:29: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(X.X.X.X:433)=>(y.y.y.y:63170),tcp flag:0x4, pak:0x2166449C, iso:0x3D5C7160,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x44B8, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)
    Some time ago Cisco identified a bug in earlier versions. After opening a TAC case, they suggested upgrading the IOS and the subscription packages.
    Cisco recommendation below:
    IOS Version : c2900-universalk9-mz.SPA.153-3.M.bin
    Packet sig: OS-S744-CLI.pkg
    Configuration Cisco Router
    ip ips config location flash:ips retries 1
    ip ips notify SDEE
    ip ips name iosips
    ip ips signature-category
      category all
       retired true
      category ios_ips basic
       retired false
       event-action produce-alert
    Could anyone tell how to solve this problem?
    Best Regards
    Rodolfo Navero

    But it will make the warnings go away, right?
    but I still see the resets in the output of sh ip ips statistics.
    It seems the problem is in the subsystem of the feature.
    I used the hidden command on the router, but it did not solve the problem.
    csdb tcp  reassembly max-queue-length
    Interfaces configured for ips 1
    Session creations since subsystem startup or last reset 240
    Current session counts (estab/half-open/terminating) [7:17:0]
    Maxever session counts (estab/half-open/terminating) [10:59:1]
    Last session created 00:00:01
    Last statistic reset 00:04:15
    TCP reassembly statistics
      Out-of-order packets dropped 0
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    I performed some tests.
    When I disable all signatures, there are no resets.
    However, when I enable a single signature, the resets continue.
    I believe Cisco has a bug in the compilation of the feature.
    sh ip ips statistics
    Interfaces configured for ips 1
    Session creations since subsystem startup or last reset 0
    Current session counts (estab/half-open/terminating) [4:3:0]
    Maxever session counts (estab/half-open/terminating) [4:3:0]
    Last session created 00:23:36
    Last statistic reset 00:15:40
    TCP reassembly statistics
      Out-of-order packets dropped 0
    Regards
    Rodolfo Navero
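Both this thread and the BGP peering thread above turn on the same symptom: %IPS-6-SEND_TCP_PAK messages with tcp flag 0x4, which is the TCP RST bit, meaning the router itself is tearing sessions down even though the policy was meant to alert only. The following is an added example for this page, not code from either poster or from Cisco: a parser for the IOS IPS syslog lines quoted on this page (SEND_TCP_PAK and UNKNOWN_NAME) that tallies messages by mnemonic and counts RSTs per server socket, so you can see which services are being reset before cross-checking against the signature statistics the earlier reply recommends. The SEND_TCP_PAK line does not carry a signature ID, so that cross-check is still needed. The sample log is constructed from the line shapes on the page with RFC 5737 documentation addresses; the `%SYS-5-CONFIG_I` line is a non-IPS message included only to show it is ignored.

```python
# Added example (not from the thread): parse IOS IPS syslog lines and count
# router-originated TCP resets per server socket.
import re
from collections import Counter

# Shape of the %IPS lines quoted on this page; the timestamp may carry milliseconds.
IPS_LINE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?):\s+"
    r"%IPS-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s+(?P<text>.*)$"
)
# Endpoint and flag fields inside a SEND_TCP_PAK message.
SEND_TCP_PAK = re.compile(
    r"\((?P<src>[^:()]+):(?P<sport>\d+)\)=>\((?P<dst>[^:()]+):(?P<dport>\d+)\),"
    r"tcp flag:(?P<flag>0x[0-9A-Fa-f]+)"
)
TCP_RST = 0x04  # RST bit of the TCP flags byte


def parse_line(line: str):
    """Return a dict for an IOS IPS syslog line, or None for anything else."""
    m = IPS_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    if rec["mnemonic"] == "SEND_TCP_PAK":
        p = SEND_TCP_PAK.search(rec["text"])
        if p:
            rec.update(p.groupdict())
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            rec["flag"] = int(rec["flag"], 16)
            rec["is_rst"] = bool(rec["flag"] & TCP_RST)
    return rec


def summarize(lines):
    """Count messages by mnemonic and IPS-originated RSTs per server socket."""
    by_mnemonic = Counter()
    rst_by_server = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_mnemonic[rec["mnemonic"]] += 1
        if rec.get("is_rst"):
            # The RST is injected toward the client on behalf of the server
            # socket, so the source side names the service being torn down.
            rst_by_server[f"{rec['src']}:{rec['sport']}"] += 1
    return {"by_mnemonic": by_mnemonic, "rst_by_server": rst_by_server}


# Constructed sample log, shaped like the lines quoted on this page.
SAMPLE_LOG = [
    "*Oct 10 14:30:29: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(192.0.2.10:443)=>(198.51.100.7:63170),tcp flag:0x4, pak:0x2166449C, iso:0x3D5C7160,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x44B8, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)",
    "*Oct 10 14:30:31: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(192.0.2.10:443)=>(198.51.100.8:51002),tcp flag:0x14, pak:0x2166449C, iso:0x3D5C7160,tcp seq:0x0, tcp ack:0x1A2B, tcp_window:8192, ip_checksum:0x44B8, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)",
    "*Oct 10 14:30:40: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(192.0.2.20:80)=>(198.51.100.7:51100),tcp flag:0x4, pak:0x2166449C, iso:0x3D5C7160,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x44B8, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)",
    "*Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)",
    "*Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)",
    "*Oct 10 14:30:41: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("messages by mnemonic:", dict(s["by_mnemonic"]))
    print("RSTs per server socket:", dict(s["rst_by_server"]))
```

Feed the real log (for example the output of `show logging`) in as `lines` instead of `SAMPLE_LOG`. A server socket that dominates the RST count while the policy is alert-only is the one to investigate first, and on an asymmetric path it is usually a sign the normalizer only ever sees one direction of the session.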
