IOS IPS new definitions

Hi,
When I try to install the new IPS definitions on a Cisco 1721 router with the command 'copy flash:virtualSensor.xml ips-sdf', I get the following error:
it-vr-ipnetworks.it-gw1#sh flash
System flash directory:
File Length Name/status
1 12332180 c1700-advsecurityk9-mz.123-11.T2.bin
2 93095 attack-drop.sdf
3 3883008 sdm.tar
4 270848 home.tar
5 1463 home.html
6 1187840 ips.tar
[17768820 bytes used, 15523464 available, 33292284 total]
32768K bytes of processor board System flash (Read/Write)
it-vr-ipnetworks.it-gw1#copy tftp:virtualSensor.xml flash:virtualSensor.xml
Address or name of remote host []? 172.16.0.1
Destination filename [virtualSensor.xml]?
Accessing tftp://172.16.0.1/virtualSensor.xml...
Erase flash: before copying? [confirm]n
Loading virtualSensor.xml from 172.16.0.1 (via FastEthernet0): !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 1917467 bytes]
Verifying checksum... OK (0x63A9)
1917467 bytes copied in 55.368 secs (34631 bytes/sec)
it-vr-ipnetworks.it-gw1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
it-vr-ipnetworks.it-(config)#no ip ips sdf location flash:attack-drop.sdf
it-vr-ipnetworks.it-(config)#ip ips fail closed
it-vr-ipnetworks.it-(config)#exit
it-vr-ipnetworks.it-gw1#copy flash:virtualSensor.xml ips-sdf
% Failed to allocate regular expression state table: 7575360
% Failed to allocate regular expression state table: 3450200
How can I install and activate the new IOS IPS definitions?

I checked all of the Cisco internal TAC cases and error messages and I wasn't able to pinpoint this problem. It doesn't look like you have a memory problem, you have 15meg available. I would try three things and then maybe contact TAC to see if they can help.
1. Download the file again just in case it is corrupted.
2. Give your file a .sdf extension just in case the file name ips_sdf is a problem (shouldn't be).
3. Download the previous sdf file, just in case there is some invalid content in the file you currently have.
4. It looks like you have SDM installed. Try SDM to install the signatures.
Hopefully this will help, if not repost or give the TAC guys a shot.

Similar Messages

  • IOS IPS - Sig 4050 UDP Bomb apparent false alarms?

    Hi,
    I'm trying the IOS IPS solution out in a lab environment and I seem to be getting lots of false alarms on sig 4050 - UDP bomb. Looking at the signature description via go/mysdn, and looking at its configuration on the router via SDM, I can see it is simply looking for small UDP packets. But I don't know what size (the parameter is named ShortUDPLength and it's set to True).
    All NTP traffic kicks off this signature. Using Ethereal to capture the NTP exchange, I see that the communication in each direction is a single packet. The layer 2 frame length is 90 bytes. The UDP data length is 56 bytes. All of this seems fine. The NTP server is a Cisco router. The NTP client is running on a Windows 2000 workstation.
    Also, any TFTP to/from the router with IPS enabled also triggers the alert. Specifically it is the ACKs from the TFTP server that trigger the alert. They are indeed small packets - the UDP data size is only 12 bytes.
    Note, this same traffic does not cause alerts from a 5.0 IPS sensor. Looking at the signature definition on the sensor, it doesn't have a parameter named ShortUDPLength. Instead it has a parameter named udp-length-mismatch which is set to true. This doesn't seem to be keying off of a particular data size, but instead conflicting reports in the UDP header compared to the actual packet size.
    Any information that anyone could provide to shed light on this subject would be appreciated. Such as:
    1) Do you find that IOS IPS sig 4050 false alarms are common?
    2) What is the UDP data length that triggers the alert? It has to be bigger than 90 bytes!
    3) Does Cisco have any recommendations on what to do with this built in signature?
    Thanks,
    KEP

    On the sensor appliance side, the udp-length-mismatch checks for discrepancies between the ip header length and udp length of the packet. You were dead on, the signature triggers when the UDP length specified is less than the IP length specified. I'm not positive of exactly what the IOS ShortUDPLength parameter is.
    You provided some valuable information in that the same traffic doesn't trigger the alerts on the appliance, so we know that this is not the signature, but rather the implementation of it in IOS.
    I'm taking a bit of a leap here not knowing what IOS version you are running, but I'm guessing you may be running into CSCeh32935. The title states multicast, but the bug is not limited to just multicast traffic. This affects some 12.3T releases and early 12.4. Looks like 12.4(2)T or higher has fixes implemented.
    Since you're in a lab environment, I'd go ahead and upgrade the IOS on the router and see if that doesn't resolve the issue. If it's still there, open up a TAC case, and they'll be able to recreate the issue and file a new bug if necessary.

  • IOS IPS Automatic Signature Update

    I will use cisco1941w.
    I'd like to know, how to configure at CLI and where is the URL.
    Is the below correct?
    CLI
    Router(config)# ip ips auto-update
    Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
    Router(config-ips-auto-update)# url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
    Router(config-ips-auto-update)# username XXX password XXX
    URL
    https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

    Hello,
    A. Here is what the six files do:
    • ios-ips-sigdef-default.xml: contains all the factory default signature definitions
    • ios-ips-sigdef-delta.xml: contains signature definitions that have been changed from the default
    • ios-ips-sigdef-typedef.xml: is a file that has all the signature parameter definitions
    • ios-ips-sigdef-category.xml: has all the signature category information, such as category ios_ips basic and advanced
    • ios-ips-seap-delta.xml: contains changes made to the default SEAP parameters
    • ios-ips-seap-typedef.xml: contains all the SEAP parameter definitions
    B. So the signature file (.pkg) is decompressed into these files and then 'idconf' loads them in memory.
    Hence to copy the signature database of one router to the other, we need to copy at least the first 4 files.
    You only need to distribute the SEAP configuration if you modified any of the Signature Event Action Override configuration:
    We do not have one single file that contains all the signatures.  The signature package is installed in a certain way.
    Hence we will need at least the first 4 files to copy the signature database from one router to the other.
    C. Secondly, I don't know if auto-update will accept a file in .xmz package; I have not tested this.
    But I am guessing it will look for a .pkg file and decompress it.
    With copying a .xmz file, you may have to manually load it into memory using 'idconf' command.
    D. Hence there is no one single configuration file that you copy off the external ftp server.
    I guess, the only thing you can do is to have different routers update signatures at different times to reduce load on the network.
    It is also not necessary to check for signature updates every hour.
    Normal rate of adding new signature releases is every few days, so even if you check around once a day that should be ok.
    Sid Chandrachud
    TAC Security Solutions
    Customer support engineer

  • IOS IPS basics

    I'm pretty new to managing IPS. My co is looking at deploying a large number of these and I'm supposed to manage it. I got a few questions:
    1. Are the available signatures in the default IOS IPS enough? I fired Retina at an old Red Hat version OS but I find that the results from IOS IPS are pretty generic. It detects non-valid HTTP traffic over SSL but not the vulnerabilities used, and it doesn't even detect nmap non-TCP port scanning.
    2. Do you recommend using the default IOS IPS signatures? If not, any recommendations & standards to follow?
    3. Any guidance on custom signature development on IOS IPS?
    4. Any method to manage large numbers of IOS IPS rules/signatures on a single console? So I can push the signature from a single console to each and every router. If not, is it possible to copy the signature folders over all the routers to get the same sets of signatures on the routers?
    Appreciate any useful information. Thanks in advance.

    1. The built-in signatures are pretty old and mostly worthless; you may want to disable them and use the latest signature file available for the IOS-IPS. Your memory will be the constraining factor as to how many signatures you can have enabled.
    2. The signature defaults are a starting place. You will have to spend time doing the analysis of events to see if they're false positives (and many will be) and tune them down, or more likely disable them.
    3. Each signature engine has a fixed 64MB of memory. Turn on too many within that engine (including your custom sigs) and you won't get any. Watch the console log when enabling IPS to see if your build is failing. Some sigs eat more memory than others.
    4. If you have money to burn you can buy Cisco's CSM 3.1, or else keep your signature file(s) on an FTP/TFTP/SCP server and copy them to your routers as needed.

  • IOS IPS auto-update

    Hi,
    I have a couple of questions I hope people could answer:
    1) What recommendations/options are available for downloading signature files to a HTTP/TFTP server prior to having the IOS IPS device pull them from the server? Is there a way to automate the HTTP/TFTP server downloading the signatures? (Cron job or such)
    2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
    Hoping someone could answer these or help point me in the right direction to find the answer out.
    regards M

    I found this link which answers my one question.
    Cisco IOS Intrusion Prevention System (IPS)
    Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html

  • IOS IPS and VMS and shunning

    Installed 12.3.14T2 (advanced security) on 2811 router with new
    VMS update to the IDS Management Center (2.1) to support IOS IPS SDEE event monitoring. When I configure a specific signature, there is no option to shun. Only alert, block or reset. Where do you configure the dynamic shunning or "local shun action" that seems to be in all the "new features" of the IOS IPS?
    Configuring the signature to block, alert or reset works fine. Just no options to shun. Also the IPS device does not show up in the device list under Monitoring on VMS, even though it shows up as a device in Monitoring Center Device Page.
    Maybe this is where the problem may lie.

    IOS versions before 12.3(14)T support the following
    actions for IOS IPS:
    - alarm
    - drop (drop just the offending packet)
    - reset (reset tcp connection - works for tcp only)
    Version 12.3(14)T and later (including 12.4 versions) added support for the "local shunning" through two different actions:
    - denyFlowInline
    - denyAttackerInline
    DenyFlowInline creates an ACL that drops all traffic on that connection for a certain idle-timeout.
    DenyAttackerInline creates an ACL that drops all traffic from that source address (including other connections from that source address) for a certain idle-timeout.
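    As an added illustration (not from this post and not Cisco code), here is a small Python model of the difference between the two local-shunning actions described in this answer. It assumes only what the answer states: a denyFlowInline entry keyed on the connection's 5-tuple, a denyAttackerInline entry keyed on the source address, and an idle timeout that matching traffic refreshes. The timeout value, the addresses and the sample packets are constructed for the demonstration.

```python
"""Model of the two IOS IPS 'local shunning' actions described in the answer above.

Added illustration only, not Cisco code. It assumes exactly the semantics the
post states: denyFlowInline blocks one connection (the 5-tuple), denyAttackerInline
blocks every packet from the source address, and each dynamic entry expires after
an idle timeout that is refreshed whenever the entry matches a packet.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    @property
    def flow(self):
        # Connection identity: the classic 5-tuple.
        return (self.src, self.dst, self.proto, self.sport, self.dport)


class LocalShunTable:
    """Dynamic deny entries, keyed either by flow or by attacker address."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout   # seconds of silence before an entry is removed
        self.entries = {}                  # ("flow", 5-tuple) | ("attacker", src) -> last match time

    def deny_flow_inline(self, pkt, now):
        self.entries[("flow", pkt.flow)] = now

    def deny_attacker_inline(self, pkt, now):
        self.entries[("attacker", pkt.src)] = now

    def _expire(self, now):
        stale = [k for k, seen in self.entries.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.entries[k]

    def forward(self, pkt, now):
        """True if the packet passes, False if a shun entry drops it."""
        self._expire(now)
        for key in (("attacker", pkt.src), ("flow", pkt.flow)):
            if key in self.entries:
                self.entries[key] = now    # matching traffic keeps the entry alive
                return False
        return True


# Constructed sample traffic (private/documentation addresses, not real hosts).
ATTACK_FLOW = Packet("10.0.0.5", "192.0.2.10", "tcp", 40000, 80)
SAME_SOURCE_OTHER_FLOW = Packet("10.0.0.5", "192.0.2.10", "tcp", 40001, 22)
INNOCENT_HOST = Packet("10.0.0.6", "192.0.2.10", "tcp", 40000, 80)


def run_scenarios(idle_timeout=30):
    """Return forwarding decisions for both actions over the same sample traffic."""
    flow_tbl = LocalShunTable(idle_timeout)
    flow_tbl.deny_flow_inline(ATTACK_FLOW, now=0)
    flow_results = {
        "attack_flow_t1": flow_tbl.forward(ATTACK_FLOW, 1),
        "same_src_other_flow_t1": flow_tbl.forward(SAME_SOURCE_OTHER_FLOW, 1),
        "innocent_t1": flow_tbl.forward(INNOCENT_HOST, 1),
        "attack_flow_t40": flow_tbl.forward(ATTACK_FLOW, 40),   # idle > 30s: entry expired
    }

    atk_tbl = LocalShunTable(idle_timeout)
    atk_tbl.deny_attacker_inline(ATTACK_FLOW, now=0)
    attacker_results = {
        "attack_flow_t1": atk_tbl.forward(ATTACK_FLOW, 1),
        "same_src_other_flow_t1": atk_tbl.forward(SAME_SOURCE_OTHER_FLOW, 1),
        "innocent_t1": atk_tbl.forward(INNOCENT_HOST, 1),
        "same_src_other_flow_t25": atk_tbl.forward(SAME_SOURCE_OTHER_FLOW, 25),  # refreshes timer
        "attack_flow_t50": atk_tbl.forward(ATTACK_FLOW, 50),    # 25s since refresh: still shunned
        "attack_flow_t90": atk_tbl.forward(ATTACK_FLOW, 90),    # 40s idle: expired
    }
    return {"denyFlowInline": flow_results, "denyAttackerInline": attacker_results}


if __name__ == "__main__":
    for action, decisions in run_scenarios().items():
        print(action)
        for label, allowed in decisions.items():
            print(f"  {label:28} {'forward' if allowed else 'DROP'}")
```

    The point the model makes visible is the blast radius of each action: the flow entry only stops the offending connection, while the attacker entry also drops the same host's unrelated second connection at t=25, and because that match refreshes the idle timer, the host stays shunned at t=50 even though the original attack flow has been silent for longer than the timeout.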

  • IOS IPS SIG Updates via IDSMDC

    When using IDSMSC to push out updates for Sensors and IOS IPS devices, the signature update process pushes the updates to the sensors during the update process. However the IOS IPS devices pull their signature definitions from the server itself.
    So my question is, do you need to "Generate" and "Deploy" to all IOS IPS devices to ensure the devices are updated with the latest signature definitions after the update?
    SHM

    There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
    Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
    SC

  • IOS IPS for blocking IM and P2P

    Any recommendations on the best way to use IOS IPS to stop P2P and IM?
    I set up a 3845 with 12.3(14)T1 to do this by importing signatures from the latest SDF using SDM. I used the attack-drop, and all IM and P2P signatures I could find. I changed them all to drop and reset. I then applied it to the inside interface of a 3845. I also set up nbar with a drop policy for all P2P traffic.
    The configuration caused very slow web response time for users, including blocked pages. Removing the IPS filter made everything work properly again. The router also stopped rebooting periodically.
    Is there a recommended way to set this up that does not cause slow performance and reboots?

    OK, went back and loaded some upgraded software. Now using 12.4.1 Advanced security IOS on the 3845, and SDM 211. The new 256MB.sdf signature file has all the IM and P2P signatures in it already!
    After applying the IPS inbound on the serial interface, I changed the UDP signatures action to drop and the TCP to drop/reset.
    Everything appears to be working beautifully. Yahoo and MSN messenger get dropped, as well as the peer to peer requests. I am unable to download Bittorrent. Web access is fast, and there is no hesitation by the router in configuring the IPS.
    This appears to be a great solution so far.

  • IOS IPS

    If the IOS IPS pkg file is 7MB and after I do a copy tftp://xxx/xxx.pkg idconf, where does the file go? I don't see anything on the flash other than the .xml config files.
    Any thoughts?

    First, please take a look at http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml.
    In summary, the copy command follows this process:
    1. load the signature file from the outside server
    2. parse it and read it into memory
    3. save it out to the directory configured as the IPS location; in normal cases this would be the router flash.
    When it saves the files out, it saves them as multiple files in a compressed format; even though each has a .xml extension, it is compressed.
    Here are the files that get saved out:
    • -sigdef-typedef.xml: type definition file, defines the engine parameters etc.
    • -sigdef-category.xml: signature category file. Just a mapping file that maps the category to signature IDs
    • -sigdef-default.xml: signature file. Contains all signatures and their parameter definitions
    When managed by CSM/SDM, it will also save out a couple of other files:
    • -sigdef-delta.xml: contains all signature modification information other than the default in sigdef-default.xml
    • -seap-delta.xml: contains all the SEAP configuration changes
    • -seap-typedef.xml: SEAP type definition file.
    Thanks,
    -Chris
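    Added example (not Cisco's code and not from either post): a Python inventory of the files described in this answer and in the 'IOS IPS Automatic Signature Update' answer above. It checks whether the four sigdef files the TAC answer says are needed to replicate a signature database to another router are present, and whether each file is plain XML or a compressed blob despite its .xml extension. Neither post names the compression format, so the magic-byte table is an assumption and an unrecognised header is reported as such; the sample files are constructed in a temporary directory, not taken from a router.

```python
"""Inventory the files an IOS IPS signature load writes to its configured IPS location.

Added example, not Cisco's code. It assumes the file roles described in the two
posts (four sigdef files plus two SEAP files) and that 'compressed' means one of
the common magic-byte formats below; the posts do not say which format IOS uses,
so an unrecognised binary header is reported as 'unknown-binary'.
"""
import gzip
import os
import re
import tempfile

# <prefix>-<role>.xml, e.g. ios-ips-sigdef-default.xml
NAME_RE = re.compile(
    r"^(?P<prefix>.+)-(?P<role>sigdef-typedef|sigdef-category|sigdef-default|"
    r"sigdef-delta|seap-delta|seap-typedef)\.xml$"
)
# Minimum set needed to replicate a signature database to another router (per the TAC answer).
CORE_ROLES = ("sigdef-default", "sigdef-delta", "sigdef-typedef", "sigdef-category")
# Only needed if Signature Event Action Overrides were changed.
SEAP_ROLES = ("seap-delta", "seap-typedef")
# Assumed magic bytes; the page does not say which container IOS actually uses.
MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"BZh": "bzip2", b"\xfd7zXZ\x00": "xz"}


def sniff(path):
    """Classify a file by its leading bytes rather than trusting the .xml extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    if head.lstrip().startswith(b"<"):
        return "plain-xml"
    return "unknown-binary"


def inventory(directory):
    """Map each recognised IOS IPS file to its role and encoding; report gaps."""
    found = {}
    for name in sorted(os.listdir(directory)):
        m = NAME_RE.match(name)
        if m:
            found[m.group("role")] = {
                "file": name,
                "prefix": m.group("prefix"),
                "encoding": sniff(os.path.join(directory, name)),
            }
    missing_core = [r for r in CORE_ROLES if r not in found]
    return {
        "found": found,
        "missing_core": missing_core,
        "replicable": not missing_core,
        "seap_complete": all(r in found for r in SEAP_ROLES),
    }


def build_sample(directory):
    """Constructed sample: three gzip-compressed sigdef files, a plain-text delta, no SEAP files."""
    for role in ("sigdef-typedef", "sigdef-category", "sigdef-default"):
        with gzip.open(os.path.join(directory, f"ios-ips-{role}.xml"), "wb") as fh:
            fh.write(b"<?xml version='1.0'?><" + role.encode() + b"/>")
    with open(os.path.join(directory, "ios-ips-sigdef-delta.xml"), "wb") as fh:
        fh.write(b"<?xml version='1.0'?><delta/>")
    with open(os.path.join(directory, "sdm.tar"), "wb") as fh:   # unrelated file, must be ignored
        fh.write(b"not an ips file")


def demo():
    """Full sample set: enough to replicate, SEAP files absent."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        return inventory(d)


def demo_missing():
    """Same sample with the default signature file removed: not enough to replicate."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        os.remove(os.path.join(d, "ios-ips-sigdef-default.xml"))
        return inventory(d)


if __name__ == "__main__":
    for label, result in (("complete", demo()), ("missing default", demo_missing())):
        print(label, "replicable" if result["replicable"] else f"missing {result['missing_core']}")
        for role, info in result["found"].items():
            print(f"  {role:16} {info['encoding']:14} {info['file']}")
```

    Run against a copy of a router's IPS location, the report tells you before you distribute the files whether the set is complete and which of the .xml-named files are actually opaque blobs, which is exactly the confusion both threads describe.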

  • CSM3.1 device addition of IOS IPS router

    Upon adding an IOS IPS device running (C2800NM-ADVIPSERVICESK9-M, Version 12.4(15)T1) & 5.x-303 release signatures, CSM 3.1 does not display it as an IPS enabled device. The device in question (2821) has a stand-alone config and 5.x advanced signatures functioning properly.
    In the device properties of CSM 3.1 of said 2821, IPS is a feature but is grayed out. I have successfully added 2 ADSM modules from our 6513's and it displays them as IPS devices and I can add/deploy signatures to these devices. However, CSM 3.1 does not recognize the 2821 as an IOS IPS device and I cannot add/deploy to this device. What am I missing here?

    In this case you will need to create a new device in CSM (using the Add Device option) and discover the device for the IOS IPS policies to show up. Just doing a rediscovery of an existing IOS device will not show the IOS IPS policies. This is because CSM treats the IOS IPS device as a different target type than a IOS device.

  • IOS IPS auto-update without CSM

    Hi,
    We have 400 x 1811 routers on which we need to update the IPS signature definitions and custom signatures.
    What is the best way to do it without running CSM?
    According to Cisco documentation, we need to add the auto-update command with an .XML extension. But when we load a .pkg in a router, the output is 4 different files. Unfortunately we can auto-update only one file. Which one do I need to load on our TFTP server?
    All the examples from Cisco are using one single XML file.
    Does a single file with the signature definition, category, default and type exist?
    Since all our routers have the same IPS config, I thought I could use one router at the central office with the configuration we want, and somehow ask the remote routers to auto-update their XML file from that router, on which I would have activated a TFTP server.
    Has anyone ever had to upgrade a lot of routers' IOS IPS signatures?

    This can now be done in the 15.1T branch using cisco.com to download the update directly, see :
    http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html#wp1040750
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue.html#wp1137583

  • No S284 or S285 sigs for the IOS IPS?

    Cisco released S284 and S285 this week, but for IOS IPS in Mainline and T-Train Releases prior to 12.4(11)T, there are no updates on CCO. Has signature update support for prior to 12.4(11)T stopped? Did I miss an End of Life notice? If not, how long DO I have to get on the new 12.4(11)T and later train?
    See for yourself (link taken from the Cisco IPS Active Update Email):
    http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup

    For some reason, I cannot access the above link, so the problem may have been fixed already. This was related to a scripting issue; we are and will continue to support signature updates for Mainline and T-Train Releases prior to 12.4(11)T till June 2008.
    kemal

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • Problem with iOS 6 new app banner

    In iOS 6, newly downloaded apps will have a banner saying new. I have this blue banner too, it's just that I do not have the new button. Is this a bug or something?

    Sorry, my mistake. When you download a new app, there will be a new banner. I have that banner, it's just that mine doesn't say new. Just a blue banner at the side.

  • Payload ios ips

    Is there any way to view the packet payload of captured alerts from IOS IPS?

    So IOS IPS can't do this? It seems that there are a lot of limitations with it.
