IOS IPS Restore Deleted Signatures

Similar Messages

• IOS IPS Not loading signatures

  My IPS will not load the signatures.

  Please refer to the step by step guide for loading IPS signature to your router from below link
  http://www.cisco.com/c/en/us/products/collateral/security/ios-intrusion-prevention-system-ips/prod_white_paper0900aecd805c4ea8.html

• IOS IPS - only 3 Signatures...

  Hi,
  I have a 2801 running Advanced IP Services version 12.4(24)T.
  I have enabled the IOS_IPS feature but in looking at the IP IPS ALL command I see only 3 signatures enabled.
  I was reading the docs and was going to download the 128.SDF sinature file to the router - but it is too large for my 64Meg of flash.
  I expected to see a SDF file somewhere in the flash - but I cannot find it.
  What should I be doing at a minimum to get basic IPS running?
  Why do all the Micro Engine Signatures show INACTIVE?
  Any help would be appreciated.

  The base SDF signature file has a very limited signature base. You'll need to increase your flash if plan to put this into production. You probably have a directory in flash where the pkg files are stored. Here's a great guide that I used to get IPS working.
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html
  Hope that helps.

• IOS IPS remove a signature syntax

  What is the CLI syntax to not include an IPS signature. Like I want to remove the 2001 sig from the built-in.sdf

  You can use the IDM to disable or enable a signature... Not sure of the CLI command... IDM or VMS will be the easiest way of configuring IPS.
  Hope this helps...
  Raj

• IOS IPS SIG Updates via IDSMDC

  When using IDSMSC to push out updates for Sensors and IOS IPS devices, the signature update process pushes the updates to the sensors during the udate process. However the IOS IPS devices pulls their signature definitions from the server itself.
  So my question is, do you need to "Generate" and "Deploy" to all IOS IPS devices to insure the devices are updated with the latest signature definitions after the update?
  SHM

  There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
  Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
  SC

• Is there a way to automate IOS IPS signature updates without CSM?

  I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
  I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier becasue it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
  Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wron "warnings" that CSM spews.
                 Thanks in advance!

  From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
  Here is the configuration guide for your reference:
  http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

• Correct procedure to update IOS IPS signatures on 2911 router

  What is the correct procedure to update the IOS IPS signatures on an 2911 router?
  I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
  Thank you in advance!

  The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling a lot more other signatures, especially not every single signature as documented.
  The reason why is because the package might include retired/old signatures only for references, and not every single signature is required to protect your environment because you might not have the traffic for some signatures, you might not have some end hosts that are written with specific signatures, therefore, it becomes irrelevant if you enable it.
  Typically here is how customer would enable/disable signatures:
  - Use the default signature that is enabled by Cisco (the default should fit majority of the customers).
  - Monitor it for a couple of months
  - Disable those that you don't need, and enable others if you think you require it for specific.

• IOS IPS Signature-File

  Hi Guys,
  We have recently purchased a Cisco ISR 2921,  and on its docs it is writen that this product has a License for IOS IPS Signatrue File,  but on the product Flash Memory there is no  IOS IPS Sig-File.   and while i try to download the sig-file from Cisco, it fails.
  Can any one tell me where is an alternate way to download the sig-file ?

  900 active signatures is quite much for a system that has no dedicated IPS-ressources.
  But you can controll which and how many signatures get enabled on your router:
  In the following example I first disable all signatures and enable the ones for web-servers. So just decide which signatures you need. But don't forget to monitor your router-ressources.
  gw#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  gw(config)#ip ips signature-category
  gw(config-ips-category)#?
  IPS signature category configuration commands:
    category  Category keyword
    exit      Exit from Category Mode
    no        Negate or set default values of a command
  gw(config-ips-category)#category ?
    adware/spyware                Adware/Spyware (more sub-categories)
    all                           All Categories
    attack                        Attack (more sub-categories)
    configurations                Configurations (more sub-categories)
    ddos                          DDoS (more sub-categories)
    dos                           DoS (more sub-categories)
    email                         Email (more sub-categories)
    instant_messaging             Instant Messaging (more sub-categories)
    ios_ips                       IOS IPS (more sub-categories)
    l2/l3/l4_protocol             L2/L3/L4 Protocol (more sub-categories)
    network_services              Network Services (more sub-categories)
    os                            OS (more sub-categories)
    other_services                Other Services (more sub-categories)
    p2p                           P2P (more sub-categories)
    reconnaissance                Reconnaissance (more sub-categories)
    releases                      Releases (more sub-categories)
    specially_licensed_signature  Specially Licensed Signature (more sub-categories)
    telepresence                  TelePresence (more sub-categories)
    uc_protection                 UC Protection (more sub-categories)
    viruses/worms/trojans         Viruses/Worms/Trojans (more sub-categories)
    web_server                    Web Server (more sub-categories)
  gw(config-ips-category)#category all
  gw(config-ips-category-action)#retire true
  gw(config-ips-category-action)#exit              
  gw(config-ips-category)#category web_server
  gw(config-ips-category-action)#?
  Category Options for configuration:
    alert-severity   Alarm Severity Rating
    enabled          Enable Category Signatures
    event-action     Action
    exit             Exit from Category Actions Mode
    fidelity-rating  Signature Fidelity Rating
    no               Negate or set default values of a command
    retired          Retire Category Signatures
  gw(config-ips-category-action)#retired false
  gw(config-ips-category-action)#exit
  gw(config-ips-category)#exit
  Do you want to accept these changes? [confirm]
  gw(config)#
  gw(config)#exit
  gw#sh ip ips configuration | s IPS Signature Status
  IPS Signature Status
      Total Active Signatures: 131
      Total Inactive Signatures: 4370
  gw#
  I didn't follow the thread and answered your first post to have less line-breaks in this post.

• IOS IPS Signature Updates

  Hi,
  Is it possible to update signatures for IOS IPS or do we need to update the IOS to get more signatures?
  Thanks and rgds
  Rajesh

  hi,
  if you have cisco sdm, then it would be easy to update your IOS IPS signatures. You may need to upgrade IOS of the router only when the ips signature requires you to do it.

• IOS IPS Signature description

  I would like to "fine tune"  category ios_ips advanced  (or basic) on IOS IPS.
  Clearly ISR G2 is not able to support as many active/enabled signatures as we'd like to so it would be nice to choose ones we actualy need.
  Does anyone have table with signature descriptions so one can easily choose?
  I found web site totaly inpractical... sorry cisco guys...
  Please help !

  If you are using IME, there is a way to export a list of signatures. I have done this with the IPS 4255 and it might be the same for IOS IPS.
  Under Configuration, go to Policy -> Signatures -> All Signatures. There is a function to Export the list of signatures, in either HTML or CSV format.

• IOS IPS Signatures for password guessing?

  I recently experienced a password-guessing attack. The inside Windows server's security was pretty well useless in stopping the attack (block, yes; stop, no), because the user ID kept changing, and Windows account lockout ignores source addresses. In this case, it was FTP, and I found an IPS signature for that, but it got me to thinking:
  There don't seem to be password-guessing signatures for RDP, HTTP, HTTPS, or SSL. Granted it may not be practical for HTTPS and SSL, but what about the other two? Should we consider rolling our own?

  You can configure custom signatures for IOS IPS using Security Monitor which is part of VMS. Below is a doc on how to do this:
  http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f44.html#xtocid9
  Also try this link for Cisco Security Advisory
  http://www.cisco.com/en/US/products/products_security_advisory09186a008055dbdd.shtml

• IOS IPS Automatic Signature Update

  I will use cisco1941w.
  I'd like to know, how to configure at CLI and where is the URL.
  Is the bellow correct?
  CLI
  Router(config)# ip ips auto-update
  Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
  Router(config-ips-auto-update)# url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
  Router(config-ips-auto-update)# username XXX password XXX
  URL
  https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

  Hello,
  A. Hete is what the six files do:
  • ios-ips-sigdef-default.xml: contains all the factory default signature definitions
  • ios-ips-sigdef-delta.xml: contains signature definitions that have been changed from the default
  • ios-ips-sigdef-typedef.xml: is a file that has all the signature parameter definitions
  • ios-ips-sigdef-category.xml: has all the signature category information, such as category ios_ips basic and advanced
  • ios-ips-seap-delta.xml: contains changes made to the default SEAP parameters
  • ios-ips-seap-typedef.xml: contains all the SEAP parameter definitions
  B. So the signature file (.pkg) is decompressed into these files and then 'idconf' loads them in memory.
  Hence to copy signature database of one router to the other, we need to copy atleast first 4 files.
  You only need to distribute the SEAP configuration if you modified any of the Signature Event Action Override configuration:
  We do not have one single file that contains all the signatures.  The signature package is installed in a certain way.
  Hence we will need atleast first 4 files to copy of signature database from one router to the other.
  C. Secondly, I dont know if auto-update will accept a file in .xmz package, I have not tested this.
  But I am guessing it will look for a .pkg file and decompress it.
  With copying a .xmz file, you may have to manually load it into memory using 'idconf' command.
  D. Hence there is no one single configuration file that you copy off the external ftp server.
  I guess, the only thing you can do is to have different routers update signatures at different times to reduce load on the network.
  It is also not necessary to check for signature updates every hour.
  Normal rate of adding new signature releases is every few days, so even if you check around once a day that should be ok.
  Sid Chandrachud
  TAC Security Solutions
  Customer support engineer

• IPS Signature DataBase - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM

  Hi,
  Can anyone briefly tell me the signature database details (No of Signature) among the following devices,
  -->ASA IPS/IOS IPS/IPS 42xx/AIP-SSM.
  Thanks,

  IPS on ASA/PIX = just 50 or so common signatures
  AIP-SSM module = same signatures as Cisco 4200 series sensors. Little minor differences exist (like IPv6 signature support etc.)
  Please rate if helpful.
  Regards
  Farrukh

• Cisco IOS IPS - How to manage signatures?

  Hello everyone,
  I'd like to efficiently tune signatures in IOS IPS on one router, a 1941. Available options I found are:
  CLI: not efficient to tune a group of signatures (example: Windows OS)
  CCP 2.7 (Windows GUI): best tool I know, but not efficient, since:
  a bit bugged (sometimes won't work on some computers)
  needs IE9 to work fine, thus excluding its use on W8/W8.1
  turnaround to use onIE10/IE11 won't always work (one computer refuses to keep compatibility view settings, for example)
  not able to efficiently sort signatures, using several criteria (main drawback)
  not able to exclude sets of signatures - like compile failed signatures
  CCP 2.8: only available in express version. I installed it, but did not see a tab about signature tuning ...
  Cisco Security Manager is complete overkill, since it needs a license and a server. Not simple to tune IPS on only one router ;-)
  IPS Manager Express: seems a nice tool, but mainly designed for IPS sensors and firewalls, and not able to tune signatures for a router.
  So, if one of you has an idea about a tool, whether Cisco or 3rd party, running preferably on Windows, it is very velcome!
  Thanks!

  Hello Will,
  I have only played with the CLI and with that I was able to selective enable the signatures I wanted (even using the sub-id intentifier), changed the action,compile the ones required, etc.
  If this is what you are looking for when refering to tune signatures CLI will be fine, if more than that is needed well you have all of the software that you could use.
  No other software available
  Looking for some Networking Assistance? 
  Contact me directly at [email protected]
  I will fix your problem ASAP.
  Cheers,
  Julio Carvajal Segura
  http://laguiadelnetworking.com

• IOS IPS/IDS on a BGP Peering Router?

  We have a pair of BP peerings between our network and our upstream service provider.  Since the peering points are geographically distributed and we run a "cold potato" routing policy on our network we cannot guarantee symmetric routing for traffic exchanged with our upstream service provider.
  Yesterday we followed the bouncing ball through the IPS/IDS setup documentation on a Cisco 2901 running 15.2(4)M3 and acting as a BGP speaking peering router at one of our peering points.  Immediately the router started throwing %IPS-6-SEND_TCP_PAK and %IPS-6-TIMEOUT_EVENT messages in the logs.  We also observed that some upstream service provider web sites became inaccessible to our users.  Turning off IPS/IDS on the 2901 restored connectivity for our users to those web sites.
  Three questions:
  Do the default Cisco IOS IPS/IDS rules assume that the router will see both sides of each TCP session?
  Does the Cisco IOS IPS/IDS TCP stream reassembly assume an attack and send TCP RST frames when it doesn't see both sides of a TCP session?
  Should we move the Cisco IPS/IDS functionality from the BGP-speaking routers at peering points to our customer sites, as the customer sites are the only places in our network guaranteed to see both sides of a given TCP session?  (We already perform NAT on the customer site routers for that reason.)

  Hello Bill,
  1) Yes, there are some normalizer functions on some IOS-IPS signatures that will behave like that with this scenarios (Asymetric routing not something good to any kind of security device)
  2) Yes, it will close the connections, I will definetly need to look for specific actions regarding that but you could just check the IOS IPS Signature statistics  on your router , see which is the one triggering the most and then see the action configured for it (and change it if required)
  3) If you cannot change that behavior then it would be safe to tell the router is not a good place to set an IPS or any other kind of firewall configuration unless you set with a weaker security policy (useless from a security standard point of view)
  Check my blog at http:laguiadelnetworking.com for further information.
  Cheers,
  Julio Carvajal Segura