IOS IPS - Sig 4050 UDP Bomb apparent false alarms?

Hi,
I'm trying the IOS IPS solution out in a lab environment and I seem to be getting lots of false alarms on sig 4050 - UDP bomb. Looking at the signature description via go/mysdn, and looking at it's configuration on the router via SDM, I can see it is simply looking for small UDP packets. But I don't know what size (The parameter is named ShortUDPLength and it's set to True).
All NTP traffic kicks of this signature. Using Ethereal to capture the NTP exchange, I see that the communication in each direction is a single packet. The layer 2 frame lenght is 90 bytes. The UDP data length is 56 bytes. All of this seems fine. The NTP server is a Cisco router. The NTP client is running on a Windows 2000 workstation.
Also, any TFTP to/from the router with IPS enabled also triggers the alert. Specifically it is the Ack's from the TFTP server that trigger the alert. They are indeed small packets - the UDP data size is only 12 bytes.
Note, this same traffic does not cause alerts from a 5.0 IPS sensor. Looking at the signature definition on the sensor, it doesn't have a parameter named SnortUDPLength. Instead it has a parameter named udp-length-mismatch which is set to true. This doesn't seem to be keying off of a particular data size, but instead conflicting reports in the UDP header compared to the actual packet size.
Any information that anyone could provide to shed light on this subject would be appreciated. Such as:
1) Do you find that IOS IPS sig 4050 false alarms are common?
2) What is the UDP data length that triggers the alert? It has to be bigger than 90 bytes!
3) Does Cisco have any recommendations on what to do with this built in signature?
Thanks,
KEP

On the sensor appliance side, the udp-length-mismatch checks for discrepancies between the ip header length and udp length of the packet. You were dead on, the signature triggers when the UDP length specified is less than the IP length specified. I'm not positive of exactly what the IOS ShortUDPLength parameter is.
You provided some valuable information in that the same traffic doesn't trigger the alerts on the appliance, so we know that this is not the signature, but rather the implementation of it in IOS.
I'm taking a bit of a leap here not knowing what IOS version you are running, but I'm guessing you may be running into CSCeh32935. The title states multicast, but the bug is not limited to just multicast traffic. This affectes some 12.3T releases and early 12.4. Looks like 12.4(2)T or higher has fixes implemented.
Since you're in a lab environment, I'd go ahead and upgrade the IOS on the router and see if that doesn't resolve the issue. If it's still there, open up a TAC case, and they'll be able to recreate the issue and file a new bug if neccessary.

Similar Messages

  • IOS IPS Sig Updates

    It seems like whenever there is an IDS sensor/appliance update for defending against the latest virus/worm but there is no update for IOS IPS signatures.
    Case in point - on June 3 there was an IDS update for W32/Bobax.worm.o S174. The IOS IPS zip file as of today is S169 from May 25, What gives?
    Also, why isn't their any release notes for the IOS IPS zip files to document what was added? That way we can read it to judge if we need to download the zip file or not.

    There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
    Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
    SC

  • IOS IPS SIG Updates via IDSMDC

    When using IDSMSC to push out updates for Sensors and IOS IPS devices, the signature update process pushes the updates to the sensors during the udate process. However the IOS IPS devices pulls their signature definitions from the server itself.
    So my question is, do you need to "Generate" and "Deploy" to all IOS IPS devices to insure the devices are updated with the latest signature definitions after the update?
    SHM

    There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
    Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
    SC

  • IOS IPS Restore Deleted Signatures

    I have a router with IOS IPS and manage this using SDM.
    I have deleted a signature from the router and would now like to re-install it.
    Using SDM import feature I have looked for the deleted signature in the 256mb.sdf that I've downloaded from the Cisco website. It doesn't appear in the list of signatures. I've tried the attck-drop.sdf and the local ios sdmips.sdf but the signature is not listed.
    does anyone have any idea how I can get it back?
    The deleted signature is 4050 UDP Bomb.
    Thanks

    4050 UDP bomb is a built-in signature within the IOS. Some 100 odd signatures (version dependent) are loaded into the router by default when your IOS has the IDS image. Look under the ATOMIC.UDP signatures for 4050.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm#wp1000985
    You may be able to re-enable your signature using the following command on the CLI.
    "no ip audit signature 4050 disable"
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_d1g.htm#wp1073162

  • IOS IPS Signature-File

    Hi Guys,
    We have recently purchased a Cisco ISR 2921,  and on its docs it is writen that this product has a License for IOS IPS Signatrue File,  but on the product Flash Memory there is no  IOS IPS Sig-File.   and while i try to download the sig-file from Cisco, it fails.
    Can any one tell me where is an alternate way to download the sig-file ?

    900 active signatures is quite much for a system that has no dedicated IPS-ressources.
    But you can controll which and how many signatures get enabled on your router:
    In the following example I first disable all signatures and enable the ones for web-servers. So just decide which signatures you need. But don't forget to monitor your router-ressources.
    gw#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    gw(config)#ip ips signature-category
    gw(config-ips-category)#?
    IPS signature category configuration commands:
      category  Category keyword
      exit      Exit from Category Mode
      no        Negate or set default values of a command
    gw(config-ips-category)#category ?
      adware/spyware                Adware/Spyware (more sub-categories)
      all                           All Categories
      attack                        Attack (more sub-categories)
      configurations                Configurations (more sub-categories)
      ddos                          DDoS (more sub-categories)
      dos                           DoS (more sub-categories)
      email                         Email (more sub-categories)
      instant_messaging             Instant Messaging (more sub-categories)
      ios_ips                       IOS IPS (more sub-categories)
      l2/l3/l4_protocol             L2/L3/L4 Protocol (more sub-categories)
      network_services              Network Services (more sub-categories)
      os                            OS (more sub-categories)
      other_services                Other Services (more sub-categories)
      p2p                           P2P (more sub-categories)
      reconnaissance                Reconnaissance (more sub-categories)
      releases                      Releases (more sub-categories)
      specially_licensed_signature  Specially Licensed Signature (more sub-categories)
      telepresence                  TelePresence (more sub-categories)
      uc_protection                 UC Protection (more sub-categories)
      viruses/worms/trojans         Viruses/Worms/Trojans (more sub-categories)
      web_server                    Web Server (more sub-categories)
    gw(config-ips-category)#category all
    gw(config-ips-category-action)#retire true
    gw(config-ips-category-action)#exit              
    gw(config-ips-category)#category web_server
    gw(config-ips-category-action)#?
    Category Options for configuration:
      alert-severity   Alarm Severity Rating
      enabled          Enable Category Signatures
      event-action     Action
      exit             Exit from Category Actions Mode
      fidelity-rating  Signature Fidelity Rating
      no               Negate or set default values of a command
      retired          Retire Category Signatures
    gw(config-ips-category-action)#retired false
    gw(config-ips-category-action)#exit
    gw(config-ips-category)#exit
    Do you want to accept these changes? [confirm]
    gw(config)#
    gw(config)#exit
    gw#sh ip ips configuration | s IPS Signature Status
    IPS Signature Status
        Total Active Signatures: 131
        Total Inactive Signatures: 4370
    gw#
    I didn't follow the thread and answered your first post to have less line-breaks in this post.

  • IOS IPS Important Notice - UPDATED

    IOS IPS customers running version 12.4T, 15.0M, or 15.1M - a critical software defect has been identified which may cause your router to reload and be stuck in a boot loop if IOS IPS signature version S639 or later is installed on the device. Recovery of impacted devices is possible only via a serial console connection through the device's ROMMON mode. For customers who are using IOS IPS signatures S638 or earlier, there is no issue. Customers wishing to upgrade the IOS IPS signature version to S639 or later must first be running a fixed version of IOS on the device prior to upgrading the IPS signatures.  Fixed versions of IOS include: 15.2(4)M, 15.1(3)T4, 15.2(3)T1, 15.1(4)M5, 12.4(24)T8 and later. Please refer to defect CSCtz27137 for additional details and steps to recover impacted devices.
    If you have upgraded your version of IOS to 15.2(4)M, 15.1(3)T4, 15.2(3)T1, 15.1(4)M5, 12.4(24)T8 or later you can obtain the most recent signature updates by  contacting the Cisco TAC

    What is the most recent version of IOS IPS sig file that TAC can supply?
    I'm running IOS 15.2(4)M1 and, per your suggestion above to contact TAC for the most recent signature update, I requested a later version of IPS sig than S636.
    I was simply referred back to the standard download page and IPS sig file S636.

  • No S284 or S285 sigs for the IOS IPS?

    Cisco released S284 and S285 this week, but for IOS IPS in Mainline and T-Train Releases prior to 12.4(11)T, there are no updates on CCO. Has signature update support for prior to 12.4(11)T stopped? Did I miss an End of Life notice? If not, how long DO I have to get on the new 12.4(11)T and later train?
    See for yourself (link taken from the Cisco IPS Active Update Email):
    http://www.cisco.com/cgi-bin/tablebuild.pl/ios-sigup

    For some reason, I can not access above link, so
    the problem may have been fixed already. This
    was related to a scripting issue, we are and will continue to support signatures updates for Mainline and T-Train Releases prior to 12.4(11)T
    releases till June 2008.
    kemal

  • IOS IPS basics

    I'm pretty new to managing IPS. My co is looking at deploying a large number of this and i'm suppose to manage it. i got a few questions
    1. are the available signature in default IOS IPS enough? i fired rentina to an old redhat version OS but i find that the results from IOS IPS is pretty generic.it detects non valid http traffic over ssl but not the vulnerablities used, and it does even detects nmap non tcp port scanning
    2.do you recommend using the default IOS IPS signatures ? if no, any recommendations & standards to follow ?
    3. Any guidance on custom signature development on IOS IPS ?
    4. Any method to manage large numbers of IOS IPS rules/singatures on a single console ? So i can push the signature from a single console to each and every routers. if not, it is possible to copy the signature folders over all the routers to get the same sets on signature on the routers?
    Appreciate any useful informations. Thanks in advance

    1. The Built-in signatures are pretty old and mostly worthless, you may want to disable them and use the latest Signature File available for the IOS-IPS. Your memeory will be the constraining factor as to how many signature you can have enabled.
    2. The signature defaults are a starting place. You will have to spend time doing the analysis of events to see if they're false positives (and many will be) and tune them down, or more likely disable them.
    3. Each signature engine has a fixed 64MB of memory. Turn on too many within that engine (including your custom sigs) and you won't get any. Watch the console log when enabling IPS to see if your build is failing. Some sigs eat more memory than others.
    4. If you have money to burn you can buy Cisco's CSM 3.1, or else keep your signature file(s) on an FTP/TFTP/SCP server and copy them to your routers as needed.

  • IOS IPS - Reset Conection

    Hi,
    IOS IPS was configured to only generate alert. During testing it was observed that the IPS was reset in giving connections.
    log below:
    *Oct 10 14:30:29: %IPS-6-SEND_TCP_PAK: Sending TCP packet:(X.X.X.X:433)=>(y.y.y.y:63170),tcp flag:0x4, pak:0x2166449C, iso:0x3D5C7160,tcp seq:0x0, tcp ack:0x0, tcp_window:8192, ip_checksum:0x44B8, Serial0/0/0.1,feat_flags:0x10000, fast_path(no)
    Some time ago cisco identified a bug in earlier versions. After opening some TAC, suggested upgrading the IOS and subscription packages.
    Cisco recommendation below:
    IOS Version : c2900-universalk9-mz.SPA.153-3.M.bin
    Packet sig: OS-S744-CLI.pkg
    Configuration Cisco Router
    ip ips config location flash:ips retries 1
    ip ips notify SDEE
    ip ips name iosips
    ip ips signature-category
      category all
       retired true
      category ios_ips basic
       retired false
       event-action produce-alert
    Could anyone tell how to solve this problem?
    BestRegards
    Rodolfo Navero

    But it will make the warnings go away, right?
    but still see the reset command sh ip ips statics.
    It seems the problem is in the subsystem of the feature.
    I used up the hidden command on the router, but not solved the problem.
    csdb tcp  reassembly max-queue-length
    Interfaces configured for ips 1
    Session creations since subsystem startup or last reset 240
    Current session counts (estab/half-open/terminating) [7:17:0]
    Maxever session counts (estab/half-open/terminating) [10:59:1]
    Last session created 00:00:01
    Last statistic reset 00:04:15
    TCP reassembly statistics
      Out-of-order packets dropped 0
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    I performed some tests.
    When I make disable all signatures, presents no reset.
    However when I enable a single signature, the reset continues.
    I believe Cisco has a bug in the compilation of feature
    sh ip ips statistics
    Interfaces configured for ips 1
    Session creations since subsystem startup or last reset 0
    Current session counts (estab/half-open/terminating) [4:3:0]
    Maxever session counts (estab/half-open/terminating) [4:3:0]
    Last session created 00:23:36
    Last statistic reset 00:15:40
    TCP reassembly statistics
      Out-of-order packets dropped 0
    Regards
    Rodolfo Navero

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier becasue it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wron "warnings" that CSM spews.
                   Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • IOS IPS for blocking IM and P2P

    Any recommendations on the best way to use IOS IPS to stop P2P and IM?
    I set up a 3845 with 12.3(14)T1 to do this by importing signatures from the latest SDF using SDM. I used the attack-drop, and all IM and P2P signatures I could find. I changed them all to drop and reset. I then applied it to the inside interface of a 3845. I also set up nbar with a drop policy for all P2P traffic.
    The configuration caused very slow web response time for users, including blocked pages. Removing the IPS filter made everything work properly again. The router also stopped rebooting periodically.
    Is there a recommended way to set this up that does not cause slow performance and reboots?

    OK, went back and loaded some upgraded software. Now using 12.4.1 Advanced security IOS on the 3845, and SDM 211. The new 256MB.sdf signature file has all the IM and P2P signatures in it already!
    After applying the IPS inbound on the serial interface, I changed the UDP signatures action to drop and the TCP to drop/reset.
    Everything appears to be working beautifully. Yahoo and MSN messenger get dropped, as well as the peer to peer requests. I am unable to download Bittorrent. Web access is fast, and there is no hesitation by the router in configuring the IPS.
    This appears to be a great solution so far.

  • IOS IPS message

    hi,
    I enabled IOS IPS with SDM v2.4.1, and show following message repeatedly
    platform: 2821
    IOS:c2800nm-adventerprisek9-mz.124-11.T2.bin
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)
    *Jul 25 06:18:22.827: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - mars-category)
    *Jul 25 06:18:22.831: %IPS-3-UNKNOWN_NAME: Unknown name (var xml element - vulnerable-os)
    I try it again with CLI , but no message like that.
    Q2:
    I enabled ios_ips basic, retired false and enabled true , but in SDM--ios_ips--basic many signatures didn't enabled and retired true.
    my configuration as follow,
    ip ips signature-category
    category ios_ips basic
    category all
    retired true
    category ios_ips basic
    retired false
    enabled true
    thanks.

    SDM need 12.4(11)T2 or later image to support IOS IPS in 5.x signature format due to some issues in IOS.
    For 12.4(11)T1, the best option is to use CLI for now.
    Also please refer http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml
    Thanks,
    -Chris

  • Payload ios ips

    anyway to view packet payload of captured alerts from ios ips ?

    so IOS ips can't to do this ? seems that there are a lot of limitations with it

  • Correct procedure to update IOS IPS signatures on 2911 router

    What is the correct procedure to update the IOS IPS signatures on an 2911 router?
    I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
    Thank you in advance!

    The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling a lot more other signatures, especially not every single signature as documented.
    The reason why is because the package might include retired/old signatures only for references, and not every single signature is required to protect your environment because you might not have the traffic for some signatures, you might not have some end hosts that are written with specific signatures, therefore, it becomes irrelevant if you enable it.
    Typically here is how customer would enable/disable signatures:
    - Use the default signature that is enabled by Cisco (the default should fit majority of the customers).
    - Monitor it for a couple of months
    - Disable those that you don't need, and enable others if you think you require it for specific.

  • Which interface to apply IOS IPS

    Hello,
    I have IOS IPS installed on 4 routers on our network at different sites.  They are 2911 routers, with 2GB ram and i am using the latest signatures from cisco.  Everything is working fine.  I have enabled the basic signatures.  At the moment the ips policy is only applied to the wan interface and not the lan. So in summary:
    interface serial0/0     (wan link)
    ip address x.x.x etc
    ip ips mypolicy in
    ip ips mypolicy out
    exit
    According to cisco i should not bother applying ip ips mypolicy out on the wan interface (serial0/0) but should have ip ips mypolicy in on the fa0/0
    lan interface aswell as the serial0/0 interface.
    interface fa0/0          (lan traffic)
    NO IPS POLICY IN HERE AT THE MOMENT
    anyone got experience on this?
    regards
    Kevin

    Hi Kevin,
    I would say that you have done the right thing, since router are limited in memory we should not enable a lot of signatures and also try to limit the scanning to traffic that we actually need to be scanned.
    In what you have done any traffic that in entering or leaving the WAN interface will be scanned.
    Now if there are more interfaces on your router and you want the traffic between the interfaces to be scanned as well in that case only you should enable IPS on those interfaces.
    Most of the times it is not needed.
    Regards,
    Sachin

Maybe you are looking for