IPS Signature DataBase - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM

Similar Messages

• IPS Signature Engine

  Hello,
  While Checking IPS signature database, i noticed that there is a column named engine.
  Some signatures are Atomic IP, others Normalizer, i don't know if there is a third value.
  but what do that values means?
  One more question, if a signature Action is set to "block attacker inline" it do block the attacker address IP for a one hour right?
  Also is there a way to know from IPS what are the group of IP's blocked for one hour and when??

  First, let me clarify the differences between blocking actions and deny actions:
  block - relies on an external device, such as a firewall or router, to implement the action via a shun or ACL entry
  deny - performs the action directly on the IPS sensor, requires the sensor to be configured for inline operation
    All of the output provided in the output of the 'show statistics network-access' relates to block actions. 'AllowSensorBlock' is a parameter that allows the IPS sensor to add its management IP address to a requested block action; this is not usually recommended.  To adjust the timeout for blocks to remain active you would make use of the 'global-block-timeout' command from the CLI:
  sensor# configure terminal
  sensor(config)# service event-action-rules rules0
  sensor(config-rul)#
  sensor(config-rul)# general
  sensor(config-rul-gen)# global-block-timeout 30
    The timeout is specified in minutes.
    For deny actions you can adjust the timeout using the 'global-deny-timeout command:
  sensor# configure terminal
  sensor(config)# service event-action-rules rules0
  sensor(config-rul)#
  sensor(config-rul)# general
  sensor(config-rul-gen)# global-deny-timeout 1800
    The timeout is specified in seconds.
    To adjust timeouts using the IDM GUI, please reference this documentation link:
  http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/idm/idm_event_action_rules.html#wp2039284
    You can monitor active blocks from the CLI using the 'show statistics network-access' command.
    You can monitor active denies from the CLI using the 'show statistics denied-attackers' command.
    To monitor blocks and denies using the IDM GUI, please reference this documentation link:
  http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/idm/idm_monitoring.html
    There is not a direct method within the sensor to view historical block/deny lists.
  Scott

• IPS Signature Dynamic Update

  Hello,
  I need to know what type of privilege I need to use IPS Signature Dynamic Update.
  Thank

  Since the IPS dynamic update is accessed from the Admin tab, only the accounts having Admin privilege can change/modify the dynamic update settings, Here is a description of the various user roles in CS-MARS (taken directly from the user guide):
  •Admin: has full use of the MARS.
  •Notification Only: for a non-user of the MARS appliance, use this to send alerts to people who are not administrators, security analysts, or operators.
  •Operator: has read-only privileges.
  •Security Analyst: has full use of the MARS, except cannot access the Admin tab
  Hope this helps

• Best practices for using Normalizer in ASA and in AIP-SSM

  Both PIX OS 7.x and IPS 5.x software have a concept of "traffic normalization". PIX OS on ASA can do virtual reassembly, IPS on SSM (so far as I know) can do physical reassembly and fragmentation of IP packets. Also, both ASA and SSM can do TCP normalization. For example, they both can "check inconsistent retransmissions" and protect against "TTL evasion attacks". I realize that PIX OS has only basic normalization functions and the SSM is much more configurable.
  The question is: what are the best practices here? Is it better to disable some IP/TCP PIX OS checks / IPS signatures on ASA and/or SSM? Is it better to use just SSM for traffic normalization? Does anybody has personal experience here?
  Also, there is a BugID CSCsd04327 - "ASA all out of order packets are dropped when sending to ssm"
  "When ips ssm is inline slowness is reported. show service-policy shows that the number of out of order packets reported match exactly the number of no buffer drops (even with queue-limit option). Performance hit is not the result of tcp normalization (on IPS 5.x ssm) in this case, but rather an issue with asa normalizer."
  To me it seems to be more logical to have normalization function on the firewall, but there may be drawbacks in doing this.
  So, those who're using ASA with SSM, please share your experience.
  Thx.

  Yes, this is almost correct ;)
  TCP SRP (Stream Reassemly Processor) is turned OFF on the SSM and cannot be enabled, contrary to 4200 appliances, but IP FRP (Fragmentation Reassembly Processor) is functioning on the SSM.
  The testing of 7.2(1) shows the following:
  When you configure "policy-map" to send packets to the SSM the "tcp-map" parameter "queue-limit", which has the value of zero by default, is set to an X (the X is unknown). This means that the ASA now only accepts the TCP segments which are sent in the correct order. More specifically, the gaps in SEQs are not allowed anymore. When for example, the ASA receives a TCP segment which has a SEQ within the window, but the previous TCP segment has been lost, it sends an ACK to the sender to enforce retransmition of the lost segment. As a result the sender retransmits both segments. Only after that the ASA forwards both segments to the SSM. This basically means that SSM always sees in-order TCP segments. That it is why SRP is not needed on the SSM.
  There are at least two problems however.
  The first problem is the performance impact.
  ASA now acts almost like a proxy. And, so far as I know, it doesn't support SACK (Selective ACKs). First, when the ASA does TCP SEQ randomization it doesn't change SEQ values within the SACK TCP Option. This simply breakes SACK. Second, even if you turn randomization mechanism OFF, then, I believe, the ASA will not selectively ACK the lost TCP segments, as it simply doesn't support this mechanism.
  The second problem is THE SECURITY HOLE.
  By default the ASA doesn't check TCP checksums. The 4200 appliances do check by default. But as we now know the SRP is turned OFF on the SSM... So, this means that SSM module can easily be evaded. The hacker only needs to mix attacking traffic with the random TCP segments that have bad TCP checksum. The SSM module will see the mixture of the two and will not recognize the attack. The target host will drop TCP segments with the bad checksums and see only attacking traffic... This has been successfully verified in the lab.
  Of course, this security hole can be closed with the "tcp-map" parameter "checksum-verification", but it will definitely has performance impact.
  The last note: All of the above has never been documented by Cisco. So, use at your own risk, etc.
  I hope, you will read this message, Marcoa. All of this MUST be documented. Once again, the default behaviour of the ASA opens up a big security hole.
  Regards,
  Oleg Tipisov,
  REDCENTER,
  Moscow

• AIP-SSM crash during S389 Signature upgrade

  Our AIP-SSM [version 6.1(2)E3] crashed during a S389 Signature upgrade on Friday. Neither a "session 1" command from its host, an ASA5520, or a "reload" command of the ASA5520 succeeded in bringing back up the AIP-SSM. Fortunately, after the ASA's power was recycled, the AIP-SSM successfully booted, albeit not to S389, but to its previously loaded S383. I established an SR and supplied the "show tech" and "show config," but the Cisco tech replied "nothing stands out" in them and said just run the S389 update again and send the same info if it crashes. I have several problems with that approach: 1) he had replied that several other customers had had the same problem; 2) our current AIP-SSM is a replacement for an RMA'ed one which had choked on the E2 engine upgrade a few months ago; 3) if another S389 upgrade attempt fails, our client's network will be down because our security policy requires the ASA's bypass mode for the AIP-SSM to be "fail-close." My questions to the forum include:
  1) If the "show tech" command is run after an AIP-SSM has rebooted after a previously-attempted S389 upgrade, can it include any information specific to the previously-attempted S389 upgrade? 2) Could the hardware components of the AIP-SSM-10 be inadequate for the combination of the E3 engine plus the cumulative signatures? 3) If the answer to question 2 is "yes" or "possibly," could Cisco modularize the signatures, eg. provide an "only-activated-signatures" (ie smaller) file for customers like us and an "everything" for others? Advice and recommendations heartily requested.

  Based on your show version, you already have E4, what is it that you are trying to do?
  Mike

• Is there a way to automate IOS IPS signature updates without CSM?

  I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
  I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier becasue it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
  Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wron "warnings" that CSM spews.
                 Thanks in advance!

  From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
  Here is the configuration guide for your reference:
  http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

• Correct procedure to update IOS IPS signatures on 2911 router

  What is the correct procedure to update the IOS IPS signatures on an 2911 router?
  I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
  Thank you in advance!

  The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling a lot more other signatures, especially not every single signature as documented.
  The reason why is because the package might include retired/old signatures only for references, and not every single signature is required to protect your environment because you might not have the traffic for some signatures, you might not have some end hosts that are written with specific signatures, therefore, it becomes irrelevant if you enable it.
  Typically here is how customer would enable/disable signatures:
  - Use the default signature that is enabled by Cisco (the default should fit majority of the customers).
  - Monitor it for a couple of months
  - Disable those that you don't need, and enable others if you think you require it for specific.

• IOS IPS Signature-File

  Hi Guys,
  We have recently purchased a Cisco ISR 2921,  and on its docs it is writen that this product has a License for IOS IPS Signatrue File,  but on the product Flash Memory there is no  IOS IPS Sig-File.   and while i try to download the sig-file from Cisco, it fails.
  Can any one tell me where is an alternate way to download the sig-file ?

  900 active signatures is quite much for a system that has no dedicated IPS-ressources.
  But you can controll which and how many signatures get enabled on your router:
  In the following example I first disable all signatures and enable the ones for web-servers. So just decide which signatures you need. But don't forget to monitor your router-ressources.
  gw#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  gw(config)#ip ips signature-category
  gw(config-ips-category)#?
  IPS signature category configuration commands:
    category  Category keyword
    exit      Exit from Category Mode
    no        Negate or set default values of a command
  gw(config-ips-category)#category ?
    adware/spyware                Adware/Spyware (more sub-categories)
    all                           All Categories
    attack                        Attack (more sub-categories)
    configurations                Configurations (more sub-categories)
    ddos                          DDoS (more sub-categories)
    dos                           DoS (more sub-categories)
    email                         Email (more sub-categories)
    instant_messaging             Instant Messaging (more sub-categories)
    ios_ips                       IOS IPS (more sub-categories)
    l2/l3/l4_protocol             L2/L3/L4 Protocol (more sub-categories)
    network_services              Network Services (more sub-categories)
    os                            OS (more sub-categories)
    other_services                Other Services (more sub-categories)
    p2p                           P2P (more sub-categories)
    reconnaissance                Reconnaissance (more sub-categories)
    releases                      Releases (more sub-categories)
    specially_licensed_signature  Specially Licensed Signature (more sub-categories)
    telepresence                  TelePresence (more sub-categories)
    uc_protection                 UC Protection (more sub-categories)
    viruses/worms/trojans         Viruses/Worms/Trojans (more sub-categories)
    web_server                    Web Server (more sub-categories)
  gw(config-ips-category)#category all
  gw(config-ips-category-action)#retire true
  gw(config-ips-category-action)#exit              
  gw(config-ips-category)#category web_server
  gw(config-ips-category-action)#?
  Category Options for configuration:
    alert-severity   Alarm Severity Rating
    enabled          Enable Category Signatures
    event-action     Action
    exit             Exit from Category Actions Mode
    fidelity-rating  Signature Fidelity Rating
    no               Negate or set default values of a command
    retired          Retire Category Signatures
  gw(config-ips-category-action)#retired false
  gw(config-ips-category-action)#exit
  gw(config-ips-category)#exit
  Do you want to accept these changes? [confirm]
  gw(config)#
  gw(config)#exit
  gw#sh ip ips configuration | s IPS Signature Status
  IPS Signature Status
      Total Active Signatures: 131
      Total Inactive Signatures: 4370
  gw#
  I didn't follow the thread and answered your first post to have less line-breaks in this post.

• IOS IPS Signature Updates

  Hi,
  Is it possible to update signatures for IOS IPS or do we need to update the IOS to get more signatures?
  Thanks and rgds
  Rajesh

  hi,
  if you have cisco sdm, then it would be easy to update your IOS IPS signatures. You may need to upgrade IOS of the router only when the ips signature requires you to do it.

• IOS IPS Signatures for password guessing?

  I recently experienced a password-guessing attack. The inside Windows server's security was pretty well useless in stopping the attack (block, yes; stop, no), because the user ID kept changing, and Windows account lockout ignores source addresses. In this case, it was FTP, and I found an IPS signature for that, but it got me to thinking:
  There don't seem to be password-guessing signatures for RDP, HTTP, HTTPS, or SSL. Granted it may not be practical for HTTPS and SSL, but what about the other two? Should we consider rolling our own?

  You can configure custom signatures for IOS IPS using Security Monitor which is part of VMS. Below is a doc on how to do this:
  http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a0080104f44.html#xtocid9
  Also try this link for Cisco Security Advisory
  http://www.cisco.com/en/US/products/products_security_advisory09186a008055dbdd.shtml

• ASA botnet filter vs ips global correlation

  Does the global correlation include the data from botnet filter? On Cisc's site it says this on the global correlation
  Customers deploying Cisco IPS can benefit from  Global Correlation in multiple ways. First, bad traffic from known  sources is stopped immediately. This includes zero-day attacks, for  which no traditional threat prevention currently exists, advanced  persistent threats (APTs), and botnet command and control traffic

  Hello Matt,
  Check the following info:
  Cisco ASA Botnet Traffic Filter
  This paper focuses on how Cisco Security Intelligence Operations relates to botnet threat identification, and its interaction with the Cisco ASA Botnet Traffic Filter. It is important to realize that a comprehensive security deployment should include Cisco Intrusion Prevention Systems (IPS) with its reputation based Global Correlation service and IPS signatures in conjunction with the security services provided by the ASA security appliance such as Botnet Traffic Filter.
  So I would say they both provide you security based on databases from the SIO but they will not be equal on their funcionalities, that is why Cisco recommend to use both when possible,
  Regards

• IPS signature update

  i would like to get some idea for IOS IPS signature update.
  example currently the router fresh install using IOS-S416-CLI.pkg, IOS category ios_ips in advanced mode, with retired false.
  Just wonder what if next time download and loading with latest patch of the IOS-SXXX-CLI.pkg into the machine, what will effect on the current compiled signature?
  will it just loaded in incremental form?  (meaning is it the signature in latest patch will added as new enable signature), then what about the signature previously being modified and save one, any effect on it? (like re-write my previous save signature)
  with the new patch install, would it also effect on the router DRAM and flash size? (my router with 384 mb DRAM and 128mb flash)
  thanks

  Hi,
  When you compile a new signature package on a router that carries an existing signature database, the signature configuration in the new signature package will supersede the router's existing database's signature configuration. Thus, if you have made changes to the signature database on the your router, and you compile in an updated signature package that contradicts your changes, your changes will be overwritten!!, and will need to be re-created.
  You can avoid having to re-create your changes if you copy the "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" file to some other location on the router's local storage, and re-apply the original "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" to the updated signature database after you have compiled the updated signature package to the router's database.
  And don't forget, the basic signature category is appropriate for routers with less than 128 MB of flash memory, and the advanced signature category is appropriate for routers with more than 128 MB of flash memory.
  Hope this helps,
  Thank You,

• Does getting a Smartnet contract also give you IDS/IPS signature updates?

  A client of mine is looking into getting an ASA5510 with AIP-SSM module. I realize that with IDS/IPS systems, it is *crucial* to always keep signature files up-to-date. Does purchasing the Smartnet contract for the bundle give me signature file updates or is there some other package I need to buy?
  I see references to "Cisco Services for IPS" but that seems to be mainly for router/IOS-based firewall/IDS packages.

  There is not a Smartnet contract for the ASA/AIP-SSM bundle.
  The only SmartNET contract for SSM bundles are with the CSC-SSM and not the AIP-SSM.
  When purchasing an ASA/AIP-SSM bundle you will need to purchase a bundle maintenance contract. The bundle maintenance contracts are Cisco Service for IPS contracts and include the signature support for the AIP-SSM as well as the software and hardware support on both the AIP-SSM and ASA (the software and hardware support is what it is normally part of SmartNET).
  For the bundles you will want to purchase a Cisco Service for IPS maintenance contract using one of the following part number formats:
  CON-SUw-ASxAyKz
  The "w" will be either 1,2,3, or 4 depending on the level of service.
  The "x" will be either 1 for the 5510, 2 for the 5520, or 4 for the 5540.
  The "y" will be either 10 for the AIP-SSM-10, or 20 for the AIP-SSM-20.
  The z will be either 8 or 9 depending on the encryption level.
  So for example:
  CON-SU2-AS2A20K9 - Would be 8X5X4 support for the ASA-5520 bundled with the AIP-SSM-20 with the higher encryption.
  NOTE: There are also SP contracts for purchase by Service Providers that follow a slightly different format.
  There are a few users who have purchased the ASA and AIP-SSM separately.
  When purcahsed separately you would need to purchase a SmartNET contract for the ASA, and a separate Cisco Service for IPS maintenance contract for the AIP-SSM.
  The AIP-SSM maintenane contract will be in the following format:
  CON-SUw-ASIPyK9
  The "w" will be either 1,2,3, or 4 depending on the level of service.
  The "y" will be either 10 for the AIP-SSM-10, or 20 for the AIP-SSM-20.
  So for example:
  CON-SU2-ASIP20K9 would be 8X5X4 support for the AIP-SSM-20.
  What you will find is that purchasing a separate SmartNET for the ASA and Cisco Service for IPS for the AIP-SSM will be more expensive than purchasing a single Cisco Service for IPS for the ASA/AIP-SSM bundle. This is because there is a discount when purchasing by the bundle.

• Cisco IOS based IPS Services Licensing Query

  Hi Experts,
  We have a Cisco 3945 router at one of our location. Our requirement is to enable the IOS based IPS engine within in the router and would like to load new signature files from cisco website to the router. But i am not much familiar with the licensing part. show version and show ip ips license output has been attached for the reference. Following are my queries.
  1) Is this platform and IOS is capable for enabling IPS Engine?
  2) Is there any extra IPS Services Contract is required (other than the smartnet Coverage) for this router to enable IPS engine and to load new IPS Signature files from Cisco?
  Advanced Thanks and Regards,
  Sihanu N

  1) Is this platform and IOS is capable for enabling  IPS Engine?
  Yes, it is (3945 with a security IOS image will be able to do it)
  2)Is there any extra  IPS Services Contract is required (other than the smartnet Coverage) for this router to enable IPS engine and to load new IPS Signature files from Cisco?
  No, you are good to go.
  I will write a future articule about how to enable this feature on an IOS router so stay tune in my website at http:laguiadelnetworking.com for further information as I will cover all of the details,
  Cheers,
  Julio Carvajal Segura

• How to upgrade IPS Signature

  Can anyone help me with the steps of upgrading the IPS signature for the platform ASA SSM-20, IDS 4215, WV-SVC-IDSM-2 via IDM and IME. All the sensors are already upgraded with Engine E4 with signature S480.
  Can I upgrade the signature directly from S480 to S507? Please let me know the file which I need to download. Is there any impact while updating the signture like reboot?

  Hi Gangadaran,
  We can apply the same package on all the mentioned platforms. It can be applied to all below platforms:
  - IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
  - IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the IDS-4220, and IDS-4230)
  - WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
  - NM-CIDS IDS Network Module for Cisco 26xx, 3680, and 37xx Router Families.
  - ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
  - ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
  - ASA-SSM-40 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
  - AIM-IPS Cisco Advanced Integration Module for ISR Routers
  Refer the readme for all details:
  http://www.cisco.com/web/software/282549755/37074/IPS-sig-S507.readme.txt
  All the best!!
  Thanks,
  Prapanch