Obsolete Signatures Inheritance IPS IOS 7

Hello all,
I found that on the older IPS IOS 5 it is possible to inherit previously tuned signature settings even if a new signature update pack from Cisco is downloaded.
A description of that how-to is available here.
I'd like to know, if the same feature is available in IPS IOS 7. I could not find any description within the new IOS version.
Could you help me please?

Are you saying the command "ip ips inherit-obsolete-tunings" does not work on IOS IPS 7?  I can't find any guide or mention of this command changing or going away.

Similar Messages

  • IPS Signature DataBase - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM

    Hi,
    Can anyone briefly tell me the signature database details (No of Signature) among the following devices,
    -->ASA IPS/IOS IPS/IPS 42xx/AIP-SSM.
    Thanks,

    IPS on ASA/PIX = just 50 or so common signatures
    AIP-SSM module = same signatures as Cisco 4200 series sensors. Little minor differences exist (like IPv6 signature support etc.)
    Please rate if helpful.
    Regards
    Farrukh

  • Configuring signature through IPS Manager in CSM3.0

    I was trying to customize the signature with IPS manager in CSM3.0. Any changes in CSM3.0 only display in the window, but it looks like they are not being applied to IDSM2, which has IPS v5.1. If I make the same change through IDM to IDSM2, it works fine.
    This is how I am testing: I just changed the sev level (low to high) in one of the built-in signatures (say 2100 sweep)
    from the IPS manager in CSM3.0. Then, when traffic triggers that signature, the IPS Event Viewer still shows the sev level as "low" only.
    But if I do the same changes through IDM I can see the sev level as "high" in the IPS Event Viewer 5.0.
    I also have 2 x 6500 with a single IDSM2 on both switches. I could add only one IDSM2 to IPS manager (via DCR in Common Services) and the other one I could not. Any suggestions please?

    Hi, thanks for your response. The IPS sensor is configured. I use the same username/password with priv15 through IDM as well.
    Here is the Problem Summary:
    ============================
    We are using CSM3.0 for managing IDSM2 modules and we are having the following difficulties
    I. Adding new IDSM2 sensor module into CSM3.0 through IPS
    II. Customization of any signature
    I. Adding new IDSM2 sensor module into CSM3.0 through IPS
    We followed the procedure below to add the IDSM2 modules:
    1. Go to CCS, device credentials, select the type as Cisco service modules and give the device credentials like IP address, username/password etc.
    2. Go to IPS Manager; under the device tab we could see the IDSM2 module has been added. Then go to sensor group and re-import it. It works fine, i.e. we could add and see the same in IPS manager.
    Note: the 1st sensor was successfully added whereas the 2nd sensor could not be added in IPS.
    3. We could see that the same has been added into Common Services. But when we look in IPS Manager Device sensor or sensor group, we could not see the IDSM2 module.
    Only the 1st sensor is shown in the IPS window. So we could not re-import the second sensor into the specified group (the group is the same as the 1st sensor).
    II. Customization of any signature:
    We followed the above procedure (as per I, 1 to 2) to add the IDSM2 modules.
    Note: the 1st sensor was successfully added whereas the 2nd sensor could not be added in IPS.
    1. Go to configuration, select the IPS signature 5.1, apply some changes like
    changing the sev level from "low" to "high" for one of the built-in signatures (ID 2100) by tuning. The changes appear in the CSM IPS console, but they don't apply to the IDSM module. After this change, if the signature triggers, IEV should show the changed level "high". But the IEV still shows the old level for the signature ID 2100 as "low" only. The main screen under the device tab still shows that configuration as pending, i.e. it looks like the changes made in CSM/IPS manager aren't applied to the IDSM2 module.
    Note: If we make the same changes by using the IDM, it behaves as expected, i.e. IEV shows the sev level for the tuned signature ID (2100) as "high".
    Please suggest us where are we missing?
    Here are the details about the modules
    Module: IDSM2 module
    Ver: 5.1(1)S229.0V1.0
    CSM : 3.0
    IEV: 5.1.1

  • IPS IOS causing router frozen

    hi All,
    We have a number of IPS IOS routers. We turn IPS on and left the IPS config as default.
    When traffic goes up to 20Mbps, the router hangs and does not respond.
    Router is 3845 and 512DRAM
    IOS ver 12.4 15T4.
    the "sh process cpu his" shows that CPU util went up to 100% sometime.
    Does anyone know how to reduce the CPU util, or have any recommendation for IPS deployment? Thanks
    Tao

    The simplest way to go about this is via the CCP GUI. This will get you "in the ballpark" with some preconfigured firewall settings (low, medium, high). Once you get familiar with how the different levels are configured you can then go into the edit mode and tweak the firewall settings to fit your particular configuration. If you are a CLI junkie then you do need to be mindful of your configurations.
    To some degree the ASA info will help you but you would be better off using the CCP users manual to get a better description of how the IOS firewall and the IDS configurations are set up.
    There is a known IOS bug that you will need to be familiar with. The following link explains it very well:
    http://tools.cisco.com/security/center/viewBulletin.x?bId=478&year=2012
    Bottom line is you will probably need to upgrade the IOS in the 881's to be able to run any sensor version after S639.
    I can assure you by my own discovery, the 881 will not work if you have an older IOS version and you attempt to install a sensor of S640 or higher. I found that out the hard way as this information was not privy to me at the time I installed S640. It took a bit of doing but I did recover and now have the latest IOS as well as the latest sensor version.

  • Multiple signature templates in IOS

    Hi,
    I have both an iPhone and an iPad with multiple mail accounts; some are private and one is my office mail account (Exchange). I do not want to have the same signature for my private and pro emails (not the same information I want to add, like my cell for private and my office line for work).
    I can manage multiple signature with mail on Mac OSX, I can't on my IOS devices...
    So please, Apple, could you add this!!! I might not be the only one who will be grateful!
    Thx

    Although this forum is provided and moderated by Apple, each post and thread here is not read by a moderator or by any Apple employee. This forum gets way too much traffic and most Apple employees have better things to do with their time. Using the feedback link ensures that your feedback is forwarded to and read by the appropriate Apple personnel. Providing it here does not.

  • What is new location to download the latest signatures for IPS

    Please provide me new location of signature download from cisco site for Cisco IPS.
    Also please let me know the procedure to update the signatures via IDM. Thanks

    Hello,
    IPS signatures are available for download here:
    http://tinyurl.com/4nh6gag
    Here are directions for updating the signatures.  If you have downloaded the signature update, please look at Step 4:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2126707
    Hope this helps!

  • Cisco IPS - IOS vs Appliance vs ASA vs IDSM2

    Hello CSC
    I am trying to find information on performance of the various IPS implementation options.
    In short I've been asked to enable IPS on our 2 ISP routers 7206VXR (NPE-G1), 1 with 45Mbps connection, the other with 100mbps; LAN int for both 1Gbps. In addition, we have some internal WAN networks so would like to secure on this perimeter using IDSM2 in a 6509.
    I have some doubts that using IOS IPS on each device will be able to cope with the load, with efficient throughput.
    I found this info:
    ASA - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/data_sheet_c78-459036_ps4077_Products_Data_Sheet.html
    IPS Appliance - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps9157/product_data_sheet09186a008014873c_ps4077_Products_Data_Sheet.html
    Does anyone have any similar stats for IOS IPS and IDSM2, or better still a comparison of all IPS solutions.
    Help appreciated.
    Thanks all
    Phil

    Here is a little info.
    http://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/prod_presentation0900aecd806ccf26.pdf

  • Updating a signature update & IPS License

    I am testing an IPS module on an ASA5505. I have a 30 day license which just expired. I am trying to upload a new signature file from the IPS Express 7.2.1, but it just keeps timing out. Is it not uploading because my license is expired?

    I think you get a 30 day grace period after your license expires where you can still apply signature updates.
    If you have an expired license, you can still apply OS updates that just happen to contain the latest signature pack as of their release date. These are not as frequent as the signature updates, but they will keep an unlicensed sensor within a few months of current signatures.
    - Bob

  • Simple question: is IPS IOS appliance or software (win/linux)?

    I'm newbie in security.
    Can somebody provide me information about IPS? I want to know whether IPS runs on IOS or other software.
    If it is IOS - could somebody provide me IOS version that I can download for test IPS?

    IPS runs on standalone 4200 series IPS Appliances, Network modules (which go on the ASA, Routers and C6k switches) and IOS Routers.
    IPS standalone appliances and network modules run on the linux 2.4 kernel whereas IPS on Routers run on IOS.
    Here is the web link for 4200 series standalone IPS appliances :
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html
    Looks like Cisco IOS Software Release 12.4(11)T and later T-Train releases support IPS however I am not an IOS expert. More details can be found on this IOS-IPS data sheet :
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/product_data_sheet0900aecd803137cf.html

  • CS-MARS + IPS + IOS IPS = DTM ---- HOW ????

    Hi Guys.
    I have a problem... I'm using an AIP-SSM20 with 6.1 version and IOS 12.4(6)T11 for building DTM (Distributed Threat Mitigation) with CS-MARS 4.3.5. I followed the document "Technology Preview: Configuring Distributed Threat Mitigation with Intrusion Prevention System in Cisco Security MARS" but I didn't have success. I would like to know if anyone has built DTM with success. Could they give me a tip?

    check the following url for more information on distributed threat MITIGATION:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5879/ps6264/ps5888/prod_white_paper0900aecd8011e927.html

  • IOS IPS Signature-File

    Hi Guys,
    We have recently purchased a Cisco ISR 2921, and in its docs it is written that this product has a license for the IOS IPS signature file, but in the product flash memory there is no IOS IPS sig-file, and when I try to download the sig-file from Cisco, it fails.
    Can any one tell me where is an alternate way to download the sig-file ?

    900 active signatures is quite a lot for a system that has no dedicated IPS resources.
    But you can control which and how many signatures get enabled on your router:
    In the following example I first disable all signatures and enable the ones for web servers. So just decide which signatures you need. But don't forget to monitor your router resources.
    gw#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    gw(config)#ip ips signature-category
    gw(config-ips-category)#?
    IPS signature category configuration commands:
      category  Category keyword
      exit      Exit from Category Mode
      no        Negate or set default values of a command
    gw(config-ips-category)#category ?
      adware/spyware                Adware/Spyware (more sub-categories)
      all                           All Categories
      attack                        Attack (more sub-categories)
      configurations                Configurations (more sub-categories)
      ddos                          DDoS (more sub-categories)
      dos                           DoS (more sub-categories)
      email                         Email (more sub-categories)
      instant_messaging             Instant Messaging (more sub-categories)
      ios_ips                       IOS IPS (more sub-categories)
      l2/l3/l4_protocol             L2/L3/L4 Protocol (more sub-categories)
      network_services              Network Services (more sub-categories)
      os                            OS (more sub-categories)
      other_services                Other Services (more sub-categories)
      p2p                           P2P (more sub-categories)
      reconnaissance                Reconnaissance (more sub-categories)
      releases                      Releases (more sub-categories)
      specially_licensed_signature  Specially Licensed Signature (more sub-categories)
      telepresence                  TelePresence (more sub-categories)
      uc_protection                 UC Protection (more sub-categories)
      viruses/worms/trojans         Viruses/Worms/Trojans (more sub-categories)
      web_server                    Web Server (more sub-categories)
    gw(config-ips-category)#category all
    gw(config-ips-category-action)#retire true
    gw(config-ips-category-action)#exit              
    gw(config-ips-category)#category web_server
    gw(config-ips-category-action)#?
    Category Options for configuration:
      alert-severity   Alarm Severity Rating
      enabled          Enable Category Signatures
      event-action     Action
      exit             Exit from Category Actions Mode
      fidelity-rating  Signature Fidelity Rating
      no               Negate or set default values of a command
      retired          Retire Category Signatures
    gw(config-ips-category-action)#retired false
    gw(config-ips-category-action)#exit
    gw(config-ips-category)#exit
    Do you want to accept these changes? [confirm]
    gw(config)#
    gw(config)#exit
    gw#sh ip ips configuration | s IPS Signature Status
    IPS Signature Status
        Total Active Signatures: 131
        Total Inactive Signatures: 4370
    gw#
    I didn't follow the thread and answered your first post to have less line-breaks in this post.
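
The tuning approach in the reply above (retire everything, unretire only the categories you need, keep an eye on router resources) can be checked offline against a saved configuration. This is an added example, not code from the thread or from Cisco; the running-config layout of the category block, the sample inputs and the `max_active` budget are assumptions constructed for illustration.

```python
import re

# Constructed sample: running-config form of the tuning shown in the reply
# (retire all categories, then unretire web_server). Layout is an assumption.
SAMPLE_CONFIG = """\
ip ips signature-category
  category all
   retired true
  category web_server
   retired false
!
"""

# Constructed sample of the status lines from "show ip ips configuration".
SAMPLE_STATUS = """\
IPS Signature Status
    Total Active Signatures: 131
    Total Inactive Signatures: 4370
"""


def parse_categories(config):
    """Return [(category, {option: value})] in the order they are configured."""
    cats, in_block = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip ips signature-category":
            in_block = True
        elif in_block and raw[:1] not in (" ", "\t"):
            in_block = False  # first unindented line ends the block
        elif in_block and line.startswith("category "):
            cats.append((line[len("category "):], {}))
        elif in_block and cats and line:
            opt, _, val = line.partition(" ")
            cats[-1][1][opt] = val
    return cats


def parse_status(status):
    """Extract the active/inactive signature counts from the status section."""
    pairs = re.findall(r"Total (Active|Inactive) Signatures:\s*(\d+)", status)
    return {key.lower(): int(num) for key, num in pairs}


def audit(config, status, max_active=900):
    """Flag tunings that leave too many signatures unretired.

    max_active is a hypothetical budget; pick one that fits the router's memory.
    """
    cats = parse_categories(config)
    counts = parse_status(status)
    findings = []
    first = cats[0] if cats else None
    if first is None or first[0] != "all" or first[1].get("retired") != "true":
        findings.append("baseline 'category all / retired true' is missing or not first")
    unretired = [name for name, opts in cats if opts.get("retired") == "false"]
    if "all" in unretired:
        findings.append("'category all' is unretired")
    active = counts.get("active")
    if active is not None and active > max_active:
        findings.append(f"{active} active signatures exceeds budget of {max_active}")
    return {"findings": findings, "unretired": unretired, "counts": counts}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_STATUS))
```
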

  • IOS IPS Restore Deleted Signatures

    I have a router with IOS IPS and manage this using SDM.
    I have deleted a signature from the router and would now like to re-install it.
    Using the SDM import feature I have looked for the deleted signature in the 256mb.sdf that I've downloaded from the Cisco website. It doesn't appear in the list of signatures. I've tried the attack-drop.sdf and the local IOS sdmips.sdf but the signature is not listed.
    Does anyone have any idea how I can get it back?
    The deleted signature is 4050 UDP Bomb.
    Thanks

    4050 UDP bomb is a built-in signature within the IOS. Some 100 odd signatures (version dependent) are loaded into the router by default when your IOS has the IDS image. Look under the ATOMIC.UDP signatures for 4050.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm#wp1000985
    You may be able to re-enable your signature using the following command on the CLI.
    "no ip audit signature 4050 disable"
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_d1g.htm#wp1073162

  • IOS IPS Automatic Signature Update

    I will use cisco1941w.
    I'd like to know, how to configure at CLI and where is the URL.
    Is the below correct?
    CLI
    Router(config)# ip ips auto-update
    Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
    Router(config-ips-auto-update)# url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
    Router(config-ips-auto-update)# username XXX password XXX
    URL
    https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

    Hello,
    A. Here is what the six files do:
    • ios-ips-sigdef-default.xml: contains all the factory default signature definitions
    • ios-ips-sigdef-delta.xml: contains signature definitions that have been changed from the default
    • ios-ips-sigdef-typedef.xml: is a file that has all the signature parameter definitions
    • ios-ips-sigdef-category.xml: has all the signature category information, such as category ios_ips basic and advanced
    • ios-ips-seap-delta.xml: contains changes made to the default SEAP parameters
    • ios-ips-seap-typedef.xml: contains all the SEAP parameter definitions
    B. So the signature file (.pkg) is decompressed into these files and then 'idconf' loads them in memory.
    Hence to copy the signature database of one router to the other, we need to copy at least the first 4 files.
    You only need to distribute the SEAP configuration if you modified any of the Signature Event Action Override configuration:
    We do not have one single file that contains all the signatures.  The signature package is installed in a certain way.
    Hence we will need at least the first 4 files to copy the signature database from one router to the other.
    C. Secondly, I don't know if auto-update will accept a file in .xmz package, I have not tested this.
    But I am guessing it will look for a .pkg file and decompress it.
    With copying a .xmz file, you may have to manually load it into memory using 'idconf' command.
    D. Hence there is no one single configuration file that you copy off the external ftp server.
    I guess, the only thing you can do is to have different routers update signatures at different times to reduce load on the network.
    It is also not necessary to check for signature updates every hour.
    Normal rate of adding new signature releases is every few days, so even if you check around once a day that should be ok.
    Sid Chandrachud
    TAC Security Solutions
    Customer support engineer

  • IPS MC: It doesn't show any signature.

    Hi.
    I had IPS MC 2.1.0 (Build 123) functioning fine. I installed the idsmdc2.1.0-win-CSCsc336961.tar file in order to solve the CSCsc33696 bug. Next, I installed an update signature for IPS version 5 (but I didn't have any IPS sensor version 5, I was just checking), but the update didn't work. After it, I noted that I have a big issue: when I try to modify any signature, in Settings->IOS IPS, it shows:
    Object loading failed. Errors occurred while loading the Signatures. Not all signatures may have been loaded.
    It doesn't show any signature.
    I erased all the sensors, including the IOS IPS. Then I imported one of the IOS IPS and followed the instructions for the CSCsc33696 bug. I reimported the device, deployed the configuration, disabled the IPS feature in the router and enabled the feature in order to load the signature configuration, but the issue persists. Then, I installed the newest signature update to IDS sensor version 4 (it includes the IOS IPS update) and it installed without problems, but the problem in the signature page persists.
    I reinstalled the IPS MC, but the problem persists. I uninstalled the IDS MC, and installed again without saving the database. It shows the application IDS MC and Security Monitor without configuration, like a new installation, but the issue persists!!!
    Has someone had this problem? Does someone know how I can solve it?
    Thanks.

    The Cisco IOS IPS feature restructures the existing Cisco IOS Intrusion Detection System (IDS), allowing customers to choose to load the default, built-in signatures or to load a Signature Definition File (SDF) called attack-drop.sdf onto the router. The attack-drop.sdf file contains 118 high-fidelity Intrusion Prevention System (IPS) signatures, providing customers with the latest available detection of security threats. For more information refer to following url:
    http://www.cisco.com/en/US/products/ps5854/prod_configuration_guide09186a00802c9587.html

  • IOS IPS basics

    I'm pretty new to managing IPS. My co is looking at deploying a large number of these and I'm supposed to manage them. I have a few questions:
    1. Are the available signatures in default IOS IPS enough? I fired Retina at an old Red Hat version OS but I find that the results from IOS IPS are pretty generic. It detects non valid http traffic over ssl but not the vulnerabilities used, and it does even detects nmap non tcp port scanning
    2. Do you recommend using the default IOS IPS signatures? If no, any recommendations & standards to follow?
    3. Any guidance on custom signature development on IOS IPS?
    4. Any method to manage large numbers of IOS IPS rules/signatures on a single console? So I can push the signatures from a single console to each and every router. If not, is it possible to copy the signature folders over to all the routers to get the same sets of signatures on the routers?
    Appreciate any useful information. Thanks in advance

    1. The built-in signatures are pretty old and mostly worthless; you may want to disable them and use the latest signature file available for the IOS-IPS. Your memory will be the constraining factor as to how many signatures you can have enabled.
    2. The signature defaults are a starting place. You will have to spend time doing the analysis of events to see if they're false positives (and many will be) and tune them down, or more likely disable them.
    3. Each signature engine has a fixed 64MB of memory. Turn on too many within that engine (including your custom sigs) and you won't get any. Watch the console log when enabling IPS to see if your build is failing. Some sigs eat more memory than others.
    4. If you have money to burn you can buy Cisco's CSM 3.1, or else keep your signature file(s) on an FTP/TFTP/SCP server and copy them to your routers as needed.
