Table Of Contents
Cisco IOS Intrusion Prevention System (IPS)
Prerequisites for Cisco IOS IPS
Restrictions for Cisco IOS IPS
Information About Cisco IOS IPS
Signature Micro-Engines: Overview and Lists of Supported Engines
Lists of Supported Signature Engines
Supported Cisco IOS IPS Signatures
How to Load IPS-Based Signatures onto a Router
Installing Cisco IOS IPS on a New Router
Upgrading to the Latest Cisco IOS IPS Signature Definition File (SDF)
Merging Built-In Signatures with the attack-drop.sdf File
Monitoring Cisco IOS IPS Signatures via Syslog or SDEE
Interpreting Cisco IOS IPS System Messages
Conditions of an SME Build Failure
Loading the Default Signatures: Example
Loading the attack-drop.sdf: Example
Merging the attack-drop.sdf File with the Default, Built-in Signatures: Example
ip ips deny-action ips-interface
Cisco IOS Intrusion Prevention System (IPS)
This module describes the Cisco IOS Intrusion Prevention System (IPS) feature, which restructures the existing Cisco IOS Intrusion Detection System (IDS). Cisco IOS IPS helps to protect a customer's network from internal and external attacks and threats.
Cisco IOS IPS allows customers to choose between any of the following options when loading the signatures onto a device:
•Loading the default, built-in signatures
•Downloading dynamic signature definition files (SDFs), which are updated regularly so that customers have the latest available versions to better detect security threats.
•Loading an SDF called "attack-drop.sdf" onto their router. The attack-drop.sdf file contains 118 high-fidelity IPS signatures, providing customers with the latest available detection of security threats.
Customers can download the SDF to their router from Cisco.com via the VPN and Security Management Solution (VMS) IDS Management Console (MC) 2.3 network management device, enabling IDS MC to immediately begin scanning for new signatures.
Feature History for Cisco IOS IPS
12.3(8)T: This feature was introduced, which adds support for Cisco IOS IPS and the Security Device Event Exchange (SDEE) Cisco standard.
12.3(14)T: Support for the following functions was added:
•Access to more recent virus and attack signatures via the addition of three more signature micro-engines (SMEs)—STRING.TCP, STRING.ICMP, and STRING.UDP.
•Intelligent and local shunning, which allows Cisco IOS IPS to shun offending traffic on the same router on which Cisco IOS IPS is configured.
•The ip ips deny-action ips-interface command, which allows users to choose between two available ACL filter settings for detecting offending packets.
Support for the Post Office Protocol was deprecated, and the following commands were removed from the Cisco IOS software: ip ips po local, ip ips po max-events, ip ips po protected, and ip ips po remote.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•Prerequisites for Cisco IOS IPS
•Restrictions for Cisco IOS IPS
•Information About Cisco IOS IPS
•How to Load IPS-Based Signatures onto a Router
Prerequisites for Cisco IOS IPS
VMS IDS MC 2.3 and Cisco Router SDM Support
VMS IDS MC provides a web-based interface for configuring, managing, and monitoring multiple IDS Sensors. Cisco Router and Security Device Manager (SDM) is a web-based device-management tool that allows users to import and edit SDFs from Cisco.com to the router. VMS IDS MC is for network-wide management while SDM is for single-device management. It is strongly recommended that customers download the SDF to an IDS MC 2.3 network management device or an SDM.
Customers can choose to download the SDF to a device other than IDS MC or SDM (such as a router) via command-line interface (CLI); however, this approach is not recommended because it requires the customer to know which signatures come from which signature engines.
Restrictions for Cisco IOS IPS
Signature Support Deprecation
Effective Cisco IOS Release 12.3(8)T, the following signatures are no longer supported by Cisco IOS IPS:
•1100 IP Fragment Attack (Attack, Atomic)
Triggers when any IP datagram is received with the "more fragments" flag set to 1 or if there is an offset indicated in the offset field.
•1105 Broadcast Source Address (Compound/Attack)
Triggers when an IP packet with a source address of 255.255.255.255 is detected. This signature may be an indicator of an IP spoof attack or an attempt to subvert a firewall, proxy, or gateway.
•1106 Multicast IP Source Address (Compound/Attack)
Triggers when an IP packet with a source address of 224.x.x.x is detected. This signature may be an indicator of an IP spoof attack or an attempt to subvert a firewall, proxy, or gateway.
•8000 FTP Retrieve Password File (Attack, Atomic) SubSig ID: 2101
Triggers on string "passwd" issued during an FTP session. May indicate that someone is attempting to retrieve the password file from a machine to crack it and gain unauthorized access to system resources.
Action Configuration via CLI No Longer Supported
Cisco IOS IPS actions (such as resetting the TCP connection) can no longer be configured via CLI. If you are using the attack-drop.sdf signature file, the signatures are preset with actions to mitigate the attack by dropping the packet and resetting the connection, if applicable. If you are using VMS or SDM to deploy signatures to the router, you will need to tune the signatures to use the desired actions before the deployment.
Any CLI that is issued to configure IPS actions will be silently ignored.
Memory Impact on Low-End to Mid-Range Routers
Intrusion detection configuration on certain routers may not be able to support the complete list of signatures due to lack of sufficient memory. Thus, the network administrator may have to select a smaller subset of signatures or choose to use the standard 100 (builtin) signatures that the routers are shipped with.
Information About Cisco IOS IPS
To help secure your network via a signature-based IPS, you should understand the following concepts:
•The Signature Definition File
•Signature Micro-Engines: Overview and Lists of Supported Engines
•Supported Cisco IOS IPS Signatures
Cisco IOS IPS Overview
The Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog messages or Security Device Event Exchange (SDEE). The network administrator can configure Cisco IOS IPS to choose the appropriate response to various threats. When packets in a session match a signature, Cisco IOS IPS can take any of the following actions, as appropriate:
•Send an alarm to a syslog server or a centralized management interface
•Drop the packet
•Reset the connection
•Deny traffic from the source IP address of the attacker for a specified amount of time
•Deny traffic on the connection for which the signature was seen for a specified amount of time
Cisco developed its Cisco IOS software-based Intrusion-Prevention capabilities and Cisco IOS Firewall with flexibility in mind, so that individual signatures could be disabled in case of false positives. Generally, it is preferable to enable both the firewall and Cisco IOS IPS to support network security policies. However, each of these features may be enabled independently and on different router interfaces.
Benefits
Dynamic IPS Signatures
IPS signatures are dynamically updated and posted to Cisco.com on a regular basis. Thus, customers can access signatures that help protect their network from the latest known network attacks.
Parallel Signature Scanning
Cisco IOS IPS uses a Parallel Signature Scanning Engine to scan for multiple patterns within a signature micro-engine (SME) at any given time. IPS signatures are no longer scanned on a serial basis.
Named and Numbered Extended ACL support
Prior to Cisco IOS Release 12.3(8)T, only standard, numbered ACLs were supported. Cisco IOS IPS now supports both named and numbered extended ACLs by using at least one of the following commands: ip ips ips-name list acl or ip ips signature signature-id list acl-list.
The Signature Definition File
A Signature Definition File (SDF) has definitions for each signature it contains. After signatures are loaded and compiled onto a router running Cisco IOS IPS, IPS can begin detecting the new signatures immediately. Customers who do not use the default, built-in signatures that are shipped with the routers can choose to download one of two different types of SDFs: the attack-drop.sdf file (which is a static file) or a dynamic SDF (which is dynamically updated and accessed from Cisco.com).
The attack-drop.sdf file is available in flash on all Cisco access routers that are shipped with Cisco IOS Release 12.3(8)T or later. The attack-drop.sdf file can then be loaded directly from flash into the Cisco IOS IPS system. If flash is erased, the attack-drop.sdf file may also be erased. Thus, if you are copying a Cisco IOS image to flash and are prompted to erase the contents of flash before copying the new image, you might risk erasing the attack-drop.sdf file. If this occurs, the router will refer to the built-in signatures within the Cisco IOS image. The attack-drop.sdf file can also be downloaded onto your router from Cisco.com.
To help detect the latest vulnerabilities, Cisco provides signature updates on Cisco.com on a regular basis. Users can use SDM or VMS to download these signature updates, tune the signature parameters as necessary, and deploy the new SDF to a Cisco IOS IPS router.
Signature Micro-Engines: Overview and Lists of Supported Engines
Cisco IOS IPS uses signature micro-engines (SMEs) to load the SDF and scan signatures.
Signatures contained within the SDF are handled by a variety of SMEs. The SDF typically contains signature definitions for multiple engines. The SME typically corresponds to the protocol in which the signature occurs and looks for malicious activity in that protocol.
A packet is processed by several SMEs. Each SME scans for various conditions that can lead to a signature pattern match. When an SME scans the packets, it extracts certain values, searching for patterns within the packet via the regular expression engine.
For a list of supported signature engines, refer to the section Lists of Supported Signature Engines.
Lists of Supported Signature Engines
Table 1 lists supported signature engines and engine-specific parameter exceptions, if applicable.
Note If the SDF contains a signature that requires an engine that is not supported, the engine will be ignored and an error message will be displayed. If a signature within a supported engine contains a parameter that is not supported, the parameter will be ignored and an error message will be displayed.
Table 1 Supported Signature Engines for Cisco IOS IPS
Signature Engine | Initial Cisco IOS Release Support | Parameter Exceptions (1)
--- | --- | ---
ATOMIC.L3.IP | 12.3(8)T | —
ATOMIC.ICMP | 12.3(8)T | —
ATOMIC.IPOPTIONS | 12.3(8)T | —
ATOMIC.TCP | 12.3(8)T | —
ATOMIC.UDP | 12.3(8)T | —
SERVICE.DNS | 12.3(8)T | —
SERVICE.HTTP | 12.3(8)T | ServicePorts (applicable only in Cisco IOS Release 12.3(8)T)
SERVICE.FTP | 12.3(8)T | ServicePorts
SERVICE.SMTP | 12.3(8)T | ServicePorts
SERVICE.RPC | 12.3(8)T | ServicePorts, Unique, and isSweep
STRING.ICMP | 12.3(14)T | —
STRING.TCP | 12.3(14)T | —
STRING.UDP | 12.3(14)T | —
(1) The following parameters, which are defined in all signature engines, are currently not supported: AlarmThrottle=Summarize (all other values are supported), MaxInspectLength, MaxTTL, Protocol, ResetAfterIdle, StorageKey, and SummaryKey.
Table 2 lists support under Cisco IOS IPS for the 100 signatures that were available in Cisco IOS IDS prior to Cisco IOS Release 12.3(8)T. These 100 signatures are part of the Cisco IOS IPS builtin SDF, and by default signatures are loaded from this builtin SDF.
Note Because Cisco IOS IPS counts signatures on the basis of signature-id and subsignature-id, the 100 signatures under Cisco IOS IDS are counted as 132 signatures under Cisco IOS IPS.
Table 2 Support for Signatures Available in Cisco IOS IDS (prior to 12.3(8)T)
Signature ID | Count | Signature Engine
--- | --- | ---
1000-1006 | 7 | ATOMIC.IPOPTIONS
1101, 1102 | 2 | ATOMIC.L3.IP
1004, 1007 | 2 | ATOMIC.L3.IP
2000-2012, 2150 | 14 | ATOMIC.ICMP
2151, 2154 | 2 | ATOMIC.L3.IP
3038-3043 | 6 | ATOMIC.TCP
3100-3107 | 8 | SERVICE.SMTP
3153, 3154 | 2 | SERVICE.FTP
4050-4052, 4600 | 4 | ATOMIC.UDP
6100-6103 | 4 | SERVICE.RPC
6150-6155 | 6 | SERVICE.RPC
6175, 6180, 6190 | 3 | SERVICE.RPC
6050-6057 | 8 | SERVICE.DNS
6062-6063 | 2 | SERVICE.DNS
3215, 3229, 3223 | 3 | SERVICE.HTTP
5034-5035 | 2 | SERVICE.HTTP
5041, 5043-5045 | 4 | SERVICE.HTTP
5050, 5055, 5071 | 3 | SERVICE.HTTP
5081, 5090, 5123 | 3 | SERVICE.HTTP
5114, 5116-5118 | 4 | SERVICE.HTTP
1100 | 1 | Not applicable. Signature is replaced by the 12xx series.
1105-1106 | 2 | Cisco IOS IPS deprecates these signatures, which do not appear in the SDF.
1201-1208 | 10 | OTHER (1) (fragment attack signatures)
3050 | 2 | OTHER (1) (SYN attack signatures)
3150-3152 | 3 | STRING.TCP
4100 | 1 | STRING.UDP
8000 | 1 | Cisco IOS IPS deprecates this signature, which does not appear in the SDF.
(1) The OTHER engine contains existing, hard-coded signatures. Although the standard SDF contains an entry for these signatures, the engine is not dynamically updated. If the SDF that is loaded onto the engine does not contain the signature, the signature will be treated as though it has been disabled.
Supported Cisco IOS IPS Signatures
Customers can choose to use Cisco IOS IPS in one of the following ways:
•Download new signatures that are posted on Cisco.com. These signatures can be obtained at the Cisco Intrusion Prevention Alert Center web page. (You must have a valid Cisco.com account to access this web page.)
•Download the attack-drop.sdf file, which contains the signatures that are identified in Table 3.
Table 3 Cisco IOS IPS Signatures Supported in Cisco IOS Release 12.3(8)T
Signature ID:SubSig ID (Name) | Action (1) | SME | Signature Description
--- | --- | --- | ---
1006:0 | A, D | ATOMIC.IPOPTIONS | Triggers on receipt of an IP datagram in which the IP option list for the datagram includes option 2 (Strict Source Routing).
1102:0 | A, D | ATOMIC.L3.IP | Triggers when an IP packet arrives with source equal to destination address. This signature will catch the Land Attack.
1104:0 | A, D | ATOMIC.L3.IP | Triggers when an IP packet with the address of 127.0.0.1, a local host IP address that should never be seen on the network, is detected. This signature can detect the Blaster attack.
1108:0 | A, D | ATOMIC.L3.IP | Alarms upon detecting IP traffic with the protocol set to 11. There have been known "backdoors" running on IP protocol 11.
2154:0 | A, D | ATOMIC.L3.IP | Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the Last Fragment bit set, and the IP offset (which represents the starting position of this fragment in the original packet and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.
3038:0 | A, D | ATOMIC.TCP | Triggers when a single, fragmented TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host. A reconnaissance sweep of your network may be in progress.
3039:0 | A, D | ATOMIC.TCP | Triggers when a single, fragmented, orphan TCP FIN packet is sent to a privileged port (having a port number less than 1024) on a specific host. A reconnaissance sweep of your network may be in progress.
3040:0 | A, D | ATOMIC.TCP | Triggers when a single TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host. A reconnaissance sweep of your network may be in progress.
3041:0 | A, D | ATOMIC.TCP | Triggers when a single TCP packet with the SYN and FIN flags set is sent to a specific host. A reconnaissance sweep of your network may be in progress. The use of this type of packet indicates an attempt to conceal the sweep.
3043:0 | A, D | ATOMIC.TCP | Triggers when a single, fragmented TCP packet with the SYN and FIN flags set is sent to a specific host. A reconnaissance sweep of your network may be in progress. The use of this type of packet indicates an attempt to conceal the sweep.
3129:0 | A, D, R | SERVICE.SMTP | Fires when an e-mail attachment matching the C Variant of the Mimail virus is detected. The virus sends itself to recipients as the e-mail attachment "photos.zip" that contains the file "photos.jpg.exe" and has "our private photos" in the e-mail subject line. If launched, the virus harvests email addresses and possible mail servers from the infected system.
3140:3 | A, D, R | SERVICE.HTTP | Fires when HTTP propagation using .jpeg associated with the .Q variant is detected.
3140:4 | A, D, R | SERVICE.HTTP | Fires when HTTP propagation using .php associated with the .Q variant is detected.
3300:0 | A, D | ATOMIC.TCP | Triggers when an attempt to send Out Of Band data to port 139 is detected.
5045:0 | A, D, R | SERVICE.HTTP | Triggers when any cgi-bin script attempts to execute the command xterm -display. An attempt to illegally log into your system may be in progress.
5047:0 | A, D, R | SERVICE.HTTP | Triggers when an attempt is made to embed a server side include (SSI) in an http POST command. An attempt to illegally access system resources may be in progress.
5055:0 | A, D | SERVICE.HTTP | A buffer overflow can occur on vulnerable web servers if a very large username and password combination is used with Basic Authentication.
5071:0 | A, D, R | SERVICE.HTTP | An attempt has been made to execute commands or view secured files, with privileged access. Administrators are strongly advised to check the affected systems to ensure that they have not been illicitly modified.
5081:0 | A, D, R | SERVICE.HTTP | Triggers when the use of the Windows NT cmd.exe is detected in a URL. This signature can catch the NIMDA attack.
5114:0, 5114:1, 5114:2 | A, D, R | SERVICE.HTTP | Triggers when an attempt to exploit the Unicode ../ directory traversal vulnerability is detected. Looks for the commonly exploited combinations that are included in publicly available exploit scripts. SubSig 2 is known to detect the NIMDA attack.
5126:0 | A, D, R | SERVICE.HTTP | Alarms if web traffic is detected with the ISAPI extension .ida? and a data size greater than 200 characters.
5159:0 | A, D, R | SERVICE.HTTP | Triggers when access to sql.php with the arguments goto and btnDrop=No is detected.
5184:0 | A, D, R | SERVICE.HTTP | Fires upon detecting a select statement on the Authorization line of an HTTP header.
5188:0 (SubSig 0: GotomyPC) | A, D, R | SERVICE.HTTP | Triggers when a computer connects to the gotomyPC site.
5188:1 (SubSig 1: FireThru) | A, D, R | SERVICE.HTTP | Triggers when an attempt to use /cgi-bin/proxy is detected. The /cgi-bin/proxy is used to tunnel connections to other ports using web ports.
5188:2 (SubSig 2: HTTP Port) | A, D, R | SERVICE.HTTP | Triggers when a connection is made to exectech-va.com. The site runs a server, which connects to the requested resource and passes the information back to the client on web ports.
5188:3 (SubSig 3: httptunnel) | A, D, R | SERVICE.HTTP | Triggers when /index/html? is detected on a POST request.
5245:0 | A, D, R | SERVICE.HTTP | Fires when HTTP 1.1 chunked encoding transfer activity is detected. This signature is known to detect the Scalper Worm.
5326:0 | A, D, R | SERVICE.HTTP | Alarms upon detecting an HTTP request for root.exe. This signature is known to detect the NIMDA attack.
5329:0 | A, D, R | SERVICE.HTTP | Fires when a probe by the Apache/mod_ssl worm is detected. If the worm detects a vulnerable web server, a buffer overflow attack is sent to the HTTPS port (TCP 443) of the web server. The worm then attempts to propagate itself to the newly infected web server and begins scanning for new hosts to attack.
5364:0 | A, D, R | SERVICE.HTTP | Fires when a long HTTP request (65000+ characters) is detected with an HTTP header option "Translate:". An attack to exploit a weakness in the WebDAV component of the IIS web server may be in progress.
5390:0 | A, D, R | SERVICE.HTTP | Triggers when an attempt to access the URL "/bin/counter.gif/link=bacillus" is detected. A system may be infected by the Swen worm trying to update a counter on a web page located on the server "ww2.fce.vutbr.cz."
5400:0 | A, D, R | SERVICE.HTTP | Fires when a request is made for the script 1.php or 2.php residing on the hosts "www.47df.de" or "www.strato.de," followed by the argument indicating the trojan's listening port number, p=8866.
6055:0, 6055:1, 6055:2 | A, D; R for subsig 1, 2 | SERVICE.DNS | Triggers when an IQUERY request arrives with a data section that is greater than 255 characters.
6056:0, 6056:1, 6056:2 | A, D; R for subsig 1, 2 | SERVICE.DNS | Triggers when a DNS server response arrives with a long NXT resource where the length of the resource data is greater than 2069 bytes or the length of the TCP stream containing the NXT resource is greater than 3000 bytes.
6057:0, 6057:1, 6057:2 | A, D; R for subsig 1, 2 | SERVICE.DNS | Triggers when a DNS server response arrives with a long SIG resource where the length of the resource data is greater than 2069 bytes or the length of the TCP stream that contains the SIG resource is greater than 3000 bytes.
6058:0, 6058:1 | A, D; R for subsig 1 | SERVICE.DNS | Alarms when a DNS query type SRV and DNS query class IN is detected with more than ten pointer jumps in the SRV resource record.
6059:0, 6059:1, 6059:2 | A, D; R for subsig 2 | SERVICE.DNS | Alarms when a DNS query type TSIG is detected and the domain name is greater than 255 characters. This signature is known to detect the Lion worm.
6060:0, 6060:1, 6060:2, 6060:3 | A, D; R for subsig 2, 3 | SERVICE.DNS | Alarms when an NS record is detected with a domain name greater than 255 characters and the IP address is 0.0.0.0, 255.255.255.255 or a multicast address of the form 224.x.x.x.
6100:0, 6100:1 | A, D; R for subsig 1 | SERVICE.RPC | Triggers when attempts are made to register new RPC services on a target host. Port registration is the method used by new services to report their presence to the portmapper and to gain access to a port. Their presence is then advertised by the portmapper.
6101:0, 6101:1 | A, D; R for subsig 1 | SERVICE.RPC | Triggers when attempts are made to unregister existing RPC services on a target host. Port unregistration is the method used by services to report their absence to the portmapper and to remove themselves from the active port map.
6104:0, 6104:1 | A, D; R for subsig 1 | SERVICE.RPC | Triggers when an RPC set request with a source address of 127.x.x.x is detected.
6105:0, 6105:1 | A, D; R for subsig 1 | SERVICE.RPC | Triggers when an RPC unset request with a source address of 127.x.x.x is detected.
6188:0 | A, D | SERVICE.RPC | Alarms upon detecting a dot dot slash (../) sequence sent to the statd RPC service.
6189:0, 6189:1 | A, D; R for subsig 1 | SERVICE.RPC | Alarms upon detecting a statd bounce attack on the automount process. This attack targets a vulnerability in the automount process that could be exploited only via localhost.
6190:0, 6190:1 | A, D; R for subsig 1 | SERVICE.RPC | Triggers when a large statd request is sent. This attack could be an attempt to overflow a buffer and gain access to system resources.
6191:0, 6191:1 | A, D; R for subsig 1 | SERVICE.RPC | Fires when an attempt is made to overflow an internal buffer in the tooltalk rpc program.
6192:0, 6192:1 | A, D; R for subsig 1 | SERVICE.RPC | Triggers on an attempt to overflow a buffer in the RPC mountd application. This attack may result in unauthorized access to system resources.
6193:0, 6193:1 | A, D; R for subsig 1 | SERVICE.RPC | Fires when an attempt is made to overflow an internal buffer in the Calendar Manager Service Daemon, rpc.cmsd.
6194:0, 6194:1 | A, D; R for subsig 1 | SERVICE.RPC | Fires when a call to RPC program number 100232 procedure 1 with a UDP packet length greater than 1024 bytes is detected.
6195:0, 6195:1 | A, D; R for subsig 1 | SERVICE.RPC | Detects the exploitation of the RPC AMD Buffer Overflow vulnerability. The trigger for this signature is an RPC call to the Berkeley automounter daemon's RPC program (300019) procedure 7 that has a UDP length greater than 1024 bytes or a TCP stream length greater than 1024 bytes. The TCP stream length is defined by the contents of the two bytes preceding the RPC header in a TCP packet.
6196:0, 6196:1 | A, D; R for subsig 1 | SERVICE.RPC | Fires when an abnormally long call to the RPC program 100249 (snmpXdmid) and procedure 257 is detected.
6197:0, 6197:1 | A, D; R for subsig 0 | SERVICE.RPC | Fires when an overflow attempt is detected. This alarm looks for an abnormally large argument in the attempt to access yppasswdd.
6276:0, 6276:1 | A, D; R for subsig 1 | SERVICE.RPC | Alarms upon detecting an RPC connection to rpc program number 100083 using procedure 103 with a buffer greater than 1024.
9200:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 12345, which is a known trojan port for NetBus and others.
9201:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 31337, which is a known trojan port for BackFire.
9202:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 1524, which is a common back door placed on machines by worms and hackers.
9203:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 2773, which is a known trojan port for SubSeven.
9204:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 2774, which is a known trojan port for SubSeven.
9205:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 20034, which is a known trojan port for Netbus Pro.
9206:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 27374, which is a known trojan port for SubSeven.
9207:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 1234, which is a known trojan port for SubSeven.
9208:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 1999, which is a known trojan port for SubSeven.
9209:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 6711, which is a known trojan port for SubSeven.
9210:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 6712, which is a known trojan port for SubSeven.
9211:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 6713, which is a known trojan port for SubSeven.
9212:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 6776, which is a known trojan port for SubSeven.
9213:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 16959, which is a known trojan port for SubSeven.
9214:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 27573, which is a known trojan port for SubSeven.
9215:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 23432, which is a known trojan port for asylum.
9216:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 5400, which is a known trojan port for back-construction.
9217:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 5401, which is a known trojan port for back-construction.
9218:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 2115, which is a known trojan port for bugs.
9223:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 36794, which is a known trojan port for NetBus as well as Bugbear.
9224:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 10168, which is a known trojan port for lovegate.
9225:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 20168, which is a known trojan port for lovegate.
9226:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 1092, which is a known trojan port for lovegate.
9227:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 2018, which is a known trojan port for fizzer.
9228:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 2019, which is a known trojan port for fizzer.
9229:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 2020, which is a known trojan port for fizzer.
9230:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 2021, which is a known trojan port for fizzer.
9231:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 6777, which is a known trojan port for Beagle (Bagle).
9232:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 5190, which is a known trojan port for the Anig worm.
9233:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 3127, which is a known trojan port for the MyDoom.A / Novarg.A virus.
9236:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 3128, which is a known trojan port for the MyDoom.B / Novarg.B virus.
9237:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 8866, which is a known trojan port for the Beagle.B (Bagle.B) virus.
9238:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 2766, which is a known trojan port for the DeadHat worm.
9239:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 2745, which is a known trojan port for the Bagle.H-J virus.
9240:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 2556, which is a known trojan port for the Bagle (.M.N.O.P) virus.
9241:0 | A, D | ATOMIC.TCP | Fires upon detecting a TCP SYN/ACK packet from port 4751, which is a known trojan port for the Bagle.U virus.
(1) A = alarm, D = drop, R = reset
(2) This signature requires port to application mapping (PAM) configuration via the command ip port-map http port 81.
(3) This signature requires PAM configuration via the command ip port-map http port 81.
(4) This signature requires PAM configuration via the command ip port-map http port 8200.
How to Load IPS-Based Signatures onto a Router
Before configuring Cisco IOS IPS on a router, you should determine which one of the following deployment scenarios best addresses your situation and configure the associated task, as appropriate:
•You are installing a new router with the latest version of Cisco IOS IPS.
To perform this task, see the section "Installing Cisco IOS IPS on a New Router."
•Your network is transitioning to Cisco IOS IPS in Cisco IOS Release 12.3(8)T or later.
To perform this task, see the section "Upgrading to the Latest Cisco IOS IPS Signature Definition File (SDF)."
•You are merging the default (built-in) Cisco IOS IPS signatures with the latest version of the Cisco IOS IPS signature definition file, "attack-drop.sdf."
To perform this task, see the section "Merging Built-In Signatures with the attack-drop.sdf File"
•You are loading signatures onto a router via VMS IDS MC or SDM:
To use VMS IDS MC, see the documents on the VMS index.
To use SDM, see the document SDM Intrusion Prevention System (IPS) User's Guide.
After you have configured Cisco IOS IPS on your router, refer to the following optional sections:
•Monitoring Cisco IOS IPS Signatures via Syslog or SDEE
•Troubleshooting Cisco IOS IPS
Installing Cisco IOS IPS on a New Router
Use this task to install the latest Cisco IOS IPS signatures on a router for the first time.
This task allows you to load the default, built-in signatures or the SDF called "attack-drop.sdf"—but not both. If you want to merge the two signature files, you must load the default, built-in signatures as described in this task. Then, you can merge the default signatures with the attack-drop.sdf file as described in the task "Merging Built-In Signatures with the attack-drop.sdf File."
Note Loading the signatures provided in flash is the recommended method in Cisco IOS Release 12.3(8)T for IPS attack mitigation.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ips sdf location url
4. ip ips name ips-name [list acl]
5. ip ips signature signature-id [:sub-signature-id] {delete | disable | list acl-list}
6. ip ips deny-action ips-interface
7. interface type name
8. ip ips ips-name {in | out}
9. exit
10. show ip ips configuration
DETAILED STEPS
Upgrading to the Latest Cisco IOS IPS Signature Definition File (SDF)
Use this task to replace the existing signatures in your router with the latest IPS signature file, attack-drop.sdf.
Note The latest IPS image will read and convert all commands that begin with the words "ip audit" to "ip ips." For example, the ip audit name command will become the ip ips name command.
Although IPS will accept the audit keyword, it will generate the ips keyword when you show the configuration. Also, if you issue the help character (?), the CLI will display the ips keyword instead of the audit keyword, and the Tab key used for command completion will not recognize the audit keyword.
Prerequisites
To install Cisco IOS IPS, you should load a new Cisco IOS image to your router.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ips name ips-name
4. ip ips sdf location url
5. no ip ips location in builtin
6. ip ips fail closed
7. interface type name
8. ip ips ips-name {in | out} [list acl]
9. exit
10. show ip ips configuration
11. show ip ips signatures [detailed]
DETAILED STEPS
Merging Built-In Signatures with the attack-drop.sdf File
You may want to merge the built-in signatures with the attack-drop.sdf file if you find that the built-in signatures are not providing your network with adequate protection from security threats. Use this task to add the SDF and to change default parameters for a specific signature within the SDF or signature engine.
Prerequisites
Before you can merge the attack-drop.sdf file with the built-in signatures, you should already have the built-in signatures loaded onto the router as described in the task "Installing Cisco IOS IPS on a New Router."
SUMMARY STEPS
1. enable
2. configure terminal
3. no ip ips location in builtin
4. ip ips fail closed
5. exit
6. copy [/erase] url ips-sdf
7. copy ips-sdf url
8. configure terminal
9. ip ips signature signature-id[:sub-signature-id] {delete | disable | list acl-list}
10. ip ips sdf location url
11. interface type name
12. ip ips ips-name {in | out}
13. exit
14. exit
15. show ip ips signatures [detailed]
DETAILED STEPS
Monitoring Cisco IOS IPS Signatures via Syslog or SDEE
Cisco IOS IPS provides two methods to report IPS intrusion alerts—Cisco IOS logging (syslog) and Security Device Event Exchange (SDEE). Use this task to enable SDEE to report IPS intrusion alerts.
Note Effective Cisco IOS Release 12.3(14)T, the Post Office protocol is no longer supported.
SDEE Overview
SDEE is an application-level communication protocol that is used to exchange IPS messages between IPS clients and IPS servers.
SDEE is always running, but it does not receive and process events from IPS unless SDEE notification is enabled. If it is not enabled and a client sends a request, SDEE will respond with a fault response message, indicating that notification is not enabled.
Storing SDEE Events in the Buffer
When SDEE notification is enabled (via the ip ips notify sdee command), 200 events can automatically be stored in the buffer. When SDEE notification is disabled, all stored events are lost. A new buffer is allocated when the notifications are reenabled.
When specifying the size of an events buffer, note the following functionality:
•It is circular. When the end of the buffer is reached, the buffer will start overwriting the earliest stored events. (If overwritten events have not yet been reported, you will receive a buffer overflow notice.)
•If a new, smaller buffer is requested, all events that are stored in the previous buffer will be lost.
•If a new, larger buffer is requested, all existing events will be saved.
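The three buffer rules above, as an added Python model (not Cisco code and not part of this document): it reproduces the documented semantics so an operator can reason about how large `ip sdee events` must be for a given alert rate and SDEE poll interval. The `required_buffer_size` sizing rule and all event records are assumptions constructed for the illustration.

```python
"""Model of the SDEE event buffer behaviour described above.

Added illustration, not Cisco code. It reproduces the documented rules so an
operator can reason about sizing `ip sdee events`: the buffer is circular,
overwriting an event that was never reported raises an overflow notice,
shrinking the buffer discards every stored event, growing it keeps them.
All events below are constructed sample data.
"""
import math
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    sig_id: int   # signature id, e.g. 2004 (ICMP Echo Req)
    src: str      # source address reported by IPS
    time: int     # router timestamp in seconds


class SdeeEventBuffer:
    """Circular buffer of IPS events waiting to be retrieved by an SDEE client."""

    def __init__(self, size: int) -> None:
        if size < 1:
            raise ValueError("buffer size must be positive")
        self.size = size
        self._events = deque(maxlen=size)   # entries are (event, reported) pairs
        self.overflowed = False             # set when an unreported event is overwritten

    def store(self, event: Event) -> None:
        # A full deque drops its oldest entry on append; if that entry was still
        # unreported, the client has lost an event and must be told on its next poll.
        if len(self._events) == self.size and not self._events[0][1]:
            self.overflowed = True
        self._events.append((event, False))

    def get_events(self) -> tuple:
        """Return (unreported events oldest first, overflow notice) and mark
        everything as reported, as a client poll would."""
        unreported = [e for e, reported in self._events if not reported]
        self._events = deque(((e, True) for e, _ in self._events), maxlen=self.size)
        notice, self.overflowed = self.overflowed, False
        return unreported, notice

    def resize(self, new_size: int) -> int:
        """Apply `ip sdee events new_size`; returns how many events survive."""
        if new_size < 1:
            raise ValueError("buffer size must be positive")
        if new_size < self.size:
            self._events = deque(maxlen=new_size)   # smaller buffer: all events lost
            self.overflowed = False
        else:
            self._events = deque(self._events, maxlen=new_size)  # larger: events kept
        self.size = new_size
        return len(self._events)

    def __len__(self) -> int:
        return len(self._events)


def required_buffer_size(alerts_per_second: float, poll_interval_s: float,
                         headroom: float = 2.0) -> int:
    """Smallest buffer that holds one poll interval of alerts with headroom.
    This sizing rule is an assumption for illustration, not a Cisco recommendation."""
    return max(1, math.ceil(alerts_per_second * poll_interval_s * headroom))


def demo() -> dict:
    """Walk through the documented behaviours with constructed events."""
    buf = SdeeEventBuffer(3)
    for i in range(5):   # five alerts into three slots: two are overwritten unreported
        buf.store(Event(2004, "10.0.0.2", 1021174067 + i))
    events, overflow = buf.get_events()
    first_poll = ([e.time for e in events], overflow)
    buf.store(Event(2004, "10.0.0.2", 1021175127))
    kept_after_grow = buf.resize(10)    # larger buffer keeps the stored events
    kept_after_shrink = buf.resize(2)   # smaller buffer discards them all
    return {"first_poll": first_poll, "after_grow": kept_after_grow,
            "after_shrink": kept_after_shrink}
```

The overflow notice in `get_events` corresponds to the "buffer overflow notice" the text mentions: it fires only when an event that no client has yet fetched is overwritten, so a buffer that is polled often enough never raises it even while it wraps continuously.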
Prerequisites
To use SDEE, the HTTP server must be enabled (via the ip http server command). If the HTTP server is not enabled, the router cannot respond to the SDEE clients because it cannot see the requests.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ips notify sdee
4. ip sdee events events
5. ip sdee subscriptions subscriptions
6. exit
7. show ip sdee {[alerts] [all] [errors] [events] [configuration] [status] [subscriptions]}
DETAILED STEPS
Troubleshooting Tips
To print out new SDEE alerts on the router console, issue the debug ip sdee command.
To clear the event buffer or SDEE subscriptions from the router (which helps with error recovery), issue the clear ip sdee command.
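As an added example (not from this document and not Cisco code), the following Python parser turns the console and syslog lines that the two reporting methods produce into structured records a monitoring pipeline can act on. The line formats are modelled on the debug ip sdee output and the %IPS-2-DISABLED message shown in the command reference on this page; the sample lines are constructed copies of those, and the thresholds in `noisy_sources` and `findings` are assumptions for illustration.

```python
"""Structured parsing of Cisco IOS IPS console and syslog lines.

Added example, not Cisco code. Line formats are modelled on the `debug ip sdee`
output and the %IPS-2-DISABLED syslog message shown in this document; the
sample lines are constructed copies of those, and the detection thresholds are
assumptions for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# e.g. "5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021174067"
ALERT_RE = re.compile(
    r"SDEE alert:sigid (?P<sigid>\d+) name (?P<name>.+?) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) time (?P<time>\d+)$"
)
# e.g. "5d00h:SDEE:missed events for IDS1720:0" -> unreported events were overwritten
MISSED_RE = re.compile(r"SDEE:missed events for (?P<sub>\S+)$")
# e.g. "*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled"
SYSLOG_RE = re.compile(r"%IPS-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):(?P<text>.*)$")


@dataclass(frozen=True)
class Alert:
    sig_id: int
    name: str
    src: str
    time: int


@dataclass
class Summary:
    alerts: list = field(default_factory=list)
    missed_subscriptions: list = field(default_factory=list)   # SDEE buffer overflow
    syslog: list = field(default_factory=list)                 # (mnemonic, severity, text)
    ips_disabled: bool = False                                 # %IPS-2-DISABLED seen


def parse_lines(lines) -> Summary:
    """Classify each line; lines that match nothing (requests, reports) are ignored."""
    s = Summary()
    for raw in lines:
        line = raw.strip()
        if m := ALERT_RE.search(line):
            s.alerts.append(Alert(int(m["sigid"]), m["name"], m["src"], int(m["time"])))
        elif m := MISSED_RE.search(line):
            s.missed_subscriptions.append(m["sub"])
        elif m := SYSLOG_RE.search(line):
            s.syslog.append((m["mnemonic"], int(m["sev"]), m["text"].strip()))
            if m["mnemonic"] == "DISABLED":
                s.ips_disabled = True
    return s


def noisy_sources(summary: Summary, min_alerts: int = 3) -> list:
    """Sources with at least min_alerts alerts, most active first."""
    counts = Counter(a.src for a in summary.alerts)
    return [(src, n) for src, n in counts.most_common() if n >= min_alerts]


def findings(summary: Summary) -> list:
    """Operator-facing conclusions drawn from the parsed lines."""
    out = []
    if summary.ips_disabled:
        out.append("IPS was removed from all interfaces: traffic is unscanned until the rule is reapplied")
    if summary.missed_subscriptions:
        out.append("SDEE client missed events on %s: raise 'ip sdee events' or poll more often"
                   % ", ".join(summary.missed_subscriptions))
    for src, n in noisy_sources(summary):
        out.append("%d alerts from %s" % (n, src))
    return out


# Constructed sample lines, modelled on the debug and syslog output in this document.
SAMPLE_LINES = [
    "5d00h:SDEE:got request from client at 10.0.0.2",
    "5d00h:SDEE:GET request for client 10.0.0.2 subscription IDS1720:0",
    "5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021174067",
    "5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021174071",
    "5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021174072",
    "5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021175127",
    "5d00h:SDEE:missed events for IDS1720:0",
    "*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled",
]

if __name__ == "__main__":
    for line in findings(parse_lines(SAMPLE_LINES)):
        print(line)
```

The two non-alert findings are the ones worth a pager: an IPS-2-DISABLED message means the rule set is off every interface (the merge procedure on this page produces one deliberately while the rule is reapplied, so correlate it with change windows), and a "missed events" line means the SDEE buffer wrapped before the client fetched it, which is fixed by a larger ip sdee events value or a shorter poll interval rather than by clearing the buffer.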
Troubleshooting Cisco IOS IPS
This section contains the following information, which may help you troubleshoot Cisco IOS IPS:
•Interpreting Cisco IOS IPS System Messages
•Conditions of an SME Build Failure
Interpreting Cisco IOS IPS System Messages
Table 4 lists some of the alarm and error messages that may be shown when using Cisco IOS IPS.
Conditions of an SME Build Failure
There are times when an SME build will fail. The SME can fail for reasons such as attempting to load a corrupted SDF file or because the SME exceeds the memory limitations of the router. Should a failure occur, Cisco IOS IPS is designed to handle such failure conditions. Possible failures are as follows:
•By default, IPS is designed to "fail open," which means that if an SME does not build, all packets that are destined for that particular engine will pass traffic without scanning.
•If IPS is not able to load the attack-drop.sdf file onto a router, the router will revert to the previously loaded available signatures. (In most cases, the previously loaded signatures are the Cisco IOS built-in signatures.)
•If an engine build fails when you are merging the attack-drop.sdf file with the built-in signatures, IPS will revert, by default, to the previously available engine (or engines).
The default behavior for engine failure allows for packets to be passed unscanned. To prevent traffic from being passed unscanned, issue the ip ips fail closed command, which forces the router to drop all packets if an SME build fails.
Note If a signature or a signature parameter is not supported, Cisco IOS will print a syslog message, indicating that the signature or parameter is not supported.
Configuration Examples
This section contains the following configuration examples:
•Loading the Default Signatures: Example
•Loading the attack-drop.sdf: Example
•Merging the attack-drop.sdf File with the Default, Built-in Signatures: Example
Loading the Default Signatures: Example
The following example shows the Cisco IOS IPS commands required to load the default, built-in signatures. Note that a configuration option for specifying an SDF location is not necessary; built-in signatures reside statically in Cisco IOS.
!
ip ips po max-events 100
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
Loading the attack-drop.sdf: Example
The following example shows the basic configuration necessary to load the attack-drop.sdf file onto a router running Cisco IOS IPS. Note that the configuration is almost the same as loading the default signatures onto a router, except for the ip ips sdf location command, which specifies the attack-drop.sdf file.
!
ip ips sdf location disk2:attack-drop.sdf
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
Merging the attack-drop.sdf File with the Default, Built-in Signatures: Example
The following example shows how to configure the router to load and merge the attack-drop.sdf file with the default signatures. After you have merged the two files, it is recommended that you copy the newly merged signatures to a separate file. The router can then be reloaded (via the reload command) or reinitialized to recognize the newly merged file (as shown in the following example).
!
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
!
! Merge the flash-based SDF (attack-drop.sdf) with the built-in signatures.
Router# copy disk2:attack-drop.sdf ips-sdf
! Save the newly merged signatures to a separate file.
Router# copy ips-sdf disk2:my-signatures.sdf
!
! Configure the router to use the new file, my-signatures.sdf
Router# configure terminal
Router(config)# ip ips sdf location disk2:my-signatures.sdf
! Reinitialize the IPS by removing the IPS rule set and reapplying the rule set.
Router(config)# interface gig 0/1
Router(config-if)# no ip ips MYIPS in
!
*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled
!
Router(config-if)# ip ips MYIPS in
!
Router(config-if)# exit
Additional References
The following sections provide references related to Cisco IOS IPS.
Related Documents
Related Topic: SDM IPS user's guide
Related Topic: VMS IDS MC documentation
Related Topic: IPS and firewall
Related Topic: IPS and firewall commands
Related Topic: Loading images and file systems
Document Title: The section "File Management" in the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide, Release 12.3
Related Topic: Fragment attack support via VFR
Document Title: Virtual Fragmentation Reassembly, Cisco IOS Release 12.3(8)T feature module
Standards
MIBs
MIBs: None
MIBs Link:
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents only new, modified, replaced, and obsolete commands.
New Commands in Cisco IOS Release 12.3(8)T
New Command in Cisco IOS Release 12.3(14)T
•ip ips deny-action ips-interface
Replaced Commands
1 This command was made obsolete in Cisco IOS Release 12.3(14)T.
Obsolete Commands in Cisco IOS Release 12.3(8)T
•ip audit attack
•ip audit info
•ip audit smtp
Obsolete Commands in Cisco IOS Release 12.3(14)T
clear ip ips configuration
To disable Cisco IOS Firewall Intrusion Prevention System (IPS), remove all intrusion detection configuration entries, and release dynamic resources, use the clear ip ips configuration command in EXEC mode.
clear ip ips configuration
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Release    Modification
12.0(5)T   This command was introduced.
12.3(8)T   The command name was changed from the clear ip audit configuration command to the clear ip ips configuration command.
Examples
The following example clears the existing IPS configuration:
Router# clear ip ips configuration
clear ip ips statistics
To reset statistics on packets analyzed and alarms sent, use the clear ip ips statistics command in EXEC mode.
clear ip ips statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Release    Modification
12.0(5)T   This command was introduced.
12.3(8)T   The command name was changed from the clear ip audit statistics command to the clear ip ips statistics command.
Examples
The following example clears all Intrusion Prevention System (IPS) statistics:
Router# clear ip ips statistics
clear ip sdee
To clear Security Device Event Exchange (SDEE) events or subscriptions, use the clear ip sdee command in EXEC mode.
clear ip sdee {events | subscriptions}
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Because subscriptions are properly closed by the Cisco IOS Intrusion Prevention System (IPS) client, this command is typically used only to help with error recovery.
Examples
The following example shows how to clear all open SDEE subscriptions on the router:
Router# clear ip sdee subscriptions
Related Commands
copy ips-sdf
To load or save the signature definition file (SDF) in the router, use the copy ips-sdf command in EXEC mode.
Syntax for Loading the SDF
copy [/erase] url ips-sdf
Syntax for Saving the SDF
copy ips-sdf url
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Loading Signatures from the SDF
Issue the copy url ips-sdf command to load the SDF in the router from the location specified via the url argument. When the new SDF is loaded, it is merged with the SDF that is already loaded in the router, unless the /erase keyword is issued, which overwrites the current SDF with the new SDF.
Cisco IOS Intrusion Prevention System (IPS) will attempt to retrieve the SDF from each specified location in the order in which they were configured in the startup configuration. If Cisco IOS IPS cannot retrieve the signatures from any of the specified locations, the built-in signatures will be used.
If the no ip ips sdf built-in command is used, Cisco IOS IPS will fail to load. IPS will then rely on the configuration of the ip ips fail command to either fail open or fail closed.
Note For Cisco IOS Release 12.3(8)T, the SDF should be loaded directly from flash.
After the signatures are loaded in the router, the signature engines are built. Only after the signature engines are built can Cisco IOS IPS begin scanning traffic.
Note Whenever signatures are replaced or merged, the router is suspended while the signature engines for the newly added or merged signatures are being built. The router prompt will be available again after the engines are built.
Depending on your platform and how many signatures are being loaded, building the engine can take up to several minutes. It is recommended that you enable logging messages to monitor the engine building status.
The ip ips sdf location command can also be used to load the SDF. However, unlike the copy ips-sdf command, this command does not force an immediate load of the signatures. Signatures are not loaded until the router reboots or IPS is initially applied to an interface (via the ip ips command).
Saving a Generated or Merged SDF
Issue the copy ips-sdf url command to save a newly created SDF file to a specified location. The next time the router is reloaded, IPS can refer to the SDF from the saved location by including the ip ips sdf location command in the configuration.
Tip It is recommended that you save the SDF back out to flash. Also, you should save the file under a different name than the original attack-drop.sdf file; otherwise, you risk losing the original file.
Examples
The following example shows how to configure the router to load and merge the attack-drop.sdf file with the default signatures. After you have merged the two files, it is recommended that you copy the newly merged signatures to a separate file. The router can then be reloaded (via the reload command) or reinitialized to recognize the newly merged file (as shown in the following example).
!
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
!
! Merge the flash-based SDF (attack-drop.sdf) with the built-in signatures.
Router# copy disk2:attack-drop.sdf ips-sdf
! Save the newly merged signatures to a separate file.
Router# copy ips-sdf disk2:my-signatures.sdf
!
! Configure the router to use the new file, my-signatures.sdf
Router# configure terminal
Router(config)# ip ips sdf location disk2:my-signatures.sdf
! Reinitialize the IPS by removing the IPS rule set and reapplying the rule set.
Router(config)# interface gig 0/1
Router(config-if)# no ip ips MYIPS in
!
*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled
!
Router(config-if)# ip ips MYIPS in
!
Router(config-if)# exit
Related Commands
Command: ip ips sdf location
Description: Specifies the location in which the router should load the SDF.
debug ip ips
To enable debug messages for Cisco IOS Intrusion Prevention System (IPS), use the debug ip ips command in privileged EXEC mode. To disable debugging messages, use the no form of this command.
debug ip ips [engine] [detailed]
no debug ip ips [engine] [detailed]
Syntax Description
engine
(Optional) Displays debug messages only for a specific signature engine.
detailed
(Optional) Displays detailed debug messages for the specified signature engine or for all IPS actions.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows how to enable debug messages for the Cisco IOS IPS:
Router# debug ip ips
debug ip sdee
To enable debug messages for Security Device Event Exchange (SDEE) notification events, use the debug ip sdee command in privileged EXEC mode. To disable SDEE debugging messages, use the no form of this command.
debug ip sdee {[alerts] [detail] [messages] [requests] [subscriptions]}
no debug ip sdee [alerts] [detail] [messages] [requests] [subscriptions]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
The following is sample SDEE debug output. In this example, you can see which messages correspond to SDEE alerts, requests, and subscriptions.
Router# debug ip sdee alerts requests subscriptions
5d00h:SDEE:got request from client at 10.0.0.2
5d00h:SDEE:reported 13 events for client at 10.0.0.2
5d00h:SDEE:GET request for client 10.0.0.2 subscription IDS1720:0
5d00h:SDEE:reported 50 events for client 10.0.0.2 subscription IDS1720:0
5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021174067
5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021174071
5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021174072
5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021175127
5d00h:SDEE:missed events for IDS1720:0
Related Commands
ip ips
To apply an Intrusion Prevention System (IPS) rule to an interface, use the ip ips command in interface configuration mode. To remove an IPS rule from an interface direction, use the no form of this command.
ip ips ips-name {in | out} [list acl]
no ip ips ips-name {in | out} [list acl]
Syntax Description
Defaults
By default, IPS signatures are not applied to an interface or direction.
Command Modes
Interface configuration
Command History
Release    Modification
12.0(5)T   This command was introduced.
12.3(8)T   The command name was changed from the ip audit command to the ip ips command.
Usage Guidelines
The ip ips command loads the SDF onto the router and builds the signature engines when IPS is applied to the first interface.
Note The router prompt disappears while the signatures are loading and the signature engines are building. It will reappear after these tasks are complete.
Depending on your platform and how many signatures are being loaded, building the signature engine can take several minutes. It is recommended that you enable logging messages so you can monitor the engine building status.
The ip ips command replaces the ip audit command. If the ip audit command is part of an existing configuration, IPS will interpret it as the ip ips command.
Examples
The following example shows the basic configuration necessary to load the attack-drop.sdf file onto a router running Cisco IOS IPS. Note that the configuration is almost the same as loading the default signatures onto a router, except for the ip ips sdf location command, which specifies the attack-drop.sdf file.
!
ip ips sdf location disk2:attack-drop.sdf
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
The following example shows how to configure the router to load and merge the attack-drop.sdf file with the default signatures. After you have merged the two files, it is recommended that you copy the newly merged signatures to a separate file. The router can then be reloaded (via the reload command) or reinitialized to recognize the newly merged file (as shown in the following example).
!
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
!
! Merge the flash-based SDF (attack-drop.sdf) with the built-in signatures.
Router# copy disk2:attack-drop.sdf ips-sdf
! Save the newly merged signatures to a separate file.
Router# copy ips-sdf disk2:my-signatures.sdf
!
! Configure the router to use the new file, my-signatures.sdf
Router# configure terminal
Router(config)# ip ips sdf location disk2:my-signatures.sdf
! Reinitialize the IPS by removing the IPS rule set and reapplying the rule set.
Router(config)# interface gig 0/1
Router(config-if)# no ip ips MYIPS in
!
*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled
!
Router(config-if)# ip ips MYIPS in
!
Router(config-if)# exit
Related Commands
Command: copy ips-sdf
Description: Loads or saves the SDF in the router.
Command: ip ips sdf location
Description: Specifies the location in which the router should load the SDF.
ip ips deny-action ips-interface
To create an access control list (ACL) filter for the deny actions ("denyFlowInline" and "denyConnectionInline") on the intrusion prevention system (IPS) interface rather than ingress interface, use the ip ips deny-action ips-interface command in global configuration mode. To return to the default, use the no form of this command.
ip ips deny-action ips-interface
no ip ips deny-action ips-interface
Syntax Description
This command has no arguments or keywords.
Defaults
ACLs filter for the deny actions are applied to the ingress interface.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip ips deny-action ips-interface command to change the default behavior of the ACL filters that are created for the deny actions.
Note You should configure this command only if at least one signature is configured to use the supported deny actions (denyFlowInline and denyConnectionInline), if the input interface is configured for load balancing, and if IPS is configured on the output interface.
Default ACL Filter Approach
By default, ACL filters for the deny actions are created on the ingress interfaces of the offending packet. Thus, if Cisco IOS IPS is configured in outbound direction on the egress interface and the "deny" ACLs are created on the ingress interface, Cisco IOS IPS will drop the matching traffic before it goes through much processing. Unfortunately, this approach does not work in load balancing scenarios for which there is more than one ingress interface performing load-balancing.
Alternative ACL Filter Approach
The ip ips deny-action ips-interface command enables ACLs to be created on the same interface and in the same direction as Cisco IOS IPS is configured. This alternative approach supports load-balancing scenarios—assuming that the load-balancing interfaces have the same Cisco IOS IPS configuration. However, all outbound Cisco IOS IPS traffic will go through substantial packet path processing before it is eventually dropped by the ACLs.
Examples
The following example shows how to configure load-balancing between interface e0 and interface e1:
ip ips name test
ip ips deny-action ips-interface
! Enables load balancing with e1
interface e0
 ip address 10.1.1.14 255.255.255.0
 no shut
!
! Enables load balancing with e0
interface e1
 ip address 10.1.1.16 255.255.255.0
 no shut
!
interface e2
 ip address 10.1.1.18 255.255.255.0
 ip ips test in
 no shut
ip ips fail closed
To instruct the router to drop all packets until the signature engine is built and ready to scan traffic, use the ip ips fail closed command in global configuration mode. To return to the default functionality, use the no form of this command.
ip ips fail closed
no ip ips fail closed
Syntax Description
This command has no arguments or keywords.
Defaults
All packets are passed without being scanned while the signature engine is being built or if the signature engine fails to build.
Command Modes
Global configuration
Command History
Usage Guidelines
Cisco IOS IPS Fails to Load the SDF
By default, the router running Intrusion Prevention System (IPS) will load the built-in signatures if it fails to load the signature definition file (SDF). If this command is issued, the router will drop all packets—unless the user specifies an access control list (ACL) for packets to send to IPS.
IPS Loads the SDF but Fails to Build a Signature Engine
If the router running IPS loads the SDF but fails to build a signature engine, the router will mark the engine "not ready." If an available engine is previously loaded, the IPS will keep the available engine and discard the engine that is not ready for use. If no previous engines have been loaded or "not ready," the router will install the engine that is not ready and rely on the configuration of the ip ips fail closed command.
By default, packets destined for an engine marked "not ready" will be passed without being scanned. If this command is issued, the router will drop all packets that are destined for that signature engine.
Examples
The following example shows how to instruct the router to drop all packets if the attack-drop.sdf file fails to load:
Router(config)# ip ips fail closed
ip ips name
To specify an intrusion prevention system (IPS) rule, use the ip ips name command in global configuration mode. To delete an IPS rule, use the no form of this command.
ip ips name ips-name
no ip ips name ips-name
Syntax Description
Defaults
An IPS rule does not exist.
Command Modes
Global configuration
Command History
Release    Modification
12.0(5)T   This command was introduced.
12.3(8)T   The command name was changed from the ip audit name command to the ip ips name command.
Usage Guidelines
The IPS does not load the signatures until the rule is applied to an interface via the ip ips command.
Note This command replaces the ip audit name global configuration command. If the ip audit name command has been issued in an existing configuration and an access control list (ACL) has been defined, IPS will apply the ip ips name command and the ACL parameter on all interfaces that applied the rule.
Examples
The following example shows how to configure a router running Cisco IOS IPS to load the default, built-in signatures. Note that a configuration option for specifying an SDF location is not necessary; built-in signatures reside statically in Cisco IOS.
!
ip ips po max-events 100
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
Related Commands
Command: ip ips
Description: Applies an IPS rule to an interface.
Command: show ip ips
Description: Displays IPS information such as configured sessions and signatures.
ip ips notify
To specify the method of event notification, use the ip ips notify command in global configuration mode. To disable event notification, use the no form of this command.
ip ips notify [log | sdee]
no ip ips notify [log | sdee]
Syntax Description
Defaults
Disabled (alert messages are not sent).
Command Modes
Global configuration
Command History
Usage Guidelines
SDEE is always running, but it does not receive and process events from Intrusion Prevention System (IPS) unless SDEE notification is enabled. If it is not enabled and a client sends a request, SDEE will respond with a fault response message, indicating that notification is not enabled.
To use SDEE, the HTTP server must be enabled (via the ip http server command). If the HTTP server is not enabled, the router cannot respond to the SDEE clients because it cannot see the requests.
Note The ip ips notify command replaces the ip audit notify command. If the ip audit notify command is part of an existing configuration, the IPS will interpret it as the ip ips notify command.
Examples
In the following example, event notifications are specified to be sent in SDEE format:
ip ips notify sdee
Related Commands
ip ips po local
Note Effective with Cisco IOS Release 12.3(14)T, the ip ips po local command is no longer available in Cisco IOS software.
To specify the local Post Office parameters used when sending event notifications to the VPN/Security Management Solution (VMS), use the ip ips po local command in global configuration mode. To set the local Post Office parameters to their default settings, use the no form of this command.
ip ips po local hostid id-number orgid id-number
no ip ips po local [hostid id-number orgid id-number]
Syntax Description
Defaults
The default organization ID is 1. The default host ID is 1.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip ips po local global configuration command to specify the local Post Office parameters used when sending event notifications to the VMS.
Examples
In the following example, the local host is assigned a host ID of 10 and an organization ID of 500:
ip ips po local hostid 10 orgid 500
ip ips po max-events
Note Effective with Cisco IOS Release 12.3(14)T, the ip ips po max-events command is no longer available in Cisco IOS software.
To specify the maximum number of event notifications that are placed in the router's event queue, use the ip ips po max-events command in global configuration mode. To set the number of events to the default setting, use the no form of this command.
ip ips po max-events number-of-events
no ip ips po max-events
Syntax Description
number-of-events
Integer in the range from 1 to 65535 that designates the maximum number of events allowable in the event queue. The default is 100 events.
Defaults
The default number of events is 100.
Command Modes
Global configuration
Command History
Usage Guidelines
Raising the number of events past 100 may cause memory and performance impacts because each event in the event queue requires 32 KB of memory.
Examples
In the following example, the number of events in the event queue is set to 250:
ip ips po max-events 250
ip ips po protected
Note Effective with Cisco IOS Release 12.3(14)T, the ip ips po protected command is no longer available in Cisco IOS software.
To specify whether an address is on a protected network, use the ip ips po protected command in global configuration mode. To remove network addresses from the protected network list, use the no form of this command.
ip ips po protected ip-addr [to ip-addr]
no ip ips po protected [ip-addr]
Syntax Description
Defaults
If no addresses are defined as protected, then all addresses are considered outside the protected network.
Command Modes
Global configuration
Command History
Usage Guidelines
You can enter a single address at a time or a range of addresses at a time. You can also make as many entries to the protected networks list as you want. When an attack is detected, the corresponding event contains a flag that denotes whether the source or destination of the packet belongs to a protected network or not.
If you specify an IP address for removal, that address is removed from the list. If you do not specify an address, then all IP addresses are removed from the list.
Examples
In the following example, a range of addresses is added to the protected network list:
ip ips po protected 10.1.1.0 to 10.1.1.255
In the following example, three individual addresses are added to the protected network list:
ip ips po protected 10.4.1.1
ip ips po protected 10.4.1.8
ip ips po protected 10.4.1.25
ip ips po remote
Note Effective with Cisco IOS Release 12.3(14)T, the ip ips po remote command is no longer available in Cisco IOS software.
To specify one or more sets of Post Office parameters for the VPN/Security Management Solution (VMS) receiving event notifications from the router, use the ip ips po remote command in global configuration mode. To remove a VMS' Post Office parameters as defined by host ID, organization ID, and IP address, use the no form of this command.
ip ips po remote hostid host-id orgid org-id rmtaddress ip-address localaddress ip-address [port port-number] [preference preference-number] [timeout seconds] [application {director | logger}]
no ip ips po remote hostid host-id orgid org-id rmtaddress ip-address
Syntax Description
Defaults
Parameter values are not set.
Command Modes
Global configuration
Command History
Usage Guidelines
A router can report to more than one VMS. In this case, use the ip ips po remote command to add each VMS to which the router sends notifications.
More than one route can be established to the same VMS. In this case, you must give each route a preference number that establishes the relative priority of routes. The router always attempts to use the lowest numbered route, switching automatically to the next higher number when a route fails, and then switching back when the route begins functioning again.
Note The ip ips po remote command replaces the ip audit po remote command. If the ip audit po remote command is found in an existing configuration, Cisco IOS IPS will interpret it as the ip ips po remote command.
Examples
In the following example, two communication routes for the same dual-homed VMS are defined:
ip ips po remote hostid 30 orgid 500 rmtaddress 10.1.99.100 localaddress 10.1.99.1 preference 1
ip ips po remote hostid 30 orgid 500 rmtaddress 10.1.4.30 localaddress 10.1.4.1 preference 2
The router uses the first entry to establish communication with the VMS defined with host ID 30 and organization ID 500. If this route fails, then the router will switch to the secondary communications route. As soon as the first route begins functioning again, the router switches back to the primary route and closes the secondary route.
In the following example, a different VMS is assigned a longer heartbeat timeout value because of network congestion, and is designated as a logger application:
ip ips po remote hostid 70 orgid 500 rmtaddress 10.1.8.1 localaddress 10.1.8.100 timeout 10 application director
ip ips sdf location
To specify the location in which the router will load the signature definition file (SDF), use the ip ips sdf location command in global configuration mode. To remove an SDF location from the configuration, use the no form of this command.
ip ips sdf location url
no ip ips sdf location url
Syntax Description
Defaults
If an SDF location is not specified, the router will load the default, built-in signatures.
Command Modes
Global configuration
Command History
Usage Guidelines
When the ip ips sdf location command is issued, the signatures are not loaded until the router is rebooted or until the Intrusion Prevention System (IPS) is applied to an interface (via the ip ips command). If IPS is already applied to an interface, the signatures will not be loaded. If IPS cannot load the SDF, you will receive an error message and the router will use the built-in IPS signatures.
You can also issue the copy ips-sdf command to load an SDF from a specified location. Unlike the ip ips sdf location command, the signatures are loaded immediately after the copy ips-sdf command is issued.
Examples
The following example shows how to configure the router to load and merge the attack-drop.sdf file with the default signatures. After you have merged the two files, it is recommended that you copy the newly merged signatures to a separate file. The router can then be reloaded (via the reload command) or reinitialized to recognize the newly merged file (as shown in the following example).
!
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
!
! Merge the flash-based SDF (attack-drop.sdf) with the built-in signatures.
Router# copy disk2:attack-drop.sdf ips-sdf
!
! Save the newly merged signatures to a separate file.
Router# copy ips-sdf disk2:my-signatures.sdf
!
! Configure the router to use the new file, my-signatures.sdf
Router# configure terminal
Router(config)# ip ips sdf location disk2:my-signatures.sdf
!
! Reinitialize the IPS by removing the IPS rule set and reapplying the rule set.
Router(config-if)# interface gig 0/1
Router(config-if)# no ip ips MYIPS in
!
*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled
!
Router(config-if)# ip ips MYIPS in
!
Router(config-if)# exit
Related Commands
Command Description
copy ips-sdf Loads or saves the SDF in the router.
ip ips Applies the IPS rule to an interface.
ip ips signature
To attach a policy to a signature, use the ip ips signature command in global configuration mode. If the policy disabled a signature, use the no form of this command to reenable the signature. If the policy attached an access list to the signature, use the no form of this command to remove the access list.
ip ips signature signature-id[:sub-signature-id] {delete | disable | list acl-list}
no ip ips signature signature-id[:sub-signature-id]
Syntax Description
Defaults
No policy is attached to a signature, and all signatures within the signature definition file (SDF) are reported, if detected
Command Modes
Global configuration
Command History
Release Modification
12.0(5)T This command was introduced.
12.3(8)T The command name was changed from the ip audit signature command to the ip ips signature command to support SDFs.
Usage Guidelines
This command allows you to set three policies: delete a signature, disable the audit of a signature, or qualify the audit of a signature with an access list.
You may want to disable a signature (or set of signatures) if your deployment scenario deems the signatures unnecessary.
If you are attaching an ACL to a signature, then you also need to create an Intrusion Prevention System (IPS) rule with the ip ips name command and apply it to an interface with the ip ips command.
Note The ip ips signature command replaces the ip audit signature command. If the ip audit signature command is found in an existing configuration, Cisco IOS IPS will interpret it as the ip ips signature command.
Examples
In the following example, a signature is disabled, another signature has ACL 99 attached to it, and ACL 99 is defined:
ip ips signature 6150 disable
ip ips signature 1000 list 99
access-list 99 deny 10.1.10.0 0.0.0.255
access-list 99 permit any
Related Commands
ip sdee events
To set the maximum number of Security Device Event Exchange (SDEE) events that can be stored in the event buffer, use the ip sdee events command in global configuration mode. To change the buffer size or return to the default buffer size, use the no form of this command.
ip sdee events events
no ip sdee events events
Syntax Description
Defaults
200 events
Command Modes
Global configuration
Command History
Usage Guidelines
When SDEE notification is enabled (via the ip ips notify sdee command), 200 events can automatically be stored in the buffer. When SDEE notification is disabled, all stored events are lost. A new buffer is allocated when the notifications are reenabled.
When specifying the size of an events buffer, note the following functionality:
•It is circular. When the end of the buffer is reached, the buffer will start overwriting the earliest stored events. (If overwritten events have not yet been reported, you will receive a buffer overflow notice.)
•If a new, smaller buffer is requested, all events that are stored in the previous buffer will be lost.
•If a new, larger buffer is requested, all existing events will be saved.
Examples
The following example shows how to set the maximum buffer events size to 500:
configure terminal
ip ips notify sdee
ip sdee events 500
Related Commands
ip sdee subscriptions
To set the maximum number of Security Device Event Exchange (SDEE) subscriptions that can be open simultaneously, use the ip sdee subscriptions command in global configuration mode. To change the current selection or return to the default, use the no form of this command.
ip sdee subscriptions subscriptions
no ip sdee subscriptions subscriptions
Syntax Description
Defaults
1 subscription
Command Modes
Global configuration
Command History
Usage Guidelines
After you have enabled SDEE to receive and process events from the Intrusion Prevention System (IPS), you can issue the ip sdee subscriptions command to modify the number of allowed open SDEE subscriptions.
Examples
The following example shows how to change the number of allowed open subscriptions to 2:
configure terminal
ip ips notify sdee
ip sdee events 500
ip sdee subscriptions 2
Related Commands
no ip ips sdf builtin
To instruct the router not to load the built-in signatures if it cannot find the specified signature definition files (SDFs), use the no ip ips sdf builtin command in global configuration mode.
no ip ips sdf builtin
Syntax Description
This command has no arguments or keywords.
Defaults
If the router fails to load the SDF, the router will load the default, built-in signatures.
Command Modes
Global configuration
Command History
Usage Guidelines
Caution If the no ip ips sdf builtin command is issued and the router running Intrusion Prevention System (IPS) fails to load the SDF, you will receive an error message stating that IPS is completely disabled.
Examples
The following example shows how to instruct the router not to revert to the default, built-in signatures if the attack-drop.sdf file fails to load onto the router:
Router(config)# no ip ips sdf builtin
Related Commands
Command Description
copy ips-sdf Loads or saves the SDF in the router.
ip ips sdf location Specifies the location in which the router will load the SDF.
show ip ips
To display Intrusion Prevention System (IPS) information such as configured sessions and signatures, use the show ip ips command in privileged EXEC mode.
show ip ips {[all] [configuration] [interfaces] [name name] [statistics [reset]] [sessions [details]] [signatures [details]]}
Syntax Description
Command Modes
Privileged EXEC
Command History
Release Modification
12.0(5)T This command was introduced.
12.3(8)T The command name was changed from show ip audit to show ip ips. Also, all show ip ips commands were combined into a single command.
Usage Guidelines
Use the show ip ips configuration EXEC command to display additional configuration information, including default values that may not be displayed using the show running-config command.
Examples
Sample Output for the show ip ips configuration Command
The following example displays the output of the show ip ips configuration command:
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:5 OrgID:100 Addr:10.2.7.3 Msg dropped:0
HID:1000 OID:100 S:218 A:3 H:14092 HA:7118 DA:0 R:0
CID:1 IP:172.21.160.20 P:45000 S:ESTAB (Curr Conn)
Audit Rule Configuration
Audit name AUDIT.1
info actions alarm
Sample Output for the show ip ips interfaces Command
The following example displays the output of the show ip ips interfaces command:
Interface Configuration
Interface Ethernet0
Inbound IPS audit rule is AUDIT.1
info actions alarm
Outgoing IPS audit rule is not set
Interface Ethernet1
Inbound IPS audit rule is AUDIT.1
info actions alarm
Outgoing IPS audit rule is AUDIT.1
info actions alarm
Sample Output for the show ip ips statistics Command
The following example displays the output of the show ip ips statistics command:
Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0
Related Commands
show ip sdee
To display Security Device Event Exchange (SDEE) notification information, use the show ip sdee command in privileged EXEC mode.
show ip sdee {[alerts] [all] [errors] [events] [configuration] [status] [subscriptions]}
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the show ip sdee alerts command. In this example, the alerts are numbered from 1 to 100 (because 100 events are currently in the event buffer). Following the alert number are 3 digits, which indicate whether the alert has been reported for the 3 possible subscriptions. In this example, these alerts have been reported for subscription number 1. The event ID is composed of the alert time and an increasing count, separated by a colon.
Router# show ip sdee alerts
Event storage:1000 events using 656000 bytes of memory
SDEE Alerts
        SigID  SrcIP     DstIP     SrcPort DstPort Sev Event ID        SigName
1:100   2004   10.0.0.2  10.0.0.1  8       0       2   10211478597901  ICMP Echo Req
2:100   2004   10.0.0.2  10.0.0.1  8       0       2   10211478887902  ICMP Echo Req
3:100   2004   10.0.0.2  10.0.0.1  8       0       2   10211479247903  ICMP Echo Req
4:100   2004   10.0.0.2  10.0.0.1  8       0       2   10211479457904  ICMP Echo Req
5:100   2004   10.0.0.2  10.0.0.1  8       0       2   10211479487905  ICMP Echo Req
6:100   2004   10.0.0.2  10.0.0.1  8       0       2   10211480077906  ICMP Echo Req
7:100   2004   10.0.0.2  10.0.0.1  8       0       2   10211480407907  ICMP Echo Req
........................................................................................
96:000  2004   10.0.0.2  10.0.0.1  8       0       2   10211750898596  ICMP Echo Req
97:000  2004   10.0.0.2  10.0.0.1  8       0       2   10211750898597  ICMP Echo Req
98:000  2004   10.0.0.2  10.0.0.1  8       0       2   10211750898598  ICMP Echo Req
99:000  2004   10.0.0.2  10.0.0.1  8       0       2   10211750908599  ICMP Echo Req
100:000 2004   10.0.0.2  10.0.0.1  8       0       2   10211750918600  ICMP Echo Req
The following is sample output from the show ip sdee subscriptions command. In this example, SDEE is enabled, the maximum event buffer size has been set to 100, and the maximum number of subscriptions that can be open at the same time is 1.
Router# show ip sdee subscriptions
SDEE is enabled
Alert buffer size:100 alerts 65600 bytes
Maximum subscriptions:1
SDEE open subscriptions: 1
Subscription ID IDS1720:0:
Client address 10.0.0.2 port 1500
Subscription opened at 13:21:30 MDT July 18 2003
Total GET requests:0
Max number of events:50
Timeout:30
Event Start Time:0
Report alerts:true
Alert severity level is INFORMATIONAL
Report errors:false
Report status:false
Table 5 describes the significant fields shown in the display.
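As an added example (not Cisco's code and not part of this reference), the Python parser below reads a show ip sdee alerts listing in the layout shown above, decodes the per-subscription reported flags that follow each alert number, and lists for every subscription the alerts it has not yet fetched, which are exactly the events a wrap of the circular buffer sized by ip sdee events would overwrite. The sample listing is constructed, and the names SdeeAlert, parse_sdee_alerts and unreported_by_subscription are ours, not IOS identifiers.

```python
import re
from dataclasses import dataclass

# Constructed sample laid out like show ip sdee alerts (not captured from a device); the digits after the alert number are the per-subscription "reported" flags.
SAMPLE_OUTPUT = """\
Event storage:1000 events using 656000 bytes of memory
SDEE Alerts
        SigID  SrcIP     DstIP     SrcPort DstPort Sev Event ID        SigName
1:100   2004   10.0.0.2  10.0.0.1  8       0       2   10211478597901  ICMP Echo Req
2:110   2004   10.0.0.2  10.0.0.1  8       0       2   10211478887902  ICMP Echo Req
..........................................................................
3:000   2004   10.0.0.2  10.0.0.1  8       0       2   10211750918600  ICMP Echo Req
"""

ALERT_RE = re.compile(r"^(?P<num>\d+):(?P<flags>[01]+)\s+(?P<sigid>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
                      r"\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<sev>\d+)\s+(?P<eid>\S+)\s+(?P<name>.+?)\s*$")

@dataclass
class SdeeAlert:
    number: int
    reported: tuple      # reported[i] is True when subscription i+1 has already fetched the alert
    sig_id: int
    src: str
    dst: str
    src_port: int
    dst_port: int
    severity: int
    event_id: str
    sig_name: str

def parse_sdee_alerts(text):
    """Return the alert rows of a show ip sdee alerts listing as SdeeAlert objects."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:   # the storage summary, banner, column header and '...' rows do not match
            alerts.append(SdeeAlert(int(m["num"]), tuple(c == "1" for c in m["flags"]),
                                    int(m["sigid"]), m["src"], m["dst"], int(m["sport"]),
                                    int(m["dport"]), int(m["sev"]), m["eid"], m["name"]))
    return alerts

def unreported_by_subscription(alerts):
    """Map subscription number -> alert numbers it has not fetched; a buffer wrap would destroy these."""
    pending = {}
    for a in alerts:
        for sub, done in enumerate(a.reported, start=1):
            if not done:
                pending.setdefault(sub, []).append(a.number)
    return pending
```

Run against output collected before the buffer fills to see which subscribers are falling behind; a non-empty list for a subscription means the buffer-overflow notice described under ip sdee events is the next thing you will see.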
The following is sample output from the show ip sdee status command. In this example, the buffer is set to store a maximum of 1000 events.
Router# show ip sdee status
Event storage:1000 events using 656000 bytes of memory
SDEE Status Messages
        Time                      Message             Description
1:000   22:10:58 UTC Apr 18 2003  applicationStarted  STRING.UDP,0 ms
2:000   22:10:58 UTC Apr 18 2003  applicationStarted  STRING.TCP,0 ms
3:000   22:10:58 UTC Apr 18 2003  applicationStarted  OTHER,0 ms
4:000   22:10:58 UTC Apr 18 2003  applicationStarted  SERVICE.FTP,276 ms
5:000   22:11:07 UTC Apr 18 2003  applicationStarted  SERVICE.SMTP,8884 ms
6:000   22:11:07 UTC Apr 18 2003  applicationStarted  SERVICE.RPC,72 ms
7:000   22:11:07 UTC Apr 18 2003  applicationStarted  SERVICE.DNS,132 ms
8:000   22:11:15 UTC Apr 18 2003  applicationStarted  SERVICE.HTTP,7632 ms
9:000   22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.TCP,24 ms
10:000  22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.UDP,12 ms
11:000  22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.ICMP,12 ms
12:000  22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.IPOPTIONS,8 ms
13:000  22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.L3.IP,8 ms
Related Commands
Copyright © 2005 Cisco Systems, Inc. All rights reserved.
1 To scan for application layer signatures across fragments, you can enable virtual fragment reassembly.