Re: IP IPS - ip ips sdf location CLI not working

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Sun, 16 May 2010 11:37:14 +0100

One interesting point:

So I enabled my echo and echo-reply signatures fine (inbound and/or outbound
on an interface). And I tested by sending a ping to the box in question. Only
my echo-request signature got triggered. So I thought maybe I am being
fast-switched (or process switched) and hence not hitting the engine (for the
echo-reply) on the way in/out. I disabled process and CEF switching on the
interface but it still did not work.

End of the day, only transit traffic (not terminating on the box itself) was
hitting my echo-reply signature.

Anybody know why? Or has better ideas? I don't seem to see what's up here.

Thanks as usual.

Sadiq

On Sun, May 16, 2010 at 11:21 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com>wrote:

> Thanks Adrian and Piotr!
>
> That's a well written white paper. I am all sorted now. Although the
> documentation of 12.4T still makes reference to that CLI, which AFAICS
> does not exist in the code :-)
>
> Sadiq
>
>
> On Sun, May 16, 2010 at 7:19 AM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>
>> Hi Sadiq,
>>
>> You're looking at wrong document (it's for 12.4). Take a look at:
>>
>> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.pdf
>>
>> HTH,
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, Security)
>> Technical Instructor
>> website: www.MicronicsTraining.com
>> blog: www.ccie1.com
>>
>> If you can't explain it simply, you don't understand it well enough -
>> Albert Einstein
>>
>>
>> 2010/5/16 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>>
>>> Hi guys,
>>>
>>> It seems to me like the documentation says we can load the signature
>>> definition file via the command "ip ips sdf location ..", as reported by
>>> [1] below, but this does not seem to be supported on the box.
>>>
>>> Well, I went ahead and configured my IPS policy on the router, but as it
>>> were, I could not enable the ICMP echo and echo-reply signatures (2000
>>> and 2004).
>>>
>>> Any help/pointers would be very helpful.
>>>
>>> Thanks,
>>> Sadiq
>>>
>>> [1]
>>> http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_ips_external_docbase_0900e4b180de56d7_4container_external_docbase_0900e4b180e076b5.html#wp1175461
>>>
>>> R6(config)#ip ips ?
>>>   auto-update           Auto Update
>>>   config                Location of IPS configuration files
>>>   deny-action           Specify Deny action
>>>   event-action-rules    Event Action Rules (SEAP)
>>>   fail                  Specify what to do during any failures
>>>   name                  Specify an IPS rule
>>>   notify                Specify the notification mechanisms (SDEE or log) for the alarms
>>>   signature-category    Signature Category
>>>   signature-definition  Signature Definition
>>>
>>> R6#
>>> R6#conf t
>>> Enter configuration commands, one per line.  End with CNTL/Z.
>>> R6(config)#ip ips si
>>> R6(config)#ip ips signature-de
>>> R6(config)#ip ips signature-definition
>>> R6(config-sigdef)#si
>>> R6(config-sigdef)#signature 2000 0
>>> Unable to locate sig 2000:0
>>> R6(config-sigdef)#si
>>> R6(config-sigdef)#signature ?
>>>   <1-65535>  Signature ID value
>>>
>>> R6(config-sigdef)#signature
>>> % Incomplete command.
>>>
>>> R6(config-sigdef)#
>>> R6(config-sigdef)#
>>> R6(config-sigdef)#end
>>> R6#
>>> R6#
>>> R6#dir
>>> May 15 22:57:44.932: %SYS-5-CONFIG_I: Configured from console by console
>>> R6#dir
>>> Directory of flash:/
>>>
>>>     1  -rw-        5650   May 8 2010 16:40:48 +00:00  -0
>>>     2  -rw-        5650   May 8 2010 17:10:14 +00:00  -1
>>>     3  -rw-        5834   May 8 2010 23:02:20 +00:00  -2
>>>     4  -rw-        5834   May 8 2010 23:10:14 +00:00  -3
>>>     5  -rw-        1823  Feb 22 2007 09:09:30 +00:00  sdmconfig-2811.cfg
>>>    13  drw-           0  May 15 2010 22:32:30 +00:00  IPS
>>>     6  -rw-      833024  Feb 22 2007 09:10:16 +00:00  es.tar
>>>     7  -rw-     1052160  Feb 22 2007 09:10:34 +00:00  common.tar
>>>     8  -rw-        1038  Feb 22 2007 09:10:50 +00:00  home.shtml
>>>     9  -rw-      102400  Feb 22 2007 09:11:04 +00:00  home.tar
>>>    10  -rw-      491213  Feb 22 2007 09:11:22 +00:00  128MB.sdf
>>>    11  -rw-      398305  Feb 22 2007 09:12:04 +00:00  sslclient-win-1.1.0.154.pkg
>>>    12  -rw-    60324084  Mar 19 2010 11:03:00 +00:00  c2800nm-adventerprisek9_sna-mz.124-24.T1.bin
>>>
>>> 64016384 bytes total (733184 bytes free)
>>> R6#
>>> R6#sh ver | i IOS
>>> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9_SNA-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
>>> R6#
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>
> --
> CCIE #19963
>

--
CCIE #19963
Blogs and organic groups at http://www.ccie.net
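For reference, the following is an added example of the IOS IPS 5.x-format workflow that replaced the `ip ips sdf location` command on 12.4(11)T-and-later images such as the 12.4(24)T1 build in the transcript above. It is not configuration from the thread or from Cisco's white paper. The `ip ips signature-definition` submode can only reference signature IDs that exist in a loaded 5.x signature package, which is why a signature package must be copied to the `idconf` target before `signature 2000 0` (ICMP echo reply) and `signature 2004 0` (ICMP echo request) resolve. Assumed names: rule `IOSIPS`, directory `flash:IPS`, interface `FastEthernet0/0`, and a hypothetical package file `IOS-S376-CLI.pkg`. The Cisco signing key (`realm-cisco.pub`) must already be present under `crypto key pubkey-chain rsa`; its key data is omitted here.

```cisco
! Added example, not from the thread. Assumed names: rule IOSIPS,
! directory flash:IPS, interface FastEthernet0/0, package IOS-S376-CLI.pkg
! (hypothetical file name). Prerequisite not shown: the realm-cisco.pub key
! under "crypto key pubkey-chain rsa", or the package signature check fails.
!
! 1. Storage for the compiled signatures, the rule name, and alarm delivery
mkdir flash:IPS
configure terminal
 ip ips config location flash:IPS retries 1
 ip ips name IOSIPS
 ip ips notify log
!
! 2. Retire everything, then un-retire only the memory-friendly basic category
 ip ips signature-category
  category all
   retired true
  exit
  category ios_ips basic
   retired false
  exit
 exit
!
! 3. Apply the rule to the interface before loading the package, so the
!    signature engines are compiled when the package is read
 interface FastEthernet0/0
  ip ips IOSIPS in
  ip ips IOSIPS out
 exit
end
!
! 4. Load the signature package into the signature database.
!    "idconf" is the IPS configuration target, not a filename.
copy flash:IOS-S376-CLI.pkg idconf
!
! 5. Only now do the signature IDs resolve. Enable and un-retire the ICMP
!    echo reply (2000) and echo request (2004) signatures explicitly; the
!    "retired" and "enabled" flags are independent, so set both.
configure terminal
 ip ips signature-definition
  signature 2000 0
   status
    enabled true
    retired false
   exit
  exit
  signature 2004 0
   status
    enabled true
    retired false
   exit
  exit
 exit
end
!
! 6. Verify the rule, the config location, and the number of active signatures
show ip ips configuration
show ip ips signatures count
```

The ordering in steps 3 and 4 matters: if the package is copied to `idconf` before any interface carries the rule, the engines are built later, when the rule is first applied. Step 5 sets both `enabled true` and `retired false` because a signature that is enabled but still retired is not compiled into the engine and never fires.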
Received on Sun May 16 2010 - 11:37:14 ART

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:53 ART