More information, if it helps:
R6#sh run int f0/0
Building configuration...
Current configuration : 168 bytes
!
interface FastEthernet0/0
 ip address 204.12.1.6 255.255.255.0
 ip ips IPS in
 ip ips IPS out
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
end
R6#
R6#
!
!
ip cef
!
!
no ip domain lookup
ip domain name ccie.com
ip ips config location flash:/IPS/ retries 1
ip ips deny-action ips-interface
ip ips name IPS
!
ip ips signature-category
 category ios_ips basic
  retired false
  enabled true
 category all
  retired true
!
R6#debug ip icmp
ICMP packet debugging is on
R6#!!!!!!!!!!!!!!!!!!!!!!!!!!!! for terminal traffic !!!!!!!!!!!!!!!!!!!
R6#
R6#
May 16 11:16:07.719: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [204.12.1.3:8 -> 204.12.1.6:0] VRF:NONE RiskRating:100
R6#
May 16 11:16:07.719: ICMP: echo reply sent, src 204.12.1.6, dst 204.12.1.3
R6#
R6#
R6#
R6#
R6#!!!!!!!!!!!!!!!!!!! now for transit traffic!!!!!!!!!!!!!!!!!!!!
R6#
R6#
May 16 11:16:50.257: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [204.12.1.3:8 -> 54.1.2.254:0] VRF:NONE RiskRating:100
May 16 11:16:50.285: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:100 ICMP Echo Reply [54.1.2.254:0 -> 204.12.1.3:8] VRF:NONE RiskRating:100
R6#
On Sun, May 16, 2010 at 11:37 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> One interesting point:
>
> So I enabled my echo and echo-reply signatures fine (inbound *and/or*
> outbound on an interface). And I tested by sending a ping to the box in
> question. Only my echo-request signature got triggered. So I thought maybe
> I am being fast-switched (or process switched) and hence not hitting the
> engine (for the echo-reply) on the way in/out. I disabled process and cef
> switching on the interface but still did not work.
>
> End of the day, only transit traffic (not terminating on the box
> itself) was hitting my echo-reply signature.
>
> Anybody knows why? Or has better ideas? I don't seem to see what's up here.
>
> Thanks as usual.
>
> Sadiq
>
>
> On Sun, May 16, 2010 at 11:21 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
>> Thanks Adrian and Piotr!
>>
>> That's a well written white paper. I am all sorted now. Although the
>> documentation of 12.4.T still makes reference to that CLI, which AFAICS,
>> does not exist on the code :-)
>>
>> Sadiq
>>
>>
>> On Sun, May 16, 2010 at 7:19 AM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>
>>> Hi Sadiq,
>>>
>>> You're looking at the wrong document (it's for 12.4). Take a look at:
>>>
>>> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.pdf
>>>
>>> HTH,
>>> --
>>> Piotr Matusiak
>>> CCIE #19860 (R&S, Security)
>>> Technical Instructor
>>> website: www.MicronicsTraining.com
>>> blog: www.ccie1.com
>>>
>>> If you can't explain it simply, you don't understand it well enough -
>>> Albert Einstein
>>>
>>>
>>> 2010/5/16 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>>>
>>>> Hi guys,
>>>>
>>>> It seems to me like the documentation says we can load the signature
>>>> definition file via the command "ip ips sdf location ..", as reported by
>>>> [1] below, but this seems to be not supported on the box.
>>>>
>>>> Well, I went ahead and configured my IPS policy on the router, but as it
>>>> were, I could not enable the icmp echo and echo-reply signatures (2000 and
>>>> 2004).
>>>>
>>>> Any help/pointers would be very helpful.
>>>>
>>>> Thanks,
>>>> Sadiq
>>>>
>>>> [1]
>>>> http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_ips_external_docbase_0900e4b180de56d7_4container_external_docbase_0900e4b180e076b5.html#wp1175461
>>>>
>>>> R6(config)#ip ips ?
>>>> auto-update Auto Update
>>>> config Location of IPS configuration files
>>>> deny-action Specify Deny action
>>>> event-action-rules Event Action Rules (SEAP)
>>>> fail Specify what to do during any failures
>>>> name Specify an IPS rule
>>>> notify Specify the notification mechanisms (SDEE or log) for the alarms
>>>> signature-category Signature Category
>>>> signature-definition Signature Definition
>>>>
>>>> R6#
>>>> R6#conf t
>>>> Enter configuration commands, one per line. End with CNTL/Z.
>>>> R6(config)#ip ips si
>>>> R6(config)#ip ips signature-de
>>>> R6(config)#ip ips signature-definition
>>>> R6(config-sigdef)#si
>>>> R6(config-sigdef)#signature 2000 0
>>>> Unable to locate sig 2000:0
>>>> R6(config-sigdef)#si
>>>> R6(config-sigdef)#signature ?
>>>> <1-65535> Signature ID value
>>>>
>>>> R6(config-sigdef)#signature
>>>> % Incomplete command.
>>>>
>>>> R6(config-sigdef)#
>>>> R6(config-sigdef)#
>>>> R6(config-sigdef)#end
>>>> R6#
>>>> R6#
>>>> R6#dir
>>>> May 15 22:57:44.932: %SYS-5-CONFIG_I: Configured from console by console
>>>> R6#dir
>>>> Directory of flash:/
>>>>
>>>> 1 -rw- 5650 May 8 2010 16:40:48 +00:00 -0
>>>> 2 -rw- 5650 May 8 2010 17:10:14 +00:00 -1
>>>> 3 -rw- 5834 May 8 2010 23:02:20 +00:00 -2
>>>> 4 -rw- 5834 May 8 2010 23:10:14 +00:00 -3
>>>> 5 -rw- 1823 Feb 22 2007 09:09:30 +00:00 sdmconfig-2811.cfg
>>>> 13 drw- 0 May 15 2010 22:32:30 +00:00 IPS
>>>> 6 -rw- 833024 Feb 22 2007 09:10:16 +00:00 es.tar
>>>> 7 -rw- 1052160 Feb 22 2007 09:10:34 +00:00 common.tar
>>>> 8 -rw- 1038 Feb 22 2007 09:10:50 +00:00 home.shtml
>>>> 9 -rw- 102400 Feb 22 2007 09:11:04 +00:00 home.tar
>>>> *10 -rw- 491213 Feb 22 2007 09:11:22 +00:00 128MB.sdf*
>>>> 11 -rw- 398305 Feb 22 2007 09:12:04 +00:00 sslclient-win-1.1.0.154.pkg
>>>> 12 -rw- 60324084 Mar 19 2010 11:03:00 +00:00 c2800nm-adventerprisek9_sna-mz.124-24.T1.bin
>>>>
>>>> 64016384 bytes total (733184 bytes free)
>>>> R6#
>>>> R6#sh ver | i IOS
>>>> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9_SNA-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
>>>> R6#
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>>
>> --
>> CCIE #19963
>>
>
>
>
> --
> CCIE #19963
>
--
CCIE #19963

Received on Sun May 16 2010 - 12:04:18 ART
This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:53 ART
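
The comparison made by hand in the top message (which signature IDs fired for traffic to the router versus transit traffic) can be done over a syslog capture. The following is an added example, not part of the original thread: it parses the %IPS-4-SIGNATURE lines quoted in the post (wrapped lines rejoined) and reports echo-request alerts that have no echo-reply alert for the reverse flow. The function names and the local-address set are assumptions made for the example.

```python
import re

# Log lines as quoted in the post above, with wrapped lines rejoined.
SAMPLE_LOG = """\
May 16 11:16:07.719: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [204.12.1.3:8 -> 204.12.1.6:0] VRF:NONE RiskRating:100
May 16 11:16:07.719: ICMP: echo reply sent, src 204.12.1.6, dst 204.12.1.3
May 16 11:16:50.257: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [204.12.1.3:8 -> 54.1.2.254:0] VRF:NONE RiskRating:100
May 16 11:16:50.285: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:100 ICMP Echo Reply [54.1.2.254:0 -> 204.12.1.3:8] VRF:NONE RiskRating:100
"""

# Field layout taken from the alert lines in the post; the number after each
# address is matched but not interpreted.
ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<risk>\d+)"
)

ECHO_REQUEST, ECHO_REPLY = 2004, 2000  # signature IDs named in the thread


def parse_alerts(text):
    """Return one dict per %IPS-4-SIGNATURE line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alert = m.groupdict()
            alert["sig"] = int(alert["sig"])
            alerts.append(alert)
    return alerts


def unmatched_requests(alerts, local_addrs):
    """Echo-request alerts with no echo-reply alert for the reverse flow."""
    replies = {(a["src"], a["dst"]) for a in alerts if a["sig"] == ECHO_REPLY}
    report = []
    for a in alerts:
        if a["sig"] == ECHO_REQUEST and (a["dst"], a["src"]) not in replies:
            # local_addrs: the router's own interface addresses (assumed input)
            kind = "to-router" if a["dst"] in local_addrs else "transit"
            report.append((a["src"], a["dst"], kind))
    return report


if __name__ == "__main__":
    found = unmatched_requests(parse_alerts(SAMPLE_LOG), {"204.12.1.6"})
    for src, dst, kind in found:
        print(f"{src} -> {dst} ({kind}): request alerted, no reply alert")
```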