Right, possibly. The documentation does not talk about this either -
understandably.
PS: Behaviour is also seen when Outbound sensor is applied to the interface,
i.e. Echo Request fires and Echo Reply does not when IPS is applied Outbound
on the interface (where ping is inbound).
Sadiq
On Sun, May 16, 2010 at 12:35 PM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
> Does outbound ACL work for router generated traffic?
> I think this is a similar case. That's why you see only Echo Request
> triggered by inbound sensor, but not see any signatures triggered by the
> outbound sensor.
>
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
> Technical Instructor
> website: www.MicronicsTraining.com
> blog: www.ccie1.com
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2010/5/16 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>
>> More information, if it helps:
>>
>> R6#sh run int f0/0
>> Building configuration...
>>
>> Current configuration : 168 bytes
>> !
>> interface FastEthernet0/0
>> ip address 204.12.1.6 255.255.255.0
>> ip ips IPS in
>> ip ips IPS out
>> no ip route-cache cef
>> no ip route-cache
>> duplex auto
>> speed auto
>> end
>>
>> R6#
>> R6#
>> !
>> !
>> ip cef
>> !
>> !
>> no ip domain lookup
>> ip domain name ccie.com
>> ip ips config location flash:/IPS/ retries 1
>> ip ips deny-action ips-interface
>> ip ips name IPS
>> !
>> ip ips signature-category
>> category ios_ips basic
>> retired false
>> enabled true
>> category all
>> retired true
>> !
>>
>>
>> R6#debug ip icmp
>> ICMP packet debugging is on
>> R6#!!!!!!!!!!!!!!!!!!!!!!!!!!!! for terminal traffic !!!!!!!!!!!!!!!!!!!
>> R6#
>> R6#
>> May 16 11:16:07.719: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [204.12.1.3:8 -> 204.12.1.6:0] VRF:NONE RiskRating:100
>> R6#
>> May 16 11:16:07.719: ICMP: echo reply sent, src 204.12.1.6, dst 204.12.1.3
>> R6#
>> R6#
>> R6#
>> R6#
>> R6#!!!!!!!!!!!!!!!!!!! now for transit traffic!!!!!!!!!!!!!!!!!!!!
>> R6#
>> R6#
>> May 16 11:16:50.257: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [204.12.1.3:8 -> 54.1.2.254:0] VRF:NONE RiskRating:100
>> May 16 11:16:50.285: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:100 ICMP Echo Reply [54.1.2.254:0 -> 204.12.1.3:8] VRF:NONE RiskRating:100
>> R6#
>>
>>
>> On Sun, May 16, 2010 at 11:37 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>
>>> One interesting point:
>>>
>>> So I enabled my echo and echo-reply signatures fine (inbound *and/or*
>>> outbound on an interface). And I tested by sending a ping to the box in
>>> question. Only my echo-request signature got triggered. So I thought
>>> maybe I am being fast-switched (or process switched) and hence not hitting
>>> the engine (for the echo-reply) on the way in/out. I disabled process and
>>> cef switching on the interface but still did not work.
>>>
>>> End of the day, only transit traffic (not terminating on the box
>>> itself) was hitting my echo-reply signature.
>>>
>>> Anybody know why? Or has better ideas? I don't seem to see what's up here.
>>>
>>> Thanks as usual.
>>>
>>> Sadiq
>>>
>>>
>>> On Sun, May 16, 2010 at 11:21 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>>
>>>> Thanks Adrian and Piotr!
>>>>
>>>> That's a well written white paper. I am all sorted now. Although the
>>>> documentation of 12.4.T still makes reference to that CLI, which AFAICS,
>>>> does not exist on the code :-)
>>>>
>>>> Sadiq
>>>>
>>>>
>>>> On Sun, May 16, 2010 at 7:19 AM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>>>
>>>>> Hi Sadiq,
>>>>>
>>>>> You're looking at wrong document (it's for 12.4). Take a look at:
>>>>>
>>>>>
>>>>> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.pdf
>>>>>
>>>>> HTH,
>>>>> --
>>>>> Piotr Matusiak
>>>>> CCIE #19860 (R&S, Security)
>>>>> Technical Instructor
>>>>> website: www.MicronicsTraining.com
>>>>> blog: www.ccie1.com
>>>>>
>>>>> If you can't explain it simply, you don't understand it well enough -
>>>>> Albert Einstein
>>>>>
>>>>>
>>>>> 2010/5/16 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>>>>>
>>>>>> Hi guys,
>>>>>>
>>>>>> It seems to me like the documentation says we can load the signature
>>>>>> definition file via the command "ip ips sdf location .." , as reported
>>>>>> by [1] below, but this seems to be not supported on the box.
>>>>>>
>>>>>> Well, I went ahead and configured my IPS policy on the router, but as
>>>>>> it were, I could not enable the icmp echo and echo-reply signatures
>>>>>> (2000 and 2004).
>>>>>>
>>>>>> Any help/pointers would be very helpful.
>>>>>>
>>>>>> Thanks,
>>>>>> Sadiq
>>>>>>
>>>>>> [1]
>>>>>>
>>>>>>
>>>>>> http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_ips_external_docbase_0900e4b180de56d7_4container_external_docbase_0900e4b180e076b5.html#wp1175461
>>>>>>
>>>>>> R6(config)#ip ips ?
>>>>>> auto-update Auto Update
>>>>>> config Location of IPS configuration files
>>>>>> deny-action Specify Deny action
>>>>>> event-action-rules Event Action Rules (SEAP)
>>>>>> fail Specify what to do during any failures
>>>>>> name Specify an IPS rule
>>>>>> notify Specify the notification mechanisms (SDEE or log) for the alarms
>>>>>> signature-category Signature Category
>>>>>> signature-definition Signature Definition
>>>>>>
>>>>>> R6#
>>>>>> R6#conf t
>>>>>> Enter configuration commands, one per line. End with CNTL/Z.
>>>>>> R6(config)#ip ips si
>>>>>> R6(config)#ip ips signature-de
>>>>>> R6(config)#ip ips signature-definition
>>>>>> R6(config-sigdef)#si
>>>>>> R6(config-sigdef)#signature 2000 0
>>>>>> Unable to locate sig 2000:0
>>>>>> R6(config-sigdef)#si
>>>>>> R6(config-sigdef)#signature ?
>>>>>> <1-65535> Signature ID value
>>>>>>
>>>>>> R6(config-sigdef)#signature
>>>>>> % Incomplete command.
>>>>>>
>>>>>> R6(config-sigdef)#
>>>>>> R6(config-sigdef)#
>>>>>> R6(config-sigdef)#end
>>>>>> R6#
>>>>>> R6#
>>>>>> R6#dir
>>>>>> May 15 22:57:44.932: %SYS-5-CONFIG_I: Configured from console by console
>>>>>> R6#dir
>>>>>> Directory of flash:/
>>>>>>
>>>>>> 1 -rw- 5650 May 8 2010 16:40:48 +00:00 -0
>>>>>> 2 -rw- 5650 May 8 2010 17:10:14 +00:00 -1
>>>>>> 3 -rw- 5834 May 8 2010 23:02:20 +00:00 -2
>>>>>> 4 -rw- 5834 May 8 2010 23:10:14 +00:00 -3
>>>>>> 5 -rw- 1823 Feb 22 2007 09:09:30 +00:00 sdmconfig-2811.cfg
>>>>>> 13 drw- 0 May 15 2010 22:32:30 +00:00 IPS
>>>>>> 6 -rw- 833024 Feb 22 2007 09:10:16 +00:00 es.tar
>>>>>> 7 -rw- 1052160 Feb 22 2007 09:10:34 +00:00 common.tar
>>>>>> 8 -rw- 1038 Feb 22 2007 09:10:50 +00:00 home.shtml
>>>>>> 9 -rw- 102400 Feb 22 2007 09:11:04 +00:00 home.tar
>>>>>> *10 -rw- 491213 Feb 22 2007 09:11:22 +00:00 128MB.sdf*
>>>>>> 11 -rw- 398305 Feb 22 2007 09:12:04 +00:00 sslclient-win-1.1.0.154.pkg
>>>>>> 12 -rw- 60324084 Mar 19 2010 11:03:00 +00:00 c2800nm-adventerprisek9_sna-mz.124-24.T1.bin
>>>>>>
>>>>>> 64016384 bytes total (733184 bytes free)
>>>>>> R6#
>>>>>> R6#sh ver | i IOS
>>>>>> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9_SNA-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
>>>>>> R6#
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
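
As an added illustration (not part of the thread), here is a small Python parser for the %IPS-4-SIGNATURE lines shown above. It pairs Sig:2004 echo-request alerts with Sig:2000 echo-reply alerts for the reversed address pair and flags requests that got no reply alert; with the router's own interface address supplied, it separates the locally-terminated case (the router answered, per `debug ip icmp`, but the router-generated reply never passed the IPS engine) from a genuinely unanswered transit ping. The sample lines are constructed from the ones in the thread, joined where the mail client wrapped them.

```python
import re

# Constructed sample modelled on the %IPS-4-SIGNATURE lines in the thread.
# 204.12.1.6 is the router's own interface address; 54.1.2.254 is a transit
# destination beyond the router.
SAMPLE_LOG = """\
May 16 11:16:07.719: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [204.12.1.3:8 -> 204.12.1.6:0] VRF:NONE RiskRating:100
May 16 11:16:07.719: ICMP: echo reply sent, src 204.12.1.6, dst 204.12.1.3
May 16 11:16:50.257: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [204.12.1.3:8 -> 54.1.2.254:0] VRF:NONE RiskRating:100
May 16 11:16:50.285: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:100 ICMP Echo Reply [54.1.2.254:0 -> 204.12.1.3:8] VRF:NONE RiskRating:100
"""

SIG_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
)
ECHO_REPLY, ECHO_REQUEST = 2000, 2004   # IOS IPS signature IDs from the thread


def parse_ips_alerts(text):
    """Return one dict per %IPS-4-SIGNATURE line; other lines (e.g. the
    'ICMP: echo reply sent' debug output) are ignored."""
    alerts = []
    for line in text.splitlines():
        m = SIG_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("sig", "subsig", "sev"):
                d[key] = int(d[key])
            alerts.append(d)
    return alerts


def unanswered_echo_requests(alerts, local_addrs):
    """List (src, dst, kind) for each echo-request alert that has no matching
    echo-reply alert. kind is 'local' when the target is one of the router's
    own addresses (the reply was generated by the router and, as the thread
    shows, is not inspected), else 'transit'."""
    replies = {(a["src"], a["dst"]) for a in alerts if a["sig"] == ECHO_REPLY}
    unanswered = []
    for a in alerts:
        if a["sig"] == ECHO_REQUEST and (a["dst"], a["src"]) not in replies:
            kind = "local" if a["dst"] in local_addrs else "transit"
            unanswered.append((a["src"], a["dst"], kind))
    return unanswered


if __name__ == "__main__":
    for entry in unanswered_echo_requests(parse_ips_alerts(SAMPLE_LOG), {"204.12.1.6"}):
        print("echo request with no reply alert:", entry)
```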
Received on Sun May 16 2010 - 13:48:08 ART