Hi,
When I was configuring IOS IPS, I could see that before I downloaded the
signature package file, all the signatures were enabled. I'm wondering how
this can be; however, I used the same router some time back to do the
same lab, and that time it was as expected. Here are the steps I did when
configuring IOS IPS.
1) Load the Cisco public RSA key.
2) Retire all signatures and enable only the required category.
3) Configure IOS IPS parameters such as IPS name, config location, notify
SDEE, etc.
4) Apply the IOS IPS name to the interface (both in and out).
Then immediately I was able to see the messages below:
R2(config)#ip ips no
R2(config)#ip ips notify S
R2(config)#ip ips notify SDEE
R2(config)#ip is
R2(config)#ip ip
R2(config)#ip ips na
R2(config)#ip ips name iosips
R2(config)#int fa0/0
R2(config-if)#ip ips
R2(config-if)#ip ips n
R2(config-if)#ip ips n
R2(config-if)#ip ips na
R2(config-if)#ip ips iosips in
R2(config-if)#ip ips iosips in
R2(config-if)#ip ips iosips out
R2(config-if)#
R2(config-if)#exit
R2(config)#do sh ip ips sig count
Another IPS operation is accessing the signatures.
R2(config)#
Feb 25 12:41:30.743: %IPS-3-IPS_CONCURRENT_ACCESS: Another IPS operation is
accessing the signatures.
R2(config)#
Feb 25 12:41:47.047: %IPS-6-ENGINE_BUILDS_STARTED: 12:41:47 UTC Feb 25 2011
Feb 25 12:41:47.051: %IPS-6-ENGINE_BUILDING: multi-string - 17 signatures -
1 of 13 engines
Feb 25 12:41:47.091: %IPS-6-ENGINE_READY: multi-string - build time 40 ms -
packets for this engine will be scanned
Feb 25 12:41:47.235: %IPS-6-ENGINE_BUILDING: service-http - 721 signatures -
2 of 13 engines
Feb 25 12:41:47.983: %IPS-6-ENGINE_READY: service-http - build time 748 ms -
packets for this engine will be scanned
Feb 25 12:41:48.407: %IPS-6-ENGINE_BUILDING: string-tcp - 1658 signatures -
3 of 13 engines
R2(config)#
Feb 25 12:41:59.007: %IPS-6-ENGINE_READY: string-tcp - build time 10600 ms -
packets for this engine will be scanned
Feb 25 12:41:59.271: %IPS-6-ENGINE_BUILDING: string-udp - 78 signatures - 4
of 13 engines
Feb 25 12:41:59.351: %IPS-6-ENGINE_READY: string-udp - build time 80 ms -
packets for this engine will be scanned
Feb 25 12:41:59.367: %IPS-6-ENGINE_BUILDING: state - 34 signatures - 5 of 13
engines
Feb 25 12:41:59.387: %IPS-6-ENGINE_READY: state - build time 20 ms - packets
for this engine will be scanned
Feb 25 12:41:59.451: %IPS-6-ENGINE_BUILDING: atomic-ip - 342 signatures - 6
of 13 engines
R2(config)#
Feb 25 12:42:00.607: %IPS-6-ENGINE_READY: atomic-ip - build time 1156 ms -
packets for this engine will be scanned
Feb 25 12:42:00.647: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7
of 13 engines
Feb 25 12:42:00.647: %IPS-6-ENGINE_READY: string-icmp - build time 0 ms -
packets for this engine will be scanned
Feb 25 12:42:00.651: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8
of 13 engines
Then I gave the command below and noticed all the signatures are loaded
before downloading IOS-S416-CLI.pkg to idconf:
R2(config)#do sh ip ips sig count
Cisco SDF release version S416.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 17
multi-string enabled signatures: 13
multi-string retired signatures: 17
Signature Micro-Engine: service-http: Total Signatures 721
service-http enabled signatures: 145
service-http retired signatures: 715
service-http compiled signatures: 6
service-http obsoleted signatures: 2
Signature Micro-Engine: string-tcp: Total Signatures 1658
string-tcp enabled signatures: 650
string-tcp retired signatures: 1620
string-tcp compiled signatures: 38
string-tcp obsoleted signatures: 22
Signature Micro-Engine: string-udp: Total Signatures 78
string-udp enabled signatures: 2
string-udp retired signatures: 75
string-udp compiled signatures: 3
string-udp obsoleted signatures: 1
Signature Micro-Engine: state: Total Signatures 34
state enabled signatures: 17
state retired signatures: 34
Signature Micro-Engine: atomic-ip: Total Signatures 342
atomic-ip enabled signatures: 90
atomic-ip retired signatures: 338
atomic-ip compiled signatures: 4
Signature Micro-Engine: string-icmp: Total Signatures 3
string-icmp enabled signatures: 0
string-icmp retired signatures: 3
Signature Micro-Engine: service-ftp: Total Signatures 3
service-ftp enabled signatures: 1
service-ftp retired signatures: 3
Signature Micro-Engine: service-rpc: Total Signatures 76
service-rpc enabled signatures: 44
service-rpc retired signatures: 76
Signature Micro-Engine: service-dns: Total Signatures 39
service-dns enabled signatures: 27
service-dns retired signatures: 39
service-dns obsoleted signatures: 1
Signature Micro-Engine: normalizer: Total Signatures 9
normalizer enabled signatures: 8
normalizer retired signatures: 9
Signature Micro-Engine: service-smb-advanced: Total Signatures 49
service-smb-advanced enabled signatures: 42
service-smb-advanced retired signatures: 49
Signature Micro-Engine: service-msrpc: Total Signatures 33
service-msrpc enabled signatures: 22
service-msrpc retired signatures: 33
service-msrpc obsoleted signatures: 1
Total Signatures: 3062
Total Enabled Signatures: 1061
Total Retired Signatures: 3011
Total Compiled Signatures: 51
Total Obsoleted Signatures: 27
My question is, how come the router loads those signatures before loading
the package file to idconf? (However, I did the same lab on the same router
some time back.)
Thanks
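Added example (not from the poster or from Cisco): a Python check that parses a `show ip ips sig count` listing like the one above and reports which engines still hold unretired signatures. In IOS IPS a retired signature is not compiled into its engine whatever its enabled flag says, so the figure to watch before the package load is total minus retired per engine (the poster's listing shows 51 compiled), not the enabled count. The sample listing is constructed from three of the poster's engines with the totals recomputed.

```python
import re

# Constructed sample: an abridged "show ip ips sig count" listing in the
# shape of the poster's output (three of the engines, totals recomputed).
SAMPLE_OUTPUT = """\
Signature Micro-Engine: multi-string: Total Signatures 17
multi-string enabled signatures: 13
multi-string retired signatures: 17
Signature Micro-Engine: service-http: Total Signatures 721
service-http enabled signatures: 145
service-http retired signatures: 715
service-http compiled signatures: 6
service-http obsoleted signatures: 2
Signature Micro-Engine: string-icmp: Total Signatures 3
string-icmp enabled signatures: 0
string-icmp retired signatures: 3
Total Signatures: 741
Total Enabled Signatures: 158
Total Retired Signatures: 735
Total Compiled Signatures: 6
Total Obsoleted Signatures: 2
"""

ENGINE_RE = re.compile(r"^Signature Micro-Engine: (\S+): Total Signatures (\d+)$")
COUNT_RE = re.compile(r"^(\S+) (enabled|retired|compiled|obsoleted) signatures: (\d+)$")
TOTAL_RE = re.compile(r"^Total (?:(Enabled|Retired|Compiled|Obsoleted) )?Signatures: (\d+)$")
FIELDS = ("total", "enabled", "retired", "compiled", "obsoleted")

def parse_sig_count(text):
    """Parse the listing into per-engine counters and the trailing Total lines."""
    engines, totals = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ENGINE_RE.match(line):
            engines[m.group(1)] = dict.fromkeys(FIELDS, 0)
            engines[m.group(1)]["total"] = int(m.group(2))
        elif (m := COUNT_RE.match(line)) and m.group(1) in engines:
            engines[m.group(1)][m.group(2)] = int(m.group(3))
        elif m := TOTAL_RE.match(line):
            totals[(m.group(1) or "total").lower()] = int(m.group(2))
    return engines, totals

def audit(engines, totals):
    """Return engines that still have unretired (hence compiled) signatures, and
    whether the Total lines agree with the per-engine sums (a stale-state hint)."""
    active = {name: c["total"] - c["retired"] for name, c in engines.items()
              if c["total"] - c["retired"] > 0 or c["compiled"] > 0}
    sums = {k: sum(c[k] for c in engines.values()) for k in FIELDS}
    return active, all(totals.get(k) == v for k, v in sums.items())
```

Run it over the full listing pasted from the router to see exactly which engines were compiled before the package was copied to the config location.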
Blogs and organic groups at http://www.ccie.net
Received on Fri Feb 25 2011 - 21:37:29 ART