Just curious... Is this type of topic part of the CCIE R/S lab blueprint? Want to know if I need to study that... Thanks
Aaron
On Feb 25, 2011, at 12:37 PM, Pemasiri Devanarayana <pemasiri_at_gmail.com> wrote:
> Hi,
> 
> When I was configuring IOS IPS, I could see that before I downloaded the
> signature package file, all the signatures were enabled. I'm wondering how
> this can be. However, I used the same router some time back to do the
> same lab, but that time it was as expected. Here are the steps I did when
> configuring IOS IPS.
> 
> 1) load the Cisco public RSA key
> 2) retired all signatures and enabled only the required category
> 3) configure IOS IPS parameters such as IPS name, config location, notify
> SDEE etc
> 4) apply the IOS IPS name to interface (both in and out)
> 
> Then immediately I was able to see the below messages:
> 
> 
> R2(config)#ip ips no
> R2(config)#ip ips notify S
> R2(config)#ip ips notify SDEE
> R2(config)#ip is
> R2(config)#ip ip
> R2(config)#ip ips na
> R2(config)#ip ips name iosips
> R2(config)#int fa0/0
> R2(config-if)#ip ips
> R2(config-if)#ip ips n
> R2(config-if)#ip ips n
> R2(config-if)#ip ips na
> R2(config-if)#ip ips iosips in
> R2(config-if)#ip ips iosips in
> R2(config-if)#ip ips iosips out
> R2(config-if)#
> R2(config-if)#exit
> R2(config)#do sh ip ips sig count
> Another IPS operation is accessing the signatures.
> R2(config)#
> Feb 25 12:41:30.743: %IPS-3-IPS_CONCURRENT_ACCESS: Another IPS operation is
> accessing the signatures.
> R2(config)#
> Feb 25 12:41:47.047: %IPS-6-ENGINE_BUILDS_STARTED:  12:41:47 UTC Feb 25 2011
> Feb 25 12:41:47.051: %IPS-6-ENGINE_BUILDING: multi-string - 17 signatures -
> 1 of 13 engines
> Feb 25 12:41:47.091: %IPS-6-ENGINE_READY: multi-string - build time 40 ms -
> packets for this engine will be scanned
> Feb 25 12:41:47.235: %IPS-6-ENGINE_BUILDING: service-http - 721 signatures -
> 2 of 13 engines
> Feb 25 12:41:47.983: %IPS-6-ENGINE_READY: service-http - build time 748 ms -
> packets for this engine will be scanned
> Feb 25 12:41:48.407: %IPS-6-ENGINE_BUILDING: string-tcp - 1658 signatures -
> 3 of 13 engines
> R2(config)#
> Feb 25 12:41:59.007: %IPS-6-ENGINE_READY: string-tcp - build time 10600 ms -
> packets for this engine will be scanned
> Feb 25 12:41:59.271: %IPS-6-ENGINE_BUILDING: string-udp - 78 signatures - 4
> of 13 engines
> Feb 25 12:41:59.351: %IPS-6-ENGINE_READY: string-udp - build time 80 ms -
> packets for this engine will be scanned
> Feb 25 12:41:59.367: %IPS-6-ENGINE_BUILDING: state - 34 signatures - 5 of 13
> engines
> Feb 25 12:41:59.387: %IPS-6-ENGINE_READY: state - build time 20 ms - packets
> for this engine will be scanned
> Feb 25 12:41:59.451: %IPS-6-ENGINE_BUILDING: atomic-ip - 342 signatures - 6
> of 13 engines
> R2(config)#
> Feb 25 12:42:00.607: %IPS-6-ENGINE_READY: atomic-ip - build time 1156 ms -
> packets for this engine will be scanned
> Feb 25 12:42:00.647: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7
> of 13 engines
> Feb 25 12:42:00.647: %IPS-6-ENGINE_READY: string-icmp - build time 0 ms -
> packets for this engine will be scanned
> Feb 25 12:42:00.651: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8
> of 13 engines
> 
> 
> Then I gave the below commands and noticed all the signatures are loaded
> before downloading IOS-S416-CLI.pkg to idconf.
> 
> R2(config)#do sh ip ips sig count
> 
> Cisco SDF release version S416.0
> Trend SDF release version V0.0
> 
> Signature Micro-Engine: multi-string: Total Signatures 17
>      multi-string enabled signatures: 13
>      multi-string retired signatures: 17
> 
> Signature Micro-Engine: service-http: Total Signatures 721
>      service-http enabled signatures: 145
>      service-http retired signatures: 715
>      service-http compiled signatures: 6
>      service-http obsoleted signatures: 2
> 
> Signature Micro-Engine: string-tcp: Total Signatures 1658
>      string-tcp enabled signatures: 650
>      string-tcp retired signatures: 1620
>      string-tcp compiled signatures: 38
>      string-tcp obsoleted signatures: 22
> 
> Signature Micro-Engine: string-udp: Total Signatures 78
>      string-udp enabled signatures: 2
>      string-udp retired signatures: 75
>      string-udp compiled signatures: 3
>      string-udp obsoleted signatures: 1
> 
> Signature Micro-Engine: state: Total Signatures 34
>      state enabled signatures: 17
>      state retired signatures: 34
> 
> Signature Micro-Engine: atomic-ip: Total Signatures 342
>      atomic-ip enabled signatures: 90
>      atomic-ip retired signatures: 338
>      atomic-ip compiled signatures: 4
> 
> Signature Micro-Engine: string-icmp: Total Signatures 3
>      string-icmp enabled signatures: 0
>      string-icmp retired signatures: 3
> 
> Signature Micro-Engine: service-ftp: Total Signatures 3
>      service-ftp enabled signatures: 1
>      service-ftp retired signatures: 3
> 
> Signature Micro-Engine: service-rpc: Total Signatures 76
>      service-rpc enabled signatures: 44
>      service-rpc retired signatures: 76
> 
> Signature Micro-Engine: service-dns: Total Signatures 39
>      service-dns enabled signatures: 27
>      service-dns retired signatures: 39
>      service-dns obsoleted signatures: 1
> 
> Signature Micro-Engine: normalizer: Total Signatures 9
>      normalizer enabled signatures: 8
>      normalizer retired signatures: 9
> 
> Signature Micro-Engine: service-smb-advanced: Total Signatures 49
>      service-smb-advanced enabled signatures: 42
>      service-smb-advanced retired signatures: 49
> 
> Signature Micro-Engine: service-msrpc: Total Signatures 33
>      service-msrpc enabled signatures: 22
>      service-msrpc retired signatures: 33
>      service-msrpc obsoleted signatures: 1
> 
> Total Signatures: 3062
>   Total Enabled Signatures: 1061
>   Total Retired Signatures: 3011
>   Total Compiled Signatures: 51
>   Total Obsoleted Signatures: 27
> 
> My question is: how come the router loads those signatures before loading the
> package file to idconf? (However, I did the same lab on the same router some
> time back...)
> 
> Thanks
> 
> 
> Blogs and organic groups at http://www.ccie.net
> 
> _______________________________________________________________________
> Subscription information may be found at: 
> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Feb 25 2011 - 12:45:11 ART
This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:50 ART