Testing on an SDF File
HQ1(config)#do show flash
2 506510 Nov 23 2007 15:22:00 +00:00 sdmips.sdf
3 4052480 Jan 30 2007 16:14:54 +00:00 sdm.tar
4 812032 Jan 4 2006 17:45:48 +00:00 es.tar
5 1007616 Jan 4 2006 17:46:08 +00:00 common.tar
6 1038 Jan 4 2006 17:46:24 +00:00 home.shtml
7 113152 Jan 4 2006 17:46:38 +00:00 home.tar
8 511939 Jan 4 2006 17:46:56 +00:00 128MB.sdf
9 1245 Sep 25 2007 09:23:58 +00:00 Lab3-1_HQ1_initial.txt
10 7671 Dec 17 2006 09:15:36 +00:00 Lab6-3_HQ1_initial.txt
11 1646 Sep 25 2007 13:30:58 +00:00 sdmconfig-2811.cfg
12 3088 Nov 14 2007 13:07:50 +00:00 statrt
To use that sdmips.sdf we first disable the built-in SDF with no ip ips sdf builtin, then point IOS IPS at the file with ip ips sdf location flash://sdmips.sdf. Whatever file the router loads from flash becomes its trusted signature set, so check that the file on flash is the one you meant to copy there before switching to it.
HQ1(config)#do show run | in ips
no ip ips sdf builtin
ip ips sdf location flash://sdmips.sdf
HQ1(config)#ip ips name IPS-RULEZ
HQ1(config)#int f0/0
HQ1(config-if)#ip ips IPS-RULEZ ?
in Inbound IPS
out Outbound IPS
HQ1(config-if)#ip ips IPS-RULEZ in
3d22h: %IPS-6-SDF_LOAD_SUCCESS: SDF loaded successfully from flash://sdmips.sdf
3d22h: %IPS-6-ENGINE_BUILDING: OTHER - 4 signatures - 1 of 15 engines
3d22h: %IPS-6-ENGINE_READY: OTHER - 0 ms - packets for this engine will be scanned
3d22h: %IPS-6-ENGINE_BUILDING: MULTI-STRING - 0 signatures - 2 of 15 engines
3d22h: %IPS-6-ENGINE_BUILD_SKIPPED: MULTI-STRING - there are no new signature definitions for this engine
3d22h: %IPS-6-ENGINE_BUILDING: STRING.ICMP - 1 signatures - 3 of 15 engines
3d22h: %IPS-6-ENGINE_READY: STRING.ICMP - 36 ms - packets for this engine will be scanned
3d22h: %IPS-6-ENGINE_BUILDING: STRING.UDP - 16 signatures - 4 of 15 engines
3d22h: %IPS-6-ENGINE_READY: STRING.UDP - 420 ms - packets for this engine will be scanned
3d22h: %IPS-6-ENGINE_BUILDING: STRING.TCP - 61 signatures - 5 of 15 engines
3d22h: %IPS-6-ENGINE_READY: STRING.TCP - 2576 ms - packets for this engine will be scanned
3d22h: %IPS-6-ENGINE_BUILDING: SERVICE.FTP - 3 signatures - 6 of 15 engines
3d22h: %IPS-6-ENGINE_READY: SERVICE.FTP - 20 ms - packets for this engine will be scanned
3d22h: %IPS-6-ENGINE_BUILDING: SERVICE.SMTP - 2 signatures - 7 of 15 engines
3d22h: %IPS-6-ENGINE_READY: SERVICE.SMTP - 48 ms - packets for this engine will be scanned
3d22h: %IPS-6-ENGINE_BUILDING: SERVICE.RPC - 29 signatures - 8 of 15 engines
3d22h: %IPS-6-ENGINE_READY: SERVICE.RPC - 148 ms - packets for this engine will be scanned
3d22h: %IPS-6-ENGINE_BUILDING: SERVICE.DNS - 31 signatures - 9 of 15 engines
3d22h: %IPS-6-ENGINE_READY: SERVICE.DNS - 28 ms - packets for this engine will be scanned
3d22h: %IPS-6-ENGINE_BUILDING: SERVICE.HTTP - 131 signatures - 10 of 15 engines
HQ1(config-if)#
3d22h: %IPS-6-ENGINE_READY: SERVICE.HTTP - 14536 ms - packets for this engine will be scanned
3d22h: %IPS-6-ENGINE_BUILDING: ATOMIC.TCP - 10 signatures - 11 of 15 engines
3d22h: %IPS-6-ENGINE_READY: ATOMIC.TCP - 8 ms - packets for this engine will be scanned
3d22h: %IPS-6-ENGINE_BUILDING: ATOMIC.UDP - 8 signatures - 12 of 15 engines
3d22h: %IPS-6-ENGINE_READY: ATOMIC.UDP - 4 ms - packets for this engine will be scanned
3d22h: %IPS-6-ENGINE_BUILDING: ATOMIC.ICMP - 0 signatures - 13 of 15 engines
3d22h: %IPS-6-ENGINE_BUILD_SKIPPED: ATOMIC.ICMP - there are no new signature definitions for this engine
3d22h: %IPS-6-ENGINE_BUILDING: ATOMIC.IPOPTIONS - 1 signatures - 14 of 15 engines
3d22h: %IPS-6-ENGINE_READY: ATOMIC.IPOPTIONS - 0 ms - packets for this engine will be scanned
3d22h: %IPS-6-ENGINE_BUILDING: ATOMIC.L3.IP - 4 signatures - 15 of 15 engines
HQ1(config-if)#exit
HQ1(config)#ip ips notify log ! send IPS alerts to syslog; they reach a syslog server through the router's normal logging host configuration
Let's check this out with SDM
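Once the alerts are in syslog, the server side is where you find out which signature is actually firing and from where. The following is an added example, not code from the original post or from Cisco: a Python parser for %IPS-4-SIGNATURE lines of the shape IOS IPS 4.x emits with ip ips notify log, which counts alerts per signature, lists the sources behind one signature, and builds the ACL-filter lines used later in this post to exempt known-good hosts from a signature. The log lines, hosts, ports and the signature name in SAMPLE_LOG are constructed, and the ACL semantics assumed by exemption_acl (sources the ACL denies are not inspected by that signature) are stated as an assumption in the code.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample of what a syslog server receives from a router running
# `ip ips notify log`; hosts are RFC 5737 documentation addresses and the
# signature names are illustrative. One non-alert line is mixed in on purpose.
SAMPLE_LOG = """\
Nov 23 15:30:01 HQ1 3d22h: %IPS-4-SIGNATURE: Sig:3050 Subsig:0 Sev:2 Half-Open Syn Attack [192.0.2.10:42001 -> 198.51.100.5:80]
Nov 23 15:30:01 HQ1 3d22h: %IPS-4-SIGNATURE: Sig:3050 Subsig:0 Sev:2 Half-Open Syn Attack [192.0.2.10:42002 -> 198.51.100.5:80]
Nov 23 15:30:02 HQ1 3d22h: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:1 ICMP Echo Request [192.0.2.7:0 -> 198.51.100.5:0]
Nov 23 15:30:02 HQ1 3d22h: %IPS-6-ENGINE_READY: STRING.TCP - 2576 ms - packets for this engine will be scanned
Nov 23 15:30:03 HQ1 3d22h: %IPS-4-SIGNATURE: Sig:3050 Subsig:0 Sev:2 Half-Open Syn Attack [192.0.2.11:51000 -> 198.51.100.5:80]
"""

# Assumed message shape: Sig:<id> Subsig:<n> Sev:<n> <name> [src:port -> dst:port]
ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
)


@dataclass(frozen=True)
class Alert:
    sig: int
    subsig: int
    severity: int
    name: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a %IPS-4-SIGNATURE line, None for any other IPS message."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return Alert(
        sig=int(m["sig"]), subsig=int(m["subsig"]), severity=int(m["sev"]),
        name=m["name"].strip(), src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
    )


def parse_log(text: str) -> list[Alert]:
    """Parse a syslog dump, silently skipping lines that are not signature alerts."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a is not None]


def count_by_signature(alerts: Iterable[Alert]) -> Counter:
    """Alert count per signature, keyed 'sig:subsig' as the IOS CLI prints it."""
    return Counter(f"{a.sig}:{a.subsig}" for a in alerts)


def top_sources(alerts: Iterable[Alert], sig: int, subsig: int = 0) -> list[tuple[str, int]]:
    """Source hosts that triggered one signature, most frequent first."""
    return Counter(a.src for a in alerts if a.sig == sig and a.subsig == subsig).most_common()


def exemption_acl(acl: int, sig: int, subsig: int, trusted_hosts: Iterable[str]) -> list[str]:
    """IOS lines that exempt known-good hosts (e.g. an internal scanner) from one signature.

    Assumption about the IOS IPS signature ACL filter: sources the ACL *denies* are
    not inspected by the signature, sources it *permits* still are. Ending the list
    with 'permit any' keeps the signature active for everyone else; a lone
    'deny any' would switch the signature off entirely.
    """
    lines = [f"access-list {acl} deny host {host}" for host in trusted_hosts]
    lines.append(f"access-list {acl} permit any")
    lines.append(f"ip ips signature {sig} {subsig} list {acl}")
    return lines


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for key, n in count_by_signature(found).most_common():
        print(f"signature {key}: {n} alert(s)")
    print("sources for 3050:0:", top_sources(found, 3050))
    print("\n".join(exemption_acl(1, 3050, 0, ["192.0.2.7"])))
```

Feed it the syslog file from the collector instead of SAMPLE_LOG to get the same per-signature view the SDM screenshot gives, plus the source breakdown that tells you whether a noisy signature is a real attacker or a host you should exempt.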
HQ1#conf ter
Enter configuration commands, one per line. End with CNTL/Z.
HQ1(config)#ip http server
HQ1(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
HQ1(config)#
3d22h: %SSH-5-ENABLED: SSH 1.99 has been enabled
HQ1(config)#
3d22h: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
HQ1(config)#ip http authentication local
HQ1(config)#username Victor pass cisco
HQ1(config)#line vty 0 4
HQ1(config-line)#privi le 15
HQ1(config-line)#login local
HQ1(config-line)#transport input telnet
HQ1(config-line)#transport input telnet ssh
From the picture we could determine which signature is generating the alert.
HQ1(config)#ip ips signature 3050 ?
<0-65535> Sub signature id
delete Delete the specified signature
disable Disable the specified signature
list Specify an access list to match
HQ1(config)#ip ips signature 3050 0 ?
delete Delete the specified signature
disable Disable the specified signature
list Specify an access list to match
HQ1(config)#ip ips signature 3050 0 list ?
<1-199> Numbered access list
WORD Named access list
HQ1(config)#ip ips signature 3050 0 list 1
%IPS Signature 3050:0 will use acl 1
HQ1(config)#access-list 1 deny any
HQ1(config)#
Note that the ACL attached to a signature decides which traffic that signature inspects: sources the ACL denies are exempt from it, sources it permits are still scanned. With deny any as the only entry, signature 3050 inspects nothing at all, which has the same effect as the disable keyword shown in the help output above; to exempt only specific hosts, deny those hosts and end the list with permit any.
Hmmmm, starting to like the Visual Management in Cisco's implementation 🙂