Saturday, August 1, 2015

Configuring an Intrusion Prevention System (IPS) Using the CLI and CCP

I finally got my CompTIA Security+ certification kit, which includes the hardcopy cert and a wallet ID. I feel that I still have a long way to go in learning more about network security. Cisco released their Cybersecurity Specialist course, which will compete against GCIH and ECSA. I've checked, and there are no OCG or training videos yet as of this writing. This would definitely be on my exam to-do list.


I attended Cisco's FirePOWER (a.k.a. SourceFire) Next-Generation IPS (NGIPS) training just this week, and it looks like the 4200 series IPS would be replaced soon. The training catapulted me to finish my CCNP Security track by taking the new IPS exam, SITCS (300-207). Below is the IPS lab I did while studying for my CompTIA Security+.


R1(config)#no ip domain-lookup
R1(config)#interface fastethernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
*Jun  1 10:41:05.899: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jun  1 10:41:06.899: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#
*Jun  1 10:41:35.167: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
R1(config-if)#clock rate 64000


R2(config)#no ip domain-lookup
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jun  1 10:41:25.387: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jun  1 10:41:26.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#do ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jun  1 10:41:49.811: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R2(config-if)#clock rate 64000


R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Jun  1 10:43:51.607: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jun  1 10:43:52.607: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#
*Jun  1 10:44:29.159: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jun  1 10:44:30.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#do ping 10.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms


R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2


R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2


R2(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
R2(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.1
R2(config)#do ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R2(config)#do ping 192.168.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms


R1#ping 192.168.3.1 source 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/64 ms


R1(config)#security passwords min-length 10
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#line aux 0
R1(config-line)#password ciscoauxpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#exit
R1(config)#service password-encryption
R1(config)#do show run
Building configuration...

Current configuration : 1321 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
/line
filtering...
line con 0
 exec-timeout 5 0
 password 7 070C285F4D061A0A19020A1F17  
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 1511021F07252A313023343100  
 login
line vty 0 4
 exec-timeout 5 0
 password 7 02050D4808091935555E080A16  
 login
!
scheduler allocate 20000 1000
end


R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms


C:\Users\John Lloyd>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 192.168.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1


R2#ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms


R1#show run
Building configuration...

Current configuration : 1321 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 10.1.1.1 255.255.255.252
 no fair-queue
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/1
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 5 0
 password 7 070C285F4D061A0A19020A1F17
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 1511021F07252A313023343100
 login
line vty 0 4
 exec-timeout 5 0
 password 7 02050D4808091935555E080A16
 login
!
scheduler allocate 20000 1000
end


R1#show flash
-#- --length-- -----date/time------ path
1     37124796 Apr 11 2015 10:34:16 c1841-advipservicesk9-mz.124-20.T4.bin
2         2898 Sep 07 2010 05:50:46 cpconfig-18xx.cfg
3      2938880 Sep 07 2010 05:51:14 cpexpress.tar
4         1038 Sep 07 2010 05:51:26 home.shtml
5       122880 Sep 07 2010 05:51:40 home.tar
6       527849 Sep 07 2010 05:51:54 128MB.sdf
7      1697952 Sep 07 2010 05:52:26 securedesktop-ios-3.1.1.45-k9.pkg
8       415956 Sep 07 2010 05:52:48 sslclient-win-1.1.4.176.pkg
9         1368 May 31 2015 00:56:00 pre_autosec.cfg

21151744 bytes available (42848256 bytes used)

R1#mkdir ?
  flash:  Directory name
  <cr>

R1#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir
R1#show flash
-#- --length-- -----date/time------ path
1     37124796 Apr 11 2015 10:34:16 c1841-advipservicesk9-mz.124-20.T4.bin
2         2898 Sep 07 2010 05:50:46 cpconfig-18xx.cfg
3      2938880 Sep 07 2010 05:51:14 cpexpress.tar
4         1038 Sep 07 2010 05:51:26 home.shtml
5       122880 Sep 07 2010 05:51:40 home.tar
6       527849 Sep 07 2010 05:51:54 128MB.sdf
7      1697952 Sep 07 2010 05:52:26 securedesktop-ios-3.1.1.45-k9.pkg
8       415956 Sep 07 2010 05:52:48 sslclient-win-1.1.4.176.pkg
9         1368 May 31 2015 00:56:00 pre_autosec.cfg
10           0 Jun 01 2015 11:02:56 ipsdir   

21147648 bytes available (42852352 bytes used)

R1#dir flash:ipsdir
Directory of flash:/ipsdir/

No files in directory   

64000000 bytes total (21147648 bytes free)


crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit


R1(config)#crypto key pubkey-chain rsa
R1(config-pubkey-chain)#named-key realm-cisco.pub signature
Translating "realm-cisco.pub"

R1(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....

R1(config-pubkey)#$64886 F70D0101 01050003 82010F00 3082010A 02820101
R1(config-pubkey)#$C7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R1(config-pubkey)#$BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R1(config-pubkey)#$FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R1(config-pubkey)#$8AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R1(config-pubkey)#$AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R1(config-pubkey)#$189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R1(config-pubkey)#$3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R1(config-pubkey)#$A4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R1(config-pubkey)#F3020301 0001
R1(config-pubkey)#quit
R1(config-pubkey-key)#do show run
Building configuration...

Current configuration : 2109 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
crypto key pubkey-chain rsa   
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit   
!

R1(config)#ip ips ?
  auto-update           Auto Update
  config                Location of IPS configuration files
  deny-action           Specify Deny action
  event-action-rules    Event Action Rules (SEAP)
  fail                  Specify what to do during any failures
  name                  Specify an IPS rule
  notify                Specify the notification mechanisms (SDEE or log) for
                        the alarms
  signature-category    Signature Category
  signature-definition  Signature Definition

R1(config)#ip ips name ?
  WORD  Name of IPS rule

R1(config)#ip ips name IOSIPS
R1(config)#ip ips config ?
  location  Location of IPS configuration files

R1(config)#ip ips config location ?
  WORD  Directory path of IPS configuration files
  <cr>

R1(config)#ip ips config location flash:ipsdir    // IPS SIGNATURE STORAGE LOCATION
R1(config)#ip http server    // MUST BE ENABLED TO USE SDEE
R1(config)#ip ips notify ?
  SDEE  Send events to SDEE
  log   Send events as syslog messages

R1(config)#ip ips notify sdee    // SECURITY DEVICE EVENT EXCHANGE; IDS ALERT FORMAT AND TRANSPORT PROTOCOL
R1(config)#ip ips notify log     // ENABLED BY DEFAULT


R1#show clock
*11:12:24.187 UTC Mon Jun 1 2015

R1#show run | i timestamp
service timestamps debug datetime msec
service timestamps log datetime msec  

R1(config)#logging 192.168.1.3    // SEND SYSLOG TO PC-A

R1#show logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited,  
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level debugging, 39 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  disabled, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

    Trap logging: level informational, 43 message lines logged
        Logging to 192.168.1.3  (udp port 514,  audit disabled,
              authentication disabled, encryption disabled, link up),
              2 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled


C:\Users\John Lloyd>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 192.168.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

C:\Users\John Lloyd>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms


R1(config)#ip ips ?
  auto-update           Auto Update
  config                Location of IPS configuration files
  deny-action           Specify Deny action
  event-action-rules    Event Action Rules (SEAP)
  fail                  Specify what to do during any failures
  name                  Specify an IPS rule
  notify                Specify the notification mechanisms (SDEE or log) for
                        the alarms
  signature-category    Signature Category
  signature-definition  Signature Definition

R1(config)#ip ips signature-category
R1(config-ips-category)#?
IPS signature category configuration commands:
  category  Category keyword
  exit      Exit from Category Mode
  no        Negate or set default values of a command

R1(config-ips-category)#category ?
  adware/spyware         Adware/Spyware (more sub-categories)
  all                    All Categories
  attack                 Attack (more sub-categories)
  ddos                   DDoS (more sub-categories)
  dos                    DoS (more sub-categories)
  email                  Email (more sub-categories)
  instant_messaging      Instant Messaging (more sub-categories)
  ios_ips                IOS IPS (more sub-categories)
  l2/l3/l4_protocol      L2/L3/L4 Protocol (more sub-categories)
  network_services       Network Services (more sub-categories)
  os                     OS (more sub-categories)
  other_services         Other Services (more sub-categories)
  p2p                    P2P (more sub-categories)
  reconnaissance         Reconnaissance (more sub-categories)
  viruses/worms/trojans  Viruses/Worms/Trojans (more sub-categories)
  web_server             Web Server (more sub-categories)

R1(config-ips-category)#category all   
R1(config-ips-category-action)#?
Category Options for configuration:
  alert-severity   Alarm Severity Rating
  enabled          Enable Category Signatures
  event-action     Action
  exit             Exit from Category Actions Mode
  fidelity-rating  Signature Fidelity Rating
  no               Negate or set default values of a command
  retired          Retire Category Signatures

R1(config-ips-category-action)#retired ?
  false  False
  true   True

R1(config-ips-category-action)#retired true    // REQUIRED TO RETIRE ALL SIGNATURES IN IOS IPS; OTHERWISE ROUTER WILL RUN OUT OF MEMORY
R1(config-ips-category-action)#exit
R1(config-ips-category)#category ios_ips
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#exit
R1(config-ips-category)#exit
Do you want to accept these changes? [confirm] <ENTER>
R1(config)#
*Jun  1 11:21:32.643: Applying Category configuration to signatures ...


R1(config)#interface serial0/0/0
R1(config-if)#ip ips ?
  WORD  Name of defined IPS rule

R1(config-if)#ip ips IOSIPS ?
  in   Inbound IPS
  out  Outbound IPS

R1(config-if)#ip ips IOSIPS in
R1(config-if)#
*Jun  1 11:24:48.963: %IPS-6-ENGINE_BUILDS_STARTED:  11:24:48 UTC Jun 1 2015
*Jun  1 11:24:48.963: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Jun  1 11:24:48.971: %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*Jun  1 11:24:48.971: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms




R1(config-if)#interface fastethernet0/1     // DESIRABLE TO CONFIGURE IPS TO PREVENT INTERNAL ATTACKS
R1(config-if)#ip ips IOSIPS in


R1(config)#enable password cisco12345


R1#ping 192.168.1.3     // PING TO TFTP SERVER

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms


R1#copy tftp://192.168.1.3/IOS-S364-CLI.pkg idconf   // idconf KEYWORD REQUIRED
Loading IOS-S364-CLI.pkg from 192.168.1.3 (via FastEthernet0/1): !!!O!!!!!!!!!!!!!!!!!!!!!!!
*Jun  1 11:33:07.675: %IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (signature verification failure).!   
[OK - 6812253 bytes]

R1#dir flash:ipsdir
Directory of flash:/ipsdir/

   11  -rw-         704   Jun 1 2015 11:24:48 +00:00  R1-sigdef-default.xml
   12  -rw-         255   Jun 1 2015 11:24:48 +00:00  R1-sigdef-delta.xml
   13  -rw-        6632   Jun 1 2015 11:32:28 +00:00  R1-sigdef-typedef.xml
   14  -rw-       28282   Jun 1 2015 11:32:32 +00:00  R1-sigdef-category.xml
   15  -rw-         304   Jun 1 2015 11:24:50 +00:00  R1-seap-delta.xml
   16  -rw-         491   Jun 1 2015 11:24:50 +00:00  R1-seap-typedef.xml

64000000 bytes total (21094400 bytes free)
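The first copy with the idconf keyword above ended in %IPS-3-INVALID_DIGITAL_SIGNATURE. One check worth running before loading a package is to confirm that the pasted key-string decodes as a 2048-bit RSA public key (a DER SubjectPublicKeyInfo), which rules out a truncated or mangled paste as one cause of that failure. The Python below is an added example, not part of the lab: it takes the realm-cisco.pub key-string value shown earlier as its sample input and reads the DER with a small tag-length-value parser written for this purpose.

```python
import re

# The realm-cisco.pub key-string exactly as entered in the lab above (IOS takes it
# as whitespace-separated hex); copied here as the sample input for this check.
REALM_CISCO_PUB_HEX = """
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
"""

# OID 1.2.840.113549.1.1.1 (rsaEncryption) in DER form.
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, end_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element at offset %d runs past end of data" % pos)
    return tag, buf[pos:pos + length], pos + length


def _expect(tag, wanted, what):
    if tag != wanted:
        raise ValueError("%s: expected tag 0x%02X, got 0x%02X" % (what, wanted, tag))


def inspect_key_string(hex_text):
    """Decode a pasted key-string as an RSA SubjectPublicKeyInfo and describe it.

    Raises ValueError on a truncated or mangled paste, which on the router would
    only surface later as a signature verification failure on the package load.
    """
    der = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    tag, spki, end = _tlv(der, 0)
    _expect(tag, 0x30, "SubjectPublicKeyInfo")
    if end != len(der):
        raise ValueError("%d trailing bytes after the key" % (len(der) - end))
    tag, algid, pos = _tlv(spki, 0)
    _expect(tag, 0x30, "AlgorithmIdentifier")
    tag, oid, _ = _tlv(algid, 0)
    _expect(tag, 0x06, "algorithm OID")
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)
    _expect(tag, 0x03, "subjectPublicKey BIT STRING")
    if bits[0] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    tag, rsakey, _ = _tlv(bits[1:], 0)
    _expect(tag, 0x30, "RSAPublicKey")
    tag, n_bytes, pos = _tlv(rsakey, 0)
    _expect(tag, 0x02, "modulus")
    tag, e_bytes, _ = _tlv(rsakey, pos)
    _expect(tag, 0x02, "publicExponent")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"der_bytes": len(der), "modulus_bits": n.bit_length(), "exponent": e}


if __name__ == "__main__":
    print(inspect_key_string(REALM_CISCO_PUB_HEX))
```

A paste that drops the final "F3020301 0001" line is rejected because the outer SEQUENCE length no longer matches the data, which is exactly the kind of error the router reports only as a failed verification.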

R1#show ip ips ?
  all                 IPS all available information
  auto-update         IPS auto-update configuration
  category            Category
  configuration       IPS configuration
  event-action-rules  Event Action Rules (SEAP)
  interfaces          IPS interfaces
  name                IPS name
  sessions            IPS sessions
  signature-category  Signature Category
  signatures          IPS signatures
  statistics          IPS statistics

R1#show ip ips signature ?
  count       Counts of signatures enabled, retired, and compiled
  detail      Detailed display of signature parameters
  engine      Display signatures for one selected engine
  sigid       Signature ID for the selected signature
  statistics  Display of signature statistics
  |           Output modifiers
  <cr>

R1#show ip ips signature count

Cisco SDF release version S0.0
Trend SDF release version V0.0

Signature Micro-Engine: multi-string (INACTIVE)

Signature Micro-Engine: service-http (INACTIVE)

Signature Micro-Engine: string-tcp (INACTIVE)

Signature Micro-Engine: string-udp (INACTIVE)

Signature Micro-Engine: state (INACTIVE)

Signature Micro-Engine: atomic-ip: Total Signatures 3
      atomic-ip enabled signatures: 0
      atomic-ip compiled signatures: 3

Signature Micro-Engine: string-icmp (INACTIVE)

Signature Micro-Engine: service-ftp (INACTIVE)

Signature Micro-Engine: service-rpc (INACTIVE)

Signature Micro-Engine: service-dns (INACTIVE)

Signature Micro-Engine: normalizer (INACTIVE)

Signature Micro-Engine: service-smb-advanced (INACTIVE)

Signature Micro-Engine: service-msrpc (INACTIVE)

Total Signatures: 3
   Total Enabled Signatures: 0
   Total Retired Signatures: 0
   Total Compiled Signatures: 3  


R1(config)#crypto key pubkey-chain rsa
R1(config-pubkey-chain)#no named-key realm-cisco.pub signature

R1#cd ?
  archive:  Directory name
  cns:      Directory name
  flash:    Directory name
  null:     Directory name
  nvram:    Directory name
  syslog:   Directory name
  system:   Directory name
  tar:      Directory name
  tmpsys:   Directory name
  xmodem:   Directory name
  ymodem:   Directory name
  <cr>

R1#cd flash:ipsdir
R1#dir
Directory of flash:/ipsdir/

   11  -rw-         704   Jun 1 2015 11:24:48 +00:00  R1-sigdef-default.xml
   12  -rw-         255   Jun 1 2015 11:24:48 +00:00  R1-sigdef-delta.xml
   13  -rw-        6632   Jun 1 2015 11:47:38 +00:00  R1-sigdef-typedef.xml
   14  -rw-       28282   Jun 1 2015 11:47:42 +00:00  R1-sigdef-category.xml
   15  -rw-         304   Jun 1 2015 11:24:50 +00:00  R1-seap-delta.xml
   16  -rw-         491   Jun 1 2015 11:24:50 +00:00  R1-seap-typedef.xml

64000000 bytes total (21094400 bytes free)
R1#del R1-sigdef-default.xml
Delete filename [/ipsdir/R1-sigdef-default.xml]?
Delete flash:/ipsdir/R1-sigdef-default.xml? [confirm]
R1#del R1-sigdef-delta.xml
Delete filename [/ipsdir/R1-sigdef-delta.xml]?
Delete flash:/ipsdir/R1-sigdef-delta.xml? [confirm]
R1#del R1-sigdef-typedef.xml
Delete filename [/ipsdir/R1-sigdef-typedef.xml]?
Delete flash:/ipsdir/R1-sigdef-typedef.xml? [confirm]
R1#del R1-sigdef-category.xml
Delete filename [/ipsdir/R1-sigdef-category.xml]?
Delete flash:/ipsdir/R1-sigdef-category.xml? [confirm]
R1#del R1-seap-delta.xml
Delete filename [/ipsdir/R1-seap-delta.xml]?
Delete flash:/ipsdir/R1-seap-delta.xml? [confirm]
R1#del R1-seap-typedef.xml
Delete filename [/ipsdir/R1-seap-typedef.xml]?
Delete flash:/ipsdir/R1-seap-typedef.xml? [confirm]
R1#dir
Directory of flash:/ipsdir/

No files in directory

64000000 bytes total (21147648 bytes free)

R1#cd ..
R1#dir
Directory of flash:/

    1  -rw-    37124796  Apr 11 2015 10:34:16 +00:00  c1841-advipservicesk9-mz.124-20.T4.bin
    2  -rw-        2898   Sep 7 2010 05:50:46 +00:00  cpconfig-18xx.cfg
    3  -rw-     2938880   Sep 7 2010 05:51:14 +00:00  cpexpress.tar
    4  -rw-        1038   Sep 7 2010 05:51:26 +00:00  home.shtml
    5  -rw-      122880   Sep 7 2010 05:51:40 +00:00  home.tar
    6  -rw-      527849   Sep 7 2010 05:51:54 +00:00  128MB.sdf
    7  -rw-     1697952   Sep 7 2010 05:52:26 +00:00  securedesktop-ios-3.1.1.45-k9.pkg
    8  -rw-      415956   Sep 7 2010 05:52:48 +00:00  sslclient-win-1.1.4.176.pkg
    9  -rw-        1368  May 31 2015 00:56:00 +00:00  pre_autosec.cfg
   10  drw-           0   Jun 1 2015 11:02:56 +00:00  ipsdir

64000000 bytes total (21147648 bytes free)


The public key string can be found on this link.

R1(config)#crypto key pubkey-chain rsa
R1(config-pubkey-chain)# named-key realm-cisco.pub signature
Translating "realm-cisco.pub"

R1(config-pubkey-key)#  key-string
Enter a public key as a hexidecimal number ....

R1(config-pubkey)#$2A864886 F70D0101 01050003 82010F00 3082010A 02820101
R1(config-pubkey)#$D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R1(config-pubkey)#$912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R1(config-pubkey)#$085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R1(config-pubkey)#$0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R1(config-pubkey)#$994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R1(config-pubkey)#$5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R1(config-pubkey)#$A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R1(config-pubkey)#$80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R1(config-pubkey)#   F3020301 0001
R1(config-pubkey)# quit

R1#copy tftp://192.168.1.3/IOS-S364-CLI.pkg idconf   // RE-DOWNLOADED IOS-S364-CLI.pkg FROM CISCO'S DOWNLOAD SITE; TOOK SEVERAL MINUTES TO FINISH BUILDING SIGNATURE ENGINE
Loading IOS-S364-CLI.pkg from 192.168.1.3 (via FastEthernet0/1): !!!OO!!!!!!!!!!!!!!!!!!!!!!
*Jun  1 12:06:44.135: %IPS-6-ENGINE_BUILDS_STARTED:  12:06:44 UTC Jun 1 2015
*Jun  1 12:06:44.139: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
*Jun  1 12:06:44.147: %IPS-6-ENGINE_READY: multi-string - build time 8 ms - packets for this engine will be scanned
*Jun  1 12:06:44.167: %IPS-6-ENGINE_BUILDING: service-http - 629 signatures - 2 of 13 engines
*Jun  1 12:07:24.055: %IPS-6-ENGINE_READY: service-http - build time 39888 ms - packets for this engine will be scanned
*Jun  1 12:07:24.091: %IPS-6-ENGINE_BUILDING: string-tcp - 1065 signatures - 3 of 13 engines
*Jun  1 12:09:07.887: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5753:0 - failed to compile regular expression
*Jun  1 12:09:23.251: %IPS-6-ENGINE_READY: string-tcp - build time 119160 ms - packets for this engine will be scanned
*Jun  1 12:09:23.259: %IPS-6-ENGINE_BUILDING: string-udp - 75 signatures - 4 of 13 engines
*Jun  1 12:09:25.031: %IPS-6-ENGINE_READY: string-udp - build time 1772 ms - packets for this engine will be scanned
*Jun  1 12:09:25.031: %IPS-6-ENGINE_BUILDING: state - 28 signatures - 5 of 13 engines
*Jun  1 12:09:25.215: %IPS-6-ENGINE_READY: state - build time 184 ms - packets for this engine will be scanned
*Jun  1 12:09:25.271: %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 6 of 13 engines
*Jun  1 12:09:26.399: %IPS-5-PACKET_UNSCANNED: atomic-ip - fail open - packets passed unscanned
*Jun  1 12:09:26.471: %IPS-6-ENGINE_READY: atomic-ip - build time 1200 ms - packets for this engine will be scanned
*Jun  1 12:09:26.507: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
*Jun  1 12:09:26.563: %IPS-6-ENGINE_READY: string-icmp - build time 56 ms - packets for this engine will be scanned
*Jun  1 12:09:26.563: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
*Jun  1 12:09:26.587: %IPS-6-ENGINE_READY: service-ftp - build time 24 ms - packets for this engine will be scanned
*Jun  1 12:09:26.591: %IPS-6-ENGINE_BUILDING: service-rpc - 75 signatures - 9 of 13 engines
*Jun  1 12:09:26.971: %IPS-6-ENGINE_READY: service-rpc - build time 380 ms - packets for this engine will be scanned
*Jun  1 12:09:26.975: %IPS-6-ENGINE_BUILDING: service-dns - 38 signatures - 10 of 13 engines
*Jun  1 12:09:27.051: %IPS-6-ENGINE_READY: service-dns - build time 76 ms - packets for this engine will be scanned%IDConf: Fail to load file tftp://192.168.1.3/IOS-S364-CLI.pkg
*Jun  1 12:09:39.619: %IPS-4-SDF_PARSE_FAILED: file tftp://192.168.1.3/IOS-S364-CLI.pkg: no element found at Line 145453 Col 11 Byte 6164480 Len 0
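The messages above are what the syslog host at 192.168.1.3 receives during a signature load, and four of them mean the IPS is not inspecting what was configured: a package that failed signature verification, a signature that did not compile (silently inactive), fail-open passing traffic unscanned, and a package load that aborted. The Python parser below is an added example, not part of the lab: it runs over lines copied from the build above (embedded as sample input), records per-engine signature counts and build times, and separates out those four conditions for alerting. It assumes the console line format shown here (leading asterisk, IOS timestamp); lines forwarded over UDP with a sequence number or priority prefix would need the regex widened.

```python
import re
from collections import defaultdict

# Sample input: console lines copied from the signature load above.
SAMPLE_LOG = """\
*Jun  1 11:33:07.675: %IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (signature verification failure).
*Jun  1 12:06:44.135: %IPS-6-ENGINE_BUILDS_STARTED:  12:06:44 UTC Jun 1 2015
*Jun  1 12:06:44.139: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
*Jun  1 12:06:44.147: %IPS-6-ENGINE_READY: multi-string - build time 8 ms - packets for this engine will be scanned
*Jun  1 12:07:24.091: %IPS-6-ENGINE_BUILDING: string-tcp - 1065 signatures - 3 of 13 engines
*Jun  1 12:09:07.887: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5753:0 - failed to compile regular expression
*Jun  1 12:09:23.251: %IPS-6-ENGINE_READY: string-tcp - build time 119160 ms - packets for this engine will be scanned
*Jun  1 12:09:25.271: %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 6 of 13 engines
*Jun  1 12:09:26.399: %IPS-5-PACKET_UNSCANNED: atomic-ip - fail open - packets passed unscanned
*Jun  1 12:09:26.471: %IPS-6-ENGINE_READY: atomic-ip - build time 1200 ms - packets for this engine will be scanned
*Jun  1 12:09:39.619: %IPS-4-SDF_PARSE_FAILED: file tftp://192.168.1.3/IOS-S364-CLI.pkg: no element found at Line 145453 Col 11 Byte 6164480 Len 0
"""

# Assumption: console format as printed above ("*Mon dd hh:mm:ss.mmm: %IPS-sev-MNEMONIC: text").
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%IPS-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<msg>.*)$"
)
BUILDING_RE = re.compile(r"^(?P<engine>\S+) - (?P<count>\d+) signatures - ")
READY_RE = re.compile(r"^(?P<engine>\S+) - build time (?P<ms>\d+) ms")
COMPILE_RE = re.compile(r"^(?P<engine>\S+) (?P<sigid>\d+:\d+) - ")
UNSCANNED_RE = re.compile(r"^(?P<engine>\S+) - fail open")

# Mnemonics that mean the IPS is not doing what the operator configured.
ALERT_MNEMONICS = {
    "INVALID_DIGITAL_SIGNATURE",   # package failed verification: do not trust its contents
    "SIGNATURE_COMPILE_FAILURE",   # one signature is inactive although enabled
    "PACKET_UNSCANNED",            # fail open: traffic bypassed inspection
    "SDF_PARSE_FAILED",            # package load aborted part way through
}


def parse_ips_log(text):
    """Return {"engines": {name: {"signatures": n, "build_ms": m}}, "alerts": [...]}."""
    engines = defaultdict(dict)
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an IPS message (or a format we do not handle)
        mnemonic, msg = m["mnemonic"], m["msg"]
        if mnemonic == "ENGINE_BUILDING":
            b = BUILDING_RE.match(msg)
            if b:
                engines[b["engine"]]["signatures"] = int(b["count"])
        elif mnemonic == "ENGINE_READY":
            r = READY_RE.match(msg)
            if r:
                engines[r["engine"]]["build_ms"] = int(r["ms"])
        elif mnemonic in ALERT_MNEMONICS:
            detail = {"severity": int(m["sev"]), "time": m["ts"], "text": msg}
            if mnemonic == "SIGNATURE_COMPILE_FAILURE":
                c = COMPILE_RE.match(msg)
                if c:
                    detail.update(engine=c["engine"], sigid=c["sigid"])
            elif mnemonic == "PACKET_UNSCANNED":
                u = UNSCANNED_RE.match(msg)
                if u:
                    detail["engine"] = u["engine"]
            alerts.append((mnemonic, detail))
    return {"engines": dict(engines), "alerts": alerts}


def bypass_detected(result):
    """True if any message shows traffic passing without inspection (fail open)."""
    return any(name == "PACKET_UNSCANNED" for name, _ in result["alerts"])


if __name__ == "__main__":
    summary = parse_ips_log(SAMPLE_LOG)
    for engine, stats in summary["engines"].items():
        print(engine, stats)
    for name, detail in summary["alerts"]:
        print("ALERT", name, detail)
```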

R1#dir flash:ipsdir
Directory of flash:/ipsdir/

   15  -rw-        6632   Jun 1 2015 12:05:52 +00:00  R1-sigdef-typedef.xml
   16  -rw-       28282   Jun 1 2015 12:05:56 +00:00  R1-sigdef-category.xml
   14  -rw-      229737   Jun 1 2015 12:09:38 +00:00  R1-sigdef-default.xml

64000000 bytes total (20877312 bytes free)

R1#show ip ips signature count

Cisco SDF release version S339.0
Trend SDF release version V0.0

Signature Micro-Engine: multi-string: Total Signatures 8
      multi-string enabled signatures: 8
      multi-string retired signatures: 8

Signature Micro-Engine: service-http: Total Signatures 629
      service-http enabled signatures: 132
      service-http retired signatures: 438
      service-http compiled signatures: 191
      service-http obsoleted signatures: 1

Signature Micro-Engine: string-tcp: Total Signatures 1066
      string-tcp enabled signatures: 558
      string-tcp retired signatures: 827
      string-tcp compiled signatures: 237
      string-tcp Inactive - compile failure: 1
      string-tcp obsoleted signatures: 12

Signature Micro-Engine: string-udp: Total Signatures 75
      string-udp enabled signatures: 2
      string-udp retired signatures: 38
      string-udp compiled signatures: 37
      string-udp obsoleted signatures: 1

Signature Micro-Engine: state: Total Signatures 28
      state enabled signatures: 15
      state retired signatures: 24
      state compiled signatures: 4

Signature Micro-Engine: atomic-ip: Total Signatures 303
      atomic-ip enabled signatures: 103
      atomic-ip retired signatures: 270
      atomic-ip compiled signatures: 33

Signature Micro-Engine: string-icmp: Total Signatures 3
      string-icmp enabled signatures: 0
      string-icmp retired signatures: 1
      string-icmp compiled signatures: 2

Signature Micro-Engine: service-ftp: Total Signatures 3
      service-ftp enabled signatures: 1
      service-ftp retired signatures: 2
      service-ftp compiled signatures: 1

Signature Micro-Engine: service-rpc: Total Signatures 75
      service-rpc enabled signatures: 44
      service-rpc retired signatures: 37
      service-rpc compiled signatures: 38

Signature Micro-Engine: service-dns: Total Signatures 38
      service-dns enabled signatures: 30
      service-dns retired signatures: 9
      service-dns compiled signatures: 29

Signature Micro-Engine: normalizer: Total Signatures 9
      normalizer enabled signatures: 8
      normalizer retired signatures: 1
      normalizer compiled signatures: 8

Signature Micro-Engine: service-smb-advanced: Total Signatures 42
      service-smb-advanced enabled signatures: 42
      service-smb-advanced retired signatures: 42

Signature Micro-Engine: service-msrpc: Total Signatures 27
      service-msrpc enabled signatures: 27
      service-msrpc retired signatures: 25
      service-msrpc compiled signatures: 2
      service-msrpc obsoleted signatures: 1

Total Signatures: 2306
   Total Enabled Signatures: 970
   Total Retired Signatures: 1722
   Total Compiled Signatures: 582
   Total Signatures with compile failures: 1
   Total Obsoleted Signatures: 15

R1#show ip ips all

IPS Signature File Configuration Status
    Configured Config Locations: flash:ipsdir/
    Last signature default load time: 12:09:27 UTC Jun 1 2015
    Last signature delta load time: -none-
    Last event action (SEAP) load time: -none-

    General SEAP Config:
    Global Deny Timeout: 3600 seconds
    Global Overrides Status: Enabled
    Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
    Event notification through syslog is enabled
    Event notification through SDEE is enabled

IPS Signature Status
    Total Active Signatures: 582
    Total Inactive Signatures: 1724

IPS Packet Scanning and Interface Status
    IPS Rule Configuration
      IPS name IOSIPS
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Interface Configuration
      Interface Serial0/0/0
        Inbound IPS rule is IOSIPS  
        Outgoing IPS rule is not set   
      Interface FastEthernet0/1
        Inbound IPS rule is IOSIPS  
        Outgoing IPS rule is not set   

IPS Category CLI Configuration:
    Category all:
        Retire: True
    Category ios_ips:
        Retire: False


R2#ping 10.1.1.1   

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

R2#ping 192.168.1.3     // PING TO R1 SERIAL0/0/0 AND PC-A ARE SUCCESSFUL BECAUSE ALL SIGNATURES WERE RETIRED

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms


R1(config)#ip ips signature-definition
R1(config-sigdef)#?
IPS signature configuration commands:
  exit       Exit from Signature Definition Mode
  signature  Signature keyword

R1(config-sigdef)#signature ?
  <1-65535>  Signature ID value

R1(config-sigdef)#signature 2004 ?
  <0-65535>  Signature SubID value
  <cr>

R1(config-sigdef)#signature 2004 0   // ICMP SIGNATURE
R1(config-sigdef-sig)#?
Category Options for configuration:
  alert-severity   Alarm Severity Rating
  engine           Engine
  exit             Exit from Category Actions Mode
  fidelity-rating  Signature Fidelity Rating
  no               Negate or set default values of a command
  status           Status

R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#?
Status options for signatures:
  enabled  Enable Category Signatures
  exit     Exit from status submode
  no       Negate or set default values of a command
  retired  Retire Category Signatures

R1(config-sigdef-sig-status)#retired ?
  false  FALSE
  true   TRUE

R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#enabled ?
  false  FALSE
  true   TRUE

R1(config-sigdef-sig-status)#enabled true
R1(config-sigdef-sig-status)#?
Status options for signatures:
  enabled  Enable Category Signatures
  exit     Exit from status submode
  no       Negate or set default values of a command
  retired  Retire Category Signatures

R1(config-sigdef-sig-status)#engine
R1(config-sigdef-sig-engine)#?
Engine options for signatures:
  event-action  Action
  exit          Exit from engine submode
  no            Negate or set default values of a command

R1(config-sigdef-sig-engine)#event-action ?
  deny-attacker-inline    Deny Attacker
  deny-connection-inline  Deny Connection
  deny-packet-inline      Deny Packet
  produce-alert           Produce Alert
  reset-tcp-connection    Reset TCP Connection
  <cr>

R1(config-sigdef-sig-engine)#event-action produce-alert
R1(config-sigdef-sig-engine)#event-action deny-packet-inline
R1(config-sigdef-sig-engine)#event-action reset-tcp-connection
R1(config-sigdef-sig-engine)#exit
R1(config-sigdef-sig)#exit
R1(config-sigdef)#exit
Do you want to accept these changes? [confirm] <ENTER>

*Jun  1 12:30:29.415: %IPS-6-ENGINE_BUILDS_STARTED:  12:30:29 UTC Jun 1 2015
*Jun  1 12:30:29.967: %IPS-6-ENGINE_BUILDING: string-tcp - 1066 signatures - 1 of 13 engines
*Jun  1 12:32:33.323: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5753:0 - failed to compile regular expression
*Jun  1 12:32:43.743: %IPS-6-ENGINE_READY: string-tcp - build time 133776 ms - packets for this engine will be scanned
*Jun  1 12:32:44.495: %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 2 of 13 engines
*Jun  1 12:32:45.207: %IPS-6-ENGINE_READY: atomic-ip - build time 712 ms - packets for this engine will be scanned
*Jun  1 12:32:45.443: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 136028 ms
R1(config)#
*Jun  1 12:33:26.487: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.3:8 -> 172.16.1.254:0] VRF:NONE RiskRating:25


R2#ping 10.1.1.1   // BLOCKED BY IPS SIGNATURE

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#ping 192.168.1.3    // BLOCKED BY IPS SIGNATURE

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


R1(config-ips-category)#category ios_ips ?
  advanced  Advanced
  basic     Basic
  <cr>

R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#enabled true
R1(config-ips-category-action)#event-action produce-alert
R1(config-ips-category-action)#event-action deny-packet-inline
R1(config-ips-category-action)#event-action reset-tcp-connection

R1(config-ips-category)#category all


R2#ping 10.2.2.1     // PING TO R3 SERIAL0/0/0 INTERFACE (WITHOUT IPS)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms

R2#ping 192.168.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms


R3#show run
Building configuration...

Current configuration : 929 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.252
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.2.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

R3(config)#enable secret cisco12345
R3(config)#ip http server
R3(config)#username admin privilege 15 secret cisco12345
R3(config)#ip http authentication local


R3#show flash
-#- --length-- -----date/time------ path
1     37124796 Apr 11 2015 10:46:06 c1841-advipservicesk9-mz.124-20.T4.bin
2          913 May 02 2015 12:59:48 pre_autosec.cfg

26873856 bytes available (37130240 bytes used)


R3#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir
R3#dir flash:ipsdir
Directory of flash:/ipsdir/

No files in directory

64004096 bytes total (26869760 bytes free)

R3#
*Jun  6 12:29:34.535: %IPS-6-ENGINE_BUILDS_STARTED:  12:29:34 UTC Jun 6 2015
*Jun  6 12:29:34.535: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
*Jun  6 12:29:34.547: %IPS-6-ENGINE_READY: multi-string - build time 12 ms - packets for this engine will be scanned
*Jun  6 12:29:34.567: %IPS-6-ENGINE_BUILDING: service-http - 629 signatures - 2 of 13 engines
*Jun  6 12:29:44.231: %IPS-6-ENGINE_READY: service-http - build time 9664 ms - packets for this engine will be scanned
*Jun  6 12:29:44.263: %IPS-6-ENGINE_BUILDING: string-tcp - 1065 signatures - 3 of 13 engines
R3#
*Jun  6 12:30:14.239: %RE-4-COMPILE_FAILED: Compile failed on pattern number 0 - states 1 - [Nn][Ee][Tt][Ww][Oo][Rr][Kk][\x3c][0-9][0-9]?[0-9]?[.][0-9][0-9]?[0-9]?[.][0-9][0-9]?[0-9]?[.][0-9][0-9]?[0-9]?\x20([A-Za-z\x2D0-9]?){100}\x20[^A-Za-z\x20>]+[>]
*Jun  6 12:30:14.239: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5464:1 - failed to compile regular expression
*Jun  6 12:30:15.215: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5489:2 - failed to compile regular expression
*Jun  6 12:30:15.655: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5489:7 - failed to compile regular expression
*Jun  6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3137:6 - compiles discontinued for this engine
*Jun  6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5675:0 - compiles discontinued for this engine
*Jun  6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5455:1 - compiles discontinued for this engine
*Jun  6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3784:0 - compiles discontinued for this engine
*Jun  6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3528:0 - compiles discontinued for this engine
*Jun  6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3173:0 - compiles discontinued for this engine
*Jun  6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3550:0 - compiles discontinued for this engine
*Jun  6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5769:1 - compiles discontinued for this engine
*Jun  6 12:30:16.175: %IPS-6-ENGINE_READY: string-tcp - build time 31912 ms - packets for this engine will be scanned
*Jun  6 12:30:16.183: %IPS-6-ENGINE_BUILDING: string-udp - 75 signatures - 4 of 13 engines
*Jun  6 12:30:17.027: %IPS-6-ENGINE_READY: string-udp - build time 844 ms - packets for this engine will be scanned
*Jun  6 12:30:17.027: %IPS-6-ENGINE_BUILDING: state - 28 signatures - 5 of 13 engines
*Jun  6 12:30:17.107: %IPS-6-ENGINE_READY: state - build time 80 ms - packets for this engine will be scanned
*Jun  6 12:30:17.383: %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 6 of 13 engines
*Jun  6 12:30:17.883: Cannot allocate ATOMIC SME extension
*Jun  6 12:30:17.883: %IPS-3-ENGINE_BUILD_FAILED: atomic-ip - 500 ms - engine build failed
*Jun  6 12:30:18.019: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
*Jun  6 12:30:18.071: %IPS-6-ENGINE_READY: string-icmp - build time 52 ms - packets for this engine will be scanned
*Jun  6 12:30:18.071: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
*Jun  6 12:30:18.095: %IPS-6-ENGINE_READY: service-ftp - build time 24 ms - packets for this engine will be scanned
*Jun  6 12:30:18.099: %IPS-6-ENGINE_BUILDING: service-rpc - 75 signatures - 9 of 13 engines
*Jun  6 12:30:18.347: %IPS-3-ENGINE_BUILD_FAILED: service-rpc - 248 ms - engine build failed
*Jun  6 12:30:18.395: %IPS-6-ENGINE_BUILDING: service-dns - 38 signatures - 10 of 13 engines
*Jun  6 12:30:18.439: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-dns 6054:1 - failed to compile regular expression
*Jun  6 12:30:18.447: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-dns 6054:0 - failed to compile regular expression
*Jun  6 12:30:18.455: %IPS-3-ENGINE_BUILD_FAILED: service-dns - 60 ms - engine build failed
*Jun  6 12:30:18.479: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
*Jun  6 12:30:18.479: %IPS-6-ENGINE_READY: normalizer - build time 0 ms - packets for this engine will be scanned
*Jun  6 12:30:18.519: %IPS-3-ENGINE_BUILD_FAILED: service-smb-advanced - 36 ms - engine build failed
*Jun  6 12:30:18.575: %IPS-3-ENGINE_BUILD_FAILED: service-msrpc - 32 ms - engine build failed
*Jun  6 12:30:36.651: %IPS-4-IPS_SIGNATURE_FILE: tftp://192.168.3.3/IOS-S364-CLI.pkg - read_len < 0
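As an added example (my own, not part of this post or any Cisco tool), here is a small Python parser for the IOS IPS syslog lines seen in this lab: the 2004:0 ICMP alert after the signature tuning on R1, and the compile failures, engine build failures and signature-file read error on R3. It pulls the alert fields into structured records and lists the engines whose build failed, which is the part that "Total Inactive Signatures" hides; the sample log is constructed from the lines shown on this page.

```python
import re
from collections import Counter

# Constructed sample: IOS IPS syslog lines modelled on the ones shown in this post.
SAMPLE_LOG = """\
*Jun  1 12:32:33.323: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5753:0 - failed to compile regular expression
*Jun  1 12:33:26.487: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.3:8 -> 172.16.1.254:0] VRF:NONE RiskRating:25
*Jun  6 12:30:17.883: %IPS-3-ENGINE_BUILD_FAILED: atomic-ip - 500 ms - engine build failed
*Jun  6 12:30:18.455: %IPS-3-ENGINE_BUILD_FAILED: service-dns - 60 ms - engine build failed
*Jun  6 12:30:36.651: %IPS-4-IPS_SIGNATURE_FILE: tftp://192.168.3.3/IOS-S364-CLI.pkg - read_len < 0
"""

# Signature hit: Sig/Subsig, severity, name, [src:port -> dst:port], risk rating.
# For ICMP the "port" field carries the ICMP type (8 = echo request).
SIG_RE = re.compile(
    r"%IPS-\d-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r".*RiskRating:(?P<rr>\d+)")
# Per-signature compile failures and whole-engine build failures, keyed by engine name.
FAIL_RE = re.compile(
    r"%IPS-\d-(?P<kind>SIGNATURE_COMPILE_FAILURE|ENGINE_BUILD_FAILED): (?P<engine>[\w-]+)")
# Signature package load errors (e.g. the tftp read_len < 0 seen on R3).
FILE_RE = re.compile(r"%IPS-\d-IPS_SIGNATURE_FILE: (?P<url>\S+) - (?P<err>.+)$")


def parse_ips_syslog(text):
    """Return (alerts, failure counter, file errors) for a block of IOS IPS syslog."""
    alerts, failures, file_errors = [], Counter(), []
    for line in text.splitlines():
        if m := SIG_RE.search(line):
            alerts.append({"sig": f"{m['sig']}:{m['subsig']}", "name": m["name"],
                           "sev": int(m["sev"]), "src": m["src"], "dst": m["dst"],
                           "risk": int(m["rr"])})
        elif m := FAIL_RE.search(line):
            failures[(m["kind"], m["engine"])] += 1
        elif m := FILE_RE.search(line):
            file_errors.append((m["url"], m["err"].strip()))
    return alerts, failures, file_errors


def engines_not_scanning(failures):
    """Engines that reported ENGINE_BUILD_FAILED: no packets are inspected by them."""
    return sorted(engine for (kind, engine) in failures if kind == "ENGINE_BUILD_FAILED")


if __name__ == "__main__":
    alerts, failures, file_errors = parse_ips_syslog(SAMPLE_LOG)
    print("alerts:", alerts)
    print("engines not scanning:", engines_not_scanning(failures))
    print("signature file errors:", file_errors)
```

A sensible follow-up is to compare the engines this reports against the `(INACTIVE)` entries in `show ip ips signature count`; on R3 above they line up (atomic-ip, service-rpc, service-dns, service-smb-advanced, service-msrpc).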


C:\Users\PC-C>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
   IPv4 Address. . . . . . . . . . . : 192.168.3.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.3.1

C:\Users\PC-C>ping 192.168.3.1

Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 time=1ms TTL=255
Reply from 192.168.3.1: bytes=32 time=1ms TTL=255
Reply from 192.168.3.1: bytes=32 time=1ms TTL=255
Reply from 192.168.3.1: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms


R3#show ip ips signature count

Cisco SDF release version S339.0
Trend SDF release version V0.0

Signature Micro-Engine: multi-string: Total Signatures 8
      multi-string enabled signatures: 8
      multi-string retired signatures: 8

Signature Micro-Engine: service-http: Total Signatures 629
      service-http enabled signatures: 132
      service-http retired signatures: 532
      service-http compiled signatures: 97
      service-http obsoleted signatures: 1

Signature Micro-Engine: string-tcp: Total Signatures 1066
      string-tcp enabled signatures: 558
      string-tcp retired signatures: 948
      string-tcp compiled signatures: 100
      string-tcp Inactive - compile failure: 17
      string-tcp obsoleted signatures: 12

Signature Micro-Engine: string-udp: Total Signatures 75
      string-udp enabled signatures: 2
      string-udp retired signatures: 54
      string-udp compiled signatures: 21
      string-udp obsoleted signatures: 1

Signature Micro-Engine: state: Total Signatures 28
      state enabled signatures: 15
      state retired signatures: 25
      state compiled signatures: 3

Signature Micro-Engine: atomic-ip: Total Signatures 303
      atomic-ip enabled signatures: 0
      atomic-ip compiled signatures: 3

Signature Micro-Engine: string-icmp (INACTIVE)

Signature Micro-Engine: service-ftp: Total Signatures 3
      service-ftp enabled signatures: 1
      service-ftp retired signatures: 2
      service-ftp compiled signatures: 1

Signature Micro-Engine: service-rpc (INACTIVE)

Signature Micro-Engine: service-dns (INACTIVE)

Signature Micro-Engine: normalizer: Total Signatures 9
      normalizer enabled signatures: 8
      normalizer retired signatures: 1
      normalizer compiled signatures: 8

Signature Micro-Engine: service-smb-advanced (INACTIVE)

Signature Micro-Engine: service-msrpc (INACTIVE)

Total Signatures: 2306
   Total Enabled Signatures: 724
   Total Retired Signatures: 1570
   Total Compiled Signatures: 233
   Total Signatures with compile failures: 17
   Total Obsoleted Signatures: 14
