I finally got my CompTIA Security+ certification kit, which includes the hard-copy certificate and a wallet ID. I feel that I still have a long way to go in learning more about network security. Cisco released their Cybersecurity Specialist course, which will compete against GCIH and ECSA. I've checked, and there are no OCG or training videos yet as of this writing. This will definitely be on my exam to-do list.
I attended Cisco's FirePower (a.k.a. SourceFire) Next-Generation IPS (NGIPS) training just this week, and it looks like the 4200 series IPS will be replaced soon. The training catapulted me to finish my CCNP Security track by taking the new IPS exam, SITCS (300-207). Below is the IPS lab I did while studying for my CompTIA Security+.
R1(config)#no ip domain-lookup
R1(config)#interface fastethernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
*Jun 1 10:41:05.899: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jun 1 10:41:06.899: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#
*Jun 1 10:41:35.167: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
R1(config-if)#clock rate 64000
R2(config)#no ip domain-lookup
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jun 1 10:41:25.387: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jun 1 10:41:26.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jun 1 10:41:49.811: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R2(config-if)#clock rate 64000
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Jun 1 10:43:51.607: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jun 1 10:43:52.607: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#
*Jun 1 10:44:29.159: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jun 1 10:44:30.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#do ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2
R2(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
R2(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.1
R2(config)#do ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R2(config)#do ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R1#ping 192.168.3.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/64 ms
R1(config)#security passwords min-length 10
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#line aux 0
R1(config-line)#password ciscoauxpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#exit
R1(config)#service password-encryption
R1(config)#do show run
Building configuration...
Current configuration : 1321 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
/line
filtering...
line con 0
exec-timeout 5 0
password 7 070C285F4D061A0A19020A1F17
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 1511021F07252A313023343100
login
line vty 0 4
exec-timeout 5 0
password 7 02050D4808091935555E080A16
login
!
scheduler allocate 20000 1000
end
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
C:\Users\John Lloyd>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
R2#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R1#show run
Building configuration...
Current configuration : 1321 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
no fair-queue
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
password 7 070C285F4D061A0A19020A1F17
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 1511021F07252A313023343100
login
line vty 0 4
exec-timeout 5 0
password 7 02050D4808091935555E080A16
login
!
scheduler allocate 20000 1000
end
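The two show run outputs above still carry type 7 line passwords (service password-encryption only obfuscates; it is not a hash), no AAA, and vty lines that accept Telnet. The script below is an added example of a config audit, not part of the original lab or an IOS feature: it walks a running-config, splits it into the global section and the line blocks, and reports those weaknesses next to a constructed hardened counterpart. The finding codes, the hardened snippet and its placeholder secrets are this example's own.

```python
"""Audit an IOS running-config for the weak settings visible in the post's
'show run' (type 7 line passwords, no AAA, Telnet-capable vty lines).
Added example; the finding codes are this script's own naming, not IOS output."""
import re
from dataclasses import dataclass

# Constructed sample: R1's running-config from the post, trimmed to the relevant
# commands, plus the 'enable password cisco12345' the post configures later.
WEAK_CONFIG = """\
version 12.4
service password-encryption
hostname R1
security passwords min-length 10
no aaa new-model
ip source-route
enable password cisco12345
no ip http server
no ip http secure-server
!
line con 0
 exec-timeout 5 0
 password 7 070C285F4D061A0A19020A1F17
 logging synchronous
 login
line aux 0
 exec-timeout 5 0
 password 7 1511021F07252A313023343100
 login
line vty 0 4
 exec-timeout 5 0
 password 7 02050D4808091935555E080A16
 login
!
end
"""

# Constructed hardened counterpart (placeholder secrets, not from the post):
# AAA with a local user, 'enable secret', SSH-only vty, HTTPS only, source routing off.
HARDENED_CONFIG = """\
hostname R1
aaa new-model
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username admin secret 5 $1$PLACEHOLDER$yyyyyyyyyyyyyyyyyyyyyy
no ip source-route
no ip http server
ip http secure-server
!
line con 0
 exec-timeout 5 0
 login authentication default
line vty 0 4
 exec-timeout 5 0
 login authentication default
 transport input ssh
!
end
"""


@dataclass(frozen=True)
class Finding:
    section: str   # "global" or a line block such as "line vty 0 4"
    code: str      # this example's own finding id
    detail: str


# 'password 7 <hash>', 'password 0 <clear>', 'password <clear>', 'enable password ...'
PASSWORD_RE = re.compile(r"^(?:enable )?password(?: (\d+))? (\S+)$")


def split_sections(config_text):
    """Return [("global", cmds), ("line con 0", cmds), ...]; a '!' or 'end' closes a block."""
    global_cmds, blocks, current = [], [], None
    for raw in config_text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd in ("!", "end"):
            current = None
            continue
        if cmd.startswith("line "):
            current = (cmd, [])
            blocks.append(current)
        elif current is not None:
            current[1].append(cmd)
        else:
            global_cmds.append(cmd)
    return [("global", global_cmds)] + blocks


def audit(config_text):
    """Return the list of Finding objects for one running-config."""
    findings = []
    sections = split_sections(config_text)
    glob = sections[0][1]

    def has(prefix):
        return any(c == prefix or c.startswith(prefix + " ") for c in glob)

    if has("enable password") and not has("enable secret"):
        findings.append(Finding("global", "ENABLE_PASSWORD_ONLY", "enable password without enable secret"))
    if has("no aaa new-model"):
        findings.append(Finding("global", "AAA_DISABLED", "line passwords only; no per-user accounts or accounting"))
    if has("ip source-route"):
        findings.append(Finding("global", "SOURCE_ROUTE_ENABLED", "source-routed packets are honoured"))
    if has("ip http server") and not has("ip http secure-server"):
        findings.append(Finding("global", "HTTP_PLAINTEXT", "HTTP management enabled without HTTPS"))
    for name, cmds in sections:
        for cmd in cmds:
            m = PASSWORD_RE.match(cmd)
            if m and (m.group(1) or "0") == "7":
                findings.append(Finding(name, "TYPE7_PASSWORD", "type 7 is reversible; use 'secret' or AAA"))
            elif m and (m.group(1) or "0") == "0":
                findings.append(Finding(name, "CLEARTEXT_PASSWORD", "password stored in cleartext"))
        if name == "global":
            continue
        if "exec-timeout 0 0" in cmds:
            findings.append(Finding(name, "EXEC_TIMEOUT_DISABLED", "idle sessions never expire"))
        if not any(c.startswith("login") for c in cmds):
            findings.append(Finding(name, "NO_LOGIN", "no login / login local / login authentication"))
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(Finding(name, "TELNET_NOT_EXCLUDED", "no 'transport input ssh'; IOS 12.4 vty default accepts Telnet"))
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print(f"{f.section:14} {f.code:22} {f.detail}")
```

Run it against a saved `show run`; the weak sample yields three TYPE7_PASSWORD findings plus the global AAA, enable-password and vty Telnet findings, while the hardened snippet yields none.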
R1#show flash
-#- --length-- -----date/time------ path
1 37124796 Apr 11 2015 10:34:16 c1841-advipservicesk9-mz.124-20.T4.bin
2 2898 Sep 07 2010 05:50:46 cpconfig-18xx.cfg
3 2938880 Sep 07 2010 05:51:14 cpexpress.tar
4 1038 Sep 07 2010 05:51:26 home.shtml
5 122880 Sep 07 2010 05:51:40 home.tar
6 527849 Sep 07 2010 05:51:54 128MB.sdf
7 1697952 Sep 07 2010 05:52:26 securedesktop-ios-3.1.1.45-k9.pkg
8 415956 Sep 07 2010 05:52:48 sslclient-win-1.1.4.176.pkg
9 1368 May 31 2015 00:56:00 pre_autosec.cfg
21151744 bytes available (42848256 bytes used)
R1#mkdir ?
flash: Directory name
<cr>
R1#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir
R1#show flash
-#- --length-- -----date/time------ path
1 37124796 Apr 11 2015 10:34:16 c1841-advipservicesk9-mz.124-20.T4.bin
2 2898 Sep 07 2010 05:50:46 cpconfig-18xx.cfg
3 2938880 Sep 07 2010 05:51:14 cpexpress.tar
4 1038 Sep 07 2010 05:51:26 home.shtml
5 122880 Sep 07 2010 05:51:40 home.tar
6 527849 Sep 07 2010 05:51:54 128MB.sdf
7 1697952 Sep 07 2010 05:52:26 securedesktop-ios-3.1.1.45-k9.pkg
8 415956 Sep 07 2010 05:52:48 sslclient-win-1.1.4.176.pkg
9 1368 May 31 2015 00:56:00 pre_autosec.cfg
10 0 Jun 01 2015 11:02:56 ipsdir
21147648 bytes available (42852352 bytes used)
R1#dir flash:ipsdir
Directory of flash:/ipsdir/
No files in directory
64000000 bytes total (21147648 bytes free)
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
R1(config)#crypto key pubkey-chain rsa
R1(config-pubkey-chain)#named-key realm-cisco.pub signature
Translating "realm-cisco.pub"
R1(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
R1(config-pubkey)#$64886 F70D0101 01050003 82010F00 3082010A 02820101
R1(config-pubkey)#$C7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R1(config-pubkey)#$BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R1(config-pubkey)#$FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R1(config-pubkey)#$8AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R1(config-pubkey)#$AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R1(config-pubkey)#$189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R1(config-pubkey)#$3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R1(config-pubkey)#$A4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R1(config-pubkey)#F3020301 0001
R1(config-pubkey)#quit
R1(config-pubkey-key)#do show run
Building configuration...
Current configuration : 2109 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
R1(config)#ip ips ?
auto-update Auto Update
config Location of IPS configuration files
deny-action Specify Deny action
event-action-rules Event Action Rules (SEAP)
fail Specify what to do during any failures
name Specify an IPS rule
notify Specify the notification mechanisms (SDEE or log) for
the alarms
signature-category Signature Category
signature-definition Signature Definition
R1(config)#ip ips name ?
WORD Name of IPS rule
R1(config)#ip ips name IOSIPS
R1(config)#ip ips config ?
location Location of IPS configuration files
R1(config)#ip ips config location ?
WORD Directory path of IPS configuration files
<cr>
R1(config)#ip ips config location flash:ipsdir // IPS SIGNATURE STORAGE LOCATION
R1(config)#ip http server // MUST BE ENABLED TO USE SDEE
R1(config)#ip ips notify ?
SDEE Send events to SDEE
log Send events as syslog messages
R1(config)#ip ips notify sdee // SECURITY DEVICE EVENT EXCHANGE; IDS ALERT FORMAT AND TRANSPORT PROTOCOL
R1(config)#ip ips notify log // ENABLED BY DEFAULT
R1#show clock
*11:12:24.187 UTC Mon Jun 1 2015
R1#show run | i timestamp
service timestamps debug datetime msec
service timestamps log datetime msec
R1(config)#logging 192.168.1.3 // SEND SYSLOG TO PC-A
R1#show logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 39 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: disabled, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 43 message lines logged
Logging to 192.168.1.3 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
2 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
C:\Users\John Lloyd>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\John Lloyd>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
R1(config)#ip ips ?
auto-update Auto Update
config Location of IPS configuration files
deny-action Specify Deny action
event-action-rules Event Action Rules (SEAP)
fail Specify what to do during any failures
name Specify an IPS rule
notify Specify the notification mechanisms (SDEE or log) for
the alarms
signature-category Signature Category
signature-definition Signature Definition
R1(config)#ip ips signature-category
R1(config-ips-category)#?
IPS signature category configuration commands:
category Category keyword
exit Exit from Category Mode
no Negate or set default values of a command
R1(config-ips-category)#category ?
adware/spyware Adware/Spyware (more sub-categories)
all All Categories
attack Attack (more sub-categories)
ddos DDoS (more sub-categories)
dos DoS (more sub-categories)
email Email (more sub-categories)
instant_messaging Instant Messaging (more sub-categories)
ios_ips IOS IPS (more sub-categories)
l2/l3/l4_protocol L2/L3/L4 Protocol (more sub-categories)
network_services Network Services (more sub-categories)
os OS (more sub-categories)
other_services Other Services (more sub-categories)
p2p P2P (more sub-categories)
reconnaissance Reconnaissance (more sub-categories)
viruses/worms/trojans Viruses/Worms/Trojans (more sub-categories)
web_server Web Server (more sub-categories)
R1(config-ips-category)#category all
R1(config-ips-category-action)#?
Category Options for configuration:
alert-severity Alarm Severity Rating
enabled Enable Category Signatures
event-action Action
exit Exit from Category Actions Mode
fidelity-rating Signature Fidelity Rating
no Negate or set default values of a command
retired Retire Category Signatures
R1(config-ips-category-action)#retired ?
false False
true True
R1(config-ips-category-action)#retired true // REQUIRED TO RETIRE ALL SIGNATURES IN IOS IPS; OTHERWISE THE ROUTER WILL RUN OUT OF MEMORY
R1(config-ips-category-action)#exit
R1(config-ips-category)#category ios_ips
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#exit
R1(config-ips-category)#exit
Do you want to accept these changes? [confirm] <ENTER>
R1(config)#
*Jun 1 11:21:32.643: Applying Category configuration to signatures ...
R1(config)#interface serial0/0/0
R1(config-if)#ip ips ?
WORD Name of defined IPS rule
R1(config-if)#ip ips IOSIPS ?
in Inbound IPS
out Outbound IPS
R1(config-if)#ip ips IOSIPS in
R1(config-if)#
*Jun 1 11:24:48.963: %IPS-6-ENGINE_BUILDS_STARTED: 11:24:48 UTC Jun 1 2015
*Jun 1 11:24:48.963: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Jun 1 11:24:48.971: %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*Jun 1 11:24:48.971: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms
R1(config-if)#interface fastethernet0/1 // DESIRABLE TO CONFIGURE IPS TO PREVENT INTERNAL ATTACKS
R1(config-if)#ip ips IOSIPS in
R1(config)#enable password cisco12345
R1#ping 192.168.1.3 // PING TO TFTP SERVER
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#copy tftp://192.168.1.3/IOS-S364-CLI.pkg idconf // idconf KEYWORD REQUIRED
Loading IOS-S364-CLI.pkg from 192.168.1.3 (via FastEthernet0/1): !!!O!!!!!!!!!!!!!!!!!!!!!!!
*Jun 1 11:33:07.675: %IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (signature verification failure).!
[OK - 6812253 bytes]
R1#dir flash:ipsdir
Directory of flash:/ipsdir/
11 -rw- 704 Jun 1 2015 11:24:48 +00:00 R1-sigdef-default.xml
12 -rw- 255 Jun 1 2015 11:24:48 +00:00 R1-sigdef-delta.xml
13 -rw- 6632 Jun 1 2015 11:32:28 +00:00 R1-sigdef-typedef.xml
14 -rw- 28282 Jun 1 2015 11:32:32 +00:00 R1-sigdef-category.xml
15 -rw- 304 Jun 1 2015 11:24:50 +00:00 R1-seap-delta.xml
16 -rw- 491 Jun 1 2015 11:24:50 +00:00 R1-seap-typedef.xml
64000000 bytes total (21094400 bytes free)
R1#show ip ips ?
all IPS all available information
auto-update IPS auto-update configuration
category Category
configuration IPS configuration
event-action-rules Event Action Rules (SEAP)
interfaces IPS interfaces
name IPS name
sessions IPS sessions
signature-category Signature Category
signatures IPS signatures
statistics IPS statistics
R1#show ip ips signature ?
count Counts of signatures enabled, retired, and compiled
detail Detailed display of signature parameters
engine Display signatures for one selected engine
sigid Signature ID for the selected signature
statistics Display of signature statistics
| Output modifiers
<cr>
R1#show ip ips signature count
Cisco SDF release version S0.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string (INACTIVE)
Signature Micro-Engine: service-http (INACTIVE)
Signature Micro-Engine: string-tcp (INACTIVE)
Signature Micro-Engine: string-udp (INACTIVE)
Signature Micro-Engine: state (INACTIVE)
Signature Micro-Engine: atomic-ip: Total Signatures 3
atomic-ip enabled signatures: 0
atomic-ip compiled signatures: 3
Signature Micro-Engine: string-icmp (INACTIVE)
Signature Micro-Engine: service-ftp (INACTIVE)
Signature Micro-Engine: service-rpc (INACTIVE)
Signature Micro-Engine: service-dns (INACTIVE)
Signature Micro-Engine: normalizer (INACTIVE)
Signature Micro-Engine: service-smb-advanced (INACTIVE)
Signature Micro-Engine: service-msrpc (INACTIVE)
Total Signatures: 3
Total Enabled Signatures: 0
Total Retired Signatures: 0
Total Compiled Signatures: 3
R1(config)#crypto key pubkey-chain rsa
R1(config-pubkey-chain)#no named-key realm-cisco.pub signature
R1#cd ?
archive: Directory name
cns: Directory name
flash: Directory name
null: Directory name
nvram: Directory name
syslog: Directory name
system: Directory name
tar: Directory name
tmpsys: Directory name
xmodem: Directory name
ymodem: Directory name
<cr>
R1#cd flash:ipsdir
R1#dir
Directory of flash:/ipsdir/
11 -rw- 704 Jun 1 2015 11:24:48 +00:00 R1-sigdef-default.xml
12 -rw- 255 Jun 1 2015 11:24:48 +00:00 R1-sigdef-delta.xml
13 -rw- 6632 Jun 1 2015 11:47:38 +00:00 R1-sigdef-typedef.xml
14 -rw- 28282 Jun 1 2015 11:47:42 +00:00 R1-sigdef-category.xml
15 -rw- 304 Jun 1 2015 11:24:50 +00:00 R1-seap-delta.xml
16 -rw- 491 Jun 1 2015 11:24:50 +00:00 R1-seap-typedef.xml
64000000 bytes total (21094400 bytes free)
R1#del R1-sigdef-default.xml
Delete filename [/ipsdir/R1-sigdef-default.xml]?
Delete flash:/ipsdir/R1-sigdef-default.xml? [confirm]
R1#del R1-sigdef-delta.xml
Delete filename [/ipsdir/R1-sigdef-delta.xml]?
Delete flash:/ipsdir/R1-sigdef-delta.xml? [confirm]
R1#del R1-sigdef-typedef.xml
Delete filename [/ipsdir/R1-sigdef-typedef.xml]?
Delete flash:/ipsdir/R1-sigdef-typedef.xml? [confirm]
R1#del R1-sigdef-category.xml
Delete filename [/ipsdir/R1-sigdef-category.xml]?
Delete flash:/ipsdir/R1-sigdef-category.xml? [confirm]
R1#del R1-seap-delta.xml
Delete filename [/ipsdir/R1-seap-delta.xml]?
Delete flash:/ipsdir/R1-seap-delta.xml? [confirm]
R1#del R1-seap-typedef.xml
Delete filename [/ipsdir/R1-seap-typedef.xml]?
Delete flash:/ipsdir/R1-seap-typedef.xml? [confirm]
R1#dir
Directory of flash:/ipsdir/
No files in directory
64000000 bytes total (21147648 bytes free)
R1#cd ..
R1#dir
Directory of flash:/
1 -rw- 37124796 Apr 11 2015 10:34:16 +00:00 c1841-advipservicesk9-mz.124-20.T4.bin
2 -rw- 2898 Sep 7 2010 05:50:46 +00:00 cpconfig-18xx.cfg
3 -rw- 2938880 Sep 7 2010 05:51:14 +00:00 cpexpress.tar
4 -rw- 1038 Sep 7 2010 05:51:26 +00:00 home.shtml
5 -rw- 122880 Sep 7 2010 05:51:40 +00:00 home.tar
6 -rw- 527849 Sep 7 2010 05:51:54 +00:00 128MB.sdf
7 -rw- 1697952 Sep 7 2010 05:52:26 +00:00 securedesktop-ios-3.1.1.45-k9.pkg
8 -rw- 415956 Sep 7 2010 05:52:48 +00:00 sslclient-win-1.1.4.176.pkg
9 -rw- 1368 May 31 2015 00:56:00 +00:00 pre_autosec.cfg
10 drw- 0 Jun 1 2015 11:02:56 +00:00 ipsdir
64000000 bytes total (21147648 bytes free)
The public key string can be found on this link.
R1(config)#crypto key pubkey-chain rsa
R1(config-pubkey-chain)# named-key realm-cisco.pub signature
Translating "realm-cisco.pub"
R1(config-pubkey-key)# key-string
Enter a public key as a hexidecimal number ....
R1(config-pubkey)#$2A864886 F70D0101 01050003 82010F00 3082010A 02820101
R1(config-pubkey)#$D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R1(config-pubkey)#$912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R1(config-pubkey)#$085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R1(config-pubkey)#$0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R1(config-pubkey)#$994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R1(config-pubkey)#$5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R1(config-pubkey)#$A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R1(config-pubkey)#$80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R1(config-pubkey)# F3020301 0001
R1(config-pubkey)# quit
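The key-string above (entered once before the first idconf load, and again here after the old key was removed) is Cisco's realm-cisco.pub public key in DER SubjectPublicKeyInfo form, which the router uses to verify the signature package. As an added check that is not part of the original lab, the script below parses the hex groups as DER and reports the RSA modulus size, exponent and a SHA-256 fingerprint of the key bytes, so a truncated or mis-pasted key can be caught before `copy ... idconf` fails with %IPS-3-INVALID_DIGITAL_SIGNATURE. The parser is this example's own; the key bytes are exactly those shown in the post.

```python
"""Structural check of the IOS IPS public key before loading a signature package.
Added example, not from the post: parses the hex key-string entered under
'crypto key pubkey-chain rsa' as a DER SubjectPublicKeyInfo and reports the
RSA modulus size, exponent and a SHA-256 fingerprint of the DER bytes."""
import hashlib

# The realm-cisco.pub key-string exactly as shown in the post (whitespace is ignored).
REALM_CISCO_PUB = """
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _tlv(buf, pos, want_tag):
    """Read one DER tag-length-value at buf[pos:], check the tag, return (value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want_tag:
        raise ValueError("expected tag 0x%02X at offset %d, found 0x%02X" % (want_tag, pos - 2, tag))
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding at offset %d" % (pos - 1))
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated: need %d value bytes at offset %d, only %d left"
                         % (length, pos, len(buf) - pos))
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(hex_text):
    """Return {'bits', 'exponent', 'sha256'} for a SubjectPublicKeyInfo given as IOS hex groups."""
    der = bytes.fromhex("".join(hex_text.split()))   # odd length or a non-hex digit raises ValueError
    spki, end = _tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("%d trailing byte(s) after the key" % (len(der) - end))
    alg, pos = _tlv(spki, 0, 0x30)                    # AlgorithmIdentifier
    oid, _ = _tlv(alg, 0, 0x06)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    bit_string, pos = _tlv(spki, pos, 0x03)           # subjectPublicKey, first byte = unused bits
    if pos != len(spki) or not bit_string or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    rsa_key, end = _tlv(bit_string, 1, 0x30)          # RSAPublicKey ::= SEQUENCE { n, e }
    if end != len(bit_string):
        raise ValueError("trailing bytes inside BIT STRING")
    n_bytes, pos = _tlv(rsa_key, 0, 0x02)
    e_bytes, pos = _tlv(rsa_key, pos, 0x02)
    if pos != len(rsa_key):
        raise ValueError("trailing bytes inside RSAPublicKey")
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return {"bits": n.bit_length(), "exponent": e, "sha256": hashlib.sha256(der).hexdigest()}


if __name__ == "__main__":
    print(parse_rsa_public_key(REALM_CISCO_PUB))
```

Paste the key from the key file, not from the `$`-truncated echo the router prints while you type. The structural check catches a missing or extra group and a stray character; a single wrong hex digit inside the modulus still parses, so compare the printed fingerprint against one computed from a known-good copy of the key file as well.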
R1#copy tftp://192.168.1.3/IOS-S364-CLI.pkg idconf // RE-DOWNLOAD IOS-S364-CLI.pkg FROM CISCO'S DOWNLOAD SITE; TOOK SEVERAL MINUTES TO FINISH BUILDING THE SIGNATURE ENGINES
Loading IOS-S364-CLI.pkg from 192.168.1.3 (via FastEthernet0/1): !!!OO!!!!!!!!!!!!!!!!!!!!!!
*Jun 1 12:06:44.135: %IPS-6-ENGINE_BUILDS_STARTED: 12:06:44 UTC Jun 1 2015
*Jun 1 12:06:44.139: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
*Jun 1 12:06:44.147: %IPS-6-ENGINE_READY: multi-string - build time 8 ms - packets for this engine will be scanned
*Jun 1 12:06:44.167: %IPS-6-ENGINE_BUILDING: service-http - 629 signatures - 2 of 13 engines
*Jun 1 12:07:24.055: %IPS-6-ENGINE_READY: service-http - build time 39888 ms - packets for this engine will be scanned
*Jun 1 12:07:24.091: %IPS-6-ENGINE_BUILDING: string-tcp - 1065 signatures - 3 of 13 engines
*Jun 1 12:09:07.887: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5753:0 - failed to compile regular expression
*Jun 1 12:09:23.251: %IPS-6-ENGINE_READY: string-tcp - build time 119160 ms - packets for this engine will be scanned
*Jun 1 12:09:23.259: %IPS-6-ENGINE_BUILDING: string-udp - 75 signatures - 4 of 13 engines
*Jun 1 12:09:25.031: %IPS-6-ENGINE_READY: string-udp - build time 1772 ms - packets for this engine will be scanned
*Jun 1 12:09:25.031: %IPS-6-ENGINE_BUILDING: state - 28 signatures - 5 of 13 engines
*Jun 1 12:09:25.215: %IPS-6-ENGINE_READY: state - build time 184 ms - packets for this engine will be scanned
*Jun 1 12:09:25.271: %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 6 of 13 engines
*Jun 1 12:09:26.399: %IPS-5-PACKET_UNSCANNED: atomic-ip - fail open - packets passed unscanned
*Jun 1 12:09:26.471: %IPS-6-ENGINE_READY: atomic-ip - build time 1200 ms - packets for this engine will be scanned
*Jun 1 12:09:26.507: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
*Jun 1 12:09:26.563: %IPS-6-ENGINE_READY: string-icmp - build time 56 ms - packets for this engine will be scanned
*Jun 1 12:09:26.563: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
*Jun 1 12:09:26.587: %IPS-6-ENGINE_READY: service-ftp - build time 24 ms - packets for this engine will be scanned
*Jun 1 12:09:26.591: %IPS-6-ENGINE_BUILDING: service-rpc - 75 signatures - 9 of 13 engines
*Jun 1 12:09:26.971: %IPS-6-ENGINE_READY: service-rpc - build time 380 ms - packets for this engine will be scanned
*Jun 1 12:09:26.975: %IPS-6-ENGINE_BUILDING: service-dns - 38 signatures - 10 of 13 engines
*Jun 1 12:09:27.051: %IPS-6-ENGINE_READY: service-dns - build time 76 ms - packets for this engine will be scanned%IDConf: Fail to load file tftp://192.168.1.3/IOS-S364-CLI.pkg
*Jun 1 12:09:39.619: %IPS-4-SDF_PARSE_FAILED: file tftp://192.168.1.3/IOS-S364-CLI.pkg: no element found at Line 145453 Col 11 Byte 6164480 Len 0
R1#dir flash:ipsdir
Directory of flash:/ipsdir/
15 -rw- 6632 Jun 1 2015 12:05:52 +00:00 R1-sigdef-typedef.xml
16 -rw- 28282 Jun 1 2015 12:05:56 +00:00 R1-sigdef-category.xml
14 -rw- 229737 Jun 1 2015 12:09:38 +00:00 R1-sigdef-default.xml
64000000 bytes total (20877312 bytes free)
R1#show ip ips signature count
Cisco SDF release version S339.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 8
multi-string enabled signatures: 8
multi-string retired signatures: 8
Signature Micro-Engine: service-http: Total Signatures 629
service-http enabled signatures: 132
service-http retired signatures: 438
service-http compiled signatures: 191
service-http obsoleted signatures: 1
Signature Micro-Engine: string-tcp: Total Signatures 1066
string-tcp enabled signatures: 558
string-tcp retired signatures: 827
string-tcp compiled signatures: 237
string-tcp Inactive - compile failure: 1
string-tcp obsoleted signatures: 12
Signature Micro-Engine: string-udp: Total Signatures 75
string-udp enabled signatures: 2
string-udp retired signatures: 38
string-udp compiled signatures: 37
string-udp obsoleted signatures: 1
Signature Micro-Engine: state: Total Signatures 28
state enabled signatures: 15
state retired signatures: 24
state compiled signatures: 4
Signature Micro-Engine: atomic-ip: Total Signatures 303
atomic-ip enabled signatures: 103
atomic-ip retired signatures: 270
atomic-ip compiled signatures: 33
Signature Micro-Engine: string-icmp: Total Signatures 3
string-icmp enabled signatures: 0
string-icmp retired signatures: 1
string-icmp compiled signatures: 2
Signature Micro-Engine: service-ftp: Total Signatures 3
service-ftp enabled signatures: 1
service-ftp retired signatures: 2
service-ftp compiled signatures: 1
Signature Micro-Engine: service-rpc: Total Signatures 75
service-rpc enabled signatures: 44
service-rpc retired signatures: 37
service-rpc compiled signatures: 38
Signature Micro-Engine: service-dns: Total Signatures 38
service-dns enabled signatures: 30
service-dns retired signatures: 9
service-dns compiled signatures: 29
Signature Micro-Engine: normalizer: Total Signatures 9
normalizer enabled signatures: 8
normalizer retired signatures: 1
normalizer compiled signatures: 8
Signature Micro-Engine: service-smb-advanced: Total Signatures 42
service-smb-advanced enabled signatures: 42
service-smb-advanced retired signatures: 42
Signature Micro-Engine: service-msrpc: Total Signatures 27
service-msrpc enabled signatures: 27
service-msrpc retired signatures: 25
service-msrpc compiled signatures: 2
service-msrpc obsoleted signatures: 1
Total Signatures: 2306
Total Enabled Signatures: 970
Total Retired Signatures: 1722
Total Compiled Signatures: 582
Total Signatures with compile failures: 1
Total Obsoleted Signatures: 15
R1#show ip ips all
IPS Signature File Configuration Status
Configured Config Locations: flash:ipsdir/
Last signature default load time: 12:09:27 UTC Jun 1 2015
Last signature delta load time: -none-
Last event action (SEAP) load time: -none-
General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled
IPS Signature Status
Total Active Signatures: 582
Total Inactive Signatures: 1724
IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name IOSIPS
IPS fail closed is disabled
IPS deny-action ips-interface is false
Interface Configuration
Interface Serial0/0/0
Inbound IPS rule is IOSIPS
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is IOSIPS
Outgoing IPS rule is not set
IPS Category CLI Configuration:
Category all:
Retire: True
Category ios_ips:
Retire: False
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2#ping 192.168.1.3 // PING TO R1 SERIAL0/0/0 AND PC-A ARE SUCCESSFUL BECAUSE ALL SIGNATURES WERE RETIRED
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R1(config)#ip ips signature-definition
R1(config-sigdef)#?
IPS signature configuration commands:
exit Exit from Signature Definition Mode
signature Signature keyword
R1(config-sigdef)#signature ?
<1-65535> Signature ID value
R1(config-sigdef)#signature 2004 ?
<0-65535> Signature SubID value
<cr>
R1(config-sigdef)#signature 2004 0 // ICMP SIGNATURE
R1(config-sigdef-sig)#?
Category Options for configuration:
alert-severity Alarm Severity Rating
engine Engine
exit Exit from Category Actions Mode
fidelity-rating Signature Fidelity Rating
no Negate or set default values of a command
status Status
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#?
Status options for signatures:
enabled Enable Category Signatures
exit Exit from status submode
no Negate or set default values of a command
retired Retire Category Signatures
R1(config-sigdef-sig-status)#retired ?
false FALSE
true TRUE
R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#enabled ?
false FALSE
true TRUE
R1(config-sigdef-sig-status)#enabled true
R1(config-sigdef-sig-status)#?
Status options for signatures:
enabled Enable Category Signatures
exit Exit from status submode
no Negate or set default values of a command
retired Retire Category Signatures
R1(config-sigdef-sig-status)#engine
R1(config-sigdef-sig-engine)#?
Engine options for signatures:
event-action Action
exit Exit from engine submode
no Negate or set default values of a command
R1(config-sigdef-sig-engine)#event-action ?
deny-attacker-inline Deny Attacker
deny-connection-inline Deny Connection
deny-packet-inline Deny Packet
produce-alert Produce Alert
reset-tcp-connection Reset TCP Connection
<cr>
R1(config-sigdef-sig-engine)#event-action produce-alert
R1(config-sigdef-sig-engine)#event-action deny-packet-inline
R1(config-sigdef-sig-engine)#event-action reset-tcp-connection
R1(config-sigdef-sig-engine)#exit
R1(config-sigdef-sig)#exit
R1(config-sigdef)#exit
Do you want to accept these changes? [confirm] <ENTER>
*Jun 1 12:30:29.415: %IPS-6-ENGINE_BUILDS_STARTED: 12:30:29 UTC Jun 1 2015
*Jun 1 12:30:29.967: %IPS-6-ENGINE_BUILDING: string-tcp - 1066 signatures - 1 of 13 engines
*Jun 1 12:32:33.323: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5753:0 - failed to compile regular expression
*Jun 1 12:32:43.743: %IPS-6-ENGINE_READY: string-tcp - build time 133776 ms - packets for this engine will be scanned
*Jun 1 12:32:44.495: %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 2 of 13 engines
*Jun 1 12:32:45.207: %IPS-6-ENGINE_READY: atomic-ip - build time 712 ms - packets for this engine will be scanned
*Jun 1 12:32:45.443: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 136028 ms
R1(config)#
*Jun 1 12:33:26.487: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.3:8 -> 172.16.1.254:0] VRF:NONE RiskRating:25
R2#ping 10.1.1.1 // BLOCKED BY IPS SIGNATURE
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.1.3 // BLOCKED BY IPS SIGNATURE
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config-ips-category)#category ios_ips ?
advanced Advanced
basic Basic
<cr>
R1(config-ips-category)#category ios_ips basic ?
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#enabled true
R1(config-ips-category-action)#event-action produce-alert
R1(config-ips-category-action)#event-action deny-packet-inline
R1(config-ips-category-action)#event-action reset-tcp-connection
R1(config-ips-category)#category all
R2#ping 10.2.2.1 // PING TO R3 SERIAL0/0/0 INTERFACE (WITHOUT IPS)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2#ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R3#show run
Building configuration...
Current configuration : 929 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.2.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
R3(config)#enable secret cisco12345
R3(config)#ip http server
R3(config)#username admin privilege 15 secret cisco12345
R3(config)#ip http authentication local
R3#show flash
-#- --length-- -----date/time------ path
1 37124796 Apr 11 2015 10:46:06 c1841-advipservicesk9-mz.124-20.T4.bin
2 913 May 02 2015 12:59:48 pre_autosec.cfg
26873856 bytes available (37130240 bytes used)
R3#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir
R3#dir flash:ipsdir
Directory of flash:/ipsdir/
No files in directory
64004096 bytes total (26869760 bytes free)
R3#
*Jun 6 12:29:34.535: %IPS-6-ENGINE_BUILDS_STARTED: 12:29:34 UTC Jun 6 2015
*Jun 6 12:29:34.535: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
*Jun 6 12:29:34.547: %IPS-6-ENGINE_READY: multi-string - build time 12 ms - packets for this engine will be scanned
*Jun 6 12:29:34.567: %IPS-6-ENGINE_BUILDING: service-http - 629 signatures - 2 of 13 engines
*Jun 6 12:29:44.231: %IPS-6-ENGINE_READY: service-http - build time 9664 ms - packets for this engine will be scanned
*Jun 6 12:29:44.263: %IPS-6-ENGINE_BUILDING: string-tcp - 1065 signatures - 3 of 13 engines
R3#
*Jun 6 12:30:14.239: %RE-4-COMPILE_FAILED: Compile failed on pattern number 0 - states 1 - [Nn][Ee][Tt][Ww][Oo][Rr][Kk][\x3c][0-9][0-9]?[0-9]?[.][0-9][0-9]?[0-9]?[.][0-9][0-9]?[0-9]?[.][0-9][0-9]?[0-9]?\x20([A-Za-z\x2D0-9]?){100}\x20[^A-Za-z\x20>]+[>]
*Jun 6 12:30:14.239: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5464:1 - failed to compile regular expression
*Jun 6 12:30:15.215: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5489:2 - failed to compile regular expression
*Jun 6 12:30:15.655: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5489:7 - failed to compile regular expression
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3137:6 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5675:0 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5455:1 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3784:0 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3528:0 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3173:0 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3550:0 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5769:1 - compiles discontinued for this engine
*Jun 6 12:30:16.175: %IPS-6-ENGINE_READY: string-tcp - build time 31912 ms - packets for this engine will be scanned
*Jun 6 12:30:16.183: %IPS-6-ENGINE_BUILDING: string-udp - 75 signatures - 4 of 13 engines
*Jun 6 12:30:17.027: %IPS-6-ENGINE_READY: string-udp - build time 844 ms - packets for this engine will be scanned
*Jun 6 12:30:17.027: %IPS-6-ENGINE_BUILDING: state - 28 signatures - 5 of 13 engines
*Jun 6 12:30:17.107: %IPS-6-ENGINE_READY: state - build time 80 ms - packets for this engine will be scanned
*Jun 6 12:30:17.383: %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 6 of 13 engines
*Jun 6 12:30:17.883: Cannot allocate ATOMIC SME extension
*Jun 6 12:30:17.883: %IPS-3-ENGINE_BUILD_FAILED: atomic-ip - 500 ms - engine build failed
*Jun 6 12:30:18.019: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
*Jun 6 12:30:18.071: %IPS-6-ENGINE_READY: string-icmp - build time 52 ms - packets for this engine will be scanned
*Jun 6 12:30:18.071: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
*Jun 6 12:30:18.095: %IPS-6-ENGINE_READY: service-ftp - build time 24 ms - packets for this engine will be scanned
*Jun 6 12:30:18.099: %IPS-6-ENGINE_BUILDING: service-rpc - 75 signatures - 9 of 13 engines
*Jun 6 12:30:18.347: %IPS-3-ENGINE_BUILD_FAILED: service-rpc - 248 ms - engine build failed
*Jun 6 12:30:18.395: %IPS-6-ENGINE_BUILDING: service-dns - 38 signatures - 10 of 13 engines
*Jun 6 12:30:18.439: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-dns 6054:1 - failed to compile regular expression
*Jun 6 12:30:18.447: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-dns 6054:0 - failed to compile regular expression
*Jun 6 12:30:18.455: %IPS-3-ENGINE_BUILD_FAILED: service-dns - 60 ms - engine build failed
*Jun 6 12:30:18.479: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
*Jun 6 12:30:18.479: %IPS-6-ENGINE_READY: normalizer - build time 0 ms - packets for this engine will be scanned
*Jun 6 12:30:18.519: %IPS-3-ENGINE_BUILD_FAILED: service-smb-advanced - 36 ms - engine build failed
*Jun 6 12:30:18.575: %IPS-3-ENGINE_BUILD_FAILED: service-msrpc - 32 ms - engine build failed
*Jun 6 12:30:36.651: %IPS-4-IPS_SIGNATURE_FILE: tftp://192.168.3.3/IOS-S364-CLI.pkg - read_len < 0
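The router reports both its detections (the %IPS-4-SIGNATURE line for signature 2004:0 earlier in the lab) and the health of its signature engines (the ENGINE_READY, ENGINE_BUILD_FAILED and SIGNATURE_COMPILE_FAILURE lines just above) as syslog, so a collector can tell which engines are actually scanning and which alerts deserve a look. The following Python is an added example, not part of the original lab, that parses those two message families; the regexes, the helper names and the second alert line are my own constructions modelled on the messages shown in this post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of IOS IPS syslog. The first alert and the engine messages
# mirror lines from this lab; the second alert is made up for the example.
SAMPLE_LOG = """\
*Jun 1 12:33:26.487: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.3:8 -> 172.16.1.254:0] VRF:NONE RiskRating:25
*Jun 6 12:30:14.239: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5464:1 - failed to compile regular expression
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3137:6 - compiles discontinued for this engine
*Jun 6 12:30:17.883: %IPS-3-ENGINE_BUILD_FAILED: atomic-ip - 500 ms - engine build failed
*Jun 6 12:30:18.347: %IPS-3-ENGINE_BUILD_FAILED: service-rpc - 248 ms - engine build failed
*Jun 6 12:30:18.479: %IPS-6-ENGINE_READY: normalizer - build time 0 ms - packets for this engine will be scanned
*Jun 1 12:33:40.101: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [10.1.1.2:8 -> 192.168.1.3:0] VRF:NONE RiskRating:25
"""

# Alert format: Sig:<id> Subsig:<id> Sev:<n> <name> [src:port -> dst:port] VRF:<vrf> RiskRating:<n>
# For ICMP the "port" slots carry the ICMP type and code (8 and 0 = echo request).
ALERT_RE = re.compile(
    r"%IPS-\d-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<rr>\d+)"
)
COMPILE_FAIL_RE = re.compile(
    r"%IPS-4-SIGNATURE_COMPILE_FAILURE: (?P<engine>\S+) (?P<sig>\d+):(?P<subsig>\d+) - (?P<reason>.+)$"
)
BUILD_FAIL_RE = re.compile(r"%IPS-3-ENGINE_BUILD_FAILED: (?P<engine>\S+) - ")
ENGINE_READY_RE = re.compile(r"%IPS-6-ENGINE_READY: (?P<engine>\S+) - ")


@dataclass(frozen=True)
class Alert:
    sig_id: int
    subsig: int
    severity: int
    name: str
    src: str
    sport: int  # ICMP type when the signature is an ICMP one
    dst: str
    dport: int  # ICMP code when the signature is an ICMP one
    vrf: str
    risk_rating: int


def parse_alerts(log_text: str) -> list[Alert]:
    """Extract every %IPS-4-SIGNATURE alert from a block of router syslog."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line.strip())
        if not m:
            continue
        alerts.append(Alert(
            sig_id=int(m["sig"]), subsig=int(m["subsig"]), severity=int(m["sev"]),
            name=m["name"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]), vrf=m["vrf"],
            risk_rating=int(m["rr"]),
        ))
    return alerts


def engine_health(log_text: str) -> dict:
    """Summarise the engine build messages a signature load produces.

    An engine that logged ENGINE_BUILD_FAILED is not scanning, so none of its
    signatures give coverage; a SIGNATURE_COMPILE_FAILURE leaves the engine
    running but drops only the named signature.
    """
    ready, failed = set(), set()
    compile_failures: Counter = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if m := ENGINE_READY_RE.search(line):
            ready.add(m["engine"])
        elif m := BUILD_FAIL_RE.search(line):
            failed.add(m["engine"])
        elif m := COMPILE_FAIL_RE.search(line):
            compile_failures[m["engine"]] += 1
    return {"ready": ready, "failed": failed, "compile_failures": compile_failures}


def alerts_above(alerts: list[Alert], min_risk: int) -> list[Alert]:
    """Keep only alerts whose RiskRating reaches a triage threshold."""
    return [a for a in alerts if a.risk_rating >= min_risk]


def alerts_by_signature(alerts: list[Alert]) -> Counter:
    """Count alerts per (Sig, Subsig) to spot a noisy signature such as 2004:0."""
    return Counter((a.sig_id, a.subsig) for a in alerts)


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    for a in found:
        print(f"{a.sig_id}:{a.subsig} {a.name} {a.src} -> {a.dst} risk={a.risk_rating}")
    health = engine_health(SAMPLE_LOG)
    print("engines not scanning:", sorted(health["failed"]))
    print("compile failures per engine:", dict(health["compile_failures"]))
```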
C:\Users\PC-C>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.3.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1
C:\Users\PC-C>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 time=1ms TTL=255
Reply from 192.168.3.1: bytes=32 time=1ms TTL=255
Reply from 192.168.3.1: bytes=32 time=1ms TTL=255
Reply from 192.168.3.1: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.3.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
R3#show ip ips signature count
Cisco SDF release version S339.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 8
multi-string enabled signatures: 8
multi-string retired signatures: 8
Signature Micro-Engine: service-http: Total Signatures 629
service-http enabled signatures: 132
service-http retired signatures: 532
service-http compiled signatures: 97
service-http obsoleted signatures: 1
Signature Micro-Engine: string-tcp: Total Signatures 1066
string-tcp enabled signatures: 558
string-tcp retired signatures: 948
string-tcp compiled signatures: 100
string-tcp Inactive - compile failure: 17
string-tcp obsoleted signatures: 12
Signature Micro-Engine: string-udp: Total Signatures 75
string-udp enabled signatures: 2
string-udp retired signatures: 54
string-udp compiled signatures: 21
string-udp obsoleted signatures: 1
Signature Micro-Engine: state: Total Signatures 28
state enabled signatures: 15
state retired signatures: 25
state compiled signatures: 3
Signature Micro-Engine: atomic-ip: Total Signatures 303
atomic-ip enabled signatures: 0
atomic-ip compiled signatures: 3
Signature Micro-Engine: string-icmp (INACTIVE)
Signature Micro-Engine: service-ftp: Total Signatures 3
service-ftp enabled signatures: 1
service-ftp retired signatures: 2
service-ftp compiled signatures: 1
Signature Micro-Engine: service-rpc (INACTIVE)
Signature Micro-Engine: service-dns (INACTIVE)
Signature Micro-Engine: normalizer: Total Signatures 9
normalizer enabled signatures: 8
normalizer retired signatures: 1
normalizer compiled signatures: 8
Signature Micro-Engine: service-smb-advanced (INACTIVE)
Signature Micro-Engine: service-msrpc (INACTIVE)
Total Signatures: 2306
Total Enabled Signatures: 724
Total Retired Signatures: 1570
Total Compiled Signatures: 233
Total Signatures with compile failures: 17
Total Obsoleted Signatures: 14
*Jun 1 10:41:49.811: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R2(config-if)#clock rate 64000
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Jun 1 10:43:51.607: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jun 1 10:43:52.607: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#
*Jun 1 10:44:29.159: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jun 1 10:44:30.159: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#do ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2
R2(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
R2(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.1
R2(config)#do ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R2(config)#do ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R1#ping 192.168.3.1 source 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/57/64 ms
R1(config)#security passwords min-length 10
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#line aux 0
R1(config-line)#password ciscoauxpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#exit
R1(config)#service password-encryption
R1(config)#do show run
Building configuration...
Current configuration : 1321 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
/line
filtering...
line con 0
exec-timeout 5 0
password 7 070C285F4D061A0A19020A1F17
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 1511021F07252A313023343100
login
line vty 0 4
exec-timeout 5 0
password 7 02050D4808091935555E080A16
login
!
scheduler allocate 20000 1000
end
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
C:\Users\John Lloyd>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
R2#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R1#show run
Building configuration...
Current configuration : 1321 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
no fair-queue
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
password 7 070C285F4D061A0A19020A1F17
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 1511021F07252A313023343100
login
line vty 0 4
exec-timeout 5 0
password 7 02050D4808091935555E080A16
login
!
scheduler allocate 20000 1000
end
R1#show flash
-#- --length-- -----date/time------ path
1 37124796 Apr 11 2015 10:34:16 c1841-advipservicesk9-mz.124-20.T4.bin
2 2898 Sep 07 2010 05:50:46 cpconfig-18xx.cfg
3 2938880 Sep 07 2010 05:51:14 cpexpress.tar
4 1038 Sep 07 2010 05:51:26 home.shtml
5 122880 Sep 07 2010 05:51:40 home.tar
6 527849 Sep 07 2010 05:51:54 128MB.sdf
7 1697952 Sep 07 2010 05:52:26 securedesktop-ios-3.1.1.45-k9.pkg
8 415956 Sep 07 2010 05:52:48 sslclient-win-1.1.4.176.pkg
9 1368 May 31 2015 00:56:00 pre_autosec.cfg
21151744 bytes available (42848256 bytes used)
R1#mkdir ?
flash: Directory name
<cr>
R1#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir
R1#show flash
-#- --length-- -----date/time------ path
1 37124796 Apr 11 2015 10:34:16 c1841-advipservicesk9-mz.124-20.T4.bin
2 2898 Sep 07 2010 05:50:46 cpconfig-18xx.cfg
3 2938880 Sep 07 2010 05:51:14 cpexpress.tar
4 1038 Sep 07 2010 05:51:26 home.shtml
5 122880 Sep 07 2010 05:51:40 home.tar
6 527849 Sep 07 2010 05:51:54 128MB.sdf
7 1697952 Sep 07 2010 05:52:26 securedesktop-ios-3.1.1.45-k9.pkg
8 415956 Sep 07 2010 05:52:48 sslclient-win-1.1.4.176.pkg
9 1368 May 31 2015 00:56:00 pre_autosec.cfg
10 0 Jun 01 2015 11:02:56 ipsdir
21147648 bytes available (42852352 bytes used)
R1#dir flash:ipsdir
Directory of flash:/ipsdir/
No files in directory
64000000 bytes total (21147648 bytes free)
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
R1(config)#crypto key pubkey-chain rsa
R1(config-pubkey-chain)#named-key realm-cisco.pub signature
Translating "realm-cisco.pub"
R1(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....
R1(config-pubkey)#$64886 F70D0101 01050003 82010F00 3082010A 02820101
R1(config-pubkey)#$C7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R1(config-pubkey)#$BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R1(config-pubkey)#$FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R1(config-pubkey)#$8AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R1(config-pubkey)#$AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R1(config-pubkey)#$189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R1(config-pubkey)#$3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R1(config-pubkey)#$A4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R1(config-pubkey)#F3020301 0001
R1(config-pubkey)#quit
R1(config-pubkey-key)#do show run
Building configuration...
Current configuration : 2109 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
R1(config)#ip ips ?
auto-update Auto Update
config Location of IPS configuration files
deny-action Specify Deny action
event-action-rules Event Action Rules (SEAP)
fail Specify what to do during any failures
name Specify an IPS rule
notify Specify the notification mechanisms (SDEE or log) for
the alarms
signature-category Signature Category
signature-definition Signature Definition
R1(config)#ip ips name ?
WORD Name of IPS rule
R1(config)#ip ips name IOSIPS
R1(config)#ip ips config ?
location Location of IPS configuration files
R1(config)#ip ips config location ?
WORD Directory path of IPS configuration files
<cr>
R1(config)#ip ips config location flash:ipsdir // IPS SIGNATURE STORAGE LOCATION
R1(config)#ip http server // MUST BE ENABLED TO USE SDEE
R1(config)#ip ips notify ?
SDEE Send events to SDEE
log Send events as syslog messages
R1(config)#ip ips notify sdee // SECURITY DEVICE EVENT EXCHANGE; IDS ALERT FORMAT AND TRANSPORT PROTOCOL
R1(config)#ip ips notify log // ENABLED BY DEFAULT
R1#show clock
*11:12:24.187 UTC Mon Jun 1 2015
R1#show run | i timestamp
service timestamps debug datetime msec
service timestamps log datetime msec
R1(config)#logging 192.168.1.3 // SEND SYSLOG TO PC-A
R1#show logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 39 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: disabled, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 43 message lines logged
Logging to 192.168.1.3 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link up),
2 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
C:\Users\John Lloyd>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\John Lloyd>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
R1(config)#ip ips ?
auto-update Auto Update
config Location of IPS configuration files
deny-action Specify Deny action
event-action-rules Event Action Rules (SEAP)
fail Specify what to do during any failures
name Specify an IPS rule
notify Specify the notification mechanisms (SDEE or log) for
the alarms
signature-category Signature Category
signature-definition Signature Definition
R1(config)#ip ips signature-category
R1(config-ips-category)#?
IPS signature category configuration commands:
category Category keyword
exit Exit from Category Mode
no Negate or set default values of a command
R1(config-ips-category)#category ?
adware/spyware Adware/Spyware (more sub-categories)
all All Categories
attack Attack (more sub-categories)
ddos DDoS (more sub-categories)
dos DoS (more sub-categories)
email Email (more sub-categories)
instant_messaging Instant Messaging (more sub-categories)
ios_ips IOS IPS (more sub-categories)
l2/l3/l4_protocol L2/L3/L4 Protocol (more sub-categories)
network_services Network Services (more sub-categories)
os OS (more sub-categories)
other_services Other Services (more sub-categories)
p2p P2P (more sub-categories)
reconnaissance Reconnaissance (more sub-categories)
viruses/worms/trojans Viruses/Worms/Trojans (more sub-categories)
web_server Web Server (more sub-categories)
R1(config-ips-category)#category all
R1(config-ips-category-action)#?
Category Options for configuration:
alert-severity Alarm Severity Rating
enabled Enable Category Signatures
event-action Action
exit Exit from Category Actions Mode
fidelity-rating Signature Fidelity Rating
no Negate or set default values of a command
retired Retire Category Signatures
R1(config-ips-category-action)#retired ?
false False
true True
R1(config-ips-category-action)#retired true // REQUIRED TO RETIRE ALL SIGNATURES IN IOS IPS; OTHERWISE ROUTER WILL RUN OUT OF MEMORY
R1(config-ips-category-action)#exit
R1(config-ips-category)#category ios_ips
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#exit
R1(config-ips-category)#exit
Do you want to accept these changes? [confirm] <ENTER>
R1(config)#
*Jun 1 11:21:32.643: Applying Category configuration to signatures ...
R1(config)#interface serial0/0/0
R1(config-if)#ip ips ?
WORD Name of defined IPS rule
R1(config-if)#ip ips IOSIPS ?
in Inbound IPS
out Outbound IPS
R1(config-if)#ip ips IOSIPS in
R1(config-if)#
*Jun 1 11:24:48.963: %IPS-6-ENGINE_BUILDS_STARTED: 11:24:48 UTC Jun 1 2015
*Jun 1 11:24:48.963: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*Jun 1 11:24:48.971: %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*Jun 1 11:24:48.971: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms
R1(config-if)#interface fastethernet0/1 // DESIRABLE TO CONFIGURE IPS TO PREVENT INTERNAL ATTACKS
R1(config-if)#ip ips IOSIPS in
R1(config)#enable password cisco12345
R1#ping 192.168.1.3 // PING TO TFTP SERVER
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#copy tftp://192.168.1.3/IOS-S364-CLI.pkg idconf // idconf KEYWORD REQUIRED
Loading IOS-S364-CLI.pkg from 192.168.1.3 (via FastEthernet0/1): !!!O!!!!!!!!!!!!!!!!!!!!!!!
*Jun 1 11:33:07.675: %IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (signature verification failure).!
[OK - 6812253 bytes]
R1#dir flash:ipsdir
Directory of flash:/ipsdir/
11 -rw- 704 Jun 1 2015 11:24:48 +00:00 R1-sigdef-default.xml
12 -rw- 255 Jun 1 2015 11:24:48 +00:00 R1-sigdef-delta.xml
13 -rw- 6632 Jun 1 2015 11:32:28 +00:00 R1-sigdef-typedef.xml
14 -rw- 28282 Jun 1 2015 11:32:32 +00:00 R1-sigdef-category.xml
15 -rw- 304 Jun 1 2015 11:24:50 +00:00 R1-seap-delta.xml
16 -rw- 491 Jun 1 2015 11:24:50 +00:00 R1-seap-typedef.xml
64000000 bytes total (21094400 bytes free)
R1#show ip ips ?
all IPS all available information
auto-update IPS auto-update configuration
category Category
configuration IPS configuration
event-action-rules Event Action Rules (SEAP)
interfaces IPS interfaces
name IPS name
sessions IPS sessions
signature-category Signature Category
signatures IPS signatures
statistics IPS statistics
R1#show ip ips signature ?
count Counts of signatures enabled, retired, and compiled
detail Detailed display of signature parameters
engine Display signatures for one selected engine
sigid Signature ID for the selected signature
statistics Display of signature statistics
| Output modifiers
<cr>
R1#show ip ips signature count
Cisco SDF release version S0.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string (INACTIVE)
Signature Micro-Engine: service-http (INACTIVE)
Signature Micro-Engine: string-tcp (INACTIVE)
Signature Micro-Engine: string-udp (INACTIVE)
Signature Micro-Engine: state (INACTIVE)
Signature Micro-Engine: atomic-ip: Total Signatures 3
atomic-ip enabled signatures: 0
atomic-ip compiled signatures: 3
Signature Micro-Engine: string-icmp (INACTIVE)
Signature Micro-Engine: service-ftp (INACTIVE)
Signature Micro-Engine: service-rpc (INACTIVE)
Signature Micro-Engine: service-dns (INACTIVE)
Signature Micro-Engine: normalizer (INACTIVE)
Signature Micro-Engine: service-smb-advanced (INACTIVE)
Signature Micro-Engine: service-msrpc (INACTIVE)
Total Signatures: 3
Total Enabled Signatures: 0
Total Retired Signatures: 0
Total Compiled Signatures: 3
R1(config)#crypto key pubkey-chain rsa
R1(config-pubkey-chain)#no named-key realm-cisco.pub signature
R1#cd ?
archive: Directory name
cns: Directory name
flash: Directory name
null: Directory name
nvram: Directory name
syslog: Directory name
system: Directory name
tar: Directory name
tmpsys: Directory name
xmodem: Directory name
ymodem: Directory name
<cr>
R1#cd flash:ipsdir
R1#dir
Directory of flash:/ipsdir/
11 -rw- 704 Jun 1 2015 11:24:48 +00:00 R1-sigdef-default.xml
12 -rw- 255 Jun 1 2015 11:24:48 +00:00 R1-sigdef-delta.xml
13 -rw- 6632 Jun 1 2015 11:47:38 +00:00 R1-sigdef-typedef.xml
14 -rw- 28282 Jun 1 2015 11:47:42 +00:00 R1-sigdef-category.xml
15 -rw- 304 Jun 1 2015 11:24:50 +00:00 R1-seap-delta.xml
16 -rw- 491 Jun 1 2015 11:24:50 +00:00 R1-seap-typedef.xml
64000000 bytes total (21094400 bytes free)
R1#del R1-sigdef-default.xml
Delete filename [/ipsdir/R1-sigdef-default.xml]?
Delete flash:/ipsdir/R1-sigdef-default.xml? [confirm]
R1#del R1-sigdef-delta.xml
Delete filename [/ipsdir/R1-sigdef-delta.xml]?
Delete flash:/ipsdir/R1-sigdef-delta.xml? [confirm]
R1#del R1-sigdef-typedef.xml
Delete filename [/ipsdir/R1-sigdef-typedef.xml]?
Delete flash:/ipsdir/R1-sigdef-typedef.xml? [confirm]
R1#del R1-sigdef-category.xml
Delete filename [/ipsdir/R1-sigdef-category.xml]?
Delete flash:/ipsdir/R1-sigdef-category.xml? [confirm]
R1#del R1-seap-delta.xml
Delete filename [/ipsdir/R1-seap-delta.xml]?
Delete flash:/ipsdir/R1-seap-delta.xml? [confirm]
R1#del R1-seap-typedef.xml
Delete filename [/ipsdir/R1-seap-typedef.xml]?
Delete flash:/ipsdir/R1-seap-typedef.xml? [confirm]
R1#dir
Directory of flash:/ipsdir/
No files in directory
64000000 bytes total (21147648 bytes free)
R1#cd ..
R1#dir
Directory of flash:/
1 -rw- 37124796 Apr 11 2015 10:34:16 +00:00 c1841-advipservicesk9-mz.124-20.T4.bin
2 -rw- 2898 Sep 7 2010 05:50:46 +00:00 cpconfig-18xx.cfg
3 -rw- 2938880 Sep 7 2010 05:51:14 +00:00 cpexpress.tar
4 -rw- 1038 Sep 7 2010 05:51:26 +00:00 home.shtml
5 -rw- 122880 Sep 7 2010 05:51:40 +00:00 home.tar
6 -rw- 527849 Sep 7 2010 05:51:54 +00:00 128MB.sdf
7 -rw- 1697952 Sep 7 2010 05:52:26 +00:00 securedesktop-ios-3.1.1.45-k9.pkg
8 -rw- 415956 Sep 7 2010 05:52:48 +00:00 sslclient-win-1.1.4.176.pkg
9 -rw- 1368 May 31 2015 00:56:00 +00:00 pre_autosec.cfg
10 drw- 0 Jun 1 2015 11:02:56 +00:00 ipsdir
64000000 bytes total (21147648 bytes free)
The public key string can be found on this link.
R1(config)#crypto key pubkey-chain rsa
R1(config-pubkey-chain)# named-key realm-cisco.pub signature
Translating "realm-cisco.pub"
R1(config-pubkey-key)# key-string
Enter a public key as a hexidecimal number ....
R1(config-pubkey)#$2A864886 F70D0101 01050003 82010F00 3082010A 02820101
R1(config-pubkey)#$D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R1(config-pubkey)#$912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R1(config-pubkey)#$085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R1(config-pubkey)#$0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R1(config-pubkey)#$994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R1(config-pubkey)#$5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R1(config-pubkey)#$A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R1(config-pubkey)#$80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R1(config-pubkey)# F3020301 0001
R1(config-pubkey)# quit
R1#copy tftp://192.168.1.3/IOS-S364-CLI.pkg idconf // RE-DOWNLOAD IOS-S364-CLI.pkg FROM CISCO'S DOWNLOAD SITE; TOOK SEVERAL MINUTES TO FINISH BUILDING SIGNATURE ENGINES
Loading IOS-S364-CLI.pkg from 192.168.1.3 (via FastEthernet0/1): !!!OO!!!!!!!!!!!!!!!!!!!!!!
*Jun 1 12:06:44.135: %IPS-6-ENGINE_BUILDS_STARTED: 12:06:44 UTC Jun 1 2015
*Jun 1 12:06:44.139: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
*Jun 1 12:06:44.147: %IPS-6-ENGINE_READY: multi-string - build time 8 ms - packets for this engine will be scanned
*Jun 1 12:06:44.167: %IPS-6-ENGINE_BUILDING: service-http - 629 signatures - 2 of 13 engines
*Jun 1 12:07:24.055: %IPS-6-ENGINE_READY: service-http - build time 39888 ms - packets for this engine will be scanned
*Jun 1 12:07:24.091: %IPS-6-ENGINE_BUILDING: string-tcp - 1065 signatures - 3 of 13 engines
*Jun 1 12:09:07.887: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5753:0 - failed to compile regular expression
*Jun 1 12:09:23.251: %IPS-6-ENGINE_READY: string-tcp - build time 119160 ms - packets for this engine will be scanned
*Jun 1 12:09:23.259: %IPS-6-ENGINE_BUILDING: string-udp - 75 signatures - 4 of 13 engines
*Jun 1 12:09:25.031: %IPS-6-ENGINE_READY: string-udp - build time 1772 ms - packets for this engine will be scanned
*Jun 1 12:09:25.031: %IPS-6-ENGINE_BUILDING: state - 28 signatures - 5 of 13 engines
*Jun 1 12:09:25.215: %IPS-6-ENGINE_READY: state - build time 184 ms - packets for this engine will be scanned
*Jun 1 12:09:25.271: %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 6 of 13 engines
*Jun 1 12:09:26.399: %IPS-5-PACKET_UNSCANNED: atomic-ip - fail open - packets passed unscanned
*Jun 1 12:09:26.471: %IPS-6-ENGINE_READY: atomic-ip - build time 1200 ms - packets for this engine will be scanned
*Jun 1 12:09:26.507: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
*Jun 1 12:09:26.563: %IPS-6-ENGINE_READY: string-icmp - build time 56 ms - packets for this engine will be scanned
*Jun 1 12:09:26.563: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
*Jun 1 12:09:26.587: %IPS-6-ENGINE_READY: service-ftp - build time 24 ms - packets for this engine will be scanned
*Jun 1 12:09:26.591: %IPS-6-ENGINE_BUILDING: service-rpc - 75 signatures - 9 of 13 engines
*Jun 1 12:09:26.971: %IPS-6-ENGINE_READY: service-rpc - build time 380 ms - packets for this engine will be scanned
*Jun 1 12:09:26.975: %IPS-6-ENGINE_BUILDING: service-dns - 38 signatures - 10 of 13 engines
*Jun 1 12:09:27.051: %IPS-6-ENGINE_READY: service-dns - build time 76 ms - packets for this engine will be scanned
%IDConf: Fail to load file tftp://192.168.1.3/IOS-S364-CLI.pkg
*Jun 1 12:09:39.619: %IPS-4-SDF_PARSE_FAILED: file tftp://192.168.1.3/IOS-S364-CLI.pkg: no element found at Line 145453 Col 11 Byte 6164480 Len 0
R1#dir flash:ipsdir
Directory of flash:/ipsdir/
15 -rw- 6632 Jun 1 2015 12:05:52 +00:00 R1-sigdef-typedef.xml
16 -rw- 28282 Jun 1 2015 12:05:56 +00:00 R1-sigdef-category.xml
14 -rw- 229737 Jun 1 2015 12:09:38 +00:00 R1-sigdef-default.xml
64000000 bytes total (20877312 bytes free)
R1#show ip ips signature count
Cisco SDF release version S339.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 8
multi-string enabled signatures: 8
multi-string retired signatures: 8
Signature Micro-Engine: service-http: Total Signatures 629
service-http enabled signatures: 132
service-http retired signatures: 438
service-http compiled signatures: 191
service-http obsoleted signatures: 1
Signature Micro-Engine: string-tcp: Total Signatures 1066
string-tcp enabled signatures: 558
string-tcp retired signatures: 827
string-tcp compiled signatures: 237
string-tcp Inactive - compile failure: 1
string-tcp obsoleted signatures: 12
Signature Micro-Engine: string-udp: Total Signatures 75
string-udp enabled signatures: 2
string-udp retired signatures: 38
string-udp compiled signatures: 37
string-udp obsoleted signatures: 1
Signature Micro-Engine: state: Total Signatures 28
state enabled signatures: 15
state retired signatures: 24
state compiled signatures: 4
Signature Micro-Engine: atomic-ip: Total Signatures 303
atomic-ip enabled signatures: 103
atomic-ip retired signatures: 270
atomic-ip compiled signatures: 33
Signature Micro-Engine: string-icmp: Total Signatures 3
string-icmp enabled signatures: 0
string-icmp retired signatures: 1
string-icmp compiled signatures: 2
Signature Micro-Engine: service-ftp: Total Signatures 3
service-ftp enabled signatures: 1
service-ftp retired signatures: 2
service-ftp compiled signatures: 1
Signature Micro-Engine: service-rpc: Total Signatures 75
service-rpc enabled signatures: 44
service-rpc retired signatures: 37
service-rpc compiled signatures: 38
Signature Micro-Engine: service-dns: Total Signatures 38
service-dns enabled signatures: 30
service-dns retired signatures: 9
service-dns compiled signatures: 29
Signature Micro-Engine: normalizer: Total Signatures 9
normalizer enabled signatures: 8
normalizer retired signatures: 1
normalizer compiled signatures: 8
Signature Micro-Engine: service-smb-advanced: Total Signatures 42
service-smb-advanced enabled signatures: 42
service-smb-advanced retired signatures: 42
Signature Micro-Engine: service-msrpc: Total Signatures 27
service-msrpc enabled signatures: 27
service-msrpc retired signatures: 25
service-msrpc compiled signatures: 2
service-msrpc obsoleted signatures: 1
Total Signatures: 2306
Total Enabled Signatures: 970
Total Retired Signatures: 1722
Total Compiled Signatures: 582
Total Signatures with compile failures: 1
Total Obsoleted Signatures: 15
R1#show ip ips all
IPS Signature File Configuration Status
Configured Config Locations: flash:ipsdir/
Last signature default load time: 12:09:27 UTC Jun 1 2015
Last signature delta load time: -none-
Last event action (SEAP) load time: -none-
General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled
IPS Signature Status
Total Active Signatures: 582
Total Inactive Signatures: 1724
IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name IOSIPS
IPS fail closed is disabled
IPS deny-action ips-interface is false
Interface Configuration
Interface Serial0/0/0
Inbound IPS rule is IOSIPS
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is IOSIPS
Outgoing IPS rule is not set
IPS Category CLI Configuration:
Category all:
Retire: True
Category ios_ips:
Retire: False
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2#ping 192.168.1.3 // PING TO R1 SERIAL0/0/0 AND PC-A ARE SUCCESSFUL BECAUSE ALL SIGNATURES WERE RETIRED
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R1(config)#ip ips signature-definition
R1(config-sigdef)#?
IPS signature configuration commands:
exit Exit from Signature Definition Mode
signature Signature keyword
R1(config-sigdef)#signature ?
<1-65535> Signature ID value
R1(config-sigdef)#signature 2004 ?
<0-65535> Signature SubID value
<cr>
R1(config-sigdef)#signature 2004 0 // ICMP SIGNATURE
R1(config-sigdef-sig)#?
Category Options for configuration:
alert-severity Alarm Severity Rating
engine Engine
exit Exit from Category Actions Mode
fidelity-rating Signature Fidelity Rating
no Negate or set default values of a command
status Status
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#?
Status options for signatures:
enabled Enable Category Signatures
exit Exit from status submode
no Negate or set default values of a command
retired Retire Category Signatures
R1(config-sigdef-sig-status)#retired ?
false FALSE
true TRUE
R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#enabled ?
false FALSE
true TRUE
R1(config-sigdef-sig-status)#enabled true
R1(config-sigdef-sig-status)#?
Status options for signatures:
enabled Enable Category Signatures
exit Exit from status submode
no Negate or set default values of a command
retired Retire Category Signatures
R1(config-sigdef-sig-status)#engine
R1(config-sigdef-sig-engine)#?
Engine options for signatures:
event-action Action
exit Exit from engine submode
no Negate or set default values of a command
R1(config-sigdef-sig-engine)#event-action ?
deny-attacker-inline Deny Attacker
deny-connection-inline Deny Connection
deny-packet-inline Deny Packet
produce-alert Produce Alert
reset-tcp-connection Reset TCP Connection
<cr>
R1(config-sigdef-sig-engine)#event-action produce-alert
R1(config-sigdef-sig-engine)#event-action deny-packet-inline
R1(config-sigdef-sig-engine)#event-action reset-tcp-connection
R1(config-sigdef-sig-engine)#exit
R1(config-sigdef-sig)#exit
R1(config-sigdef)#exit
Do you want to accept these changes? [confirm] <ENTER>
*Jun 1 12:30:29.415: %IPS-6-ENGINE_BUILDS_STARTED: 12:30:29 UTC Jun 1 2015
*Jun 1 12:30:29.967: %IPS-6-ENGINE_BUILDING: string-tcp - 1066 signatures - 1 of 13 engines
*Jun 1 12:32:33.323: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5753:0 - failed to compile regular expression
*Jun 1 12:32:43.743: %IPS-6-ENGINE_READY: string-tcp - build time 133776 ms - packets for this engine will be scanned
*Jun 1 12:32:44.495: %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 2 of 13 engines
*Jun 1 12:32:45.207: %IPS-6-ENGINE_READY: atomic-ip - build time 712 ms - packets for this engine will be scanned
*Jun 1 12:32:45.443: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 136028 ms
R1(config)#
*Jun 1 12:33:26.487: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.3:8 -> 172.16.1.254:0] VRF:NONE RiskRating:25
R2#ping 10.1.1.1 // BLOCKED BY IPS SIGNATURE
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#ping 192.168.1.3 // BLOCKED BY IPS SIGNATURE
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config-ips-category)#category ios_ips ?
advanced Advanced
basic Basic
<cr>
R1(config-ips-category)#category ios_ips basic ?
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#enabled true
R1(config-ips-category-action)#event-action produce-alert
R1(config-ips-category-action)#event-action deny-packet-inline
R1(config-ips-category-action)#event-action reset-tcp-connection
R1(config-ips-category)#category all
R2#ping 10.2.2.1 // PING TO R3 SERIAL0/0/0 INTERFACE (WITHOUT IPS)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2#ping 192.168.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R3#show run
Building configuration...
Current configuration : 929 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.252
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.2.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
R3(config)#enable secret cisco12345
R3(config)#ip http server
R3(config)#username admin privilege 15 secret cisco12345
R3(config)#ip http authentication local
R3#show flash
-#- --length-- -----date/time------ path
1 37124796 Apr 11 2015 10:46:06 c1841-advipservicesk9-mz.124-20.T4.bin
2 913 May 02 2015 12:59:48 pre_autosec.cfg
26873856 bytes available (37130240 bytes used)
R3#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir
R3#dir flash:ipsdir
Directory of flash:/ipsdir/
No files in directory
64004096 bytes total (26869760 bytes free)
R3#
*Jun 6 12:29:34.535: %IPS-6-ENGINE_BUILDS_STARTED: 12:29:34 UTC Jun 6 2015
*Jun 6 12:29:34.535: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
*Jun 6 12:29:34.547: %IPS-6-ENGINE_READY: multi-string - build time 12 ms - packets for this engine will be scanned
*Jun 6 12:29:34.567: %IPS-6-ENGINE_BUILDING: service-http - 629 signatures - 2 of 13 engines
*Jun 6 12:29:44.231: %IPS-6-ENGINE_READY: service-http - build time 9664 ms - packets for this engine will be scanned
*Jun 6 12:29:44.263: %IPS-6-ENGINE_BUILDING: string-tcp - 1065 signatures - 3 of 13 engines
R3#
*Jun 6 12:30:14.239: %RE-4-COMPILE_FAILED: Compile failed on pattern number 0 - states 1 - [Nn][Ee][Tt][Ww][Oo][Rr][Kk][\x3c][0-9][0-9]?[0-9]?[.][0-9][0-9]?[0-9]?[.][0-9][0-9]?[0-9]?[.][0-9][0-9]?[0-9]?\x20([A-Za-z\x2D0-9]?){100}\x20[^A-Za-z\x20>]+[>]
*Jun 6 12:30:14.239: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5464:1 - failed to compile regular expression
*Jun 6 12:30:15.215: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5489:2 - failed to compile regular expression
*Jun 6 12:30:15.655: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5489:7 - failed to compile regular expression
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3137:6 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5675:0 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5455:1 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3784:0 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3528:0 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3173:0 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3550:0 - compiles discontinued for this engine
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5769:1 - compiles discontinued for this engine
*Jun 6 12:30:16.175: %IPS-6-ENGINE_READY: string-tcp - build time 31912 ms - packets for this engine will be scanned
*Jun 6 12:30:16.183: %IPS-6-ENGINE_BUILDING: string-udp - 75 signatures - 4 of 13 engines
*Jun 6 12:30:17.027: %IPS-6-ENGINE_READY: string-udp - build time 844 ms - packets for this engine will be scanned
*Jun 6 12:30:17.027: %IPS-6-ENGINE_BUILDING: state - 28 signatures - 5 of 13 engines
*Jun 6 12:30:17.107: %IPS-6-ENGINE_READY: state - build time 80 ms - packets for this engine will be scanned
*Jun 6 12:30:17.383: %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 6 of 13 engines
*Jun 6 12:30:17.883: Cannot allocate ATOMIC SME extension
*Jun 6 12:30:17.883: %IPS-3-ENGINE_BUILD_FAILED: atomic-ip - 500 ms - engine build failed
*Jun 6 12:30:18.019: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
*Jun 6 12:30:18.071: %IPS-6-ENGINE_READY: string-icmp - build time 52 ms - packets for this engine will be scanned
*Jun 6 12:30:18.071: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
*Jun 6 12:30:18.095: %IPS-6-ENGINE_READY: service-ftp - build time 24 ms - packets for this engine will be scanned
*Jun 6 12:30:18.099: %IPS-6-ENGINE_BUILDING: service-rpc - 75 signatures - 9 of 13 engines
*Jun 6 12:30:18.347: %IPS-3-ENGINE_BUILD_FAILED: service-rpc - 248 ms - engine build failed
*Jun 6 12:30:18.395: %IPS-6-ENGINE_BUILDING: service-dns - 38 signatures - 10 of 13 engines
*Jun 6 12:30:18.439: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-dns 6054:1 - failed to compile regular expression
*Jun 6 12:30:18.447: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-dns 6054:0 - failed to compile regular expression
*Jun 6 12:30:18.455: %IPS-3-ENGINE_BUILD_FAILED: service-dns - 60 ms - engine build failed
*Jun 6 12:30:18.479: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
*Jun 6 12:30:18.479: %IPS-6-ENGINE_READY: normalizer - build time 0 ms - packets for this engine will be scanned
*Jun 6 12:30:18.519: %IPS-3-ENGINE_BUILD_FAILED: service-smb-advanced - 36 ms - engine build failed
*Jun 6 12:30:18.575: %IPS-3-ENGINE_BUILD_FAILED: service-msrpc - 32 ms - engine build failed
*Jun 6 12:30:36.651: %IPS-4-IPS_SIGNATURE_FILE: tftp://192.168.3.3/IOS-S364-CLI.pkg - read_len < 0
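The %IPS syslog lines above are the only record of which micro-engines actually came up; an engine that logs ENGINE_BUILD_FAILED shows as INACTIVE in `show ip ips signature count`, and traffic for it passes uninspected. The following is an added example, not code from the original post, that folds constructed lines in the same format into per-engine state and structured signature alerts so such failures are caught at log-collection time:

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines in the format of the Cisco IOS IPS syslog messages
# shown in the lab above (engine names, signature IDs and addresses taken from it).
SAMPLE_LOG = """\
*Jun 6 12:30:14.239: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 5464:1 - failed to compile regular expression
*Jun 6 12:30:15.663: %IPS-4-SIGNATURE_COMPILE_FAILURE: string-tcp 3137:6 - compiles discontinued for this engine
*Jun 6 12:30:16.175: %IPS-6-ENGINE_READY: string-tcp - build time 31912 ms - packets for this engine will be scanned
*Jun 6 12:30:17.383: %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 6 of 13 engines
*Jun 6 12:30:17.883: %IPS-3-ENGINE_BUILD_FAILED: atomic-ip - 500 ms - engine build failed
*Jun 1 12:09:26.399: %IPS-5-PACKET_UNSCANNED: atomic-ip - fail open - packets passed unscanned
*Jun 6 12:30:18.479: %IPS-6-ENGINE_READY: normalizer - build time 0 ms - packets for this engine will be scanned
*Jun 1 12:33:26.487: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.1.3:8 -> 172.16.1.254:0] VRF:NONE RiskRating:25
"""

# A line carries a timestamp, then %IPS-<severity>-<mnemonic>: <body>
LINE_RE = re.compile(r"%IPS-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<body>.*)$")
COMPILE_RE = re.compile(r"^(?P<engine>\S+) (?P<sig>\d+):(?P<subsig>\d+) - (?P<reason>.+)$")
ALERT_RE = re.compile(
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[^\]]+) -> (?P<dst>[^\]]+)\] VRF:(?P<vrf>\S+) RiskRating:(?P<rr>\d+)"
)
ENGINE_MSGS = ("ENGINE_BUILDING", "ENGINE_READY", "ENGINE_BUILD_FAILED", "PACKET_UNSCANNED")

@dataclass
class EngineState:
    status: str = "unknown"                 # building / ready / failed
    build_ms: Optional[int] = None
    compile_failures: list = field(default_factory=list)   # (sig, subsig, reason)
    fail_open: bool = False                 # packets passed unscanned while engine unavailable

def summarize_ips_log(text):
    """Fold %IPS syslog lines into per-engine state plus a list of signature alerts."""
    engines, alerts = {}, []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                        # not an IPS message (e.g. %RE-4-COMPILE_FAILED detail)
        mnemonic, body = m["mnemonic"], m["body"]
        if mnemonic in ENGINE_MSGS:
            engine = body.split(" - ", 1)[0]
            st = engines.setdefault(engine, EngineState())
            if mnemonic == "ENGINE_BUILDING":
                st.status = "building"
            elif mnemonic == "ENGINE_READY":
                st.status = "ready"
                st.build_ms = int(re.search(r"build time (\d+) ms", body).group(1))
            elif mnemonic == "ENGINE_BUILD_FAILED":
                st.status = "failed"
            else:
                st.fail_open = True
        elif mnemonic == "SIGNATURE_COMPILE_FAILURE":
            c = COMPILE_RE.match(body)
            st = engines.setdefault(c["engine"], EngineState())
            st.compile_failures.append((int(c["sig"]), int(c["subsig"]), c["reason"]))
        elif mnemonic == "SIGNATURE":
            a = ALERT_RE.match(body)
            alerts.append({k: (int(v) if k in ("sig", "subsig", "sev", "rr") else v)
                           for k, v in a.groupdict().items()})
    return engines, alerts

def unscanned_engines(engines):
    """Engines whose build failed: their signatures are inactive, so matching traffic is not inspected."""
    return sorted(name for name, st in engines.items() if st.status == "failed")

if __name__ == "__main__":
    engines, alerts = summarize_ips_log(SAMPLE_LOG)
    for name, st in engines.items():
        print(f"{name:12} {st.status:8} build_ms={st.build_ms} compile_failures={len(st.compile_failures)}")
    print("not inspecting:", unscanned_engines(engines))
    for a in alerts:
        print(f"alert sig {a['sig']}:{a['subsig']} {a['name']} {a['src']} -> {a['dst']} RR={a['rr']}")
```

The same parser covers the R1 build log earlier on the page, where string-tcp reports one compile failure but every engine reaches ENGINE_READY.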
C:\Users\PC-C>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.3.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1
C:\Users\PC-C>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 time=1ms TTL=255
Reply from 192.168.3.1: bytes=32 time=1ms TTL=255
Reply from 192.168.3.1: bytes=32 time=1ms TTL=255
Reply from 192.168.3.1: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.3.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
R3#show ip ips signature count
Cisco SDF release version S339.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 8
multi-string enabled signatures: 8
multi-string retired signatures: 8
Signature Micro-Engine: service-http: Total Signatures 629
service-http enabled signatures: 132
service-http retired signatures: 532
service-http compiled signatures: 97
service-http obsoleted signatures: 1
Signature Micro-Engine: string-tcp: Total Signatures 1066
string-tcp enabled signatures: 558
string-tcp retired signatures: 948
string-tcp compiled signatures: 100
string-tcp Inactive - compile failure: 17
string-tcp obsoleted signatures: 12
Signature Micro-Engine: string-udp: Total Signatures 75
string-udp enabled signatures: 2
string-udp retired signatures: 54
string-udp compiled signatures: 21
string-udp obsoleted signatures: 1
Signature Micro-Engine: state: Total Signatures 28
state enabled signatures: 15
state retired signatures: 25
state compiled signatures: 3
Signature Micro-Engine: atomic-ip: Total Signatures 303
atomic-ip enabled signatures: 0
atomic-ip compiled signatures: 3
Signature Micro-Engine: string-icmp (INACTIVE)
Signature Micro-Engine: service-ftp: Total Signatures 3
service-ftp enabled signatures: 1
service-ftp retired signatures: 2
service-ftp compiled signatures: 1
Signature Micro-Engine: service-rpc (INACTIVE)
Signature Micro-Engine: service-dns (INACTIVE)
Signature Micro-Engine: normalizer: Total Signatures 9
normalizer enabled signatures: 8
normalizer retired signatures: 1
normalizer compiled signatures: 8
Signature Micro-Engine: service-smb-advanced (INACTIVE)
Signature Micro-Engine: service-msrpc (INACTIVE)
Total Signatures: 2306
Total Enabled Signatures: 724
Total Retired Signatures: 1570
Total Compiled Signatures: 233
Total Signatures with compile failures: 17
Total Obsoleted Signatures: 14