IOS IPS (Intrusion Prevention System)

Cisco Docs: Secure DATA PLANE>Security Configuration Guide:Cisco IOS Intrusion Prevention System

IPS is watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When packets in a session match a signature, Cisco IOS IPS can take any of the  actions:
- Send an alarm to a syslog server or a centralized management interface
- Drop the packet
- Reset the connection
- Deny traffic from the source IP address of the attacker for a specified amount of time
- Deny traffic on the connection for which the signature was seen for a specified amount of time

*SDEE is application-level communication protocol, used to exchange IPS messages between IPS clients and IPS servers.

First you need to specify the location in which the router loads the SDF (Signature Definition File), because in the IOS there are NO DEFAULT SIGNATURES:
(config)# ip ips sdf location disk2:attack-drop.sdf

If you're configuring the IP IPS on a new router, first CREATE the IPS, name it, and define it, in this case to send the events as SYSLOG messages:
(config)#ip ips name MYIPS
(config)#ip ips notify log
*Be sure to have a SYSLOG SERVER defined:
(config)#logging ON

Specify where the IPS configuration will be stored:
(config)#ip ips config location flash:MYIPS

Apply the configured IPS to the interface:
(config-if)#ip ips MYIPS out
#sh ip ips signatures
Cisco SDF release version S0.0
Trend SDF release version V0.0
En  - possible values are Y, Y*, N, or N*
      Y:  signature is enabled
      N:  enabled=false in the signature definition file
      *:  retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
      Y:  signature is compiled
      Ni: signature not compiled due to invalid or missing parameters
      Nr: signature not compiled because it is retired
      Nf: signature compile failed
      No: signature is obsoleted
      Nd: signature is disallowed
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits             EC=event-count          AI=alert-interval
GST=global-summary-threshold   SI=summary-interval     SM=summary-mode
SW=swap-attacker-victim        SFR=sig-fidelity-rating Rel=release
Signature Micro-Engine: atomic-ip (INACTIVE)
Signature Micro-Engine: normalizer (INACTIVE)
Signature Micro-Engine: service-http-v2 (INACTIVE)
Signature Micro-Engine: service-http (INACTIVE)

You might need to generate the SDF using the .txt file downloaded from the to your flash:
#more flash:downloaded_key.txt <-COPY THE CONTENT TO LATER PASTE INTO THE KEY

Now create the key:
(config)#crypto key pubkey-chain rsa
(config-pubkey-chain)#named-key DOWNLOADED_KEY signature

Enter a public key as a hexidecimal number ....
(config-pubkey)#(ENTER THE COPIED CONTENT HERE, and type "quit")

Most Popular Posts