Cisco Docs: Secure DATA PLANE > Security Configuration Guide: Cisco IOS Intrusion Prevention System
Cisco IOS IPS watches packets and sessions as they flow through the router and scans each packet against the Cisco IOS IPS signatures. When packets in a session match a signature, Cisco IOS IPS can take any of the following actions:
- Send an alarm to a syslog server or a centralized management interface
- Drop the packet
- Reset the connection
- Deny traffic from the source IP address of the attacker for a specified amount of time
- Deny traffic on the connection for which the signature was seen for a specified amount of time
*SDEE (Security Device Event Exchange) is an application-level communication protocol used to exchange IPS messages between IPS clients and IPS servers.
First you need to specify the location from which the router loads the SDF (Signature Definition File), because in IOS there are NO DEFAULT SIGNATURES:
(config)# ip ips sdf location disk2:attack-drop.sdf
If you're configuring IP IPS on a new router, first CREATE the IPS rule, name it, and define how it reports, in this case by sending the events as SYSLOG messages:
(config)#ip ips name MYIPS
(config)#ip ips notify log
*Be sure to have a SYSLOG SERVER defined, otherwise the events have nowhere to go.
Specify where the IPS configuration will be stored:
(config)#ip ips config location flash:MYIPS
Apply the configured IPS to the interface:
(config-if)#ip ips MYIPS out
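The steps above are easy to get half-done (an SDF location without a rule, a rule that is never applied to an interface, or `ip ips notify log` with no syslog host behind it). The following is an added example, not code from the original post or from Cisco: a small audit script that reads a running-config fragment and reports which of those prerequisites are missing. The config text is constructed for the example and deliberately omits the `logging host` line the post warns about; the rule and interface names are assumptions.

```python
"""Audit a Cisco IOS running-config fragment for the Cisco IOS IPS prerequisites.

Added example, not code from the original post or from Cisco. The config
fragment is constructed; the checks encode the prerequisites the post lists:
an SDF location (IOS ships no default signatures), a named IPS rule, a
notify method with a syslog host behind it, a config location, and the rule
applied to an interface.
"""
import re

# Constructed running-config fragment, not captured from a real router.
# It deliberately omits the 'logging host' line the post warns about.
SAMPLE_CONFIG = """\
ip ips sdf location disk2:attack-drop.sdf
ip ips name MYIPS
ip ips notify log
ip ips config location flash:MYIPS
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip ips MYIPS out
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
"""


def parse_ips_config(config):
    """Collect the IPS-related global commands and per-interface rule bindings."""
    cfg = {"sdf_location": None, "rules": set(), "notify": set(),
           "config_location": None, "syslog_hosts": [], "bindings": []}
    current_if = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current_if = raw.split(None, 1)[1].strip()
            continue
        if not raw.startswith(" "):
            current_if = None          # back at global configuration level
        line = raw.strip()
        if current_if is not None:
            m = re.fullmatch(r"ip ips (\S+) (in|out)", line)
            if m:
                cfg["bindings"].append((current_if, m.group(1), m.group(2)))
            continue
        # re.match (not fullmatch) tolerates trailing options such as an ACL name.
        m = re.match(r"ip ips sdf location (\S+)", line)
        if m:
            cfg["sdf_location"] = m.group(1)
            continue
        m = re.match(r"ip ips name (\S+)", line)
        if m:
            cfg["rules"].add(m.group(1))
            continue
        m = re.match(r"ip ips notify (\S+)", line)
        if m:
            cfg["notify"].add(m.group(1))
            continue
        m = re.match(r"ip ips config location (\S+)", line)
        if m:
            cfg["config_location"] = m.group(1)
            continue
        m = re.match(r"logging (?:host )?(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            cfg["syslog_hosts"].append(m.group(1))
    return cfg


def audit_ips_config(config):
    """Return a list of findings; an empty list means every prerequisite is met."""
    cfg = parse_ips_config(config)
    findings = []
    if cfg["sdf_location"] is None:
        findings.append("no 'ip ips sdf location': IOS has no default signatures, nothing will match")
    if not cfg["rules"]:
        findings.append("no 'ip ips name' rule defined")
    if "log" in cfg["notify"] and not cfg["syslog_hosts"]:
        findings.append("'ip ips notify log' is set but no syslog server ('logging host') is configured")
    if cfg["config_location"] is None:
        findings.append("no 'ip ips config location' for the IPS configuration")
    bound = {rule for _, rule, _ in cfg["bindings"]}
    for rule in sorted(cfg["rules"] - bound):
        findings.append(f"rule {rule} is defined but not applied to any interface")
    for iface, rule, _ in cfg["bindings"]:
        if rule not in cfg["rules"]:
            findings.append(f"{iface} references undefined rule {rule}")
    return findings


if __name__ == "__main__":
    for finding in audit_ips_config(SAMPLE_CONFIG) or ["all IPS prerequisites present"]:
        print(finding)
```

Run against the constructed fragment it reports exactly one finding, the missing syslog server; appending a `logging host` line clears it. The parser keys on indentation to tell interface-level `ip ips <name> in|out` bindings from the global commands, which is how IOS prints a running-config.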
*THIS WILL NOT WORK UNLESS YOU HAVE THE SIGNATURES LOADED. To check the signatures:
#sh ip ips signatures
Cisco SDF release version S0.0
Trend SDF release version V0.0
En - possible values are Y, Y*, N, or N*
Y: signature is enabled
N: enabled=false in the signature definition file
*: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
Y: signature is compiled
Ni: signature not compiled due to invalid or missing parameters
Nr: signature not compiled because it is retired
Nf: signature compile failed
No: signature is obsoleted
Nd: signature is disallowed
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release
Signature Micro-Engine: atomic-ip (INACTIVE)
Signature Micro-Engine: normalizer (INACTIVE)
Signature Micro-Engine: service-http-v2 (INACTIVE)
Signature Micro-Engine: service-http (INACTIVE)
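The output above is the tell-tale of an unarmed router: release S0.0 and every micro-engine INACTIVE, so no signature can ever fire. As an added example (not code from the original post or from Cisco), the script below parses that header and decodes the En/Cmp legend, so a config-compliance check can flag an IPS that is applied to an interface but has nothing to match on. The "armed" sample is constructed (the release string and engine state are placeholders), and it is assumed that an active engine prints anything other than INACTIVE.

```python
"""Interpret the header of 'show ip ips signatures' to see whether the router
is actually armed.

Added example, not code from the original post or from Cisco. The first
sample reuses the release and micro-engine lines quoted in the post; the
second is constructed. The En/Cmp decoding follows the legend IOS prints
with the command. Assumption: an active engine prints any state other
than INACTIVE.
"""
import re

# Copied from the post's output: no SDF loaded, every engine INACTIVE.
UNARMED_OUTPUT = """\
Cisco SDF release version S0.0
Trend SDF release version V0.0
Signature Micro-Engine: atomic-ip (INACTIVE)
Signature Micro-Engine: normalizer (INACTIVE)
Signature Micro-Engine: service-http-v2 (INACTIVE)
Signature Micro-Engine: service-http (INACTIVE)
"""

# Constructed counterpart; the release string and engine state are placeholders.
ARMED_OUTPUT = """\
Cisco SDF release version S999.0
Trend SDF release version V0.0
Signature Micro-Engine: atomic-ip (ACTIVE)
Signature Micro-Engine: normalizer (ACTIVE)
"""

# Legend for the En column, as printed by 'show ip ips signatures'.
EN_CODES = {
    "Y": "enabled",
    "Y*": "enabled in the SDF but retired",
    "N": "enabled=false in the SDF",
    "N*": "enabled=false and retired in the SDF",
}
# Legend for the Cmp column.
CMP_CODES = {
    "Y": "compiled",
    "Ni": "not compiled: invalid or missing parameters",
    "Nr": "not compiled: retired",
    "Nf": "compile failed",
    "No": "obsoleted",
    "Nd": "disallowed",
}


def parse_signature_status(text):
    """Pull the SDF release strings and per-engine state out of the command header."""
    status = {"cisco_release": None, "trend_release": None, "engines": {}}
    for line in text.splitlines():
        m = re.match(r"Cisco SDF release version (\S+)", line)
        if m:
            status["cisco_release"] = m.group(1)
            continue
        m = re.match(r"Trend SDF release version (\S+)", line)
        if m:
            status["trend_release"] = m.group(1)
            continue
        m = re.match(r"Signature Micro-Engine: (\S+) \((\w+)\)", line)
        if m:
            status["engines"][m.group(1)] = m.group(2)
    return status


def is_armed(status):
    """Release S0.0 with every engine INACTIVE means no signatures are loaded."""
    has_release = status["cisco_release"] not in (None, "S0.0")
    engine_up = any(state != "INACTIVE" for state in status["engines"].values())
    return has_release and engine_up


def signature_will_fire(en, cmp):
    """Only an enabled (Y) and compiled (Y) signature can produce an action."""
    return en == "Y" and cmp == "Y"


def explain_flags(en, cmp):
    """Human-readable meaning of an En/Cmp pair from a signature row."""
    return (EN_CODES.get(en, "unknown En value"), CMP_CODES.get(cmp, "unknown Cmp value"))


if __name__ == "__main__":
    for name, text in (("post output", UNARMED_OUTPUT), ("constructed", ARMED_OUTPUT)):
        st = parse_signature_status(text)
        print(name, st["cisco_release"], st["engines"], "armed" if is_armed(st) else "NOT armed")
```

`signature_will_fire` is the check to run over each signature row: a retired (`Y*`, `Nr`) or uncompiled (`Ni`, `Nf`) signature is listed but contributes nothing, which is the same silent failure as the empty SDF, only per signature.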
You might need to generate the SDF using the .txt key file downloaded from cisco.com to your flash:
#more flash:downloaded_key.txt <-COPY THE CONTENT TO LATER PASTE INTO THE KEY
Now create the key:
(config)#crypto key pubkey-chain rsa
(config-pubkey-chain)#named-key DOWNLOADED_KEY signature
Enter a public key as a hexidecimal number ....
(config-pubkey)#(ENTER THE COPIED CONTENT HERE, and type "quit")