16.1 Key Terms
IPS = Intrusion prevention system. Intrusion prevention systems, primarily using signature matching, can alert administrators about an attack on the network and can prevent the initial packet from entering the network.
signature files = Package of signatures that updates an IDS/IPS against new attack methods. IOS IPS signature packages are similar to the signatures used on the IPS/IDS appliances.
Cisco public key = The Cisco public key is needed for the IOS-based IPS to verify Cisco's digital signature on the IPS signature package provided by Cisco.
signature micro-engines = Part of an IDS/IPS that supports a group of signatures in a common category.
enabled signature = A signature that is enabled. A signature needs to be both enabled and unretired to be used by an IPS/IDS system.
disabled signature = A signature that is disabled. A signature needs to be both enabled and unretired to be used by an IPS/IDS system.
retired signature = If a particular signature is deemed old and no longer a common threat, it can be retired, which reduces the memory used by the IOS IPS.
unretired signature = In IPS, if a new variant would make old signatures valid again, the signature can be marked "unretired", which makes the signature available for use and consumes memory on the IOS router.
16.2 Things to Remember
16.2.1 Matrix for Retired/Unretired/Enabled/Disabled
Compiling/Allowing Action = Retired
Enabled – No memory consumption, and no action related to the signature during packet analysis
Disabled – No memory consumption, and no action related to the signature during packet analysis
Compiling/Allowing Action = Unretired
Enabled – Consumes memory, and the signature is considered during packet analysis
Disabled – Consumes memory, but no action related to the signature during packet analysis
16.3 Command References
Command > Description
show ip sdee alerts > Allows viewing of alert events from the CLI
show ip ips configuration > Allows viewing of the IPS configuration from the CLI
ip ips sdm_ips_rule in > Applies a rule named sdm_ips_rule inbound on the interface currently being configured
16.4 Command Examples
Output from the Console While Signatures Are Compiled …
R1# show process cpu sorted | include seconds
CLI Commands for Configuring IPS
R1(config)# ip ips notify SDEE
R1(config)# ip ips name sdm_ips_rule
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
R1(config)# interface FastEthernet1/0
R1(config-if)# ip ips sdm_ips_rule in
R1(config-if)# exit
R1(config)# ip ips config location ftp://10.0.0.2/ips5
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
R1# show ip ips configuration
R1# show ip ips signatures sigid 2004 subid 0
R1# show ip ips signatures count
Viewing Alerts from the CLI
R1# show ip sdee alerts
R1# show ip ips statistics
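An added example, not part of these notes or of Cisco's software: a small Python model of how the category tuning and the per-signature override in the commands above combine into each signature's effective state, and what the 16.2.1 matrix says that state means for memory and packet analysis. The category membership is constructed sample data, and the override order (category commands applied in sequence, per-signature tuning applied last) is an assumption of the model.

```python
from dataclasses import dataclass

# Constructed sample: signature id -> categories it belongs to. Every signature
# is in "all"; real "ios_ips basic" membership comes from the Cisco package.
SAMPLE_CATEGORIES = {
    2004: {"all", "ios_ips basic"},
    3050: {"all", "ios_ips basic"},
    5081: {"all"},
}

@dataclass
class SigState:
    retired: bool = True   # assumed pre-tuning defaults; the package sets the real ones
    enabled: bool = True

def apply_tuning(categories, category_cmds, sig_cmds):
    """Resolve each signature's effective retired/enabled state.

    category_cmds: ordered (category, attribute, value) tuples entered under
      'ip ips signature-category'; later commands override earlier ones, so
      'category ios_ips basic retired false' undoes 'category all retired true'
      for signatures in both categories.
    sig_cmds: sigid -> {attribute: value} from 'ip ips signature-definition',
      applied last so per-signature tuning wins (assumption in this model).
    """
    states = {sid: SigState() for sid in categories}
    for cat, attr, value in category_cmds:
        for sid, cats in categories.items():
            if cat in cats:
                setattr(states[sid], attr, value)
    for sid, attrs in sig_cmds.items():
        for attr, value in attrs.items():
            setattr(states[sid], attr, value)
    return states

def matrix(state):
    """(consumes memory, acted on during packet analysis), per section 16.2.1."""
    consumes_memory = not state.retired            # only unretired sigs are compiled
    analyzed = consumes_memory and state.enabled   # must be unretired AND enabled
    return consumes_memory, analyzed

def compiled_count(states):
    """Number of compiled (unretired) signatures, cf. 'show ip ips signatures count'."""
    return sum(1 for s in states.values() if not s.retired)

# The tuning sequence from the notes: retire everything, unretire the basic
# category, then explicitly enable and unretire signature 2004.
PAGE_CATEGORY_CMDS = [("all", "retired", True), ("ios_ips basic", "retired", False)]
PAGE_SIG_CMDS = {2004: {"enabled": True, "retired": False}}
```

Running `apply_tuning(SAMPLE_CATEGORIES, PAGE_CATEGORY_CMDS, PAGE_SIG_CMDS)` and passing each state to `matrix` shows why only the basic-category signatures cost memory after this configuration.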