IOS Based IPS --> No Alerts??

Unanswered Question
Apr 10th, 2007

We are trying to set up a 2811 router to run IOS-based IPS. We followed all the procedures, but we can't seem to get the system to send any alerts via syslog. We have tried various port scanners with no luck. Are we missing something?

wmblake755 Tue, 04/10/2007 - 11:12

Here is the IOS version:

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Experimental Version 12.4(20070215:163920) [jenneyc-V124_11_T1 107]

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Compiled Sun 11-Mar-07 12:16 by jenneyc


Also, this is the only message we got that might be considered an IDS alert. But we don't get any alerts when we perform normal port scans.


<188>2459: Apr 10 15:04:47.885: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:75 [10.15.250.30:0 -> 10.11.100.61:0] RiskRating:63



rtrwan-anf000#sho ip ips configuration

Configured Config Locations: flash:ips5/
Last signature default load time: 16:57:56 est Mar 14 2007
Last signature delta load time: 12:03:57 est Apr 10 2007
Last event action (SEAP) load time: -none-
General SEAP Config:
  Global Deny Timeout: 3600 seconds
  Global Overrides Status: Enabled
  Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS fail closed is disabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is disabled
Total Active Signatures: 1090
Total Inactive Signatures: 899

IPS Rule Configuration
  IPS name testips

IPS Category CLI Configuration:
  Category all:
    Retire: False
  Category viruses/worms/trojans all-viruses/worms/trojans:
    Retire: False
  Category p2p bittorrent:
    Retire: False
  Category p2p edonkey:
    Retire: False
  Category p2p kazaa:
    Retire: False
  Category reconnaissance:
    Retire: False Alert

Interface Configuration
  Interface FastEthernet0/0.1
    Inbound IPS rule is testips
    Outgoing IPS rule is testips
  Interface FastEthernet0/0.2
    Inbound IPS rule is testips
    Outgoing IPS rule is testips
  Interface Serial0/0/0
    Inbound IPS rule is testips
    Outgoing IPS rule is testips
  Interface Serial0/0/0.34
    Inbound IPS rule is testips
    Outgoing IPS rule is testips
  Interface Serial0/0/0.35
    Inbound IPS rule is testips
    Outgoing IPS rule is testips


ymzhang Tue, 04/10/2007 - 11:33

Your configuration seems ok. Can you please provide the following output:

1. show ip ips signature (as attachment)

2. What port scanning tool you used and how you used it.


Your configuration has syslog/SDEE enabled. If you have configured the syslog server properly, the IPS alerts will be sent to the syslog server. So the question is whether IPS is actually working and will be able to trigger events as expected.


If you know how to use metasploit, you can try using that to test it. "3Com 3CDaemon FTP Server Overflow" should trigger signature 3166/3173. (Use 'show ip ips signature | in 3166' to check; it should show something like "3166:0 Y Y A HIGH 0 1 0 0 0 FA N 100 S190")


Thanks,

-Chris
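Added example, not from any poster in this thread: a small Python parser for the %IPS-4-SIGNATURE syslog line quoted above, useful for confirming that the syslog receiver is actually getting IPS alerts and for seeing what each field carries (PRI, router sequence number, signature, severity, addresses, risk rating). The field layout is assumed from the single line posted; the extra sample lines are constructed.

```python
import re

# RFC 3164 severity names, indexed by the low three bits of the PRI value.
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample feed: the alert quoted in the thread, plus two made-up lines
# (an unrelated %SYS message and a second IPS alert) to exercise the filter.
SAMPLE_LINES = [
    "<188>2459: Apr 10 15:04:47.885: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:75 "
    "[10.15.250.30:0 -> 10.11.100.61:0] RiskRating:63",
    "<189>2460: Apr 10 15:05:01.120: %SYS-5-CONFIG_I: Configured from console by vty0",
    "<188>2461: Apr 10 15:05:02.004: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 "
    "[10.15.250.30:0 -> 10.11.100.1:0] RiskRating:25",
]

# Field layout assumed from the single %IPS-4-SIGNATURE line posted in the thread.
IPS_ALERT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): "
    r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
    r"%IPS-(?P<level>\d)-SIGNATURE: "
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"RiskRating:(?P<rr>\d+)$"
)

def parse_ips_alert(line):
    """Return the fields of one %IPS-4-SIGNATURE line, or None for any other message."""
    m = IPS_ALERT_RE.match(line.strip())
    if not m:
        return None
    # PRI = facility * 8 + severity; <188> decodes to facility 23 (local7), severity 4 (warning).
    facility, sev_code = divmod(int(m["pri"]), 8)
    return {
        "facility": facility,
        "syslog_severity": SYSLOG_SEVERITIES[sev_code],
        "seq": int(m["seq"]),                 # router-side message sequence number
        "timestamp": m["ts"],
        "sig": int(m["sig"]),
        "subsig": int(m["subsig"]),
        "sig_severity": int(m["sev"]),        # the Sev: value as printed (75 in the posted line)
        "src": (m["src"], int(m["sport"])),
        "dst": (m["dst"], int(m["dport"])),
        "risk_rating": int(m["rr"]),
    }

def parse_feed(lines):
    """Keep only the IPS alerts out of a mixed IOS syslog feed."""
    return [a for a in map(parse_ips_alert, lines) if a is not None]
```

Run it against the lines your syslog server actually stored: if the router shows "Event notification through syslog is enabled" but parse_feed returns nothing, the gap is in the syslog path or the signatures are not firing, not in the parser.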

rhermes Wed, 04/11/2007 - 11:06

Try enabling sig 2004, ICMP Echo Request and then ping the interface of the router that has the IPS policy attached to it.
