IOS IPS analysis of triggering traffic

Unanswered Question
Apr 29th, 2007
User Badges:

I'm trying to figure out how to select signatures. I suppose one could just watch the alert chatter and disable or delete signatures that seem too noisy. Doesn't seem very secure.

I'd prefer to analyse the traffic that's triggering them, but if I only get, say, a dozen hits a day, how to I analyze that traffic? Sniffing doesn't seem too practical. Is there any way to set debugging or alerts to save/send the suspect packets? Alerts for packets out of order, long SMTP headers, might be benign, might not. How do I tell?

As they say in the military, never ask a question if you don't know what you'll do with the answer.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Rodrigo Gurriti Sun, 04/29/2007 - 14:03
User Badges:

I dont know what you are using. but the best way is log them or get the event on the fly and go to cisco mysdn and search for the sig number and find out if you can disable them or do something

On my IPS' I tune the number of events and also summarize the signatures that are prune to be nothing or not very important ( like ports scan and others )

If you running an router with ips on it you have limited options with the signatures but if you have an sensor blade or a appliance you can select it to log the packets from the attack and have it analyzed on ethereal or tcpdump. Those would be nice because you would not need to sniff for long time, the IPS will only sniff the attack so you dont have a 80MB file :)

kwallewein Wed, 05/02/2007 - 16:40
User Badges:

I found this response really frustrating.

As the thread title says, it's IOS IPS. That's a router with IPS on it.

Looking up messages in MySDN is obviously NOT sufficient. A large number of signatures may or may not be attacks. How can I tell? Should I respond? Should I raise the threshold? Should I disable the signature?

As I said "I suppose one could just watch the alert chatter and disable or delete signatures that seem too noisy. Doesn't seem very secure."

Everyone says IOS IPS is limited in some mysterious unspecified ways. Nobody says how. It's useless, un-actionable information.

So, am I stuck guessing?


Rodrigo Gurriti Wed, 05/02/2007 - 17:02
User Badges:

Well I'm sorry, if my answer is not to your satisfaction but I've been using MySDN for around 6 months and I find it very useful. MySDN provides me enough information to make some decisions about tunning my IDS's Appliances. To tell you the truth the only router with IPS's that I ever used was 1710 for a SOHO and the IPS options to tune the built in device is very little.

I recommend you getting an NM-CIDS for your router, it provides you with all the customizable options that an IPS appliance like an IDS-4215 would ( 4215 run at speeds of 80mb/s while the CIDS runs at 45).

I dont really recommend an router doing an ASA/IPS applicance job's, but you know if that is your budget.


you can always try :

show ip ips signatures detail | include

so you can identify a few things about the signatures.

kwallewein Wed, 05/02/2007 - 20:24
User Badges:

There's a term from mathematics: "necessary but not sufficient". That's MySDN. Sure, it's a great site, but without knowing more detail about what triggered the alerts, I can't make a valid decision about how to respond.

I'm running an 1811w with very current IOS and lots of RAM, FWIW.

ASA/IPS appliances are new to me. I'm a router man from way back, always felt them to be more powerful than PIXes and the like, but objective info in this business, especially for the small business market, is just about non-existent.

In any case, thanks for the suggestion about the NM-CIDS, but I don't think they're available for 1800s.

If they were, would they protect me from brute force password guessing via RDP (remote desktop protocol) connections? I don't worry about all those wierd, subtle attacks and virus signatures (I have antivirus software, thanks) -- let's just block the script kiddies.


Rodrigo Gurriti Thu, 05/03/2007 - 04:06
User Badges:

yeap they would, I dont know if they have a signature for that, but you always can create one, that is what I did for ssh brutal force. I had about 50 different IPs every day banging on my ssh at least for 3 hours before they would give up, that takes a lot resorces out of my machine.

I created a simple rule, more than 5 trys in less than than 2 mins I'd block the connection :)

PS. you can always use the IDS-4210 running at least 5.1 they are cheepppppp :) that would fix

kwallewein Thu, 05/03/2007 - 06:26
User Badges:

I can only find pricing on IDS-4215: NOT cheap for small businesses that have no on-site IT staff. More expensive than the 1811W router with IOS IPS.

The Cisco techs don't recommend 5.x for IOS yet -- they say it has issues. I'm not clear what the difference is. They also say custom signatures aren't supported.

One thing that puzzles me: the standard set of signatures do NOT seem well suited to typical small businesses. Those are only going to have a few inbound ports open: HTTP, HTTPS, SSL, SMTP, RDP, maybe POP3 if they're crazy. Every one of those should have a prebuilt password guessing signature. Any site that doesn't already run decent virus protection deserves what it gets -- dump those signatures altogether.


Rodrigo Gurriti Thu, 05/03/2007 - 13:54
User Badges:

Well they recomend right now version 6.x because is the lastest out. I 2 customers, one has a 4215 and runs 6.0 and the other one is kind a little be like your case, very low budget but I got him a 4210 with 5.1 software, it does the job and since the has appliance is behind the firewall is harder to exploit the appliance.

it has bugs but since he does not want to get smatnet or a newer appliance like a 4215 the IDS-4210 does the trick

PS. I got it used on EBa*** ( i dont think I can say that here LOL)

kwallewein Thu, 05/03/2007 - 14:13
User Badges:

I got smartnet, no problem there. Man it's a complex topic!


This Discussion