Cisco IOS IPS?

Answered Question
May 29th, 2007

Hi,

I am currently studying CCSP SNRS by Greg Bastien. I have the following lab scenario and would like clarification on what I am seeing. I want to verify that my IPS setup is working, so I have run an 'angry ip' port/IP address scan at the router. When I use 'sh ip ips statistics' I see 'signature 3051:1 packets checked: [0:1]', which translates to 'TCP Connection Window Size DoS ATOMIC.TCP'.

Is this signature 3051 an indication that the router has seen the IP scan and considered it a reconnaissance attack? Are there any other ways of verifying the attack?

Correct Answer by ymzhang, Tue, 05/29/2007 - 10:08

Hi,

If you see signature alert messages, then it means there is a match and IPS fires an alert message, which is the default setting of a signature.

In your case, it only means that the 3051:1 signature saw one packet matching, so it just recorded the information. For this signature to fire (which means for the IPS to identify an attack), it has to check other parameters as well.

If you look into the details of the definition of this signature, it has global summary threshold and summary interval settings, which means the IPS has to see this signature match within the summary interval for the number of times defined in the summary threshold; then it will validate a signature match, thus send an alarm and perform the actions defined in the signature.

So in your case, it just shows there is a packet matching this signature. You might be able to find more detailed information if you run a sniffer and capture your 'angry ip' traffic sent to the router.

Thanks,

-Chris
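The distinction the answer draws, between a match that is only counted in the statistics and a match that actually raises an alarm, can be modelled as a count-within-interval check. The Python below is an added illustration, not Cisco code and not the real parameters of signature 3051:1: the threshold of 5 matches, the 10 second interval and the packet timestamps are all constructed assumptions chosen to show the three cases a practitioner cares about (a single scan packet, a burst, and a slow scan that never fills the window).

```python
"""Model of "packet counted" versus "alarm fired" for an IPS signature.

Added example, not Cisco's implementation. A single matching packet bumps the
per-signature counter; an alarm (and the signature's configured action) is only
raised once the number of matches seen inside one summary interval reaches the
summary threshold. All numeric values below are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass, field

SUMMARY_THRESHOLD = 5      # assumed: matches needed inside one interval
SUMMARY_INTERVAL = 10.0    # assumed: interval length in seconds


@dataclass
class SignatureState:
    sig_id: str
    summary_threshold: int
    summary_interval: float
    packets_checked: int = 0          # every match, alarm or not
    alarms: int = 0                   # only threshold-validated matches
    _window: deque = field(default_factory=deque, repr=False)

    def observe(self, t: float) -> bool:
        """Record one matching packet seen at time t (seconds).

        Returns True when this packet completes a burst that reaches the
        summary threshold inside the summary interval, i.e. an alarm fires.
        """
        self.packets_checked += 1
        self._window.append(t)
        # Forget matches that are older than one summary interval.
        while self._window and t - self._window[0] > self.summary_interval:
            self._window.popleft()
        if len(self._window) >= self.summary_threshold:
            self.alarms += 1
            self._window.clear()      # one alarm per burst
            return True
        return False


def replay(sig: SignatureState, timestamps):
    """Feed constructed match timestamps to the signature; return alarm times."""
    return [t for t in timestamps if sig.observe(t)]


def new_3051() -> SignatureState:
    return SignatureState("3051:1", SUMMARY_THRESHOLD, SUMMARY_INTERVAL)


def single_packet():
    """The poster's situation: one match is counted but nothing fires."""
    sig = new_3051()
    fired = replay(sig, [0.0])
    return sig.packets_checked, sig.alarms, fired


def burst():
    """Five matches within 2 s reach the threshold inside the interval."""
    sig = new_3051()
    fired = replay(sig, [0.0, 0.4, 0.9, 1.3, 1.8, 30.0])
    return sig.packets_checked, sig.alarms, fired


def slow_scan():
    """Five matches 15 s apart: each ages out before the next arrives."""
    sig = new_3051()
    fired = replay(sig, [0.0, 15.0, 30.0, 45.0, 60.0])
    return sig.packets_checked, sig.alarms, fired


if __name__ == "__main__":
    for name, fn in (("single", single_packet), ("burst", burst), ("slow", slow_scan)):
        checked, alarms, fired = fn()
        print(f"{name:6s} checked={checked} alarms={alarms} fired_at={fired}")
```

The takeaway matches the answer: a non-zero "packets checked" counter on its own says only that the engine inspected and matched packets, so to confirm the scan was recognised you want to see the alarm count move (or the syslog/SDEE alert) rather than the match count alone.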
