How to see the events generated by IOS IPS in MARS

Unanswered Question
Feb 11th, 2009
User Badges:

Hi folks,

We've deployed latest IPS signature 5.x Format on 871W routers. All of them have the following:


Router(config)#ip http secure-server

Router(config)#ip ips notify sdee

Router(config)#ip sdee subscriptions 3

Router(config)#ip sdee events 1000

Router(config)#no ip ips notify log


What do I have to do else to send events to MARS. MARS device is referenced as logging device in the router config and for some reason I don't see anything in MARS related to events generated by IPS in the routers in question.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
rhermes Thu, 02/12/2009 - 09:21
User Badges:
  • Gold, 750 points or more

SDEE messages are not sent form the router like syslog. They will not magicly appear at your MARS box. The router is now an SDEE server and MARS need to be the SDEE client, contact the server (your router), have credentials and request the SDEE events.

If you have not configured MARS to go get the SDEE events, they won't appear in MARS.

zheka_pefti Thu, 02/12/2009 - 16:50
User Badges:

Thansk, man!

I figured it later and configured MARS by adding IPS under every router in Security and Monitor Devices section of Device Configuration and Discovery information. Testing connectivity worked and looks like MARS is able to connect to the router via port 443. Now then I don't see any incidents relating to IPS events. It can't be that none of signatures fired on more than 30 routers.

I just don't want to go to the router and enable ips logging with "ip ips notify log" to see if in fact there are any IPS events.


Eugene

rhermes Thu, 02/12/2009 - 17:34
User Badges:
  • Gold, 750 points or more

You can test your event flow by enabling a simple-to-stimulate sig, like 2004 ICMP Echo Reply and run a few pings past your router. Somtimes it's wise to keep a known signature firing at predetermined intervals so you know when your sensor takes a dirt nap.

zheka_pefti Fri, 02/13/2009 - 17:43
User Badges:

Sorry, but I think I am still missing something. I manually enabled signature 2004, subsig 0


Store999_LAB#sh ip ips signature sigid 2004 subid 0


SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel

----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---

2004:0 Y* Nr A MED 0 1 0 200 30 FA N 100 S1


Then I run continuous ping to one of the interfaces where IPS is applied. Nothing seem to happen even if I log all IPS events to the router's log with "ip ips notify log".


And this is the output of "show ip ips configuration"


Store999_LAB# sh ip ips config


IPS Signature File Configuration Status

Configured Config Locations: flash:ips/

Last signature default load time: 16:48:53 PST Feb 10 2009

Last signature delta load time: 11:55:16 PST Feb 13 2009

Last event action (SEAP) load time: 12:46:13 PST Feb 13 2009


General SEAP Config:

Global Deny Timeout: 3600 seconds

Global Overrides Status: Enabled

Global Filters Status: Enabled


IPS Auto Update is not currently configured


IPS Syslog and SDEE Notification Status

Event notification through syslog is enabled

Event notification through SDEE is enabled


IPS Signature Status

Total Active Signatures: 338

Total Inactive Signatures: 2168


IPS Packet Scanning and Interface Status

IPS Rule Configuration

IPS name IPS

IPS fail closed is disabled

IPS deny-action ips-interface is false

Interface Configuration

Interface FastEthernet4

Inbound IPS rule is IPS

Outgoing IPS rule is not set

Interface Dot11Radio0

Inbound IPS rule is IPS

Outgoing IPS rule is not set

Interface Vlan1

Inbound IPS rule is IPS

Outgoing IPS rule is not set

Interface Vlan3

Inbound IPS rule is IPS

Outgoing IPS rule is not set


IPS Category CLI Configuration:

Category all:

Retire: True

Category ios_ips basic:

Retire: False


zheka_pefti Mon, 02/16/2009 - 16:58
User Badges:

Well, thanks a lot for the article. It was nice to walk through all the configuration steps again. I realized why signature 2004 subid 0 didn't fire. My assumption that the basic set has this signature unretired was wrong. It was in fact retired. I had to unretire this particular signature so that an alert start reported to the router's syslog.

Now back to MARS, I see SDEE reports as well:


Store999_LAB#sh ip sdee alert

Alert storage: 1000 alerts using 480000 bytes of memory

SDEE Alerts

SigID Sig Name SrcIP:SrcPort DstIP:DstPort VRF

or Summary Info

1: 2004:0 ICMP Echo Request 208.181.53.145:8 208.181.53.151:0 NONE

2: 2004:0 ICMP Echo Request 208.181.53.145:8 208.181.53.151:0 NONE


but nothing shows up in MARS under incidents. I've got 3 subscriptions to SDEE and 1000 events configured for SDEE. And of course "ip ips notify SDEE" is present in the router's config.

What else should I do to see at least this alert about fired signature 2004 in MARS.



Actions

This Discussion