02-11-2009 12:46 PM - edited 03-10-2019 04:30 AM
Hi folks,
We've deployed latest IPS signature 5.x Format on 871W routers. All of them have the following:
Router(config)#ip http secure-server
Router(config)#ip ips notify sdee
Router(config)#ip sdee subscriptions 3
Router(config)#ip sdee events 1000
Router(config)#no ip ips notify log
What else do I have to do to send events to MARS? The MARS device is referenced as a logging device in the router config, and for some reason I don't see anything in MARS related to events generated by IPS on the routers in question.
02-12-2009 09:21 AM
SDEE messages are not sent from the router like syslog. They will not magically appear at your MARS box. The router is now an SDEE server and MARS needs to be the SDEE client: contact the server (your router), have credentials, and request the SDEE events.
If you have not configured MARS to go get the SDEE events, they won't appear in MARS.
02-12-2009 04:50 PM
Thanks, man!
I figured it out later and configured MARS by adding IPS under every router in the Security and Monitor Devices section of Device Configuration and Discovery Information. Testing connectivity worked, and it looks like MARS is able to connect to the router via port 443. Now, though, I don't see any incidents relating to IPS events. It can't be that none of the signatures fired on more than 30 routers.
I just don't want to go to the router and enable ips logging with "ip ips notify log" to see if in fact there are any IPS events.
Eugene
02-12-2009 05:34 PM
You can test your event flow by enabling a simple-to-stimulate sig, like 2004 ICMP Echo Reply, and run a few pings past your router. Sometimes it's wise to keep a known signature firing at predetermined intervals so you know when your sensor takes a dirt nap.
02-13-2009 05:43 PM
Sorry, but I think I am still missing something. I manually enabled signature 2004, subsig 0:
Store999_LAB#sh ip ips signature sigid 2004 subid 0
SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
2004:0 Y* Nr A MED 0 1 0 200 30 FA N 100 S1
Then I ran a continuous ping to one of the interfaces where IPS is applied. Nothing seems to happen, even when I log all IPS events to the router's log with "ip ips notify log".
And this is the output of "show ip ips configuration":
Store999_LAB# sh ip ips config
IPS Signature File Configuration Status
Configured Config Locations: flash:ips/
Last signature default load time: 16:48:53 PST Feb 10 2009
Last signature delta load time: 11:55:16 PST Feb 13 2009
Last event action (SEAP) load time: 12:46:13 PST Feb 13 2009
General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS Syslog and SDEE Notification Status
Event notification through syslog is enabled
Event notification through SDEE is enabled
IPS Signature Status
Total Active Signatures: 338
Total Inactive Signatures: 2168
IPS Packet Scanning and Interface Status
IPS Rule Configuration
IPS name IPS
IPS fail closed is disabled
IPS deny-action ips-interface is false
Interface Configuration
Interface FastEthernet4
Inbound IPS rule is IPS
Outgoing IPS rule is not set
Interface Dot11Radio0
Inbound IPS rule is IPS
Outgoing IPS rule is not set
Interface Vlan1
Inbound IPS rule is IPS
Outgoing IPS rule is not set
Interface Vlan3
Inbound IPS rule is IPS
Outgoing IPS rule is not set
IPS Category CLI Configuration:
Category all:
Retire: True
Category ios_ips basic:
Retire: False
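The signature row quoted above (En=Y*, Cmp=Nr) is the state that, as the later reply in this thread shows, meant the signature was retired and could not fire. The following Python script is an added example, not code from the thread or from Cisco: it parses the table printed by "show ip ips signature" and flags signatures that are enabled but not compiled, so you can check a sensor's signature state before looking at the collector. The sample table is constructed: the 2004:0 row is the one from the thread, the other two rows are made-up values. The only interpretation assumed is that a Cmp value of "Y" means compiled and anything else means not compiled.

```python
"""
Parse the signature-status table printed by 'show ip ips signature' on IOS IPS
5.x and flag signatures that are enabled but not compiled, which is the state
the thread's signature 2004:0 was in (En=Y*, Cmp=Nr) while it was retired.
The sample table below is constructed: the 2004:0 row is the one quoted in the
thread, the other two rows are made-up values for illustration.
"""
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
2004:0 Y* Nr A MED 0 1 0 200 30 FA N 100 S1
2001:0 N Nr A INFO 0 1 0 200 30 FA N 100 S1
3041:0 Y Y A HIGH 0 1 0 200 30 FA N 100 S1
"""

COLUMN_COUNT = 14  # SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel


@dataclass
class SigStatus:
    sig_id: int
    sub_id: int
    enabled_flag: str  # raw En column as printed, e.g. 'Y*' or 'N'
    cmp_code: str      # raw Cmp column as printed; 'Y' means compiled (assumption)
    action: str
    severity: str

    @property
    def enabled(self) -> bool:
        return self.enabled_flag.startswith("Y")

    @property
    def compiled(self) -> bool:
        return self.cmp_code == "Y"


def parse_sig_table(text: str) -> list:
    """Return one SigStatus per data row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != COLUMN_COUNT or ":" not in fields[0]:
            continue  # separator line, or something we don't recognise
        sig, sub = fields[0].split(":", 1)
        if not (sig.isdigit() and sub.isdigit()):
            continue  # the 'SigID:SubID' header row
        rows.append(SigStatus(int(sig), int(sub), fields[1], fields[2], fields[3], fields[4]))
    return rows


def find_enabled_but_not_compiled(rows):
    """Signatures that look switched on but cannot fire because they are not compiled."""
    return [r for r in rows if r.enabled and not r.compiled]


def diagnose(rows, sig_id: int, sub_id: int) -> str:
    """One-line verdict for a single signature, to check before blaming the collector."""
    for r in rows:
        if (r.sig_id, r.sub_id) == (sig_id, sub_id):
            if not r.enabled:
                return "disabled"
            if not r.compiled:
                # In the thread this state (Cmp=Nr) turned out to mean the signature
                # was retired in the active category and had to be unretired.
                return f"enabled but not compiled (Cmp={r.cmp_code}); check retired state"
            return "enabled and compiled"
    return "not present"


if __name__ == "__main__":
    table = parse_sig_table(SAMPLE_OUTPUT)
    for r in find_enabled_but_not_compiled(table):
        print(f"{r.sig_id}:{r.sub_id} En={r.enabled_flag} Cmp={r.cmp_code} -> will not fire")
    print("2004:0 ->", diagnose(table, 2004, 0))
```

Paste the real output of "show ip ips signature" in place of SAMPLE_OUTPUT (or read it from a file) and run the script on each router; any row reported by find_enabled_but_not_compiled is a signature that will never produce an event no matter how the SDEE or syslog side is set up.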
02-15-2009 08:00 AM
If you're not seeing any events in your log, your router might not be configured properly. Check out the troubleshooting section of this doc:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps7264/ps6634/IOS_IPS_Technical_Review.pdf
02-16-2009 04:58 PM
Well, thanks a lot for the article. It was nice to walk through all the configuration steps again. I realized why signature 2004 subid 0 didn't fire. My assumption that the basic set has this signature unretired was wrong. It was in fact retired. I had to unretire this particular signature so that alerts started being reported to the router's syslog.
Now back to MARS. I see SDEE reports as well:
Store999_LAB#sh ip sdee alert
Alert storage: 1000 alerts using 480000 bytes of memory
SDEE Alerts
SigID Sig Name SrcIP:SrcPort DstIP:DstPort VRF
or Summary Info
1: 2004:0 ICMP Echo Request 208.181.53.145:8 208.181.53.151:0 NONE
2: 2004:0 ICMP Echo Request 208.181.53.145:8 208.181.53.151:0 NONE
but nothing shows up in MARS under Incidents. I've got 3 subscriptions to SDEE and 1000 events configured for SDEE. And of course "ip ips notify sdee" is present in the router's config.
What else should I do to see at least this alert about fired signature 2004 in MARS?
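The "show ip sdee alert" output above is the router-side evidence that alerts exist, which narrows the problem to the SDEE subscription and the collector. The script below is an added example, not part of the thread or any Cisco or MARS tool: it parses that output into structured records and summarises alerts per signature, so the check "does the router's alert store hold anything?" can be scripted across many routers instead of read by eye. The sample output is constructed from the two rows quoted in the post; the row layout (index, SigID:SubID, name, src:port, dst:port, VRF) is assumed from those rows.

```python
"""
Parse the alert store printed by 'show ip sdee alert' on IOS IPS 5.x and
summarise it per signature, to confirm the router side actually holds alerts
before chasing the SDEE subscription on the collector (MARS in the thread).
The sample output below is constructed from the two alert rows quoted above.
"""
import re
from dataclasses import dataclass

SAMPLE_SDEE_OUTPUT = """\
Alert storage: 1000 alerts using 480000 bytes of memory
SDEE Alerts
SigID Sig Name SrcIP:SrcPort DstIP:DstPort VRF
or Summary Info
1: 2004:0 ICMP Echo Request 208.181.53.145:8 208.181.53.151:0 NONE
2: 2004:0 ICMP Echo Request 208.181.53.145:8 208.181.53.151:0 NONE
"""

# Row layout assumed from the thread: index: sigid:subid <name> src:port dst:port vrf
ALERT_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<sig>\d+):(?P<sub>\d+)\s+(?P<name>.+?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<vrf>\S+)\s*$"
)
STORAGE_RE = re.compile(r"Alert storage:\s+(\d+) alerts using (\d+) bytes of memory")


@dataclass
class SdeeAlert:
    index: int
    sig_id: int
    sub_id: int
    name: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    vrf: str


def parse_storage_line(text):
    """Return (alert_capacity, bytes_reserved) from the storage line, or None if absent."""
    m = STORAGE_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_sdee_alerts(text):
    """Return one SdeeAlert per matching row; headers and summary rows are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        alerts.append(SdeeAlert(int(m["idx"]), int(m["sig"]), int(m["sub"]), m["name"],
                                m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["vrf"]))
    return alerts


def summarize(alerts):
    """Per-signature count and distinct source addresses, keyed by (sig_id, sub_id)."""
    out = {}
    for a in alerts:
        entry = out.setdefault((a.sig_id, a.sub_id),
                               {"name": a.name, "count": 0, "sources": set()})
        entry["count"] += 1
        entry["sources"].add(a.src_ip)
    return out


if __name__ == "__main__":
    print("alert store (capacity, bytes):", parse_storage_line(SAMPLE_SDEE_OUTPUT))
    found = parse_sdee_alerts(SAMPLE_SDEE_OUTPUT)
    if not found:
        print("no alerts stored on the router: the signature side still needs attention")
    for (sig, sub), e in summarize(found).items():
        print(f"{sig}:{sub} {e['name']}: {e['count']} alert(s) from {sorted(e['sources'])}")
```

An empty result means the problem is still on the router (signature not firing, no "ip ips notify sdee"); a non-empty result with nothing in the collector points at the SDEE client side, which in the thread's case is the MARS device's credentials and subscription to the router's SDEE server.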