How to enable IPS/IDS in Cisco 2811

Apr 19th, 2009

Hi all,


I have a Cisco 2811 with IOS Version 12.4(20)T and I need to enable IPS or IDS in this. What is the config for this?

First of all, I need to know whether I can do IPS/IDS in my router as well.


- Ribin

roshan.maskey Sun, 04/19/2009 - 03:12

Hi Ribin,


The Cisco router supports IOS IPS 5.x.


The following is the sample configuration:

Step 1: Verify that you have a signature file (128MB.sdf or 256MB.sdf)

router# sh flash


Step 2: Specify the signature definition file the router should use

router(config)# ip ips sdf location flash://128MB.sdf


Step 3: Create the signature rule

router(config)# ip ips name myips_rule


Step 4: Apply the IPS rule to the interface

router(config)# interface fa0/0

router(config-if)# ip ips myips_rule in


Step 5: Enable IPS SDEE notification

router(config)# ip ips notify sdee


You can further tune the IPS signatures using SDM.


H2H

Roshan

ribin.jones Sun, 04/19/2009 - 03:38

Hi,


I don't have 128MB.sdf or 256MB.sdf, but I do have an attack-drop.sdf. Any idea what it might be?

ribin.jones Sun, 04/19/2009 - 03:51

Hi,


Also, I see the following from my config prompt:


Router(config)#ip ips ?
  auto-update           Auto Update
  config                Location of IPS configuration files
  deny-action           Specify Deny action
  event-action-rules    Event Action Rules (SEAP)
  fail                  Specify what to do during any failures
  name                  Specify an IPS rule
  notify                Specify the notification mechanisms (SDEE or log) for the alarms
  signature-category    Signature Category
  signature-definition  Signature Definition



I don't see the ip ips sdf command.

roshan.maskey Sun, 04/19/2009 - 04:05

Hi Ribin,


attack-drop.sdf is the basic signature file. You need to download 128MB.sdf or 256MB.sdf, which is also on the SDM disk.


The "ip ips sdf location" command is for 18xx routers;

use the following command for 28xx:


ip ips config location flash://128MB.sdf


H2H

Roshan

ribin.jones Sun, 04/19/2009 - 04:47

Hi,


I enabled IPS on the router and configured it to notify our log server. Below is the log I received on my log server.


What does IPS do now, and what kind of logs can I expect?


Thanks,

Ribin



Apr 19 14:53:38 192.168.11.10 4546: *Apr 19 09:27:41.254: %SYS-5-CONFIG_I: Configured from console by ribin on vty0 (192.168.11.35)

Apr 19 18:04:29 192.168.11.10 4548: *Apr 19 12:38:32.601: %CRYPTO-6-IPSEC_USING_DEFAULT: IPSec is using default transforms

Apr 19 18:12:10 192.168.11.10 4549: *Apr 19 12:46:14.541: %IPS-6-ENGINE_BUILDS_STARTED: 12:46:14 UTC Apr 19 2009

Apr 19 18:12:10 192.168.11.10 4550: *Apr 19 12:46:14.541: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines

Apr 19 18:12:10 192.168.11.10 4551: *Apr 19 12:46:14.557: %IPS-6-ENGINE_READY: atomic-ip - build time 16 ms - packets for this engine will be scanned

Apr 19 18:12:10 192.168.11.10 4552: *Apr 19 12:46:14.557: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 16 ms


ribin.jones Sun, 04/19/2009 - 06:06

Hi,


Also, I see the following error on my log server:


%IPS-3-IPS_FILE_OPEN_ERROR: flash://128MB.sdf/Router11.10-seap-typedef.xml - Requested operation requires a directory
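The two posts above ask what the router's IPS messages mean and then report an %IPS-3-IPS_FILE_OPEN_ERROR. As an added example that is not part of the thread, the following Python script parses Cisco IOS syslog lines of the form `%FACILITY-SEVERITY-MNEMONIC: text`, keeps only the IPS facility, tracks engine builds, and turns the "Requested operation requires a directory" error into a plain diagnosis: the configured location points at a file (the .sdf) where the router expects a directory to write its own configuration files. The sample log lines are the ones posted in the thread; the final `%IPS-4-SIGNATURE` alert line is constructed and its format is an assumption, included only to show where a real detection event would be collected.

```python
import re
from typing import List, Optional

# Cisco IOS syslog message tag: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Detail formats taken from the engine-build lines posted in the thread
BUILDING_RE = re.compile(r"^(?P<engine>[\w-]+) - (?P<sigs>\d+) signatures - \d+ of (?P<total>\d+) engines")
READY_RE = re.compile(r"^(?P<engine>[\w-]+) - build time (?P<ms>\d+) ms")
FILE_ERR_RE = re.compile(r"^(?P<path>\S+) - (?P<reason>.+)$")
# Assumed layout of a signature alert (not shown in the thread): Sig:<id> Subsig:<n> Sev:<n> <name> [src -> dst]
SIG_RE = re.compile(r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) (?P<name>.+?) \[(?P<src>\S+) -> (?P<dst>\S+)\]")

# Log lines as posted in the thread; the first is a non-IPS message kept to show filtering,
# the last is a constructed alert line in the assumed format above.
SAMPLE_LOG = [
    "Apr 19 14:53:38 192.168.11.10 4546: *Apr 19 09:27:41.254: %SYS-5-CONFIG_I: Configured from console by ribin on vty0 (192.168.11.35)",
    "Apr 19 18:12:10 192.168.11.10 4549: *Apr 19 12:46:14.541: %IPS-6-ENGINE_BUILDS_STARTED: 12:46:14 UTC Apr 19 2009",
    "Apr 19 18:12:10 192.168.11.10 4550: *Apr 19 12:46:14.541: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines",
    "Apr 19 18:12:10 192.168.11.10 4551: *Apr 19 12:46:14.557: %IPS-6-ENGINE_READY: atomic-ip - build time 16 ms - packets for this engine will be scanned",
    "Apr 19 18:12:10 192.168.11.10 4552: *Apr 19 12:46:14.557: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 16 ms",
    "%IPS-3-IPS_FILE_OPEN_ERROR: flash://128MB.sdf/Router11.10-seap-typedef.xml - Requested operation requires a directory",
    "Apr 19 18:20:01 192.168.11.10 4553: *Apr 19 12:54:05.100: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.11.35:0 -> 192.168.11.10:0]",
]


def parse_ips_message(line: str) -> Optional[dict]:
    """Return severity/mnemonic/text for an IPS-facility syslog line, None for anything else."""
    m = MSG_RE.search(line)
    if m is None or m.group("facility") != "IPS":
        return None
    return {"severity": int(m.group("severity")), "mnemonic": m.group("mnemonic"), "text": m.group("text")}


def explain_file_open_error(text: str) -> str:
    """Translate an IPS_FILE_OPEN_ERROR detail into an actionable diagnosis."""
    m = FILE_ERR_RE.match(text)
    if m is None:
        return "IPS_FILE_OPEN_ERROR: " + text
    path, reason = m.group("path"), m.group("reason")
    if "requires a directory" in reason:
        # The router appended its own file name under the configured location and failed,
        # so the location names a file (the .sdf) where a directory is required.
        return f"{path}: 'ip ips config location' must name a directory, not a signature file"
    return f"{path}: {reason}"


def summarize(lines: List[str]) -> dict:
    """Aggregate engine builds, problems and signature alerts from a list of syslog lines."""
    summary = {"engines": {}, "total_engines": None, "all_builds_complete": False, "problems": [], "alerts": []}
    for line in lines:
        ev = parse_ips_message(line)
        if ev is None:
            continue
        mn, text = ev["mnemonic"], ev["text"]
        if mn == "ENGINE_BUILDING":
            m = BUILDING_RE.match(text)
            if m:
                summary["engines"].setdefault(m.group("engine"), {})["signatures"] = int(m.group("sigs"))
                summary["total_engines"] = int(m.group("total"))
        elif mn == "ENGINE_READY":
            m = READY_RE.match(text)
            if m:
                summary["engines"].setdefault(m.group("engine"), {})["build_ms"] = int(m.group("ms"))
        elif mn == "ALL_ENGINE_BUILDS_COMPLETE":
            summary["all_builds_complete"] = True
        elif mn == "IPS_FILE_OPEN_ERROR":
            summary["problems"].append(explain_file_open_error(text))
        elif mn == "SIGNATURE":
            m = SIG_RE.search(text)
            if m:
                summary["alerts"].append({"sig": int(m.group("sig")), "name": m.group("name"),
                                          "src": m.group("src"), "dst": m.group("dst")})
        elif ev["severity"] <= 3:
            # Any other error-level IPS message is worth surfacing as-is
            summary["problems"].append(f"{mn}: {text}")
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"engines built: {result['engines']} of {result['total_engines']} total, complete={result['all_builds_complete']}")
    for p in result["problems"]:
        print("PROBLEM:", p)
    for a in result["alerts"]:
        print("ALERT:", a)
```

Run against the thread's lines, the summary shows a single engine (atomic-ip, 3 signatures) out of 13 built, the build marked complete, and one problem pointing at the config location. The engine-build messages are informational (severity 6) and only say which engines are scanning; actual detections arrive as separate, higher-severity IPS messages, which is what the `alerts` list collects.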

bstiff Wed, 05/06/2009 - 13:16

The recommendation to use the 128MB.sdf or 256MB.sdf is not correct for the version of software that you're using. IOS 12.4(11)T and later use the v5 signatures, available here:


http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup


There is a video demonstration describing the use of Cisco Configuration Professional for IPS, here:


http://www.cisco.com/cdc_content_elements/flash/ios/configios/index.html


The CLI configuration guide is here:


http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html


Be sure that you configure the IPS to load the 'ios_ips basic' or 'ios_ips advanced' categories. If the router tries to load the default signatures, it will run out of memory and crash.
