How to enable IPS IPS/IDS in cisco 2811

ribin.jones
Level 1

Hi all,

I have a Cisco 2811 with IOS Version 12.4(20)T and I need to enable IPS or IDS in this. What is the config for this?

First of all, I need to know whether I can do IPS/IDS in my router as well..

- Ribin

7 Replies

roshan.maskey
Level 1

Hi Ribin,

Cisco routers support IOS IPS 5.x.

The following is the sample configuration:

Step 1: Verify that you have a signature file (128MB.sdf or 256MB.sdf)

router# sh flash

Step 2: Specify the signature-definition file for the router to use

router(config)# ip ips sdf location flash://128MB.sdf

Step 3: Create the signature rule

router(config)# ip ips name myips_rule

Step 4: Apply the IPS rule to an interface

router(config)# interface fa0/0

router(config-if)# ip ips myips_rule in

Step 5: Enable IPS SDEE notification

router(config)# ip ips notify sdee

You can further tune the IPS signatures using SDM.

H2H

Roshan

Hi,

I don't have 128MB.sdf or 256MB.sdf, but I do have an attack-drop.sdf. Any idea what it might be?

Hi,

Also, I see the below from my config prompt:

Router(config)#ip ips ?
  auto-update           Auto Update
  config                Location of IPS configuration files
  deny-action           Specify Deny action
  event-action-rules    Event Action Rules (SEAP)
  fail                  Specify what to do during any failures
  name                  Specify an IPS rule
  notify                Specify the notification mechanisms (SDEE or log) for the alarms
  signature-category    Signature Category
  signature-definition  Signature Definition

I don't see the ips sdf command.

Hi Ribin,

attack-drop.sdf is the basic signature file. You need to download 128MB.sdf or 256MB.sdf, which are also on the SDM disk.

The "ip ips sdf location" command is for 18XX routers.

Use the following command for 28xx:

ip ips config location flash://128MB.sdf

H2H

Roshan

Hi,

I enabled IPS in the router and configured it to notify our log server. Below is the log I received on my log server.

What does IPS do now, and what kind of logs can I expect?

Thanks,

Ribin

Apr 19 14:53:38 192.168.11.10 4546: *Apr 19 09:27:41.254: %SYS-5-CONFIG_I: Configured from console by ribin on vty0 (192.168.11.35)

Apr 19 18:04:29 192.168.11.10 4548: *Apr 19 12:38:32.601: %CRYPTO-6-IPSEC_USING_DEFAULT: IPSec is using default transforms

Apr 19 18:12:10 192.168.11.10 4549: *Apr 19 12:46:14.541: %IPS-6-ENGINE_BUILDS_STARTED: 12:46:14 UTC Apr 19 2009

Apr 19 18:12:10 192.168.11.10 4550: *Apr 19 12:46:14.541: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines

Apr 19 18:12:10 192.168.11.10 4551: *Apr 19 12:46:14.557: %IPS-6-ENGINE_READY: atomic-ip - build time 16 ms - packets for this engine will be scanned

Apr 19 18:12:10 192.168.11.10 4552: *Apr 19 12:46:14.557: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 16 ms

Hi,

Also I see the following error in my log server:

%IPS-3-IPS_FILE_OPEN_ERROR: flash://128MB.sdf/Router11.10-seap-typedef.xml - Requested operation requires a directory

bstiff
Level 1

The recommendation to use the 128MB.sdf or 256MB.sdf is not correct for the version of software that you're using. IOS 12.4(11)T and later use the v5 signatures, available here:

http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup

There is a video demonstration describing the use of Cisco Configuration Professional for IPS, here:

http://www.cisco.com/cdc_content_elements/flash/ios/configios/index.html

The CLI configuration guide is here:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html

Be sure that you configure the IPS to load the 'ios_ips basic' or 'ios_ips advanced' categories. If the router tries to load the default signatures, it will run out of memory and crash.
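For reference, an added example (not posted by anyone in this thread) of the IOS IPS v5-style CLI that the linked guide describes, including the category step above: retire everything and then unretire only the ios_ips basic category so the router does not try to compile the full signature set. The rule name iosips and the directory flash:/ips are assumed; the signature package copy (copy ... idconf) and the realm-cisco.pub key import from the guide are not shown.

```cisco
! Directory that holds the signature package and compiled files (assumed path)
ip ips config location flash:/ips retries 1

! IPS rule name (assumed) and alarm delivery to SDEE and syslog
ip ips name iosips
ip ips notify sdee
ip ips notify log

! Retire all signatures first, then enable only the small "basic" category.
! Loading the default (all) signatures exhausts memory on a 2811.
ip ips signature-category
 category all
  retired true
 exit
 category ios_ips basic
  retired false
 exit
exit

! Apply the rule inbound on the outside interface
interface FastEthernet0/0
 ip ips iosips in
```

After the signature package is loaded, "show ip ips signatures count" reports how many signatures compiled and how many were retired, and the %IPS-6-ENGINE_READY messages in syslog (like those in Ribin's log above) confirm each engine built.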
