Enable Ping Signature on cisco IPS

Answered Question
May 1st, 2012

Hi,

I have enabled signature for ping  2000 and 2004 and i have set them sev to high still i am not get alert.

I also did nmap attack and it give alert

how can i achieve this ?

thanksssssssssss                   

I have this problem too.
0 votes
Correct Answer by sawgupta about 1 year 11 months ago

Yes using IDM you can select multiple signatures and right-click -> Enable.

Regards,

Sawan Gupta

Correct Answer by ruppala about 1 year 11 months ago

Signature 2000-0 triggers on ICMP Echo Replies and 2004-0 triggers on ICMP Echo Requests.  Note that these are

extremely common network traffic. If you have enabled and unretired the sigs and if the sigs fire when tested using NMAP, they seem to be working fine. May be theres some other device on your network thats blocking such packets.

Correct Answer by Todd Pula about 1 year 11 months ago

2000 and 2004 are retired by default now.  You will need to make sure that you both enable and unretire these signatures before testing.

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (3 ratings)
Correct Answer
Todd Pula Wed, 05/02/2012 - 14:23

2000 and 2004 are retired by default now.  You will need to make sure that you both enable and unretire these signatures before testing.

Correct Answer
ruppala Fri, 05/04/2012 - 16:43

Signature 2000-0 triggers on ICMP Echo Replies and 2004-0 triggers on ICMP Echo Requests.  Note that these are

extremely common network traffic. If you have enabled and unretired the sigs and if the sigs fire when tested using NMAP, they seem to be working fine. May be theres some other device on your network thats blocking such packets.

alkabeer80 Sat, 05/05/2012 - 00:51

thx Todd Pula and ruppala,

i enable the signature and unretire it it is working, i want to ask why the signature get retired ????

another question i have alot of signature that is not enabled i want to enable all of them for alerting, can i do it without going to each single one and enable it i.e is there anyway (like script) i can u se to enable all of them in one time ???

thankssssssssssssssssssssssssssssssss

sawgupta Sun, 05/06/2012 - 03:59

Unretiring and enabling many signatures would have a performance impact. Only unretire and enable those signatures which are really important.

Regards,

Sawan Gupta

alkabeer80 Sun, 05/06/2012 - 12:00

thx sawan,

what about enabling more than one signature for alerting (config. from CLI) is this applicable ?

thankssssssssssss

sawgupta Sun, 05/06/2012 - 17:53

Yes, enabling a few signatures is fine.

Regards,

Sawan Gupta

alkabeer80 Sun, 05/06/2012 - 21:11

thx sawan, i think i did not explain what is my problem exactly.

i have 1000 signature in IPS (not enabled), i want to enable all of them, i dont want to pass all of them one by one and enable it.

Is there away i can do it, may be some command i can issue ???

thankssssssssssssssssss

Correct Answer
sawgupta Sun, 05/06/2012 - 21:26

Yes using IDM you can select multiple signatures and right-click -> Enable.

Regards,

Sawan Gupta

andreasentali Mon, 10/21/2013 - 00:48

Un-retire the echo request signature (signature 2004, subsig ID 0), enable it and change the signature action to

alert, and drop.

R1(config)# ip ips signature-definition

R1(config-sigdef)# signature 2004 0

R1(config-sigdef-sig)# status

R1(config-sigdef-sig-status)# retired false

R1(config-sigdef-sig-status)# enabled true

R1(config-sigdef-sig-status)# exit

R1(config-sigdef-sig)# engine

R1(config-sigdef-sig-engine)# event-action produce-alert

R1(config-sigdef-sig-engine)# event-action deny-packet-inline

R1(config-sigdef-sig-engine)# exit

R1(config-sigdef-sig)# exit

R1(config-sigdef)# exit

Do you want to accept these changes? [confirm]

andduart Sun, 10/27/2013 - 21:45

Hi,

Maybe as a personal suggestion you can use the summary option for these type of signatures so you wont see or get all the alerts, you can have a summary of them at a time to have some of them fired

Regards,

Sent from Cisco Technical Support iPhone App

Actions

Login or Register to take actions

This Discussion

Posted May 1, 2012 at 9:01 PM
Stats:
Replies:11 Avg. Rating:5
Views:2089 Votes:0
Shares:0

Related Content

Discussions Leaderboard

Rank Username Points
1 816
2 668
3 603
4 526
5 367
Rank Username Points
5
5
5
5
5