Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Enable Ping Signature on cisco IPS

Hi,

I have enabled signature for ping  2000 and 2004 and i have set them sev to high still i am not get alert.

I also did nmap attack and it give alert

how can i achieve this ?

thanksssssssssss                   

Everyone's tags (5)
2 ACCEPTED SOLUTIONS

Accepted Solutions
New Member

Enable Ping Signature on cisco IPS

Signature 2000-0 triggers on ICMP Echo Replies and 2004-0 triggers on ICMP Echo Requests.  Note that these are

extremely common network traffic. If you have enabled and unretired the sigs and if the sigs fire when tested using NMAP, they seem to be working fine. May be theres some other device on your network thats blocking such packets.

Bronze

Enable Ping Signature on cisco IPS

Yes using IDM you can select multiple signatures and right-click -> Enable.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
12 REPLIES

Enable Ping Signature on cisco IPS

2000 and 2004 are retired by default now.  You will need to make sure that you both enable and unretire these signatures before testing.

New Member

which kinds of signatures we

which kinds of signatures we can test with nmap (the id of signature )pleaseeee

New Member

Enable Ping Signature on cisco IPS

Signature 2000-0 triggers on ICMP Echo Replies and 2004-0 triggers on ICMP Echo Requests.  Note that these are

extremely common network traffic. If you have enabled and unretired the sigs and if the sigs fire when tested using NMAP, they seem to be working fine. May be theres some other device on your network thats blocking such packets.

New Member

Enable Ping Signature on cisco IPS

thx Todd Pula and ruppala,

i enable the signature and unretire it it is working, i want to ask why the signature get retired ????

another question i have alot of signature that is not enabled i want to enable all of them for alerting, can i do it without going to each single one and enable it i.e is there anyway (like script) i can u se to enable all of them in one time ???

thankssssssssssssssssssssssssssssssss

Bronze

Enable Ping Signature on cisco IPS

Unretiring and enabling many signatures would have a performance impact. Only unretire and enable those signatures which are really important.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
New Member

Enable Ping Signature on cisco IPS

thx sawan,

what about enabling more than one signature for alerting (config. from CLI) is this applicable ?

thankssssssssssss

Bronze

Enable Ping Signature on cisco IPS

Yes, enabling a few signatures is fine.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
New Member

Enable Ping Signature on cisco IPS

thx sawan, i think i did not explain what is my problem exactly.

i have 1000 signature in IPS (not enabled), i want to enable all of them, i dont want to pass all of them one by one and enable it.

Is there away i can do it, may be some command i can issue ???

thankssssssssssssssssss

Bronze

Enable Ping Signature on cisco IPS

Yes using IDM you can select multiple signatures and right-click -> Enable.

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta
New Member

Enable Ping Signature on cisco IPS

thx Sawan, Todd, ruppla

New Member

Enable Ping Signature on cisco IPS

Un-retire the echo request signature (signature 2004, subsig ID 0), enable it and change the signature action to

alert, and drop.

R1(config)# ip ips signature-definition

R1(config-sigdef)# signature 2004 0

R1(config-sigdef-sig)# status

R1(config-sigdef-sig-status)# retired false

R1(config-sigdef-sig-status)# enabled true

R1(config-sigdef-sig-status)# exit

R1(config-sigdef-sig)# engine

R1(config-sigdef-sig-engine)# event-action produce-alert

R1(config-sigdef-sig-engine)# event-action deny-packet-inline

R1(config-sigdef-sig-engine)# exit

R1(config-sigdef-sig)# exit

R1(config-sigdef)# exit

Do you want to accept these changes? [confirm]

New Member

Re: Enable Ping Signature on cisco IPS

Hi,

Maybe as a personal suggestion you can use the summary option for these type of signatures so you wont see or get all the alerts, you can have a summary of them at a time to have some of them fired

Regards,

Sent from Cisco Technical Support iPhone App

3993
Views
0
Helpful
12
Replies