SigID:SubID  En  Cmp  Action  Sev   Trait  EC  AI  GST  SI  SM  SW  SFR  Rel
-----------  --  ---  ------  ---   -----  --  --  ---  --  --  --  ---  ---
6250:0       Y   Y    H       INFO  0      3   0   0    0   FA  Y   85   S441

sig-name: FTP Authorization Failure
sig-string-info: Failed FTP Logins
sig-comment: Sig Comment
sig-type: Anomaly
Engine string-tcp params:
  min-match-length: 0
  regex-string: [\r\n]530[ ]
  service-ports: 21-21
  direction: from-service
  exact-match-offset: 0
  max-match-offset: 0
  min-match-offset: 0

ip ips config location flash:ips retries 1
ip ips name ips_proc list ips_scan
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
  enabled true

interface FastEthernet8
 description ISP Link
 ip address xx.xx.xx.x
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip ips ips_proc in
 ip inspect Ext_In out
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip access-list extended ips_scan
 permit ip any any

After more reading, I see that a license is required. What I read said a subscription was not required to be maintained to use IPS. In essence, signatures would not load that were dated after the expiration of the subscription. My lack of license is shown below:

IPS License Status: Not Installed
Current Date: Oct 12 2010
Expiration Date: Not Available
Extension Date: Not Available
Signatures Loaded: Sep 9 2010 S512.0
Signature Package: Sep 9 2010 S512.0

Since it is loading the package, I assume it should work.
I installed an evaluation license. Same issue: the traffic is not being blocked. Any ideas on what I am missing?
It looks like the final answer is, I had it configured correctly. The problem I encountered was my testing of the signature. I assumed I could control the interval that was used to track the failed attempts.
I never found a way to do that and I can't find any documentation that tells me what the interval is. It is fairly small because I couldn't key in 3 failed attempts fast enough to trigger the deny action. A little patience and a scripted attack hit my server and it banned it every hour. All 3 attempts are hitting in < one second.
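
Added example, not part of the original posts and not Cisco's implementation: a small Python model of signature 6250:0 that applies its regex-string to server-to-client FTP bytes and alerts when three failures from one client fall inside a window. The 1000 ms window, the helper names and the sample traffic are assumptions; the thread never establishes the real interval.

```python
import re
from collections import defaultdict, deque

SIG_REGEX = re.compile(rb"[\r\n]530[ ]")  # regex-string of signature 6250:0
EVENT_COUNT = 3      # failed attempts needed, as described in the thread
WINDOW_MS = 1000     # ASSUMPTION: the thread never establishes the real interval

def count_failures(stream_bytes):
    """Count signature matches in server-to-client bytes (direction: from-service)."""
    return len(SIG_REGEX.findall(stream_bytes))

def detect(events, event_count=EVENT_COUNT, window_ms=WINDOW_MS):
    """events: (ts_ms, client_ip, client_port, server_bytes) seen from port 21.
    Returns [(ts_ms, client_ip)] each time event_count failures fall in window_ms."""
    tail = defaultdict(bytes)    # last 4 bytes per connection, so a match can span segments
    recent = defaultdict(deque)  # failure timestamps per client IP
    alerts = []
    for ts, ip, port, data in sorted(events, key=lambda e: e[0]):
        buf = tail[(ip, port)] + data
        tail[(ip, port)] = buf[-4:]  # a match is 5 bytes, so nothing is counted twice
        q = recent[ip]
        q.extend([ts] * count_failures(buf))
        while q and ts - q[0] > window_ms:
            q.popleft()              # forget failures older than the window
        if len(q) >= event_count:
            alerts.append((ts, ip))
            q.clear()
    return alerts

def session(t0, ip, port, gaps_ms):
    """Constructed sample: a banner, then one failed login per gap."""
    events, t = [(t0, ip, port, b"220 FTP ready\r\n")], t0
    for gap in gaps_ms:
        t += gap
        events.append((t, ip, port, b"331 Password required\r\n"))
        events.append((t, ip, port, b"530 Login incorrect.\r\n"))
    return events

# Constructed traffic (documentation addresses): a person typing, then a script.
TYPED = session(0, "192.0.2.10", 40001, [4000, 5000, 4000])
SCRIPTED = session(100000, "198.51.100.7", 40002, [300, 300, 300])

if __name__ == "__main__":
    print(detect(TYPED + SCRIPTED))
```

Because the regex requires a CR or LF before `530 `, a reply only matches once the end of the previous server line is part of the inspected stream, and a multi-line `530-` reply does not match at all.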