IPS Signature action not being taken

duane (Level 1)

I recently installed an 891 with Advanced IP. I decided to implement the IPS mainly to stop the brute-force attacks on my FTP server.

I read through the documentation and set it up. I think I have it set up correctly, except that it isn't blocking the failed FTP authorizations.

The signature I enabled is 6250:0. Below is some output that shows it is compiled and seeing packets. I also included the relevant lines of the config.

The way I think it is configured is to deny the host after 3 failed attempts. I do not know what time interval it uses to reset that counter. I enabled the signature using CCP.

Signature statistics [process switch:fast switch]
  signature 2157:1: packets checked [0:18] alarmed [0:0] dropped [0:0]
  signature 3106:0: packets checked [0:91] alarmed [0:0] dropped [0:0]
  signature 3109:0: packets checked [0:6] alarmed [0:6] dropped [0:0]
  signature 6250:0: packets checked [21:0] alarmed [0:0] dropped [0:0]
Interfaces configured for ips 1
Session creations since subsystem startup or last reset 3057
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [40:96:3]
Last session created 00:00:10
Last statistic reset never
TCP reassembly statistics
  received 609 packets out-of-order; dropped 12
  peak memory usage 40 KB; current usage: 0 KB
  peak queue length 16

Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits             EC=event-count          AI=alert-interval
GST=global-summary-threshold   SI=summary-interval     SM=summary-mode
SW=swap-attacker-victim        SFR=sig-fidelity-rating Rel=release

SigID:SubID En  Cmp   Action Sev   Trait   EC   AI   GST   SI  SM SW SFR Rel
-----------  --  ---   ------ ---   -----   --   --   ---   --  -- -- --- ---
  6250:0     Y   Y     H      INFO  0       3    0    0     0   FA Y  85  S441
      sig-name: FTP Authorization Failure
      sig-string-info: Failed FTP Logins
      sig-comment: Sig Comment
      sig-type: Anomaly
      Engine string-tcp params:
          min-match-length: 0
          regex-string: [\r\n]530[ ]
          service-ports: 21-21
          direction: from-service
          exact-match-offset: 0
          max-match-offset: 0
          min-match-offset: 0

ip ips config location flash:ips retries 1
ip ips name ips_proc list ips_scan
!
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
   enabled true


interface FastEthernet8
description ISP Link

ip address xx.xx.xx.x
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip ips ips_proc in
ip inspect Ext_In out
ip virtual-reassembly
duplex auto
speed auto
!

ip access-list extended ips_scan
permit ip any any

=================================

After more reading, I see that a license is required. What I read said a subscription was not required to be maintained to use IPS; in essence, signatures dated after the expiration of the subscription would not load. My lack of a license is shown below:

IPS License Status:             Not Installed
        Current Date:           Oct 12 2010
        Expiration Date:        Not Available
        Extension Date:         Not Available
        Signatures Loaded:      Sep 9 2010      S512.0
        Signature Package:      Sep 9 2010      S512.0

Since it is loading the package, I assume it should work.

=============================

I installed an evaluation license; same issue, the traffic is not being blocked. Any ideas on what I am missing?

signature 6250:0: packets checked [29:0] alarmed [0:0] dropped [0:0]

IPS License Status:             Expiring
        Current Date:           Oct 12 2010
        Expiration Date:        Dec 11 2010
        Signatures Loaded:      Sep 9 2010      S512.0
        Signature Package:      Sep 9 2010      S512.0

1 Reply

duane (Level 1)

It looks like the final answer is that I had it configured correctly. The problem I encountered was my testing of the signature. I assumed I could control the interval that was used to track the failed attempts.

I never found a way to do that, and I can't find any documentation that tells me what the interval is. It is fairly small, because I couldn't key in 3 failed attempts fast enough to trigger the deny action. With a little patience, a scripted attack hit my server and it banned it every hour. All 3 attempts are hitting in < one second.

Signature statistics [process switch:fast switch]
  signature 2157:2: packets checked [0:1] alarmed [0:0] dropped [0:0]
  signature 2157:1: packets checked [0:19] alarmed [0:0] dropped [0:0]
  signature 3106:0: packets checked [0:83] alarmed [0:0] dropped [0:0]
  signature 3109:0: packets checked [0:10] alarmed [0:10] dropped [0:0]
  signature 6250:0: packets checked [31:0] alarmed [10:0] dropped [0:0]
                     deny acl's created 10
  signature 6056:0: packets checked [1:0] alarmed [1:0] dropped [0:0]
Interfaces configured for ips 1
