Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

IPS Signature action not being taken

I recently installed an 891 with advanced ip. I decided to implement the IPS mainly to stop the bruteforce attacks on my ftp server.

I read through the documentation and set it up. I think I have it setup correctly except it isn't blocking the ftp failed authorizations.

The signature I enabled is 6250:0. Below is some output that show it is compiled and seeing packets. I also included the relevant lines of the config.

The way I think it is configured is to deny the host after 3 failed attempts. I do not know what time interval it uses to reset that counter. I enabled the signature using CCP.

Signature statistics [process switch:fast switch]
  signature 2157:1: packets checked [0:18] alarmed [0:0] dropped [0:0]
  signature 3106:0: packets checked [0:91] alarmed [0:0] dropped [0:0]
  signature 3109:0: packets checked [0:6] alarmed [0:6] dropped [0:0]
  signature 6250:0: packets checked [21:0] alarmed [0:0] dropped [0:0]
Interfaces configured for ips 1
Session creations since subsystem startup or last reset 3057
Current session counts (estab/half-open/terminating) [1:0:0]
Maxever session counts (estab/half-open/terminating) [40:96:3]
Last session created 00:00:10
Last statistic reset never
TCP reassembly statistics
  received 609 packets out-of-order; dropped 12
  peak memory usage 40 KB; current usage: 0 KB
  peak queue length 16

Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits             EC=event-count          AI=alert-interval
GST=global-summary-threshold   SI=summary-interval     SM=summary-mode
SW=swap-attacker-victim        SFR=sig-fidelity-rating Rel=release

SigID:SubID En  Cmp   Action Sev   Trait   EC   AI   GST   SI  SM SW SFR Rel
-----------        --    ----      ------    ---     -----    ----    ----   -----  ---     --    --    ---    ---
  6250:0        Y     Y         H    INFO     0     3      0     0       0    FA  Y   85  S441 
      sig-name: FTP Authorization Failure
      sig-string-info: Failed FTP Logins
      sig-comment: Sig Comment
      sig-type: Anomaly
      Engine string-tcp params:
          min-match-length: 0
          regex-string: [\r\n]530[ ]
          service-ports: 21-21
          direction: from-service
          exact-match-offset: 0
          max-match-offset: 0
          min-match-offset: 0

ip ips config location flash:ips retries 1
ip ips name ips_proc list ips_scan
!
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
   enabled true


interface FastEthernet8
description ISP Link

ip address xx.xx.xx.x
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip ips ips_proc in
ip inspect Ext_In out
ip virtual-reassembly
duplex auto
speed auto
!

ip access-list extended ips_scan
permit ip any any

=================================

After more reading, I see that a license is required. What I read said a subscription was not required to be maintained to use IPS. In essence signatures would not load that were dated after the expiration of the subscription. my lack of license is show below:

IPS License Status:             Not Installed
        Current Date:           Oct 12 2010
        Expiration Date:        Not Available
        Extension Date:         Not Available
        Signatures Loaded:      Sep 9 2010      S512.0
        Signature Package:      Sep 9 2010      S512.0

Since it is loading the package, I assume it should work.

=============================

I installed an evaluation license, same issue, the traffic is not being blocked, any ideas on what I am missing?

signature 6250:0: packets checked [29:0] alarmed [0:0] dropped [0:0]

IPS License Status:             Expiring
        Current Date:           Oct 12 2010
        Expiration Date:        Dec 11 2010
        Signatures Loaded:      Sep 9 2010      S512.0
        Signature Package:      Sep 9 2010      S512.0

1 REPLY
Community Member

Re: IPS Signature action not being taken

It looks like the final answer is, I had it configured correctly. The problem I encountered was my testing of the signature. I assumed I could control the interval that was used to track the failed attempts.

I never found a way to do that and I can't find any documentation that tells me what the interval is. It is fairly small because I couldn't key in 3 failed attempts fast enough to trigger the deny action. A little patience and a scripted attack hit my server and it banned it every hour. All 3 attempts are hitting in < one second.

Signature statistics [process switch:fast switch]
  signature 2157:2: packets checked [0:1] alarmed [0:0] dropped [0:0]
  signature 2157:1: packets checked [0:19] alarmed [0:0] dropped [0:0]
  signature 3106:0: packets checked [0:83] alarmed [0:0] dropped [0:0]
  signature 3109:0: packets checked [0:10] alarmed [0:10] dropped [0:0]
  signature 6250:0: packets checked [31:0] alarmed [10:0] dropped [0:0]
                     deny acl's created 10
  signature 6056:0: packets checked [1:0] alarmed [1:0] dropped [0:0]
Interfaces configured for ips 1

626
Views
4
Helpful
1
Replies
CreatePlease to create content