Cisco Support Community
Community Member

how to detect blaster virus on IOS IDS router??


I installed a c2610 with IOS version c2600-ik9o3s3-mz.123-1a.bin as my internet access router. Certainly, I enabled all the signatures this version can support in order to detect all the attacks from internal and external. But now two workstations got the Blaster virus and generated plenty of packets. So my router CPU reached 100% and at last stopped service. But I checked my log and did not see any indications from the IDS side. I found the virus workstations by using ip cache flow. Could anybody tell me how to use IOS IDS to detect the viruses? Is there any additional configuration needed on my router? Thank you in advance.

Cisco Employee

Re: how to detect blaster virus on IOS IDS router??

IOS IDS has a *very* limited subset of signatures that it looks for, it does not detect the Blaster virus which is usually found with sig 3327 I believe.

A standalone IDS sensor will detect upwards of 900 different signatures nowadays. A router, with its primary function of routing packets, cannot possibly hope to check every packet against that many sigs. In fact, up till 12.2(15)T it only looked for 59 signatures, most of which were ICMP-type packets. It now looks for 101 signatures but it's still very limited in what it will find. If you want to get serious about IDS then IOS IDS is not for you, as new signatures are rarely added to the code (only once in the last 2 years or so).

Here's a list of the signatures it will currently look for:

The original 59:

plus another 42 added in 12.2(15)T:

Here's a list of all the signatures a true IDS system will capture:

Community Member

Re: how to detect blaster virus on IOS IDS router??

Because my office has just less than ten workstations, I can find the virus workstations easily by using show ip cache flow on my router. But one of my customers has a campus LAN with more than 800 workstations. How can I identify the virus workstations on the network? I once spent half a day identifying two infected workstations out of the 800 stations. Is there any useful and quick way to solve this problem? Can Cisco Standard IDS do it?

Cisco Employee

Re: how to detect blaster virus on IOS IDS router??

The first thing for you to do is to make sure all these systems are running the appropriate patches and virus software. An IDS system is NOT, repeat NOT, an anti-virus solution, never will be. An IDS sensor is used to detect traffic patterns that may be used by attackers to gain access to hosts, networks, etc.

Having said that, we do release signature updates for our IDS system that will detect some virus behaviour, Blaster was one of these. An IDS sensor will fire off signature 3327 (and 3329 with the latest variant) when it detects a buffer overflow attack similar to Blaster. If you look at the source/destination of this traffic then it will tell you what hosts are infected. IOS IDS will NOT do this for you since as I mentioned previously, it is very limited in the signatures that it looks for. A router simply doesn't have the CPU and architecture to compare every packet to over 900 signatures.
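An added example (not from the thread or from Cisco) of the flow-cache approach both posters rely on: it parses `show ip cache flow` output and ranks source hosts by how many distinct destinations they fan out to, which is how a scanning worm stands out among 800 workstations without an IDS sensor. The sample output is constructed; the column layout follows the IOS format, where the protocol and ports are printed in hex (Pr 06 = TCP, DstP 0087 = port 135, the RPC port Blaster probes).

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `show ip cache flow` output (not taken from the thread).
# Columns: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
# Pr and the ports are hex: 06 = TCP, 11 = UDP, 0087 = 135, 0050 = 80.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.5        Fa0/1         10.1.2.10       06 0403 0087     1
Fa0/0         10.1.1.5        Fa0/1         10.1.2.11       06 0404 0087     1
Fa0/0         10.1.1.5        Fa0/1         10.1.2.12       06 0405 0087     1
Fa0/0         10.1.1.5        Fa0/1         10.1.2.13       06 0406 0087     1
Fa0/0         10.1.1.20       Fa0/1         10.1.2.50       06 0BB8 0050    40
Fa0/0         10.1.1.20       Fa0/1         10.1.2.50       06 0BB9 0050    12
Fa0/0         10.1.1.21       Null          10.1.2.50       11 0035 0035     2
"""

# One flow-cache row; the header and the statistics block above it do not match.
FLOW_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)

def parse_flows(text):
    """Yield (src, dst, proto, sport, dport, pkts) with hex fields converted to ints."""
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            _, src, _, dst, pr, sp, dp, pkts = m.groups()
            yield src, dst, int(pr, 16), int(sp, 16), int(dp, 16), int(pkts)

def rank_scanners(text, min_targets=3):
    """Return [(src, distinct_targets, proto, top_dport)] for hosts fanning out
    to at least min_targets distinct (proto, destination) pairs, busiest first.
    A worm scanning for victims shows many targets on one port; a busy server
    client (many packets, one peer) does not."""
    targets = defaultdict(set)
    ports = defaultdict(Counter)
    for src, dst, proto, _sp, dport, _pkts in parse_flows(text):
        targets[src].add((proto, dst))
        ports[src][(proto, dport)] += 1
    result = []
    for src, seen in targets.items():
        if len(seen) >= min_targets:
            (proto, dport), _ = ports[src].most_common(1)[0]
            result.append((src, len(seen), proto, dport))
    return sorted(result, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for src, n, proto, dport in rank_scanners(SAMPLE):
        print(f"{src}: {n} distinct targets, most common dst proto/port {proto}/{dport}")
```

Paste the router's `show ip cache flow` output in place of SAMPLE; hosts at the top of the list with one dominant destination port are the ones to pull off the network and patch.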
