IOS Based IPS
pitviper (Member, Posts: 1,376)
Is it any good? I understand the configuration needed @ the CCNA:S level, but I can’t seem to get it to actually react to ANYTHING! I tried massive port scans, DOS tools, generating lots of traffic (opened up 1000 simultaneous streams w/iperf) and various other goodies = nothing. I have it set up on all interfaces, have attacked from the LAN, DMZ, and outside – even opened everything up to one of the DMZ boxes (it’s in a lab, not connected to the internet), NOTHING! Signatures are active, nothing hits. I’m contemplating opening a VMWare image up to the outside world in the DMZ and letting everything in, but I don’t have enough faith at this point that the IPS will actually show me anything!
CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
Comments
mikej412 (Member, Posts: 10,086)
Are you sure the signatures compiled correctly?
show ip ips signature count
Did you configure from the command line or SDM?
Cisco Certifications -- Collect the Entire Set!
pitviper (Member, Posts: 1,376)
> Are you sure the signatures compiled correctly?
> show ip ips signature count
> Did you configure from the command line or SDM?
Appears so – tried via CLI and SDM, current config is SDM:
c2821_SEC#sh ip ips sig count
Cisco SDF release version S409.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 13
multi-string enabled signatures: 9
multi-string retired signatures: 7
multi-string compiled signatures: 6
Signature Micro-Engine: service-http: Total Signatures 712
service-http enabled signatures: 149
service-http retired signatures: 578
service-http compiled signatures: 134
service-http obsoleted signatures: 2
Signature Micro-Engine: string-tcp: Total Signatures 1594
string-tcp enabled signatures: 639
string-tcp retired signatures: 1347
string-tcp compiled signatures: 247
string-tcp obsoleted signatures: 21
Signature Micro-Engine: string-udp: Total Signatures 78
string-udp enabled signatures: 2
string-udp retired signatures: 77
string-udp compiled signatures: 1
string-udp obsoleted signatures: 1
Signature Micro-Engine: state: Total Signatures 33
state enabled signatures: 16
state retired signatures: 20
state compiled signatures: 13
Signature Micro-Engine: atomic-ip: Total Signatures 341
atomic-ip enabled signatures: 94
atomic-ip retired signatures: 275
atomic-ip compiled signatures: 66
Signature Micro-Engine: string-icmp: Total Signatures 3
string-icmp enabled signatures: 0
string-icmp retired signatures: 3
Signature Micro-Engine: service-ftp: Total Signatures 3
service-ftp enabled signatures: 1
service-ftp retired signatures: 2
service-ftp compiled signatures: 1
Signature Micro-Engine: service-rpc: Total Signatures 76
service-rpc enabled signatures: 44
service-rpc retired signatures: 50
service-rpc compiled signatures: 26
Signature Micro-Engine: service-dns: Total Signatures 39
service-dns enabled signatures: 27
service-dns retired signatures: 10
service-dns compiled signatures: 29
service-dns obsoleted signatures: 1
Signature Micro-Engine: normalizer: Total Signatures 9
normalizer enabled signatures: 8
normalizer retired signatures: 1
normalizer compiled signatures: 8
Signature Micro-Engine: service-smb-advanced: Total Signatures 49
service-smb-advanced enabled signatures: 42
service-smb-advanced retired signatures: 29
service-smb-advanced compiled signatures: 20
Signature Micro-Engine: service-msrpc: Total Signatures 31
service-msrpc enabled signatures: 26
service-msrpc retired signatures: 24
service-msrpc compiled signatures: 7
service-msrpc obsoleted signatures: 1
Total Signatures: 2981
Total Enabled Signatures: 1057
Total Retired Signatures: 2423
Total Compiled Signatures: 558
Total Obsoleted Signatures: 26
CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
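One way to sanity-check that `show ip ips signature count` output before concluding the sensor is dead: parse it into per-engine counters, list the engines that have nothing compiled (an engine with zero compiled signatures can never fire, whatever is "enabled"), and confirm that the router's own "Total ..." lines add up to the per-engine sums. This is an added example, not code from the thread or from Cisco; the sample input is a constructed, trimmed copy of the output quoted above (three engines, with the totals recomputed for that subset), and the parser handles the full output as well.

```python
import re
from dataclasses import dataclass

# Constructed sample: three engines taken from the output quoted in the thread,
# with the "Total" lines recomputed for this subset so the report adds up.
SAMPLE_OUTPUT = """\
Cisco SDF release version S409.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 13
multi-string enabled signatures: 9
multi-string retired signatures: 7
multi-string compiled signatures: 6
Signature Micro-Engine: string-icmp: Total Signatures 3
string-icmp enabled signatures: 0
string-icmp retired signatures: 3
Signature Micro-Engine: service-dns: Total Signatures 39
service-dns enabled signatures: 27
service-dns retired signatures: 10
service-dns compiled signatures: 29
service-dns obsoleted signatures: 1
Total Signatures: 55
Total Enabled Signatures: 36
Total Retired Signatures: 20
Total Compiled Signatures: 35
Total Obsoleted Signatures: 1
"""

ENGINE_RE = re.compile(r"^Signature Micro-Engine: (\S+): Total Signatures (\d+)$")
COUNTER_RE = re.compile(r"^(\S+) (enabled|retired|compiled|obsoleted) signatures: (\d+)$")
TOTAL_RE = re.compile(r"^Total (?:(Enabled|Retired|Compiled|Obsoleted) )?Signatures: (\d+)$")


@dataclass
class Engine:
    """Counters for one signature micro-engine; missing lines stay at 0."""
    name: str
    total: int
    enabled: int = 0
    retired: int = 0
    compiled: int = 0
    obsoleted: int = 0


def parse_sig_count(text):
    """Parse the command output into ({engine_name: Engine}, {counter: reported_total})."""
    engines, totals = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENGINE_RE.match(line)
        if m:
            engines[m.group(1)] = Engine(m.group(1), int(m.group(2)))
            continue
        m = COUNTER_RE.match(line)
        if m and m.group(1) in engines:
            setattr(engines[m.group(1)], m.group(2), int(m.group(3)))
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals[(m.group(1) or "total").lower()] = int(m.group(2))
    return engines, totals


def uncompiled_engines(engines):
    """Engines with no compiled signatures at all: nothing in them can ever alert."""
    return sorted(name for name, e in engines.items() if e.compiled == 0)


def suspicious_engines(engines):
    """Engines that show enabled signatures but none compiled: the signatures
    were turned on but never made it into the running sensor."""
    return sorted(name for name, e in engines.items() if e.enabled > 0 and e.compiled == 0)


def verify_totals(engines, totals):
    """Compare each reported 'Total ...' line with the sum over engines.
    Returns {counter: (sum_over_engines, reported)} for mismatches only;
    an empty dict means the report is internally consistent."""
    sums = {
        "total": sum(e.total for e in engines.values()),
        "enabled": sum(e.enabled for e in engines.values()),
        "retired": sum(e.retired for e in engines.values()),
        "compiled": sum(e.compiled for e in engines.values()),
        "obsoleted": sum(e.obsoleted for e in engines.values()),
    }
    return {k: (sums.get(k), v) for k, v in totals.items() if sums.get(k) != v}


if __name__ == "__main__":
    engines, totals = parse_sig_count(SAMPLE_OUTPUT)
    for e in engines.values():
        print(f"{e.name:24} enabled={e.enabled:4} compiled={e.compiled:4} retired={e.retired:4}")
    print("no compiled signatures:", uncompiled_engines(engines))
    print("enabled but not compiled:", suspicious_engines(engines))
    print("total mismatches:", verify_totals(engines, totals) or "none")
```

In the output quoted above only string-icmp has nothing compiled, and there it is because nothing is enabled, so the counts themselves do not explain why no signature fired; that points at the signature set being tested against rather than at compilation, which is what the later posts in the thread bear out.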
pitviper (Member, Posts: 1,376)
Is it possible that I don't have the correct sigs enabled for the attacks that I'm testing?
CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
pitviper (Member, Posts: 1,376)
Disabled all sigs, turned them back on, now everything is working = lots of beautiful “UDP Bomb” messages on the syslog server. Changed the action to “deny attacker inline” and it worked like a charm – also killed my SDM connection since I was managing from the same PC.
Now it's time to feed an XP VMWare image to the lions.
CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT