IOS Based IPS

pitviperpitviper Member Posts: 1,376 ■■■■■■■□□□
Is it any good? I understand the configuration need @ the CCNA:S level, but I can’t seem to get it actually react to ANYTHING! I tried massive port scans, DOS tools, generating lots of traffic (opened up 1000 simultaneous streams w/iperf) and various other goodies = nothing. I have it setup on all interfaces, have attacked from the LAN, DMZ, and outside – Even opened everything up to one of the DMZ boxes (It’s in a lab, not connected to the internet), NOTHING! Signatures are active, nothing hits. I’m contemplating opening a VMWare image up to the outside world in the DMZ and letting everything in but I don’t have enough faith at this point that the IPS will actually show me anything!
CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT

Comments

  • mikej412mikej412 Cisco Moderator Member Posts: 10,086 ■■■■■■■■■■
    Are you sure the signatures compiled correctly?
    show ip ips signature count

    Did you configure from the command line or SDM?
    :mike: Cisco Certifications -- Collect the Entire Set!
  • pitviperpitviper Member Posts: 1,376 ■■■■■■■□□□
    mikej412 wrote: »
    Are you sure the signatures compiled correctly?
    show ip ips signature count

    Did you configure from the command line or SDM?

    Appears so – tried via CLI and SDM, current config is SDM:


    c2821_SEC#sh ip ips sig count

    Cisco SDF release version S409.0
    Trend SDF release version V0.0

    Signature Micro-Engine: multi-string: Total Signatures 13
    multi-string enabled signatures: 9
    multi-string retired signatures: 7
    multi-string compiled signatures: 6

    Signature Micro-Engine: service-http: Total Signatures 712
    service-http enabled signatures: 149
    service-http retired signatures: 578
    service-http compiled signatures: 134
    service-http obsoleted signatures: 2

    Signature Micro-Engine: string-tcp: Total Signatures 1594
    string-tcp enabled signatures: 639
    string-tcp retired signatures: 1347
    string-tcp compiled signatures: 247
    string-tcp obsoleted signatures: 21

    Signature Micro-Engine: string-udp: Total Signatures 78
    string-udp enabled signatures: 2
    string-udp retired signatures: 77
    string-udp compiled signatures: 1
    string-udp obsoleted signatures: 1

    Signature Micro-Engine: state: Total Signatures 33
    state enabled signatures: 16
    state retired signatures: 20
    state compiled signatures: 13

    Signature Micro-Engine: atomic-ip: Total Signatures 341
    atomic-ip enabled signatures: 94
    atomic-ip retired signatures: 275
    atomic-ip compiled signatures: 66

    Signature Micro-Engine: string-icmp: Total Signatures 3
    string-icmp enabled signatures: 0
    string-icmp retired signatures: 3

    Signature Micro-Engine: service-ftp: Total Signatures 3
    service-ftp enabled signatures: 1
    service-ftp retired signatures: 2
    service-ftp compiled signatures: 1

    Signature Micro-Engine: service-rpc: Total Signatures 76
    service-rpc enabled signatures: 44
    service-rpc retired signatures: 50
    service-rpc compiled signatures: 26

    Signature Micro-Engine: service-dns: Total Signatures 39
    service-dns enabled signatures: 27
    service-dns retired signatures: 10
    service-dns compiled signatures: 29
    service-dns obsoleted signatures: 1

    Signature Micro-Engine: normalizer: Total Signatures 9
    normalizer enabled signatures: 8
    normalizer retired signatures: 1
    normalizer compiled signatures: 8

    Signature Micro-Engine: service-smb-advanced: Total Signatures 49
    service-smb-advanced enabled signatures: 42
    service-smb-advanced retired signatures: 29
    service-smb-advanced compiled signatures: 20

    Signature Micro-Engine: service-msrpc: Total Signatures 31
    service-msrpc enabled signatures: 26
    service-msrpc retired signatures: 24
    service-msrpc compiled signatures: 7
    service-msrpc obsoleted signatures: 1

    Total Signatures: 2981
    Total Enabled Signatures: 1057
    Total Retired Signatures: 2423
    Total Compiled Signatures: 558
    Total Obsoleted Signatures: 26
    CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
  • pitviperpitviper Member Posts: 1,376 ■■■■■■■□□□
    Is it possible that I don't have the correct sigs enabled for the attacks that I'm testing?
    CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
  • pitviperpitviper Member Posts: 1,376 ■■■■■■■□□□
    Disabled all sigs, turned them back on, now everything is working = lots of beautiful “UDP Bomb” messages on the syslog server. Changed the action to “deny attacker inline” and it worked like a charm – Also killed my SDM connection since I was managing from the same PC.

    Now it's time to feed an XP VMWare image to the lions :)
    CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
Sign In or Register to comment.