Guest

Cisco IOS Software Releases 12.3 T

Cisco IOS Intrusion Prevention System

Table Of Contents

Cisco IOS Intrusion Prevention System (IPS)

Contents

Prerequisites for Cisco IOS IPS

Restrictions for Cisco IOS IPS

Information About Cisco IOS IPS

Cisco IOS IPS Overview

Benefits

The Signature Definition File

Signature Micro-Engines: Overview and Lists of Supported Engines

Lists of Supported Signature Engines

Supported Cisco IOS IPS Signatures

How to Load IPS-Based Signatures onto a Router

Installing Cisco IOS IPS on a New Router

Upgrading to the Latest Cisco IOS IPS Signature Definition File (SDF)

Prerequisites

Merging Built-In Signatures with the attack-drop.sdf File

Prerequisites

Monitoring Cisco IOS IPS Signatures via Syslog or SDEE

SDEE Overview

Prerequisites

Troubleshooting Tips

Troubleshooting Cisco IOS IPS

Interpreting Cisco IOS IPS System Messages

Conditions of an SME Build Failure

Configuration Examples

Loading the Default Signatures: Example

Loading the attack-drop.sdf: Example

Merging the attack-drop.sdf File with the Default, Built-in Signatures: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

clear ip ips configuration

clear ip ips statistics

clear ip sdee

copy ips-sdf

debug ip ips

debug ip sdee

ip ips

ip ips deny-action ips-interface

ip ips fail closed

ip ips name

ip ips notify

ip ips po local

ip ips po max-events

ip ips po protected

ip ips po remote

ip ips sdf location

ip ips signature

ip sdee events

ip sdee subscriptions

no ip ips sdf builtin

show ip ips

show ip sdee


Cisco IOS Intrusion Prevention System (IPS)


This module describes the Cisco IOS Intrusion Prevention System (IPS) feature, which restructures the existing Cisco IOS Intrusion Detection System (IDS). Cisco IOS IPS helps to protect a customer's network from internal and external attacks and threats.

Cisco IOS IPS allows customers to choose between any of the following options when loading the signatures onto a device:

Loading the default, built-in signatures

Downloading dynamic signature detection files (SDFs), which are dynamically updated to provide customers with the latest available versions to better detect security threats.

Loading a SDF called "attack-drop.sdf" onto their router. The attack-drop.sdf file contains 118 high fidelity IPS signatures, providing customers with the latest available detection of security threats.

Customers can download the SDF to their router from Cisco.com via the VPN and Security Management Solution (VMS) IDS Management Console (MC) 2.3 network management device, enabling IDS MC to immediately begin scanning for new signatures.

Feature History for Cisco IOS IPS

Release
Modification

12.3(8)T

This feature was introduced, which adds support for Cisco IOS IPS and the Security Device Event Exchange (SDEE) Cisco standard.

12.3(14)T

Support for the following functions were added:

Access to more recent virus and attack signatures via the addition of three more signature micro engines (SMEs)—STRING.TCP, STRING.ICMP, and STRING.UDP.

Intelligent and local shunning, which allows Cisco IOS IPS to shun offending traffic on the same router that Cisco IOS IPS is configured.

The ip ips deny-action ips-interface command, which allows users to choose between two available ACL filter settings for detecting offending packets.

Support for the Post Office Protocol was deprecated and the following commands were removed from the Cisco IOS software: ip ips po local, ip ips po max-events, ip ips po protected, and ip ips po remote.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for Cisco IOS IPS

Restrictions for Cisco IOS IPS

Information About Cisco IOS IPS

How to Load IPS-Based Signatures onto a Router

Configuration Examples

Additional References

Command Reference

Prerequisites for Cisco IOS IPS

VMS IDS MC 2.3 and Cisco Router SDM Support

VMS IDS MC provides a web-based interface for configuring, managing, and monitoring multiple IDS Sensors. Cisco Router and Security Device Manager (SDM) is a web-based device-management tool that allows users to import and edit SDFs from Cisco.com to the router. VMS IDS MC is for network-wide management while SDM is for single-device management. It is strongly recommended that customers download the SDF to an IDS MC 2.3 network management device or an SDM.

Customers can choose to download the SDF to a device other than IDS MC or SDM (such as a router) via command-line interface (CLI); however, this approach is not recommended because it requires the customer to know which signatures come from which signature engines.

Restrictions for Cisco IOS IPS

Signature Support Deprecation

Effective Cisco IOS Release 12.(8)T, the following signatures are no longer supported by Cisco IOS IPS:

1100 IP Fragment Attack (Attack, Atomic)

Triggers when any IP datagram is received with the "more fragments" flag set to 1 or if there is an offset indicated in the offset field. 1

1105 Broadcast Source Address (Compound/Attack)

Triggers when an IP packet with a source address of 255.255.255.255 is detected. This signature may be an indicator of an IP spoof attack or an attempt to subvert a firewall, proxy, or gateway.

1106 Multicast IP Source Address (Compound/Attack)

Triggers when an IP packet with a source address of 224.x.x.x is detected. This signature may be an indicator of an IP spoof attack or an attempt to subvert a firewall, proxy, or gateway.

8000 FTP Retrieve Password File (Attack, Atomic) SubSig ID: 2101

Triggers on string "passwd" issued during an FTP session. May indicate that someone is attempting to retrieve the password file from a machine to crack it and gain unauthorized access to system resources.

Action Configuration via CLI No Longer Supported

Cisco IOS IPS actions (such as resetting the TCP connection) can no longer be configured via CLI. If you are using the attack-drop.sdf signature file, the signatures are preset with actions to mitigate the attack by dropping the packet and resetting the connection, if applicable. If you are using VMS or SDM to deploy signatures to the router, you will need to tune the signatures to use the desired actions before the deployment.

Any CLI that is issued to configure IPS actions will be silently ignored.

Memory Impact on Low-End to Mid-Range Routers

Intrusion detection configuration on certain routers may not be able to support the complete list of signatures due to lack of sufficient memory. Thus, the network administrator may have to select a smaller subset of signatures or choose to use the standard 100 (builtin) signatures that the routers are shipped with.

Information About Cisco IOS IPS

To help secure your network via a signature-based IPS, you should understand the following concepts:

Cisco IOS IPS Overview

Benefits

The Signature Definition File

Signature Micro-Engines: Overview and Lists of Supported Engines

Supported Cisco IOS IPS Signatures

Cisco IOS IPS Overview

The Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog messages or Security Device Event Exchange (SDEE). The network administrator can configure Cisco IOS IPS to choose the appropriate response to various threats. When packets in a session match a signature, Cisco IOS IPS can take any of the following actions, as appropriate:

Send an alarm to a syslog server or a centralized management interface

Drop the packet

Reset the connection

Deny traffic from the source IP address of the attacker for a specified amount of time

Deny traffic on the connection for which the signature was seen for a specified amount of time

Cisco developed its Cisco IOS software-based Intrusion-Prevention capabilities and Cisco IOS Firewall with flexibility in mind, so that individual signatures could be disabled in case of false positives. Generally, it is preferable to enable both the firewall and Cisco IOS IPS to support network security policies. However, each of these features may be enabled independently and on different router interfaces.

Benefits

Dynamic IPS Signatures

IPS signatures are dynamically updated and posted to Cisco.com on a regular basis. Thus, customers can access signatures that help protect their network from the latest known network attacks.

Parallel Signature Scanning

Cisco IOS IPS uses a Parallel Signature Scanning Engine to scan for multiple patterns within a signature micro-engine (SME) at any given time. IPS signatures are no longer scanned on a serial basis.

Named and Numbered Extended ACL support

Prior to Cisco IOS Release 12.3(8)T, only standard, numbered ACLs were supported. Cisco IOS IPS now supports both named and numbered extended ACLs by using at least one of the following commands— ip ips ips-name list acl or ip ips signature signature-id list acl-list.

The Signature Definition File

A Signature Definition file (SDF) has definitions for each signature it contains. After signatures are loaded and complied onto a router running Cisco IOS IPS, IPS can begin detecting the new signatures immediately. If customers do not use the default, built-in signatures that are shipped with the routers, users can choose to download one of two different types of SDFs: the attack-drop.sdf file (which is a static file) or a dynamic SDF (which is dynamically updated and accessed from Cisco.com).

The attack-drop.sdf file is available in flash on all Cisco access routers that are shipped with Cisco IOS Release 12.3(8)T or later. The attack-drop.sdf file can then be loaded directly from flash into the Cisco IOS IPS system. If flash is erased, the attack-drop.sdf file may also be erased. Thus, if you are copying a Cisco IOS image to flash and are prompted to erase the contents of flash before copying the new image, you might risk erasing the attack-drop.sdf file. If this occurs, the router will refer to the built-in signatures within the Cisco IOS image. The attack-drop.sdf file can also be downloaded onto your router from Cisco.com.

To help detect the latest vulnerabilities, Cisco provides signature updates on Cisco.com on a regular basis. Users can use SDM or VMS to download these signature updates, tune the signature parameters as necessary, and deploy the new SDF to a Cisco IOS IPS router.

Signature Micro-Engines: Overview and Lists of Supported Engines

Cisco IOS IPS uses signature micro-engines (SMEs) to load the SDF and scan signatures.

Signatures contained within the SDF are handled by a variety of SMEs. The SDF typically contains signature definitions for multiple engines. The SME typically corresponds to the protocol in which the signature occurs and looks for malicious activity in that protocol.

A packet is processed by several SMEs. Each SME scans for various conditions that can lead to a signature pattern match. When an SME scans the packets, it extracts certain values, searching for patterns within the packet via the regular expression engine.

For a list of supported signature engines, refer to the section Lists of Supported Signature Engines.

Lists of Supported Signature Engines

Table 1 lists supported signature engines and engine-specific parameter exceptions, if applicable.


Note If the SDF contains a signature that requires an engine that is not supported, the engine will be ignored and an error message will be displayed. If a signature within a supported engine contains a parameter that is not supported, the parameter will be ignored and an error message will be displayed.


Table 1 Supported Signature Engines for Cisco IOS IPS 

Signature Engine
Initial Cisco IOS Release Support
Parameter Exceptions1

ATOMIC.L3.IP

12.3(8)T

ATOMIC.ICMP

12.3(8)T

ATOMIC.IPOPTIONS

12.3(8)T

ATOMIC.TCP

12.3(8)T

ATOMIC.UDP

12.3(8)T

SERVICE.DNS

12.3(8)T

SERVICE.HTTP

12.3(8)T

ServicePorts (applicable only in Cisco IOS Release 12.3(8)T)

SERVICE.FTP

12.3(8)T

ServicePorts

SERVICE.SMTP

12.3(8)T

ServicePorts

SERVICE.RPC

12.3(8)T

ServicePorts, Unique, and isSweep

STRING.ICMP

12.3(14)T

STRING.TCP

12.3(14)T

STRING.UDP

12.3(14)T

1 The following parameters, which are defined in all signature engines, are currently not supported: AlarmThrottle=Summarize (all other values are supported), MaxInspectLength, MaxTTL, Protocol, ResetAfterIdle, StorageKey, and SummaryKey.


Table 2 lists support for the 100 signatures that are available in Cisco IOS IDS prior to Cisco IOS Release 12.3(8)T. These 100 signatures are a part of the Cisco IOS IPS builtin SDF. By default, signatures are loaded from this builtin SDF. Table 2 lists support for these 100 signatures under Cisco IOS IPS.


Note Because Cisco IOS IPS counts signatures on the basis of signature-id and subsignature-id, the 100 signatures under Cisco IOS IDS are counted as 132 signatures under Cisco IOS IPS.


Table 2 Support for Signatures Available in Cisco IOS IDS (prior to 12.3(8)T) 

Signature ID
Count
Signature Engine

1000-1006

7

ATOMIC.IPOPTIONS

1101, 1102

2

ATOMIC.L3.IP

1004, 1007

2

ATOMIC.L3.IP

2000-2012, 2150

14

ATOMIC.ICMP

2151, 2154

2

ATOMIC.L3.IP

3038-3043

6

ATOMIC.TCP

3100-3107

8

SERVICE.SMTP

3153, 3154

2

SERVICE.FTP

4050-4052, 4600

4

ATOMIC.UDP

6100-6103

4

SERVICE.RPC

6150-6155

6

SERVICE.RPC

6175, 6180, 6190

3

SERVICE.RPC

6050-6057

8

SERVICE.DNS

6062-6063

2

SERVICE.DNS

3215, 3229, 3223

3

SERVICE.HTTP

5034-5035

2

SERVICE.HTTP

5041, 5043-5045

4

SERVICE.HTTP

5050, 5055, 5071

3

SERVICE.HTTP

5081, 5090, 5123

3

SERVICE.HTTP

5114, 5116-5118

4

SERVICE.HTTP

1100

1

Not applicable. Signature is replaced by 12xx series.

1105-1106

2

Cisco IOS IPS deprecates these signatures, which do not appear in the SDF.

1201-1208

10

OTHER1 (fragment attack signatures)

3050

2

OTHER1 (SYN attack signatures)

3150-3152

3

STRING.TCP

4100

1

STRING.UDP

8000

1

Cisco IOS IPS deprecates these signatures, which do not appear in the SDF.

1 The OTHER engine contains existing, hard-coded signatures. Although the standard SDF contains an entry for these signatures, the engine is not dynamically updated. If the SDF that is loaded onto the engine does not contain the signature, the signature will be treated as though it has been disabled.


Supported Cisco IOS IPS Signatures

Customers can choose to use Cisco IOS IPS in one of the following ways:

Download new signatures that are posted on Cisco.com. These signatures can be obtained at the Cisco Intrusion Prevention Alert Center web page. (You must have a valid Cisco.com account to access this web page.)

Download the attack-drop.sdf file, which contains the signatures that are identified in Table 3.

Table 3 Cisco IOS IPS Signatures Supported in Cisco IOS Release 12.3(8)T 

Signature ID: SubSig ID
Signature Name
Action1
SME
Signature Description

1006:0

IP options-Strict Source Route

A, D

ATOMIC.IPOPTIONS

Triggers on receipt of an IP datagram in which the IP option list for the datagram includes option 2 (Strict Source Routing).

1102:0

Impossible IP Packet

A, D

ATOMIC.L3.IP

Triggers when an IP packet arrives with source equal to destination address. This signature will catch the Land Attack.

1104:0

IP Localhost Source Spoof

A, D

ATOMIC.L3.IP

Triggers when an IP packet with the address of 127.0.0.1, a local host IP address that should never be seen on the network, is detected.

This signature can detect the Blaster attack.

1108:0

IP Packet with Proto 11

A, D

ATOMIC.L3.IP

Alarms upon detecting IP traffic with the protocol set to 11. There have been known "backdoors" running on IP protocol 11.

2154:0

Ping Of Death Attack

A, D

ATOMIC.L3.IP

Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP), the Last Fragment bit is set. The IP offset (which represents the starting position of this fragment in the original packet and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.

3038:0

Fragmented NULL TCP Packet

A, D

ATOMIC.TCP

Triggers when a single, fragmented TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host. A reconnaissance sweep of your network may be in progress.

3039:0

Fragmented Orphaned FIN packet

A, D

ATOMIC.TCP

Triggers when a single, fragmented, orphan TCP FIN packet is sent to a privileged port (having a port number less than 1024) on a specific host. A reconnaissance sweep of your network may be in progress.

3040:0

NULL TCP Packet

A, D

ATOMIC.TCP

Triggers when a single TCP packet with none of the SYN, FIN, ACK, or RST flags set has been sent to a specific host. A reconnaissance sweep of your network may be in progress.

3041:0

SYN/FIN Packet

A, D

ATOMIC.TCP

Triggers when a single TCP packet with the SYN and FIN flags set is sent to a specific host. A reconnaissance sweep of your network may be in progress. The use of this type of packet indicates an attempt to conceal the sweep.

3043:0

Fragmented SYN/FIN Packet

A, D

ATOMIC.TCP

Triggers when a single, fragmented TCP packet with the SYN and FIN flags set is sent to a specific host. A reconnaissance sweep of your network may be in progress. The use of this type of packet indicates an attempt to conceal the sweep.

3129:0

Mimail Virus C Variant File Attachment

A, D, R

SERVICE. SMTP

Fires when an e-mail attachment matching the C Variant of the Mimail virus is detected. The virus sends itself to recipients as the e-mail attachment "photos.zip" that contains the file "photos.jpg.exe" and has "our private photos" in the e-mail subject line. If launched, the virus harvests email addresses and possible mail servers from the infected system.

3140:3

Bagle Virus Activity2

A, D, R

SERVICE.HTTP

Fires when HTTP propagation using .jpeg associated with the .Q variant is detected.

3140:4

Bagle Virus Activity3

A, D, R

SERVICE.HTTP

Fires when HTTP propagation using .php associated with the .Q variant is detected.

3300:0

NetBIOS OOB Data

A, D

ATOMIC.TCP

Triggers when an attempt to send Out Of Band data to port 139 is detected.

5045:0

WWW xterm display attack

A, D, R

SERVICE.HTTP

Triggers when any cgi-bin script attempts to execute the command xterm -display. An attempt to illegally log into your system may be in progress.

5047:0

WWW Server Side Include POST attack

A, D, R

SERVICE.HTTP

Triggers when an attempt is made to embed a server side include (SSI) in an http POST command. An attempt to illegally access system resources may be in progress.

5055:0

HTTP Basic Authentication Overflow

A, D

SERVICE.HTTP

A buffer overflow can occur on vulnerable web servers if a very large username and password combination is used with Basic Authentication.

5071:0

WWW msacds.dll Attack

A, D, R

SERVICE.HTTP

An attempt has been made to execute commands or view secured files, with privileged access. Administrators are highly recommended to check the affected systems to ensure that they have not been illicitly modified.

5081:0

WWW WinNT cmd.exe Access

A, D, R

SERVICE.HTTP

Triggers when the use of the Windows NT cmd.exe is detected in a URL. This signature can catch the NIMDA attack.

5114: 0

5114:1

5114:2

WWW IIS Unicode Attack

A, D, R

SERVICE.HTTP

Triggers when an attempt to exploit the Unicode ../ directory traversal vulnerability is detected. Looks for the commonly exploited combinations that are included in publicly available exploit scripts.

SubSig 2 is know to detect the NIMDA attack.

5126:0

WWW IIS .ida Indexing Service Overflow

A, D, R

SERVICE.HTTP

Alarms if web traffic is detected with the ISAPI extension .ida? and a data size of greater 200 characters.

5159:0

phpMyAdmin Cmd Exec

A, D, R

SERVICE.HTTP

Triggers when access to sql.php with the arguments goto and btnDrop=No is detected.

5184:0

Apache Authentication Module ByPass

A, D, R

SERVICE.HTTP

Fires upon detecting a select statement on the Authorization line of an HTTP header.

5188:0

HTTP Tunneling4

SubSig 0: GotomyPC

A, D, R

SERVICE.HTTP

Triggers when a computer connects to gotomyPC site.

5188:1

HTTP Tunneling

SubSig 1: FireThru

A, D, R

SERVICE.HTTP

Triggers when an attempt to use /cgi-bin/proxy is detected. The /cgi-bin/proxy is used to tunnel connections to other ports using web ports.

5188:2

HTTP Tunneling

SubSig 2: HTTP Port

A, D, R

SERVICE.HTTP

Triggers when a connection is made to exectech-va.com. The site runs a server, which connects to the requested resource and passes the information back to the client on web ports.

5188:3

HTTP Tunneling

SubSig 3: httptunnel

A, D, R

SERVICE.HTTP

Triggers when /index/html? is detected on POST request.

5245:0

HTTP 1.1 Chunked Encoding Transfer

A, D, R

SERVICE.HTTP

Fires when HTTP 1.1 chunked encoding transfer activity is detected.

This signature is known to detect the Scalper Worm.

5326:0

Root.exe access

A, D, R

SERVICE.HTTP

Alarms upon detecting an HTTP request for root.exe.

This signature is known to detect the NIMDA attack.

5329:0

Apache/mod_ssl Worm Probe

A, D, R

SERVICE.HTTP

Fires when a probe by the Apache/mod_ssl worm is detected. If the worm detects a vulnerable web server, a buffer overflow attack is sent to HTTPS port (TCP 443) of the web server. The worm then attempts to propagate itself to the newly infected web server and begins scanning for new hosts to attack.

5364:0

IIS WebDAV Overflow

A, D, R

SERVICE.HTTP

Fires when a long HTTP request (65000+ characters) is detected with an HTTP header option "Translate:". An attack to exploit a weakness in the WebDAV component of the IIS web server may be in progress.

5390:0

Swen Worm HTTP Counter Update Attempt

A, D, R

SERVICE.HTTP

Triggers when an attempt to access the URL "/bin/counter.gif/link=bacillus" is detected. A system may be infected by the Swen worm trying the update a counter on a web page located on the server "ww2.fce.vutbr.cz."

5400:0

Beagle.B (Bagle.B) Web Beacon

A, D, R

SERVICE.HTTP

Fires when a request is made for the script 1.php or 2.php residing on the hosts "www.47df.de" or "www.strato.de," followed by the argument indicating the trojan's listening port number, p=8866.

6055:0

6055:1

6055:2

DNS Inverse Query Buffer Overflow

A, D

R for subsig 1, 2

SERVICE.DNS

Triggers when an IQUERY request arrives with a data section that is greater than 255 characters.

6056:0

6056:1

6056:2

DNS NXT Buffer Overflow

A, D

R for subsig 1, 2

SERVICE.DNS

Triggers when a DNS server response arrives with a long NXT resource where the length of the resource data is greater than 2069 bytes or the length of the TCP stream containing the NXT resource is greater than 3000 bytes.

6057:0

6057:1

6057:2

DNS SIG Buffer Overflow

A, D

R for subsig 1, 2

SERVICE.DNS

Triggers when a DNS server response arrives with a long SIG resource where the length of the resource data is greater than 2069 bytes or the length of the TCP stream that contains the SIG resource is greater than 3000 bytes.

6058:0

6058:1

DNS SRV DoS

A, D

R for subsig 1

SERVICE.DNS

Alarms when a DNS query type SRV and DNS query class IN is detected with more than ten pointer jumps in the SRV resource record.

6059:0

6059:1

6059:2

DNS TSIG Overflow

A, D

R for subsig 2

SERVICE.DNS

Alarms when a DNS query type TSIG is detected and the domain name is greater than 255 characters.

This signature is known to detect the Lion work.

6060:0

6060:1

6060:2

6060:3

DNS Complian Overflow

A, D

R for subsig 2, 3

SERVICE.DNS

Alarms when an NS record is detected with a domain name greater than 255 characters and the IP address is 0.0.0.0, 255.255.255.255 or a multicast address of the form 224.x.x.x.

6100:0

6100:1

RPC Port Registration

A, D

R for subsig 1

SERVICE.RPC

Triggers when attempts are made to register new RPC services on a target host. Port registration is the method used by new services to report their presence to the portmapper and to gain access to a port. Their presence is then advertised by the portmapper.

6101:0

6101:1

RPC Port Unregistration

A, D

R for subsig 1

SERVICE.RPC

Triggers when attempts are made to unregister existing RPC services on a target host. Port unregistration is the method used by services to report their absence to the portmapper and to remove themselves from the active port map.

6104:0

6104:1

RPC Set Spoof

A, D

R for subsig 1

SERVICE.RPC

Triggers when an RPC set request with a source address of 127.x.x.x is detected.

6105:0

6105:1

RPC Unset Spoof

A, D

R for subsig 1

SERVICE.RPC

Triggers when an RPC unset request with a source address of 127.x.x.x is detected.

6188:0

statd dot dot

A, D

SERVICE.RPC

Alarms upon detecting a dot dot slash (../) sequence sent to the statd RPC service.

6189:0

6189:1

statd automount attack

A, D

R for subsig 1

SERVICE.RPC

Alarms upon detecting a statd bounce attack on the automount process. This attack targets a vulnerability in the automount process that could be exploited only via localhost.

6190:0

6190:1

statd Buffer Overflow

A, D

R for subsig 1

SERVICE.RPC

Triggers when a large statd request is sent. This attack could be an attempt to overflow a buffer and gain access to system resources.

6191:0

6191:1

RPC.tooltalk buffer overflow

A, D

R for subsig 1

SERVICE.RPC

Fires when an attempt is made to overflow an internal buffer in the tooltalk rpc program.

6192:0

6192:1

RPC mountd Buffer Overflow

A, D

R for subsig 1

SERVICE.RPC

Triggers on an attempt to overflow a buffer in the RPC mountd application. This attack may result in unauthorized access to system resources.

6193:0

6193:1

RPC CMSD Buffer Overflow

A, D

R for subsig 1

SERVICE.RPC

Fires when an attempt is made to overflow an internal buffer in the Calendar Manager Service Daemon, rpc.cmsd.

6194:0

6194:1

sadmind RPC Buffer Overflow

A, D

R for subsig 1

SERVICE.RPC

Fires when a call to RPC program number 100232 procedure 1 with a UDP packet length greater than 1024 bytes is detected.

6195:0

6195:1

RPC amd Buffer Overflow

A, D

R for subsig 1

SERVICE.RPC

Detects the exploitation of the RPC AMD Buffer Overflow vulnerability. The trigger for this signature is an RPC call to the berkeley automounter daemons rpc program (300019) procedure 7 that has a UDP length greater than 1024 bytes or a TCP stream length greater than 1024 bytes. The TCP stream length is defined by the contents of the two bytes preceding the RPC header in a TCP packet.

6196:0

6196:1

snmpXdmid Buffer Overflow

A, D

R for subsig 1

SERVICE.RPC

Fires when an abnormally long call to the RPC program 100249 (snmpXdmid) and procedure 257 is detected.

6197:0

6197:1

rpc yppaswdd overflow

A, D

R for subsig 0

SERVICE.RPC

Fires when an overflow attempt is detected. This alarm looks for an abnormally large argument in the attempt to access yppaswdd.

6276:0

6276:1

TooltalkDB overflow

A, D

R for subsig 1

SERVICE.RPC

Alarms upon detecting an RPC connection to rpc program number 100083 using procedure 103 with a buffer greater than 1024.

9200:0

Back Door Response (TCP 12345)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 12345, which is a known trojan port for NetBus as others.

9201:0

Back Door Response (TCP 31337)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 31337, which is a known trojan port for BackFire.

9202:0

Back Door Response (TCP 1524)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 1524, which is a common back door placed on machines by worms and hackers.

9203:0

Back Door Response (TCP 2773)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 2773, which is a known trojan port for SubSeven.

9204:0

Back Door Response (TCP 2774)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 2774, which is a known trojan port for SubSeven.

9205:0

Back Door Response (TCP 20034)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 20034, which is a known trojan port for Netbus Pro.

9206:0

Back Door Response (TCP 27374)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 27374, which is a known trojan port for SubSeven.

9207:0

Back Door Response (TCP 1234)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 1234, which is a known trojan port for SubSeven.

9208:0

Back Door Response (TCP 1999)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 1999, which is a known trojan port for SubSeven.

9209:0

Back Door Response (TCP 6711)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 6711, which is a known trojan port for SubSeven.

9210:0

Back Door Response (TCP 6712)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 6712, which is a known trojan port for SubSeven.

9211:0

Back Door Response (TCP 6713)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 6713, which is a known trojan port for SubSeven.

9212:0

Back Door Response (TCP 6776)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 6776, which is a known trojan port for SubSeven.

9213:0

Back Door Response (TCP 16959)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 16959, which is a known trojan port for SubSeven.

9214:0

Back Door Response (TCP 27573)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 27573, which is a known trojan port for SubSeven.

9215:0

Back Door Response (TCP 23432)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 23432, which is a known trojan port for asylum.

9216:0

Back Door Response (TCP 5400)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 5400, which is a known trojan port for back-construction.

9217:0

Back Door Response (TCP 5401)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 5401, which is a known trojan port for back-construction.

9218:0

Back Door Response (TCP 2115)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 2115, which is a known trojan port for bugs.

9223:0

Back Door Response (TCP 36794)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 36794, which is a known trojan port for NetBus as well Bugbear.

9224:0

Back Door Response (TCP 10168)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 10168, which is a known trojan port for lovegate.

9225:0

Back Door Response (TCP 20168)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 20168, which is a known trojan port for lovegate.

9226:0

Back Door Response (TCP 1092)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 1092, which is a known trojan port for lovegate.

9227:0

Back Door Response (TCP 2018)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 2018, which is a known trojan port for fizzer.

9228:0

Back Door Response (TCP 2019)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 2019, which is a known trojan port for fizzer.

9229:0

Back Door Response (TCP 2020)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 2020, which is a known trojan port for fizzer.

9230:0

Back Door Response (TCP 2021)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 2021, which is a known trojan port for fizzer.

9231:0

Back Door Response (TCP 6777)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 6777, which is a known trojan port for Beagle (Bagle).

9232:0

Back Door Response (TCP 5190)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 5190, which is a known trojan port for the Anig worm.

9233:0

Back Door Response (TCP 3127)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 3127, which is a known trojan port for the MyDoom.A / Novarg.A virus.

9236:0

Back Door Response (TCP 3128)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 3128, which is a known trojan port for the MyDoom.B / Novarg.B virus.

9237:0

Back Door Response (TCP 8866)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 8866, which is a known trojan port for the Beagle.B (Bagle.B) virus.

9238:0

Back Door Response (TCP 2766)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 2766, which is a known trojan port for the DeadHat worm.

9239:0

Back Door Response (TCP 2745)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 2745, which is a known trojan port for the Bagle.H-J virus.

9240:0

Back Door Response (TCP 2556)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 2556, which is a known trojan port for the Bagle (.M.N.O.P) virus.

9241:0

Back Door Response (TCP 4751)

A, D

ATOMIC.TCP

Fires upon detecting a TCP SYN/ACK packet from port 4751, which is a known trojan port for the Bagle.U virus.

1 A = alarm, D = drop, R = reset

2 This signature requires port to application mapping (PAM) configuration via the command ip port-map http port 81.

3 This signature requires PAM configuration via the command ip port-map http port 81.

4 This signature requires PAM configuration via the command ip port-map http port 8200.


How to Load IPS-Based Signatures onto a Router

Before configuring Cisco IOS IPS on a router, you should determine which one of the following deployment scenarios best addresses your situation and configure the associated task, as appropriate:

You are installing a new router with the latest version of Cisco IOS IPS.

To perform this task, see the section "Installing Cisco IOS IPS on a New Router."

Your network is transitioning to Cisco IOS IPS in Cisco IOS Release 12.3(8)T or later.

To perform this task, see the section "Upgrading to the Latest Cisco IOS IPS Signature Definition File (SDF)."

You are merging the default (built-in) Cisco IOS IPS signatures with the latest version of the Cisco IOS IPS signature detection file, "attack-drop.sdf."

To perform this task, see the section "Merging Built-In Signatures with the attack-drop.sdf File"

You are loading signatures onto a router via VMS IDS MC or SDM:

To use VMS IDS MC, see the documents on the VMS index.

To use SDM, see the document SDM Intrusion Prevention System (IPS) User's Guide.

After you have configured Cisco IOS IPS on your router, refer to the following optional sections:

Monitoring Cisco IOS IPS Signatures via Syslog or SDEE

Troubleshooting Cisco IOS IPS

Installing Cisco IOS IPS on a New Router

Use this task to install the latest Cisco IOS IPS signatures on a router for the first time.

This task allows you to load the default, built-in signatures or the SDF called "attack-drop.sdf"—but not both. If you want to merge the two signature files, you must load the default, built-in signatures as described in this task. Then, you can merge the default signatures with the attack-drop.sdf file as described in the task "Merging Built-In Signatures with the attack-drop.sdf File."


Note The signatures provided in Flash is the recommended method in Cisco IOS Release 12.3(8)T for IPS attack mitigation.


SUMMARY STEPS

1. enable

2. configure terminal

3. ip ips sdf location url

4. ip ips name ips-name [list acl]

5. ip ips signature signature-id [:sub-signature-id] {delete | disable | list acl-list}

6. ip ips deny-action ips-interface

7. interface type name

8. ip ips ips-name {in | out}

9. exit

10. show ip ips configuration

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip ips sdf location url

Example:

Router(config)# ip ips sdf location disk2:attack-drop.sdf

(Optional) Specifies the location in which the router will load the SDF, "attack-drop.sdf."

Note If this command is not issued, the router will load the default, built-in signatures.

Step 4 

ip ips name ips-name [list acl]

Example:

Router(config)# ip ips name MYIPS

Creates an IPS rule.

Step 5 

ip ips signature signature-id [:sub-signature-id] {delete | disable | list acl-list}

Example:

Router(config)# ip ips signature 1000 disable

(Optional) Attaches a policy to a given signature.

Step 6 

ip ips deny-action ips-interface

Example:

Router(config)# ip ips deny-action ips-interface

(Optional) Creates an ACL filter for the deny actions (denyFlowInline and denyConnectionInline) on the IPS interface rather than ingress interface.

Note You should configure this command only if at least one signature is configured to use the supported deny actions, and if the input interface is configured to for load balancing, and if IPS is configured on the output interface.

Step 7 

interface type number

Example:

Router(config)# interface GigabitEthernet0/1

Configures an interface type and enters interface configuration mode.

Step 8 

ip ips ips-name {in | out}

Example:

Router(config-if)# ip ips MYIPS in

Applies an IPS rule at an interface. This command automatically loads the signatures and builds the signature engines.

Note Whenever signatures are replaced or merged, the router prompt is suspended while the signature engines for the newly added or merged signatures are being built. The router prompt will be available again after the engines are built.

Depending on your platform and how many signatures are being loaded, building the engine can take up to several seconds. It is recommended that you enable logging messages to monitor the engine building status.

Step 9 

exit

Example:

Router(config-if)# exit

Example:

Router(config)# exit

Exits interface and global configuration modes.

Step 10 

show ip ips configuration

Example:

Router# show ip ips configuration

(Optional) Verifies that Cisco IOS IPS is properly configured.

Upgrading to the Latest Cisco IOS IPS Signature Definition File (SDF)

Use this task to replace the existing signatures in your router with the latest IPS signature file, attack-drop.sdf.


Note The latest IPS image will read and convert all commands that begin with the words "ip audit" to "ip ips." For example, the ip audit name command will become the ip ips name command.

Although IPS will accept the audit keyword, it will generate the ips keyword when you show the configuration. Also, if you issue the help character (?), the CLI will display the ips keyword instead of the audit keyword, and the Tab key used for command completion will not recognize the audit keyword.


Prerequisites

To install Cisco IOS IPS, you should load a new Cisco IOS image to your router.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip ips name ips-name

4. ip ips sdf location url

5. no ip ips location in builtin

6. ip ips fail closed

7. interface type name

8. ip ips ips-name {in | out} [list acl]

9. exit

10. show ip ips configuration

11. show ip ips signatures [detailed]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip ips name ips-name

Example:

Router(config)# ip ips name MIPS

Creates an IPS rule.

Step 4 

ip ips sdf location url

Example:

Router(config)# ip ips sdf location disk2:attack-drop.sdf

(Optional) Specifies the location where the router will load the SDF.

If this command is not issued, the router will load the default SDF.

Step 5 

no ip ips location in builtin

Example:

Router(config)# no ip ips location in builtin

(Optional) Instructs the router not load the built-in signatures if it cannot find the specified signature file.

If this command is not issued, the router will load the built-in signatures if the SDF is not found.


Caution If this command is issued and IPS fails to load the SDF, you will receive an error message stating that IPS is completely disabled.

Step 6 

ip ips fail closed

Example:

Router(config)# ip ips fail closed

(Optional) Instructs the router to drop all packets until the signature engine is built and ready to scan traffic.

If this command is issued, one of the following scenarios will occur:

If IPS fails to load the SDF, all packets will be dropped—unless the user specifies an ACL for packets to send to IPS.

If IPS successfully loads the SDF but fails to build a signature engine, all packets that are destined for that engine will be dropped.

If this command is not issued, all packets will be passed without scanning if the signature engine fails to build.

Step 7 

interface type number

Example:

Router(config)# interface GigabitEthernet0/1

Configures an interface type and enters interface configuration mode.

Step 8 

ip ips ips-name {in | out} [list acl]

Example:

Router(config-if)# ip ips MYIPS in

Applies an IPS rule at an interface. This command automatically loads the signatures and builds the signature engines.

list acl—Packets that are permitted via a specified ACL will be scanned by IPS.

Note Whenever signatures are replaced or merged, the router prompt is suspended while the signature engines for the newly added or merged signatures are being built. The router prompt will be available again after the engines are built.

Step 9 

exit

Example:

Router(config)# exit

Exits global configuration mode.

Step 10 

show ip ips configuration

Example:

Router# show ip ips configuration

(Optional) Verifies that Cisco IOS IPS is properly configured.

Step 11 

show ip ips signatures [detailed]

Example:

Router# show ip ips signatures

(Optional) Verifies signature configuration, such as signatures that have been disabled.

Merging Built-In Signatures with the attack-drop.sdf File

You may want to merge the built-in signatures with the attack-drop.sdf file if you find that the built-in signatures are not providing your network with adequate protection from security threats. Use this task to add the SDF and to change default parameters for a specific signature within the SDF or signature engine.

Prerequisites

Before you can merge the attack-drop.sdf file with the built-in signatures, you should already have the built-in signatures loaded onto the router as described in the task "Installing Cisco IOS IPS on a New Router."

SUMMARY STEPS

1. enable

2. configure terminal

3. no ip ips location in builtin

4. ip ips fail closed

5. exit

6. copy [/erase] url ips-sdf

7. copy ips-sdf url

8. configure terminal

9. ip ips signature signature-id[:sub-signature-id] {delete | disable | list acl-list}

10. ip ips sdf location url

11. interface type name

12. ip ips ips-name {in | out}

13. exit

14. exit

15. show ip ips signatures [detailed]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

no ip ips location in builtin

Example:

Router(config)# no ip ips location in builtin

(Optional) Instructs the router not to load the built-in signatures if it cannot find the specified signature file.

If this command is not issued, the router will load the built-in signatures if the SDF is not found.


Caution If this command is issued and IPS fails to load the SDF, you will receive an error message stating that IPS is completely disabled.

Step 4 

ip ips fail closed

Example:

Router(config)# ip ips fail closed

(Optional) Instructs the router to drop all packets until the signature engine is built and ready to scan traffic.

If this command is issued, one of the following scenarios will occur:

If IPS fails to load the SDF, all packets will be dropped—unless the user specifies an ACL for packets to send to IPS.

If IPS successfully loads the SDF but fails to build a signature engine, all packets that are destined for that engine will be dropped.

If this command is not issued, all packets will be passed without scanning if the signature engine fails to build.

Step 5 

exit

Example:

Router(config)# exit

Exits global configuration mode.

Step 6 

copy [/erase] url ips-sdf

Example:

Router# copy disk2:attack-drop.sdf ips-sdf

Loads the SDF in the router. The SDF will merge with the signatures that are already loaded in the router, unless the /erase keyword is issued.

The /erase keyword replaces the built-in signatures with the SDF.

Note The SDF location is not saved in the configuration. The next time the router is reloaded, it will refer to a previously specified SDF location in the configuration or it will load the built-in signatures.

Note Whenever signatures are replaced or merged, the router prompt is suspended while the signature engines for the newly added or merged signatures are being built. The router prompt will be available again after the engines are built.

Depending on your platform and how many signatures are being loaded, building the engine can take up to several seconds. It is recommended that you enable logging messages to monitor the engine building status.

Step 7 

copy ips-sdf url

Example:

Router# copy ips-sdf disk2:my-signatures.sdf

Saves the SDF that was loaded in the previous step to a specified location.

The SDF location will not be saved unless this command is issued.

Step 8 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 9 

ip ips signature signature-id[:sub-signature-id] {delete | disable | list acl-list}

Example:

Router(config)# ip ips signature 1107 disable

(Optional) Instructs the router to scan for the specified signature but not take any action if the signature is detected.

Step 10 

ip ips sdf location url

Example:

Router(config)# ip ips sdf location disk2:my-signatures.sdf

Configures the router to initialize the new SDF.

Step 11 

interface type name

Example:

Router(config)# interface GigabitEthernet0/1

Configures an interface type and enters interface configuration mode.

Step 12 

ip ips ips-name {in | out}

Example:

Router(config-if)# ip ips MYIPS in

Applies an IPS rule at an interface. This command reloads the router and reinitializes Cisco IOS IPS.

list acl—Packets that are permitted via a specified ACL will be scanned by IPS.

Note The router prompt will disappear while the signatures are loading and the signature engines are building. The router prompt will reappear after the signatures have been loaded and the signature engines have been built.

Step 13 

exit

Example:

Router(config-if)# exit

Exits interface configuration mode.

Step 14 

exit

Example:

Router(config)# exit

Exits global configuration mode.

Step 15 

show ip ips signatures [detailed]

Example:

Router# show ip ips signatures

(Optional) Verifies signature configuration, such as signatures that have been disabled or marked for deletion.

Monitoring Cisco IOS IPS Signatures via Syslog or SDEE

Cisco IOS IPS provides two methods to report IPS intrusion alerts—Cisco IOS logging (syslog) and Security Device Event Exchange (SDEE). Use this task to enable SDEE to report IPS intrusion alerts.


Note Effective Cisco IOS Release 12.3(14)T, the Post Office protocol is no longer supported.


SDEE Overview

SDEE is an application-level communication protocol that is used to exchange IPS messages between IPS clients and IPS servers.

SDEE is always running, but it does not receive and process events from IPS unless SDEE notification is enabled. If it is not enabled and a client sends a request, SDEE will respond with a fault response message, indicating that notification is not enabled.

Storing SDEE Events in the Buffer

When SDEE notification is enabled (via the ip ips notify sdee command), 200 hundred events can automatically be stored in the buffer. When SDEE notification is disabled, all stored events are lost. A new buffer is allocated when the notifications are reenabled.

When specifying the size of an events buffer, note the following functionality:

It is circular. When the end of the buffer is reached, the buffer will start overwriting the earliest stored events. (If overwritten events have not yet been reported, you will receive a buffer overflow notice.)

If a new, smaller buffer is requested, all events that are stored in the previous buffer will be lost.

If a new, larger buffer is requested, all existing events will be saved.

Prerequisites

To use SDEE, the HTTP server must be enabled (via the ip http server command). If the HTTP server is not enabled, the router cannot respond to the SDEE clients because it cannot not see the requests.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip ips notify sdee

4. ip sdee events events

5. ip sdee subscriptions subscriptions

6. exit

7. show ip sdee {[alerts] [all] [errors] [events] [configuration] [status] [subscriptions]}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip ips notify sdee

Example:

Router(config)# ip ids notify sdee

Enables SDEE event notification on a router.

Step 4 

ip sdee events events

Example:

Router(config)# ip sdee events 500

(Optional) Sets the maximum number of SDEE events that can be stored in the event buffer. Maximum value: 1000 events.

Note By default, 200 hundred events be stored in the buffer when SDEE is enabled. When SDEE is disabled, all stored events are lost; a new buffer is allocated when the notifications are reenabled.

Step 5 

ip sdee subscriptions subscriptions

Example:

Router(config)# ip sdee subscriptions 1

(Optional) Sets the maximum number of SDEE subscriptions that can be open simultaneously. Valid value ranges from 1 to 3.

Step 6 

exit

Example:

Router(config)# exit

Exits global configuration mode.

Step 7 

show ip sdee {[alerts] [all] [errors] [events] [configuration] [status] [subscriptions]}

Example:

Router# show ip sdee configuration

(Optional) Verifies SDEE configuration information and notification functionality.

Troubleshooting Tips

To print out new SDEE alerts on the router console, issue the debug ip sdee command.

To clear the event buffer or SDEE subscriptions from the router (which helps with error recovery), issue the clear ip sdee command.

Troubleshooting Cisco IOS IPS

This section contains the following information, which may help you troubleshoot Cisco IOS IPS:

Interpreting Cisco IOS IPS System Messages

Conditions of an SME Build Failure

Interpreting Cisco IOS IPS System Messages

Table 4 lists some of the alarm and error messages that may be shown when using Cisco IOS IPS.

Table 4 Cisco IOS IPS System Messages 

System Message
Description
Alarm Messages
%IPS-4-SIGNATURE:Sig:1107 Subsig:0 Sev:2 
RFC1918 address [192.168.121.1:137 -> 
192.168.121.255:137]

An IPS signature has been triggered.

%IPS-5-SIGNATURE:Sig:1107 Subsig:0 Global 
Summary:50 alarms in this interval

A flood of the specified IPS signature has been seen and summarized. (For example, signature 1107 has been seen 50 times.)

Status Messages
%IPS-6-ENGINE_READY:SERVICE.HTTP - 183136 
ms - packets for this engine will be 
scanned

An IPS signature engine has been built and is ready to scan packets.

%IPS-6-ENGINE_BUILD_SKIPPED:STRING.UDP - 
there are no new signature definitions for 
this engine

There are not any signature definitions or changes to the existing signature definitions of an IPS signature engine, and the engine does not need to be rebuilt.

%IPS-5-PACKET_DROP:SERVICE.DNS - packets 
dropped while engine is building

Packets are being dropped because the specified IPS module is not functioning and the ip ips fail closed command is configured.

The message is rate limited to 1 message per 60 seconds.

%IPS-5-PACKET_UNSCANNED:SERVICE.DNS - 
packets passed unscanned while engine is 
building

Packets are passing through the network but are not being scanned because the specified IPS module is not functioning and the ip ips fail closed command is not configured.

The message is rate limited to 1 message per 60 seconds

%IPS-6-SDF_LOAD_SUCCESS:SDF loaded 
successfully from flash:sdf_8http.xml

An SDF is successfully loaded from a given location.

Error Messages
%IPS-3-BUILTIN_SIGS:Configured to load 
builtin signatures 

%IPS-3-BUILTIN_SIGS:Not Configured to load 
builtin signatures 

%IPS-3-BUILTIN_SIGS:Failed to load builtin 
signatures

One of these three messages can be displayed when IPS loads the built-in signatures.

%IPS-5-ENGINE_UNKNOWN: SERVICE.GENERIC - 
unknown engine encountered while parsing 
SDF

The router has encountered an unknown and unsupported signature engine while parsing the SDF.

Note To prevent this message from being generated again, ensure that the SDF being loaded on the router does not contain any engines that are not supported by IPS.

%IPS-5-UNSUPPORTED_PARAM: SERVICE.RPC 
6275:1 isSweep=False - bad parameter - 
removing parameter

The router has encountered an unsupported parameter while parsing the SDF.

The signature is deleted if the unsupported parameter is required for the signature. The parameter is removed from the signature if it is not required.

To prevent this message from being generated again, ensure that the SDF being loaded on the router does not contain any parameters that are not supported by IPS.

%IPS-3-ENGINE_BUILD_FAILED: SERVICE.HTTP - 
158560 ms - engine build

One of the signature engines fails to build after an SDF is loaded. A message is sent for each engine that fails.

An engine typically fails to build because of low memory, so increasing router memory can alleviate the problem. Also, try to load the SDF immediately after a route reboots, which is when system resources are available.

%IPS-4-SDF_PARSE_FAILED: not well-formed 
(invalid token) at Line 1 Col 0 Byte 0 Len 
1006

An SDF has not parsed correctly. The SDF might have been corrupt.

%IPS-4-SDF_LOAD_FAILED: failed to parse SDF 
from tftp://tftp-server/sdf.xml

An SDF fails to load. The SDF may fail for any of the following reasons:

Fails to load if it resides on a network server that cannot be reached

Does not have the correct read permissions

%IPS-2-DISABLED: IPS removed from all 
interfaces - IPS disabled

IPS has been disabled. This messages will indicate why IPS has been disabled.


Conditions of an SME Build Failure

There are times when a building SME will fail. The SME can fail for reasons such as attempting to load a corrupted SDF file or if the SME exceeds memory limitations of the router. Should a failure occur, Cisco IOS IPS is designed to handle such failure conditions. Possible failures are as follows:

By default, IPS is designed to "fail open," which means that if an SME does not build, all packets that are destined for that particular engine will pass traffic without scanning.

If IPS is not able to load the attack-drop.sdf file onto a router, the router will revert to the previously loaded available signatures. (In most cases, the previously loaded signatures are the Cisco IOS built-in signatures.)

If an engine build fails when you are merging the attack-drop.sdf file with the built-in signatures, IPS will revert, by default, to the previously available engine (or engines).

The default behavior for engine failure allows for packets to be passed unscanned. To prevent traffic from being passed unscanned, issue the ip ips fail closed command, which forces the router to drop all packets if an SME build fails.


Note If a signature or a signature parameter is not supported, Cisco IOS will print a syslog message, indicating that the signature or parameter is not supported.


Configuration Examples

This section contains the following configuration examples:

Loading the Default Signatures: Example

Loading the attack-drop.sdf: Example

Merging the attack-drop.sdf File with the Default, Built-in Signatures: Example

Loading the Default Signatures: Example

The following example shows the Cisco IOS IPS commands required to load the default, built-in signatures. Note that a configuration option for specifying an SDF location is not necessary; built-in signatures reside statically in Cisco IOS.

!
ip ips po max-events 100
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!

Loading the attack-drop.sdf: Example

The following example shows the basic configuration necessary to load the attack-drop.sdf file onto a router running Cisco IOS IPS. Note that the configuration is almost the same as loading the default signatures onto a router, except for the ip ips sdf location command, which specifies the attack-drop.sdf file.

!
ip ips sdf location disk2:attack-drop.sdf
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!

Merging the attack-drop.sdf File with the Default, Built-in Signatures: Example

The following example shows how to configure the router to load and merge the attack-drop.sdf file with the default signatures. After you have merged the two files, it is recommended that you copy the newly merged signatures to a separate file. The router can then be reloaded (via the reload command) or reinitalized to recognize the newly merged file (as shown the following example).

!
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
!
! Merge the flash-based SDF (attack-drop.sdf) with the built-in signatures.
Router# copy disk2:attack-drop.sdf ips-sdf
! Save the newly merged signatures to a separate file.
Router# copy ips-sdf disk2:my-signatures.sdf
!
! Configure the router to use the new file, my-signatures.sdf 
Router# configure terminal
Router(config)# ip ips sdf location disk2:my-signatures.sdf
! Reinitialize the IPS by removing the IPS rule set and reapplying the rule set.
Router(config-if)# interface gig 0/1
Router(config-if)# no ip ips MYIPS in
!
*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled
!
Router(config-if)# ip ips MYIPS in
!
Router(config-if)# exit

Additional References

The following sections provide references related to Cisco IOS IPS.

Related Documents

Related Topic
Document Title

SDM IPS user's guide

SDM Intrusion Prevention System (IPS)

VMS IDS MC documentation

Management Center for IDS Sensors

IPS and firewall

Cisco IOS Security Configuration Guide, Release 12.3

IPS and firewall commands

Cisco IOS Security Command Reference, Release 12.3 T

Loading images and file systems

The section "File Management" in the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide, Release 12.3

Fragment attack support via VFR

Virtual Fragmentation Reassembly, Cisco IOS Release 12.3(8)T feature module


Standards

Standards
Title

None


MIBs

MIBs
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

None


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents only new, modified, replaced, and obsolete commands.

New Commands in Cisco IOS Release 12.3(8)T

clear ip sdee

copy ips-sdf

debug ip ips

debug ip sdee

ip ips fail closed

ip ips sdf location

ip sdee events

ip sdee subscriptions

no ip ips sdf builtin

show ip sdee

New Command in Cisco IOS Release 12.3(14)T

ip ips deny-action ips-interface

Replaced Commands

Command in Cisco IOS Release 12.3
Replacement Command in Cisco IOS Release 12.3(8)T

clear ip audit configuration

clear ip ips configuration

clear ip audit statistics

clear ip ips statistics

ip audit

ip ips

ip audit name

ip ips name

ip audit notify

ip ips notify

ip audit po local

ip ips po local1

ip audit po max-events

ip ips po max-events1

ip audit po protected

ip ips po protected1

ip audit po remote

ip ips po remote1

ip audit signature

ip ips signature

show ip audit configuration

show ip audit interface

show ip audit statistics

show ip ips

Note This command was also modified to include all show ip ips options in a single command.

1 This command was made obsolete in Cisco IOS Release 12.3(14)T.


Obsolete Commands in Cisco IOS Release 12.3(8)T

ip audit attack

ip audit info

ip audit smtp

Obsolete Commands in Cisco IOS Release 12.3(14)T

ip ips po local

ip ips po max-events

ip ips po protected

ip ips po remote

clear ip ips configuration

To disable Cisco IOS Firewall Intrusion Prevention System (IPS), remove all intrusion detection configuration entries, and release dynamic resources, use the clear ip ips configuration command in EXEC mode.

clear ip ips configuration

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the clear ip audit configuration command to the clear ip ips configuration command.


Examples

The following example clears the existing IPS configuration:

clear ip ips configuration

clear ip ips statistics

To reset statistics on packets analyzed and alarms sent, use the clear ip ips statistics command in EXEC mode.

clear ip ips statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the clear ip audit statistics command to the clear ip ips statistics command.


Examples

The following example clears all Intrusion Prevention System (IPS) statistics:

clear ip ips statistics

clear ip sdee

To clear Security Device Exchange Event (SDEE) events or subscriptions, use the clear ip sdee command in EXEC configuration mode.

clear ip sdee {events | subscriptions}

Syntax Description

events

Clears SDEE events from the event buffer.

subscriptions

Clears SDEE subscriptions.


Command Modes

EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Because subscriptions are properly closed by the Cisco IOS Intrusion Prevention System (IPS) client, this command is typically used only to help with error recovery.

Examples

The following example shows how to clear all open SDEE subscriptions on the router:

Router# clear ip sdee subscriptions

Related Commands

Command
Description

ip ips notify

Specifies the method of event notification.

ip sdee events

Sets the maximum number of SDEE events that can be stored in the event buffer.

ip sdee subscriptions

Sets the maximum number of SDEE subscriptions that can be open simultaneously.


copy ips-sdf

To load or save the signature definition file (SDF) in the router, use the copy ips-sdf command in EXEC mode.

Syntax for Loading the SDF

copy [/erase] url ips-sdf

Syntax for Saving the SDF

copy ips-sdf url

Syntax Description

/erase

(Optional) Erases the current SDF in the router before loading the new SDF.

Note This option is typically available only on platforms with limited memory.

url

Description for the url argument is one of the following options:

If you want to load the SDF in the router, the url argument specifies the location in which to search for the SDF.

If you are saving the SDF, the url argument represents the location in which the SDF is saved after it has been generated.

Regardless of what option the URL is used for, available URL locations are as follows:

local flash, such as flash:sig.xml

FTP server, such as ftp://myuser:mypass@ftp_server.sig.xml

rcp, such as rcp://myuser@rcp_server/sig.xml

TFTP server, such as tftp://tftp_server/sig.xml


Command Modes

EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Loading Signatures from the SDF

Issue the copy url ips-sdf command to load the SDF in the router from the location specified via the url argument. When the new SDF is loaded, it is merged with the SDF that is already loaded in the router, unless the /erase keyword is issued, which overwrites the current SDF with the new SDF.

Cisco IOS Intrusion Prevention System (IPS) will attempt to retrieve the SDF from each specified location in the order in which they were configured in the startup configuration. If Cisco IOS IPS cannot retrieve the signatures from any of the specified locations, the built-in signatures will be used.

If the no ip ips sdf built-in command is used, Cisco IOS IPS will fail to load. IPS will then rely on the configuration of the ip ips fail command to either fail open or fail closed.


Note For Cisco IOS Release 12.3(8)T, the SDF should be loaded directly from flash.


After the signatures are loaded in the router, the signature engines are built. Only after the signature engines are built can Cisco IOS IPS beginning scanning traffic.


Note Whenever signatures are replaced or merged, the router is suspended while the signature engines for the newly added or merged signatures are being built. The router prompt will be available again after the engines are built.

Depending on your platform and how many signatures are being loaded, building the engine can take up to several minutes. It is recommended that you enable logging messages to monitor the engine building status.


The ip ips sdf location command can also be used to load the SDF. However, unlike the copy ips-sdf command, this command does not force and immediately load the signatures. Signatures are not loaded until the router reboots or IPS is initially applied to an interface (via the ip ips command).

Saving a Generated or Merges SDF

Issue the copy ips-sdf url command to save a newly created SDF file to a specified location. The next time the router is reloaded, IPS can refer to the SDF from the saved location by including the ip ips sdf location command in the configuration.


Tip It is recommended that you save the SDF back out to flash. Also, you should save the file to a different name than the original attack-drop.sdf file; otherwise, you risk loosing the original file.


Examples

The following example shows how to configure the router to load and merge the attack-drop.sdf file with the default signatures. After you have merged the two files, it is recommended that you copy the newly merged signatures to a separate file. The router can then be reloaded (via the reload command) or reinitalized to recognize the newly merged file (as shown the following example).

!
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
!
! Merge the flash-based SDF (attack-drop.sdf) with the built-in signatures.
Router# copy disk2:attack-drop.sdf ips-sdf
! Save the newly merged signatures to a separate file.
Router# copy ips-sdf disk2:my-signatures.sdf
!
! Configure the router to use the new file, my-signatures.sdf 
Router# configure terminal
Router(config)# ip ips sdf location disk2:my-signatures.sdf
! Reinitialize the IPS by removing the IPS rule set and reapplying the rule set.
Router(config-if)# interface gig 0/1
Router(config-if)# no ip ips MYIPS in
!
*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled
!
Router(config-if)# ip ips MYIPS in
!
Router(config-if)# exit

Related Commands

Command
Description

ip ips sdf location

Specifies the location in which the router should load the SDF.


debug ip ips

To enable debug messages for Cisco IOS Intrusion Prevention System (IPS), use the debug ip ips command in privileged EXEC mode. To disable debugging messages, use the no form of this command.

debug ip ips [engine] [detailed]

no debug ip ips [engine] [detailed]

Syntax Description

engine

(Optional) Displays debug messages only for a specific signature engine.

detailed

(Optional) Displays detailed debug messages for the specified signature engine or for all IPS actions.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Examples

The following example shows how to enable debug messages for the Cisco IOS IPS:

Router# debug ip ips

debug ip sdee

To enable debug messages for Security Device Event Exchange (SDEE) notification events, use the debug ip sdee command in privileged EXEC mode. To disable SDEE debugging messages, use the no form of this command.

debug ip sdee {[alerts] [detail] [messages] [requests] [subscriptions]}

no debug ip sdee [alerts] [detail] [messages] [requests] [subscriptions]

Syntax Description

alerts

Displays new alerts that are reported to SDEE from IPS.

detail

Displays detailed SDEE messages.

messages

Displays error and status messaged that are reported to SDEE from IPS.

requests

Displays SDEE client requests.

subscriptions

Displays SDEE client subscription requests.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Examples

The following is sample SDEE debug output. In this example, you can see which messages correspond to SDEE alerts, requests, and subscriptions.

Router# debug ip sdee alerts requests subscriptions

5d00h:SDEE:got request from client at 10.0.0.2
5d00h:SDEE:reported 13 events for client at 10.0.0.2
5d00h:SDEE:GET request for client 10.0.0.2 subscription IDS1720:0
5d00h:SDEE:reported 50 events for client 10.0.0.2 subscription IDS1720:0
5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021174067
5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021174071
5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021174072
5d00h: SDEE alert:sigid 2004 name ICMP Echo Req from 10.0.0.2 time 1021175127
5d00h:SDEE:missed events for IDS1720:0

Related Commands

Command
Description

ip ips notify

Specifies the method of event notification.

ip sdee events

Sets the maximum number of SDEE events that can be stored in the event buffer.

ip sdee subscriptions

Sets the maximum number of SDEE subscriptions that can be open simultaneously.


ip ips

To apply an Intrusion Prevention System (IPS) rule to an interface, use the ip ips command in interface configuration mode. To remove an IPS rule from an interface direction, use the no form of this command.

ip ips ips-name {in | out} [list acl]

no ip ips ips-name {in | out} [list acl]

Syntax Description

ips-name

Name of IPS signature definition file (SDF).

in

Applies IPS to inbound traffic.

out

Applies IPS to outbound traffic.

list acl

(Optional) Specifies an extended or standard access control list (ACL) to filter the traffic that will be scanned.


Defaults

By default, IPS signatures are not applied to an interface or direction.

Command Modes

Interface configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit command to the ip ips command.


Usage Guidelines

The ip ips command loads the SDF onto the router and builds the signature engines when IPS is applied to the first interface.


Note The router prompt disappears while the signatures are loading and the signature engines are building. It will reappear after these tasks are complete.

Depending on your platform and how many signatures are being loaded, building the signature engine can take several of minutes. It is recommended that you enable logging messages so you can monitor the engine building status.


The ip ips command replaces the ip audit command. If the ip audit command is part of an existing configuration, IPS will interpret it as the ip ips command.

Examples

The following example shows the basic configuration necessary to load the attack-drop.sdf file onto a router running Cisco IOS IPS. Note that the configuration is almost the same as loading the default signatures onto a router, except for the ip ips sdf location command, which specifies the attack-drop.sdf file.

!
ip ips sdf location disk2:attack-drop.sdf
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!

The following example shows how to configure the router to load and merge the attack-drop.sdf file with the default signatures. After you have merged the two files, it is recommended that you copy the newly merged signatures to a separate file. The router can then be reloaded (via the reload command) or reinitalized to recognize the newly merged file (as shown the following example)

!
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
!
! Merge the flash-based SDF (attack-drop.sdf) with the built-in signatures.
Router# copy disk2:attack-drop.sdf ips-sdf
! Save the newly merged signatures to a separate file.
Router# copy ips-sdf disk2:my-signatures.sdf
!
! Configure the router to use the new file, my-signatures.sdf 
Router# configure terminal
Router(config)# ip ips sdf location disk2:my-signatures.sdf
! Reinitialize the IPS by removing the IPS rule set and reapplying the rule set.
Router(config-if)# interface gig 0/1
Router(config-if)# no ip ips MYIPS in
!
*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled
!
Router(config-if)# ip ips MYIPS in
!
Router(config-if)# exit

Related Commands

Command
Description

copy ips-sdf

Loads or saves the SDF in the router.

ip ips sdf location

Specifies the location in which the router should load the SDF.


ip ips deny-action ips-interface

To create an access control list (ACL) filter for the deny actions ("denyFlowInline" and "denyConnectionInline") on the intrusion prevention system (IPS) interface rather than ingress interface, use the ip ips deny-action ips-interface command in global configuration mode. To return to the default, use the no form of this command.

ip ips deny-action ips-interface

no ip ips deny-action ips-interface

Syntax Description

This command has no arguments or keywords.

Defaults

ACLs filter for the deny actions are applied to the ingress interface.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

Use the ip ips deny-action ips-interface command to change the default behavior of the ACL filters that are created for the deny actions.


Note You should configure this command only if at least one signature is configured to use the supported deny actions (denyFlowInline and denyConnectionInline, if the input interface is configured to for load balancing, and if IPS is configured on the output interface.


Default ACL Filter Approach

By default, ACL filters for the deny actions are created on the ingress interfaces of the offending packet. Thus, if Cisco IOS IPS is configured in outbound direction on the egress interface and the "deny" ACLs are created on the ingress interface, Cisco IOS IPS will drop the matching traffic before it goes through much processing. Unfortunately, this approach does not work in load balancing scenarios for which there is more than one ingress interface performing load-balancing.

Alternative ACL Filter Approach

The ip ips deny-action ips-interface command enables ACLs to be created on the same interface and in the same direction as Cisco IOS IPS is configured. This alternative approach supports load-balancing scenarios—assuming that the load-balancing interfaces have the same Cisco IOS IPS configuration. However, all outbound Cisco IOS IPS traffic will go through substantial packet path processing before it is eventually dropped by the ACLs.

Examples

The following example shows how to configure load-balancing between interface e0 and interface e1:

ip ips name test
ip ips deny-action ips-interface
! Enables load balancing with e1
interface e0
 ip address 10.1.1.14 255.255.255.0
 no shut
!
! Enables load balancing with e0
interface e1
 ip address 10.1.1.16 255.255.255.0
 no shut
!
interface e2
 ip address 10.1.1.18 255.255.255.0
 ip ips test in
 no shut

ip ips fail closed

To instruct the router to drop all packets until the signature engine is built and ready to scan traffic, use the ip ips fail closed command in global configuration mode. To return to the default functionality, use the no form of this command.

ip ips fail closed

no ip ips fail closed

Syntax Description

This command has no arguments or keywords.

Defaults

All packets are passed without being scanned while the signature engine is being built or if the signature engine fails to build.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Cisco IOS IPS Fails to Load the SDF

By default, the router running Intrusion Prevention System (IPS) will load the built-in signatures if it fails to load the signature definition file (SDF). If this command is issued, the router will drop all packets—unless the user specifies an access control list (ACL) for packets to send to IPS.

IPS Loads the SDF but Fails to Build a Signature Engine

If the router running IPS loads the SDF but fails to build a signature engine, the router will mark the engine "not ready." If an available engine is previously loaded, the IPS will keep the available engine and discard the engine that is not ready for use. If no previous engines have been loaded or "not ready," the router will install the engine that is not ready and rely on the configuration of the ip ips fail closed command.

By default, packets destined for an engine marked "not ready" will be passed without being scanned. If this command is issued, the router will drop all packets that are destined for that signature engine.

Examples

The following example shows how to instruct the router to drop all packets if the attack-drop.sdf file fails to load:

Router(config)# ip ips fail closed

ip ips name

To specify an intrusion prevention system (IPS) rule, use the ip ips name command in global configuration mode. To delete an IPS rule, use the no form of this command.

ip ips name ips-name

no ip ips name ips-name

Syntax Description

ips-name

Name for IPS rule.


Defaults

An IPS rule does not exist.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit name command to the ip ips name command.


Usage Guidelines

The IPS does not load the signatures until the rule is applied to an interface via the ip ips command.


Note This command replaces the ip audit name global configuration command. If the ip audit name command has been issued in an existing configuration and an access control list (ACL) has been defined, IPS will apply the ip ips name command and the ACL parameter on all interfaces that applied the rule.


Examples

The following example shows how to configure a router running Cisco IOS IPS to load the default, built-in signatures. Note that a configuration option for specifying an SDF location is not necessary; built-in signatures reside statically in Cisco IOS.

!
ip ips po max-events 100
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!

Related Commands

Command
Description

ip ips

Applies an IPS rule to an interface.

show ip ips

Displays IPS information such as configured sessions and signatures.


ip ips notify

To specify the method of event notification, use the ip ips notify command in global configuration mode. To disable event notification, use the no form of this command.

ip ips notify [log | sdee]

no ip ips notify [log | sdee]

Syntax Description

log

(Optional) Send messages in syslog format.

Note If an option is not specified, alert messages are sent in syslog format

sdee

(Optional) Send messages in Security Device Event Exchange (SDEE) format.


Defaults

Disabled (alert messages are not sent).

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit notify command to the ip ips notify command. Also, support for SDEE was introduced, and the sdee keyword was added.

12.3(14)T

The Post Office protocol was deprecated, and the nr-director keyword was removed.


Usage Guidelines

SDEE is always running, but it does not receive and process events from Intrusion Prevention System (IPS) unless SDEE notification is enabled. If it is not enabled and a client sends a request, SDEE will respond with a fault response message, indicating that notification is not enabled.

To use SDEE, the HTTP server must be enabled (via the ip http server command). If the HTTP server is not enabled, the router cannot respond to the SDEE clients because it cannot not see the requests.


Note The ip ips notify command replaces the ip audit notify command. If the ip audit notify command is part of an existing configuration, the IPS will interpret it as the ip ips notify command.


Examples

In the following example, event notifications are specified to be sent in SDEE format:

ip ips notify sdee 

Related Commands

Command
Description

ip http server

Enables the HTTP server on your system.


ip ips po local


Note Effective with Cisco IOS Release 12.3(14)T, the ip ips po local command is no longer available in Cisco IOS software.


To specify the local Post Office parameters used when sending event notifications to the VPN/Security Management Solution (VMS), use the ip ips po local command in global configuration mode. To set the local Post Office parameters to their default settings, use the no form of this command.

ip ips po local hostid id-number orgid id-number

no ip ips po local [hostid id-number orgid id-number]

Syntax Description

hostid

Specifies a VMS host ID.

id-number

Unique integer in the range 1 to 65535 used in VMS communications to identify the local host. The default host ID is 1.

orgid

Specifies a VMS organization ID.

id-number

Unique integer in the range 1 to 65535 used in VMS communications to identify the group to which the local host belongs. The default organization ID is 1.


Defaults

The default organization ID is 1. The default host ID is 1.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit po local command to the ip ips po local command.

12.3(14)T

This command is no longer available in Cisco IOS software.


Usage Guidelines

Use the ip ips po local global configuration command to specify the local Post Office parameters used when sending event notifications to the VMS.

Examples

In the following example, the local host is assigned a host ID of 10 and an organization ID of 500:

ip audit po local hostid 10 orgid 500

ip ips po max-events


Note Effective with Cisco IOS Release 12.3(14)T, the ip ips po max-events command is no longer available in Cisco IOS software.


To specify the maximum number of event notifications that are placed in the router's event queue, use the ip ips po max-events command in global configuration mode. To set the number of recipients to the default setting, use the no form of this command.

ip ips po max-events number-of-events

no ip ips po max-events

Syntax Description

number-of-events

Integer in the range from 1 to 65535 that designates the maximum number of events allowable in the event queue. The default is 100 events.


Defaults

The default number of events is 100.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command named was changed from the ip audit po max-events command to the ip ips po max-events command.

12.3(14)T

This command is no longer available in Cisco IOS software.


Usage Guidelines

Raising the number of events past 100 may cause memory and performance impacts because each event in the event queue requires 32 KB of memory.

Examples

In the following example, the number of events in the event queue is set to 250:

ip ips po max-events 250

ip ips po protected


Note Effective with Cisco IOS Release 12.3(14)T, the ip ips po protected command is no longer available in Cisco IOS software.


To specify whether an address is on a protected network, use the ip ips po protected command in global configuration mode. To remove network addresses from the protected network list, use the no form of this command.

ip ips po protected ip-addr [to ip-addr]

no ip ips po protected [ip-addr]

Syntax Description

ip-addr

IP address of a network host.

to ip-addr

(Optional) Specifies a range of IP addresses.


Defaults

If no addresses are defined as protected, then all addresses are considered outside the protected network.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit po protected command to the ip ips po protected command.

12.3(14)T

This command is no longer available in Cisco IOS software.


Usage Guidelines

You can enter a single address at a time or a range of addresses at a time. You can also make as many entries to the protected networks list as you want. When an attack is detected, the corresponding event contains a flag that denotes whether the source or destination of the packet belongs to a protected network or not.

If you specify an IP address for removal, that address is removed from the list. If you do not specify an address, then all IP addresses are removed from the list.

Examples

In the following example, a range of addresses is added to the protected network list:

ip ips po protected 10.1.1.0 to 10.1.1.255

In the following example, three individual addresses are added to the protected network list:

ip ips po protected 10.4.1.1
ip ips po protected 10.4.1.8
ip ips po protected 10.4.1.25

ip ips po remote


Note Effective with Cisco IOS Release 12.3(14)T, the ip ips po remote command is no longer available in Cisco IOS software.


To specify one or more set of Post Office parameters for the VPN/Security Management Solution (VMS) receiving event notifications from the router, use the ip ips po remote command in global configuration mode. To remove a VMS' Post Office parameters as defined by host ID, organization ID, and IP address, use the no form of this command.

ip ips po remote hostid host-id orgid org-id rmtaddress ip-address localaddress ip-address [port port-number] [preference preference-number] [timeout seconds] [application {director | logger}]

no ip ips po remote hostid host-id orgid org-id rmtaddress ip-address

Syntax Description

hostid

Specifies a VMS host ID.

host-id

Unique integer in the range from 1 to 65535 used in VMS communications to identify the local host. The default host ID is 1.

orgid

Specifies a VMS organization ID.

org-id

Unique integer in the range from 1 to 65535 used in VMS communications to identify the group in which the local host belongs. The default organization ID is 1.

rmtaddress

Specifies the IP address of the VMS.

localaddress

Specifies the IP address of the Cisco IOS Firewall Intrusion Prevention System (IPS) router.

ip-address

IP address of the VMS or Cisco IOS Firewall IPS router's interface. Use with the rmtaddress and localaddress keywords.

port

(Optional) Specifies a User Datagram Protocol port through which to send messages.

port-number

(Optional) Integer representing the UDP port on which the VMS is listening for event notifications. The default UDP port number is 45000.

preference

(Optional) Specifies a route preference for communication.

preference-number

(Optional) Integer representing the relative priority of a route to a VMS, if more than one route exists. The default preference is 1.

timeout

(Optional) Specifies a timeout value for Post Office communications.

seconds

(Optional) Integer representing the heartbeat timeout value for Post Office communications. The default timeout is 5 seconds.

application

(Optional) Specifies the type of application that is receiving the Cisco IOS Firewall IPS messages. The default application is director.

director

(Optional) Specifies that the receiving application is the VMS interface.

logger

(Optional) Specifies that the receiving application is a VMS.


Defaults

Parameter values are not set.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changes from the ip audit po remote command to the ip ips po remote command.

12.3(14)T

This command is no longer available in Cisco IOS software.


Usage Guidelines

A router can report to more than one VMS. In this case, use the ip ips po remote command to add each VMS to which the router sends notifications.

More than one route can be established to the same VMS. In this case, you must give each route a preference number that establishes the relative priority of routes. The router always attempts to use the lowest numbered route, switching automatically to the next higher number when a route fails, and then switching back when the route begins functioning again.


Note The ip ips po remote command replaces the ip audit po remote command. If the ip audit po remote command is found in an existing configuration, Cisco IOS IPS will interpret it as the ip ips po remote command.


Examples

In the following example, two communication routes for the same dual-homed VMS are defined:

ip ips po remote hostid 30 orgid 500 rmtaddress 10.1.99.100 localaddress 10.1.99.1 
preference 1 
ip ips po remote hostid 30 orgid 500 rmtaddress 10.1.4.30 localaddress 10.1.4.1 preference 
2 

The router uses the first entry to establish communication with the VMS defined with host ID 30 and organization ID 500. If this route fails, then the router will switch to the secondary communications route. As soon as the first route begins functioning again, the router switches back to the primary route and closes the secondary route.


In the following example, a different VMS is assigned a longer heartbeat timeout value because of network congestion, and is designated as a logger application:

ip ips po remote hostid 70 orgid 500 rmtaddress 10.1.8.1 localaddress 10.1.8.100 timeout 
10 application director

ip ips sdf location

To specify the location in which the router will load the signature definition file (SDF), use the ip ips sdf location command in global configuration mode. To remove an SDF location from the configuration, use the no form of this command.

ip ips sdf location url

no ip ips sdf location url

Syntax Description

url

Location of the SDF. Available URL options:

local flash, such as flash:sig.xml

FTP server, such as ftp://myuser:mypass@ftp_server.sig.xml

rcp, such as rcp://myuser@rcp_server/sig.xml

TFTP server, such as tftp://tftp_server/sig.xml


Defaults

If an SDF location is not specified, the router will load the default, built-in signatures.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

When the ip ips sdf location command is issued, the signatures are not loaded until the router is rebooted or until the Intrusion Prevention System (IPS) is applied to an interface (via the ip ips command). If IPS is already applied to an interface, the signatures will not be loaded. If IPS cannot load the SDF, you will receive an error message and the router will use the built-in IPS signatures.

You can also issue the copy ips-sdf command to load an SDF from a specified location. Unlike the ip ips sdf location command, the signatures are loaded immediately after the copy ips-sdf command is issued.

Examples

The following example shows how to configure the router to load and merge the attack-drop.sdf file with the default signatures. After you have merged the two files, it is recommended that you copy the newly merged signatures to a separate file. The router can then be reloaded (via the reload command) or reinitalized to recognize the newly merged file (as shown the following example).

!
ip ips name MYIPS
!
interface GigabitEthernet0/1
 ip address 10.1.1.16 255.255.255.0
 ip ips MYIPS in
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
!
! Merge the flash-based SDF (attack-drop.sdf) with the built-in signatures.
Router# copy disk2:attack-drop.sdf ips-sdf
! Save the newly merged signatures to a separate file.
Router# copy ips-sdf disk2:my-signatures.sdf
!
! Configure the router to use the new file, my-signatures.sdf 
Router# configure terminal
Router(config)# ip ips sdf location disk2:my-signatures.sdf
! Reinitialize the IPS by removing the IPS rule set and reapplying the rule set.
Router(config-if)# interface gig 0/1
Router(config-if)# no ip ips MYIPS in
!
*Apr 8 14:05:38.243:%IPS-2-DISABLED:IPS removed from all interfaces - IPS disabled
!
Router(config-if)# ip ips MYIPS in
!
Router(config-if)# exit

Related Commands

Command
Description

copy ips-sdf

Loads or saves the SDF in the router.

ip ips

Applies the IPS rule to an interface.


ip ips signature

To attach a policy to a signature, use the ip ips signature command in global configuration mode. If the policy disabled a signature, use the no form of this command to reenable the signature. If the policy attached an access list to the signature, use the no form of this command to remove the access list.

ip ips signature signature-id[:sub-signature-id] {delete | disable | list acl-list}

no ip ips signature signature-id[:sub-signature-id]

Syntax Description

signature-id

[:sub-signature-id]

Signature within the signature detection file (SDF) that is not reported, if detected.

If a sub-signature is not specified, the default is 0. For example, is signature 1105 is specified without a sub-signature, the router will interpret the signature as 1105:0.

delete

Deletes a specified signature.

disable

Disables a specified signature. Instructs the router to scan for a given signature but not take any action if the signature is detected

list acl-list

(Optional) A named, standard, or extended access control list (ACL) to filter the traffic that will be scanned.

If the packet is permitted by the ACL, the signature will be scanned and reported; if the packet is denied by the ACL, the signature is deemed disabled.


Defaults

No policy is attached to a signature, and all signatures within the signature definition file (SDF) are reported, if detected

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from the ip audit signature command to the ip ips signature command to support SDFs.


Usage Guidelines

This command allows you to set three policies: delete a signature, disable the audit of a signature, or qualify the audit of a signature with an access list.

You may want to disable a signature (or set of signatures) if your deployment scenario deems the signatures unnecessary.

If you are attaching an ACL to a signature, then you also need to create an Intrusion Prevention System (IPS) rule with the ip ips name command and apply it to an interface with the ip ips command.


Note The ip ips signature command replaces the ip audit signature command. If the ip audit signature command is found in an existing configuration, Cisco IOS IPS will interpret it as the ip ips signature command.


Examples

In the following example, a signature is disabled, another signature has ACL 99 attached to it, and ACL 99 is defined:

ip ips signature 6150 disable
ip ips signature 1000 list 99

access-list 99 deny 10.1.10.0 0.0.0.255

access-list 99 permit any

Related Commands

Command
Description

ip ips

Applies the IPS rule to an interface.

ip ips name

Specifies an IPS rule.


ip sdee events

To set the maximum number of Security Device Exchange Event (SDEE) events that can be stored in the event buffer, use the ip sdee events command in global configuration mode. To change the buffer size or return to the default buffer size, use the no form of this command.

ip sdee events events

no ip sdee events events

Syntax Description

events

Maximum number of events; maximum number of allowable events: 1000.


Defaults

200 events

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

When SDEE notification is enabled (via the ip ips notify sdee command), 200 hundred events can automatically be stored in the buffer. When SDEE notification is disabled, all stored events are lost. A new buffer is allocated when the notifications are reenabled.

When specifying the size of an events buffer, note the following functionality:

It is circular. When the end of the buffer is reached, the buffer will start overwriting the earliest stored events. (If overwritten events have not yet been reported, you will receive a buffer overflow notice.)

If a new, smaller buffer is requested, all events that are stored in the previous buffer will be lost.

If a new, larger buffer is requested, all existing events will be saved.

Examples

The following example shows how to set the maximum buffer events size to 500:

configure terminal
 ip ips notify sdee
 ip sdee events 500

Related Commands

Command
Description

ip ips notify

Specifies the method of event notification.


ip sdee subscriptions

To set the maximum number of Security Device Event Exchange (SDEE) subscriptions that can be open simultaneously, use the ip sdee subscriptions command in global configuration mode. To change the current selection or return to the default, use the no form of this command.

ip sdee subscriptions subscriptions

no ip sdee subscriptions subscriptions

Syntax Description

subscriptions

Maximum number of subscriptions; valid value ranges from 1 to 3.


Defaults

1 subscription

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

After you have enabled SDEE to receive and process events from Intrusion Prevention System (IPS) unless SDEE, you can issue the ip sdee subscriptions command to modify the number of allowed open SDEE subscriptions.

Examples

The following example shows how to change the number of allowed open subscriptions to 2:

configure terminal
 ip ips notify sdee
 ip sdee events 500
 ip sdee subscriptions 2

Related Commands

Command
Description

ip ips notify

Specifies the method of event notification.


no ip ips sdf builtin

To instruct the router not to load the built-in signatures if it cannot find the specified signature definition files (SDFs), use the no ip ips sdf builtin command in global configuration mode.

no ip ips sdf builtin

Syntax Description

This command has no arguments or keywords.

Defaults

If the router fails to load the SDF, the router will load the default, built-in signatures.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines


Caution If the no ip ips sdf builtin command is issued and the router running Intrusion Prevention System (IPS) fails to load the SDF, you will receive an error message stating that IPS is completely disabled.

Examples

The following example shows how to instruct the router not to revert to the default, built-in signatures if the attack-drop.sdf file fails to load onto the router:

Router(config)# no ip ips sdf builtin

Related Commands

Command
Description

copy ips-sdf

Loads or saves the SDF in the router.

ip ips sdf location

Specifies the location in which the router will load the SDF.


show ip ips

To display Intrusion Prevention System (IPS) information such as configured sessions and signatures, use the show ip ips command in privileged EXEC mode.

show ip ips {[all] [configuration] [interfaces] [name name] [statistics [reset]] [sessions [details]] [signatures [details]]}

Syntax Description

all

Displays all available IPS information.

configuration

Displays additional configuration information, including default values that may not be displayed using the show running-config command.

interfaces

Displays the interface configuration.

name name

Displays information only for the specified IPS rule.

statistics [reset]

Displays information such as the number of packets audited and the number of alarms sent. The optional reset keyword resets sample output to reflect the latest statistics.

sessions [details]

Displays IPS session-related information. The optional details keyword shows detailed session information.

signatures [details]

Displays signature information, such as which signatures are disabled and marked for deletion. The optional details keyword shows detailed signature information.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.3(8)T

The command name was changed from show ip audit to show ip ips. Also, all show ip ips commands were combined into a single command.


Usage Guidelines

Use the show ip ips configuration EXEC command to display additional configuration information, including default values that may not be displayed using the show running-config command.

Examples

Sample Output for the show ip ips configuration Command

The following example displays the output of the show ip ips configuration command:

Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm
Default threshold of recipients for spam signature is 25
PostOffice:HostID:5 OrgID:100 Addr:10.2.7.3 Msg dropped:0
HID:1000 OID:100 S:218 A:3 H:14092 HA:7118 DA:0 R:0
    CID:1 IP:172.21.160.20 P:45000 S:ESTAB (Curr Conn)
Audit Rule Configuration
 Audit name AUDIT.1
    info actions alarm

Sample Output for the show ip ips interfaces Command

The following example displays the output of the show ip ips interfaces command:

Interface Configuration
 Interface Ethernet0
  Inbound IPS audit rule is AUDIT.1
    info actions alarm
  Outgoing IPS audit rule is not set
 Interface Ethernet1
  Inbound IPS audit rule is AUDIT.1
    info actions alarm
  Outgoing IPS audit rule is AUDIT.1
    info actions alarm

Sample Output for the show ip ips statistics Command

The following displays the output of the show ip ips statistics command:

Signature audit statistics [process switch:fast switch]
  signature 2000 packets audited: [0:2]
  signature 2001 packets audited: [9:9]
  signature 2004 packets audited: [0:2]
  signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0

Related Commands

Command
Description

clear ip ips statistics

Resets statistics on packets analyzed and alarms sent.


show ip sdee

To display Security Device Event Exchange (SDEE) notification information, use the show ip sdee command in privileged EXEC mode.

show ip sdee {[alerts] [all] [errors] [events] [configuration] [status] [subscriptions]}

Syntax Description

alerts

Displays the Intrusion Detection System (IDS) alert buffer.

all

Displays all information available for IDS SDEE notifications.

errors

Displays IDS SDEE error messages.

events

Displays IDS SDEE events.

configuration

Displays SDEE configuration parameters.

status

Displays the status events that are currently in the buffer.

subscriptions

Displays IDS SDEE subscription information.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Examples

The following is sample output from the show ip sdee alerts command. In this example, the alerts are numbered from 1 to 100 (because 100 events are currently in the event buffer). Following the alert number are 3 digits, which indicate whether the alert has been reported for the 3 possible subscriptions. In this example, these alerts have been reported for subscription number 1. The event ID is composed of the alert time and an increasing count, separated by a colon.

Router show ip sdee alerts

Event storage:1000 events using 656000 bytes of memory
                                SDEE Alerts

SigID       SrcIP     DstIP       SrcPort  DstPort  Sev     Event ID        SigName
1:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211478597901  ICMP Echo Req
2:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211478887902  ICMP Echo Req
3:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211479247903  ICMP Echo Req
4:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211479457904  ICMP Echo Req
5:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211479487905  ICMP Echo Req
6:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211480077906  ICMP Echo Req
7:100 2004  10.0.0.2  10.0.0.1    8        0        2       10211480407907  ICMP Echo Req
...........................................................
...........................................................
96:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898596  ICMP Echo Req
97:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898597  ICMP Echo Req
98:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750898598  ICMP Echo Req
99:000 2004 10.0.0.2  10.0.0.1    8        0        2       10211750908599  ICMP Echo Req
100:000 2004 10.0.0.2 10.0.0.1    8        0        2       10211750918600  ICMP Echo Req 

The following is sample output is from the show ip sdee subscriptions command. In this example, SDEE is enabled, the maximum event buffer size has been set to 100, and the maximum number of subscriptions that can be open at the same time is 1.

Router# show ip sdee subscriptions 

SDEE is enabled
Alert buffer size:100 alerts 65600 bytes
Maximum subscriptions:1

SDEE open subscriptions: 1
Subscription ID IDS1720:0:
Client address 10.0.0.2 port 1500
        Subscription opened at 13:21:30 MDT July 18 2003
        Total GET requests:0
        Max number of events:50
        Timeout:30
        Event Start Time:0
        Report alerts:true
        Alert severity level is INFORMATIONAL
        Report errors:false
        Report status:false

Table 5 describes the significant fields shown in the display.

Table 5 show ip sdee subscriptions Field Descriptions 

Field
Description

Alert buffer size:100 alerts 65600 bytes

Maximum number of events that can be stored in the buffer. The maximum number of events to be stored refers to all types of events (alert, status, and error).

(This value can be changed via the ip sdee events command.)

Maximum subscriptions:1

Maximum number of subscriptions that can be open at the same time. (This value can be changed via the ip sdee subscriptions command.)


The following is sample output from the show ip sdee status command. In this example, the buffer is set to store a maximum of 1000 events.

Router# show ip sdee status

Event storage:1000 events using 656000 bytes of memory

                   SDEE Status Messages
Time                            Message              Description
1:000 22:10:58 UTC Apr 18 2003  applicationStarted   STRING.UDP,0 ms
2:000 22:10:58 UTC Apr 18 2003  applicationStarted   STRING.TCP,0 ms
3:000 22:10:58 UTC Apr 18 2003  applicationStarted   OTHER,0 ms
4:000 22:10:58 UTC Apr 18 2003  applicationStarted   SERVICE.FTP,276 ms
5:000 22:11:07 UTC Apr 18 2003  applicationStarted   SERVICE.SMTP,8884 ms
6:000 22:11:07 UTC Apr 18 2003  applicationStarted   SERVICE.RPC,72 ms
7:000 22:11:07 UTC Apr 18 2003  applicationStarted   SERVICE.DNS,132 ms
8:000 22:11:15 UTC Apr 18 2003  applicationStarted   SERVICE.HTTP,7632 ms
9:000 22:11:15 UTC Apr 18 2003  applicationStarted   ATOMIC.TCP,24 ms
10:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.UDP,12 ms
11:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.ICMP,12 ms
12:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.IPOPTIONS,8 ms
13:000 22:11:15 UTC Apr 18 2003  applicationStarted  ATOMIC.L3.IP,8 ms

Related Commands

Command
Description

ip ips notify

Specifies the method of event notification.

id sdee events

Sets the maximum number of SDEE events that can be stored in the event buffer.

ip sdee subscriptions

Sets the maximum number of SDEE subscriptions that can be open simultaneously.


1 To scan for application layer signatures across fragments, you can enable virtual fragment reassembly.