Table Of Contents
Cisco IOS IPS 5.x Signature Format Support and Usability Enhancements
Contents
Prerequisites for Cisco IOS 5.x Format Signatures with Cisco IOS IPS
Restrictions for Cisco IOS 5.x Format Signatures with Cisco IOS IPS
Information About Cisco IOS 5.x Format Signatures with Cisco IOS IPS
Cisco IOS IPS Overview
Signature Categories
Router Configuration Files and Signature Event Action Processor (SEAP)
Benefits of Cisco IOS 5.x Format Signatures with Cisco IOS IPS
Signature Update Accessibility
How to Use Cisco IOS 5.x Format Signatures with Cisco IOS IPS
Retiring All Signatures and Selecting a Category of Signatures
What to Do Next
Configuring Cisco IOS IPS on Your Router
Examples
Loading a Signature File into Cisco IOS IPS
Prerequisites
Flexible Signatures: Ordered and Incremental
Tuning Signature Parameters
Tuning Signatures Per Signature ID
Tuning Signatures Per Category
Setting the Target Value Rating
Enabling Automatic Signature Updates
Automatic Signature Update Guidelines
Examples
Monitoring Cisco IOS IPS Signatures via Syslog Messages or SDEE
SDEE Overview
Prerequisites
Examples
Troubleshooting Tips
Configuration Examples
Cisco IOS IPS Configuration: Example
Additional References
Related Documents
Standards
MIBs
RFCs
Technical Assistance
Command Reference
alert-severity
category
copy idconf
enabled (IPS)
engine (IPS)
event-action
fidelity-rating
ip ips auto-update
ip ips config location
ip ips event-action-rules
ip ips signature-category
ip ips signature-definition
occur-at (ips-auto-update)
retired (IPS)
show ip ips auto-update
signature
status
target-value
url (ips-auto-update)
username (ips-autoupdate)
Feature Information for Cisco IOS 5.x Format Signatures with Cisco IOS IPS
Cisco IOS IPS 5.x Signature Format Support and Usability Enhancements
First Published: November 17, 2006
Last Updated: November 17, 2006
This feature introduces support for Cisco IOS Intrusion Prevention System (IPS) version 5.0, which is a version-based signature definition XML format. In Cisco IOS Release 12.4(11)T, Cisco IOS IPS 4.x format signatures are replaced by the 5.x format signatures that are used by all other Cisco IPS devices.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Cisco IOS 5.x Format Signatures with Cisco IOS IPS" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Cisco IOS 5.x Format Signatures with Cisco IOS IPS
•Restrictions for Cisco IOS 5.x Format Signatures with Cisco IOS IPS
•Information About Cisco IOS 5.x Format Signatures with Cisco IOS IPS
•How to Use Cisco IOS 5.x Format Signatures with Cisco IOS IPS
•Configuration Examples
•Additional References
•Command Reference
•Feature Information for Cisco IOS 5.x Format Signatures with Cisco IOS IPS
Prerequisites for Cisco IOS 5.x Format Signatures with Cisco IOS IPS
System and Image Requirements for Cisco IOS IPS 5.x
•Cisco IOS IPS signature categories are available in two formats—Basic and Advanced.
•Cisco IOS IPS system requirements depend on the type of deployment, the bandwidth requirements, and security requirements. The larger the number of signatures, the larger the amount of memory consumed.
•You must generate a RSA crypto key and load the public signature on your router for signature decryption.
This following cisco public key configuration can be cut and pasted directly into your router configuration:
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
Note You can also access the public key configuration at the following URL: http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup
•You must load one of the following images on your router to install Cisco IOS IPS 5.x: adventerprisek9, advsecurityk9, and advipservicesk9.
Note To check the current system version, use the show subsys name ips command.
IPS 4.x uses a version format of 2.xxx.xxx; IPS 5.x uses a version format of 3.xxx.xxx.
Upgrading from Cisco IOS IPS 4.x to Cisco IOS IPS 5.x Signatures
Cisco IOS IPS 5.x format signatures are not backward compatible with Cisco IOS IPS 4.x. You must reconfigure your Cisco IOS IPS features for use with the IPS 5.x signature format command-line interface (CLI) and features.
When reconfiguring Cisco IOS IPS on a router to convert to the 5.x signature format, you must have the following Cisco IOS IPS 4.x information:
•Cisco IOS IPS rule name (which was specified via the ip ips name ips-name command)
•Interfaces for which the Cisco IOS IPS rule has been applied
•User-created and customized signature definition files (SDFs)
To gather this information, issue the show ip ips configuration command, which displays a copy of the existing output.
Router# show ip ips configuration
Configured SDF Locations:
Builtin signatures are enabled but not loaded
Last successful SDF load time: 05:31:54 MST Sep 20 2003
IPS fail closed is disabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is enabled
Total Active Signatures: 13
Total Inactive Signatures: 0
Signature 50000:0 disable
Signature 50000:1 disable
Signature 50000:2 disable
Interface GigabitEthernet0/1
Inbound IPS rule is MYIPS
Outgoing IPS rule is not set
Note Detailed or customized changes to specific signatures may be lost. IPS 4.x SDF files will not load under the Cisco IOS IPS 5.x version.
Restrictions for Cisco IOS 5.x Format Signatures with Cisco IOS IPS
Warning Do not enable all IPS signatures. The router may not be able to able to compile all signatures, resulting in high CPU and memory usage, degraded performance, and a system crash.
Backward Compatibility
Cisco IOS IPS 5.x format signatures are not backward compatible with Cisco IOS IPS 4.x SDFs.
Cisco 870 Series Platform Support
The 870 series platform with Cisco IOS IPS in Cisco IOS Release 12.4(11)T may experience lower performance relative to previous releases (CSCsg57228). The Cisco IOS IPS performance on the 870 series platform will be enhanced in a later 12.4(11)T image rebuild.
On the 870 series platform, Cisco IOS IPS is supported only on the adv-ipservices and the adv-enterprise images. Cisco IOS IPS is the same on both images.
Information About Cisco IOS 5.x Format Signatures with Cisco IOS IPS
Before using Cisco IOS 5.x format signatures with Cisco IOS IPS, you should understand the following concepts:
•Cisco IOS IPS Overview
•Signature Categories
•Benefits of Cisco IOS 5.x Format Signatures with Cisco IOS IPS
•Signature Update Accessibility
Cisco IOS IPS Overview
The Cisco IOS IPS acts as an in-line intrusion prevention sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog messages or Security Device Event Exchange (SDEE). The network administrator can configure Cisco IOS IPS to choose the appropriate response to various threats. The Signature Event Action Processor (SEAP) can dynamically control actions that are to be taken by a signature event on the basis of parameters such as fidelity, severity, or target value rating. These parameters have default values but can also be configured via CLI. When packets in a session match a signature, Cisco IOS IPS can take any of the following actions, as appropriate:
•Send an alarm to a syslog server or a centralized management interface
•Drop the packet
•Reset the connection
•Deny traffic from the source IP address of the attacker for a specified amount of time
•Deny traffic on the connection for which the signature was seen for a specified amount of time
Cisco developed its Cisco IOS software-based intrusion-prevention capabilities and Cisco IOS Firewall with flexibility in mind, so that individual signatures could be disabled in case of false positives. Generally, it is preferable to enable both the firewall and Cisco IOS IPS to support network security policies. However, each of these features may be enabled independently and on different router interfaces.
Signature Categories
Cisco IPS appliances and Cisco IOS IPS with Cisco 5.x format signatures operate with signature categories. All signatures are pregrouped into categories; the categories are hierarchical. An individual signature can belong to more than one category. Top-level categories help to define general types of signatures. Subcategories exist beneath each top-level signature category. (For a list of supported top-level categories, use your router CLI help (?).)
Router Configuration Files and Signature Event Action Processor (SEAP)
As of Cisco IOS Release 12.4(11)T, SDFs are no longer used by Cisco IOS IPS. Instead, routers access signature definition information via a directory that contains three configuration files—the default configuration, the delta configuration, and the SEAP configuration. Cisco IOS accesses this directory via the ip ips config location command.
Note You must issue the ip ips config location command; otherwise, the configuration files are not saved to any location.
SEAP is the control unit responsible for coordinating the data flow of a signature event. It allows for advanced filtering and signature overrides on the basis of the Event Risk Rating (ERR) feedback. ERR is used to control the level in which a user chooses to take actions in an effort to minimize false positives.
Signatures once stored in NVRAM, will now be stored in the delta configuration file; thus, support for access control lists (ACLs) is no longer necessary.
Additional Risk Rating Algorithims
The ERR characterizes the risk of an attack and allows users to make decisions on the basis of the risk control signature event actions. To help further control signature event actions, the following additional rating categories are now supported:
•Attack Severity Rating (ASR)—Determines the severity of an attack. The attack-severity rating values are hard-coded in Cisco IOS IPS as follows: high, medium, low, and informational. The ASR can be changed via the alert-rating command. To change the ASF, see the section "Tuning Signature Parameters."
•Signature Fidelity Rating (SFR)—Determines the confidence level of detecting a true positive. The SFR can be changed via the fidelity-rating command. To change the SFR, see the section "Tuning Signature Parameters."
•Target Value Rating (TVR)—Allows users to develop security policies that can be more strict for some resources than others. The security policy is applied to a table of hosts that are protected by Cisco IOS IPS. A host can be a single IP address or a range of IP addresses with an associated target value rating. To configure the TVR, see the task "Setting the Target Value Rating."
Benefits of Cisco IOS 5.x Format Signatures with Cisco IOS IPS
Automatic Signature Update
With Cisco IOS IPS 5.0, customers can now configure automatic signature updates from local servers.
Network administrators can either preserve the user's current configuration of signature actions or override the user's current configuration of signature actions with the current IPS configuration.
Auto update can also update the CLI signature package.
If this feature is enabled, signatures are delivered in either a Basic signature file or an Advanced signature file.
Signature Category-Based Configuration
Top-level signature categories help to classify signatures for easy grouping and tuning; that is, group-wide parameters, such as signature event action, can be applied to a group via CLI, so the user does not have to modify each individual signature.
Encrypted Signature Support
Cisco IOS IPS introduces support for encrypted (NDA) signatures.
Signature Update Accessibility
To help detect the latest vulnerabilities, Cisco provides the following signature update options:
•Download the latest signature file package from Cisco.com at the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup
•Configure automatic signature updates via the ip ips autoupdate command. Updates can be configured to run on the basis of a preset time. For more information, see the task "Enabling Automatic Signature Updates."
•Issue the copy url idconf command to instruct the router where to load a signature file. (The file can be saved in a location specified via the ip ips config location command.)
How to Use Cisco IOS 5.x Format Signatures with Cisco IOS IPS
This section contains the following procedures:
•Retiring All Signatures and Selecting a Category of Signatures
•Configuring Cisco IOS IPS on Your Router
•Loading a Signature File into Cisco IOS IPS
•Tuning Signature Parameters
•Setting the Target Value Rating
•Enabling Automatic Signature Updates
•Monitoring Cisco IOS IPS Signatures via Syslog Messages or SDEE
Retiring All Signatures and Selecting a Category of Signatures
Router memory and resource constraints prevent a router from loading all Cisco IOS IPS signatures. Thus, it is recommended that you load only a selected set of signatures that are defined by the categories. Because the categories are applied in a "top-down" order, you should first retire all signatures, followed by "unretiring" specific categories. Retiring signatures enables the router to load information for all signatures, but the router will not build the parallel scanning data structure.
Retired signatures are not scanned by Cisco IOS IPS, so they will not fire alarms. If a signature is irrelevant to your network or if you want to save router memory, you should retire signatures, as appropriate.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ips signature-category
4. category category [sub-category]
5. retired {true | false}
6. exit
7. category category [sub-category]
8. retired {true | false}
9. exit
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
ip ips signature-category
Example:
Router(config)# ip ips signature-category
|
Enters enters IPS category configuration mode.
|
Step 4
|
category category [sub-category]
Example:
Router(config-ips-category)# category all
|
Specifies that all categories (and all signatures) will be retired in the following step and enters IPS category action configuration mode.
|
Step 5
|
retired {true | false}
Example:
Router(config-ips-category-action)# retired
true
|
Specifies that the router should retire all categories (and all signatures).
•true—Retires all signatures within a given category.
•false —"Unretires" all signatures within a given category.
|
Step 6
|
exit
Example:
Router(config-ips-category-action)# exit
|
Exits IPS category action configuration mode.
|
Step 7
|
category category [sub-category]
Example:
Router(config-ips-category)# category
ios_ips basic
|
Specifies the basic category (and a set of signatures) that are to be "unretired" in the following step.
|
Step 8
|
retired {true | false}
Example:
Router(config-ips-category-action)# retired
false
|
Specifies that all signatures within the basic category are to be unretired; that is, signatures will be enabled for the basic category.
|
Step 9
|
exit
Example:
Router(config-ips-category-action)# exit
Router(config-ips-category)# exit
|
Exits IPS category action and IPS category configuration modes.
|
What to Do Next
After you have configured the basic category, you should enable Cisco IOS IPS on your router as shown in the section "Configuring Cisco IOS IPS on Your Router."
You can customize (or tune) the entire category or individual signatures within a category to addresses the needs of your network. For information on tuning signatures, see the section "Tuning Signature Parameters."
Configuring Cisco IOS IPS on Your Router
After you have set up a "load definition" for the signature package file to be copied to the idconf, you must configure an IPS rule name. Use this task to configure an IPS rule name and start the IPS configuration.
You can also use this task to configure a Cisco IOS IPS signature location, which tells Cisco IOS IPS where to save signature information.
The configuration location is used to restore the IPS configuration in case the router reboots or IPS is disabled or reenabled. Files, such as signature definition, signature-type definitions, and signature category information, are written in XML format, compressed, and saved to the specified IPS signature location.
SUMMARY STEPS
1. enable
2. mkdir flash:/ips5
3. configure terminal
4. ip ips name ips-name
5. ip ips config location url
6. interface type name
7. ip ips ips-name {in | out}
8. exit
9. show ip ips configuration
10. show ip ips signature count
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
mkdir flash:/ips5
Example:
Router# mkdir flash:/ips5
|
Create a directory for which Cisco IOS IPS will save signature information.
Note The directory location will be specified via the ip ips config location command.
|
Step 3
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 4
|
ip ips name ips-name
Example:
Router(config)# ip ips name myips
|
Creates an IPS rule.
|
Step 5
|
ip ips config location url
Example:
Router(config)# ip ips config location
flash:/ips5
|
Specifies the location where Cisco IOS IPS will save the signature information, and, if necessary, access the signature configuration information.
Note You must specify a location; otherwise, the signature package will not be saved.
Note If the specified location is a URL, such as an FTP server, the user must have writer privileges.
|
Step 6
|
interface type name
Example:
Router(config)# interface gigbitEthernet 0/0
|
Identifies the interface in which to enable Cisco IOS IPS and enters interface configuration mode.
|
Step 7
|
ip ips ips-name {in | out}
Example:
Router(config-if)# ip ips MYIPS in
|
Applies an IPS rule at an interface and automatically loads the signatures and builds the signature engines.
Note Whenever signatures are replaced or merged, the router prompt is suspended while the signature engines for the newly added or merged signatures are being built. The router prompt will be available again after the engines are built.
Depending on your platform and how many signatures are being loaded, building the engine can take up to several minutes. It is recommended that you enable logging messages to monitor the engine building status.
|
Step 8
|
exit
Example:
Router(config-if)# exit
Router(config)# exit
|
Exits interface and global configuration modes.
|
Step 9
|
show ip ips configuration
Example:
Router# show ip ips configuration
|
(Optional) Verifies that Cisco IOS IPS is properly configured.
|
Step 10
|
show ip ips signature count
Example:
Router# show ip ips signature
|
(Optional) Verifies the number of signatures that are loaded into each signature micro engine (SME).
|
Examples
The following sample output displays the number of signatures that have been loaded into each SME:
Router# show ip ips signature count
Cisco SDF release version S247.0
Trend SDF release version V1.2
Signature Micro-Engine: multi-string
Signature Micro-Engine: service-http
Signature Micro-Engine: string-tcp
Signature Micro-Engine: string-udp
Signature Micro-Engine: state
Signature Micro-Engine: atomic-ip
Inactive - invalid params: 1
Signature Micro-Engine: string-icmp
Signature Micro-Engine: service-ftp
Signature Micro-Engine: service-rpc (INACTIVE)
Signature Micro-Engine: service-dns
Signature Micro-Engine: normalizer
Total Enabled Signatures: 741
Total Retired Signatures: 831
Total Compiled Signatures: 434
Total Signatures with invalid parameters: 1
Loading a Signature File into Cisco IOS IPS
Use this task to load a signature package into Cisco IOS IPS. You may wish to load a new signature package into Cisco IOS IPS if a signature (or signatures) with the current signature package is not providing your network with adequate protection from security threats.
Prerequisites
You must enable Cisco IOS IPS (as shown in the task "Configuring Cisco IOS IPS on Your Router") before loading a new signature package.
Flexible Signatures: Ordered and Incremental
Each signature is complied incrementally into the scanning tables at the same time. Thus, Cisco IOS IPS can deactivate signatures that fail to compile. (Prior to Cisco IOS Release 12.4(11)T, Cisco IOS IPS deactivated the entire signature microengine (SME) if a single signature failed to compile.)
Signatures are loaded into the scanning table on the basis of importance. Parameters such as signature severity, signature fidelity rating, and time lapsed since signatures were last released allow Cisco IOS IPS to compile the most important signatures first, followed by less important signatures, thereby, creating a load order and prioritizing which signatures are loaded first.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ips config location url
4. interface type name
5. ip ips ips-name {in | out}
6. exit
7. copy url idconf
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
ip ips config location url
Example:
Router(config)# ip ips config location
flash:/ips5
|
Specifies the location where Cisco IOS IPS will save the signature information, and, if necessary, access the signature configuration information.
|
Step 4
|
interface type name
Example:
Router(config)# interface gigbitEthernet 0/0
|
Identifies the interface in which to enable Cisco IOS IPS.
|
Step 5
|
ip ips ips-name {in | out}
Example:
Router(config-if)# ip ips MYIPS in
|
Applies an IPS rule at an interface and automatically loads the signatures and builds the signature engines.
|
Step 6
|
exit
Example:
Router(config-if)# exit
Router(config)# exit
|
Exits interface and global configuration modes.
|
Step 7
|
copy url idconf
Example:
Router# copy tftp://tftp_server/sig.xml idconf
|
Loads a signature package into Cisco IOS IPS.
After the package is loaded, all signature information is saved to the location specified via the ip ips config location command.
|
Tuning Signature Parameters
You can tune signature parameters on the basis of a signature ID (for an individual signature), or you can tune signature parameters on the basis of a category (that is, all signatures that are within a specified category). To tune signature parameters, use the following tasks, as appropriate:
•Tuning Signatures Per Signature ID
•Tuning Signatures Per Category
Note Some changes to the signature definitions are not shown in the run time config because the changes are recorded in the sigdef-delta.xml file, which can be located via the ip ips config location command.
Tuning Signatures Per Signature ID
Use this task to change default signature parameters for a specified signature ID.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ips signature-definition
4. signature signature-id [subsignature-id]
5. engine
6. event-action action
7. exit
8. alert-severity {high | medium | low | informational}
9. fidelity-rating rating
10. status
11. enabled {true | false}
12. exit
13. show ip ips signature
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
ip ips signature-definition
Example:
Router(config)# ip ips signature-definition
|
Enters signature-definition-signature configuration mode.
|
Step 4
|
signature signature-id [subsignature-id]
Example:
Router(config-sigdef-sig)# signature 9000:0
|
Specifies a signature for which the CLI user tunings will be changed and enters signature-definition-action configuration mode.
|
Step 5
|
engine
Example:
Router(config-sigdef-action)# engine
|
(Optional) Enters signature-definition-action-engine configuration mode, which allows you to change router actions for a specified signature.
|
Step 6
|
event-action action
Example:
Router(config-sigdef-action-engine)#
event-action deny-attacker-inline
|
Changes router actions for a specified signature.
The action argument can be any of the following options:
•deny-attacker-inline
•deny-connection-inline
•deny-packet-inline
•produce-alert
•reset-tcp-connection
Note Signature event actions must be entered on a single line.
Note You must enter the engine command before issuing this command.
|
Step 7
|
exit
Example:
Router(config-sigdef-action-engine)# exit
|
Exits the signature-definition-action-engine configuration mode.
This step is required only if the engine and event-action commands are issued.
|
Step 8
|
alert-severity {high | medium | low |
informational}
Example:
Router(config-sigdef-action)# alert-severity
medium
|
(Optional) Changes the alert severity rating for a given signature.
|
Step 9
|
fidelity-rating rating
Example:
Router(config-sigdef-action)# fidelity-rating
|
(Optional) Changes the signature fidelity rating for a given signature.
|
Step 10
|
status
Example:
Router(config-sidef-action)# status
|
(Optional) Enters the signature-definition-status configuration mode, which allows you to change the enabled status of a signature.
|
Step 11
|
enabled {true | false}
Example:
Router(config-sigdef-status)# enabled true
|
(Optional) Changes the enabled status of a given signature or signature category.
|
Step 12
|
exit
Example:
Router(config-sigdef-sta)# exit
Router(config-sidef-action)# exit
Router(config-sidef-sig)# exit
Router(config)# exit
|
Returns to EXEC mode, which allows you to later verify the configuration.
|
Step 13
|
show ip ips signature
Example:
Router# show ip ips signature
|
(Optional) Verifies the signature changes that have been made.
|
Tuning Signatures Per Category
Use this task to change default signature parameters for a category of signatures. Categories such as operating systems; Layer 2, Layer 3, or Layer 4 protocols; or service-based categories can be configured to provide wider changes to a group of signatures.
Tip Category configuration information is processed in the order that it is entered. Thus, it is recommended that the process of retiring all signatures (as shown in the task "Retiring All Signatures and Selecting a Category of Signatures") occur before all other category tuning.
If a category is configured more than once, the parameters entered in the second configuration will be added to or will replace the previous configuration.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ips signature-category
4. category category [sub-category]
5. event-action action
6. alert-severity {high | medium | low | informational}
7. fidelity-rating rating
8. enabled {true | false}
9. retired {true | false}
10. exit
11. show ip ips signature
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
ip ips signature-category
Example:
Router(config)# ip ips signature-category
|
Enters IPS category (config-ips-category) configuration mode.
|
Step 4
|
category category [sub-category]
Example:
Router(config-ips-category)# category attack
adware/spyware
|
Specifies a category that is to be used for multiple signature actions or conditions and enters IPS category action configuration mode.
|
Step 5
|
event-action action
Example:
Router(config-ips-category-action)# event-action
produce-alert
|
Changes router actions for a specified signature category.
The action argument can be any of the following options:
•deny-attacker-inline
•deny-connection-inline
•deny-packet-inline
•produce-alert
•reset-tcp-connection
Note Event actions associated with a category can be entered separately or on a single line.
|
Step 6
|
alert-severity {high | medium | low |
informational}
Example:
Router(config-ips-category-action)#
alert-severity medium
|
(Optional) Changes the alert severity rating for a given signature category.
|
Step 7
|
fidelity-rating rating
Example:
Router(config-ips-category-action)#
fidelity-rating
|
(Optional) Changes the signature fidelity rating for a signature given category.
|
Step 8
|
enabled {true | false}
Example:
Router(config-ips-category-action)# enabled true
|
(Optional) Changes the enabled status of a given signature or signature category.
|
Step 9
|
retired {true | false}
Example:
Router(config-ips-category-action)# retired true
|
(Optional) Specifies whether or not the router should retire a signature category.
|
Step 10
|
exit
Example:
Router(config-ips-category-action)# exit
Router(config-ips-category)# exit
Router(config)# exit
|
Returns to EXEC mode, which allows you to later verify the configuration.
|
Step 11
|
show ip ips signature
Example:
Router# show ip ips signature
|
(Optional) Verifies the signature category changes that have been made.
|
Setting the Target Value Rating
Use this task to set the target value rating, which allows users to develop security policies that can be more strict for some resources than others. The security policy is applied to a table of hosts that are protected by Cisco IOS IPS. A host can be a single IP address or a range of IP addresses with an associated target value rating.
Note Changes to the target value rating is not shown in the run time config because the changes are recorded in the seap-delta.xml file, which can be located via the ip ips config location command.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ips event-action-rules
4. target-value {mission-critical | high | medium | low} target-address ip-address [/nn | to ip-address]
5. exit
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
ip ips event-action-rules
Example:
Router(config)# ip ips event-action-rules
|
Enters the config-rule configuration mode, which allows users to change the target value rating.
|
Step 4
|
target-value {mission-critical | high |
medium | low} target-address ip-address [/nn
| to ip-address]
Example:
Router(config-rul)# target-value medium
target-address 10.12.100.53
|
Sets the target value rating for a host.
|
Step 5
|
exit
Example:
Router(config-rul)# exit
|
Exits config-rule configuration mode.
|
Enabling Automatic Signature Updates
Automatic signature updates allow users to override the existing configuration and automatically keep signatures up to date on the basis of a preset time, which can be configured to a preferred setting.
Time can be updated via the hardware clock or the configurable software clock (which ever option is available on your system). Although Network Time Protocol (NTP) is typically used for automated time synchronization, Cisco IOS IPS updates use the local clock resources as a reference for update intervals. Thus, NTP should be configured to update the local time server of the router, as appropriate.
Use this task to enable Cisco IOS IPS to automatically update the signature file on the system.
Automatic Signature Update Guidelines
When enabling automatic signature updates, it is recommended that you ensure the following configuration guidelines have been met:
•The router's clock is set up with the proper relative time.
•The frequency for Cisco IOS IPS to obtain updated signature information has been defined.
•The URL in which to retrieve the Cisco IOS IPS signature configuration files has been specified.
•Optionally, the username and password for which to access the files from the server have been specified.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ips auto-update
4. occur-at min:hour date day
5. username name password password
6. url url
7. exit
8. show ip ips auto-update
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
ip ips auto-update
Example:
Router(config)# ip ips auto-update
|
Enables automatic signature updates for Cisco IOS IPS and enters IPS auto-update configuration mode.
|
Step 4
|
occur-at min:hour date day
Example:
Router(config-ips-auto-update)# occur-at 0 0-23
1-31 1-5
|
(Optional) Defines a preset time for which the Cisco IOS IPS signature files are automatically updated.
|
Step 5
|
username name password password
Example:
Router(config-ips-auto-update)# username myips
password secret
|
(Optional) Defines a username and password for the automatic signature update function.
|
Step 6
|
url url
Example:
Router(config-ips-auto-update)# url
tftp://192.168.0.2/jdoe/ips-auto-update/IOS_req
Seq-dw.xml
|
(Optional) URL in which the router retrieves the Cisco IOS IPS signature configuration files.
|
Step 7
|
exit
Example:
Router(config-ips-auto-update)# exit
Router(config)# exit
|
Exits IPS auto-update and global configuration modes.
|
Step 8
|
show ip ips auto-update
Example:
Router# show ip ips auto-update
|
Verifies the automatic signature update configuration.
|
Examples
The following example shows how to configure automatic signature updates and issue the show ip ips auto-update command to verify the configuration. In this example, the signature package file is pulled from the TFTP server at the start of every hour or every day, Sunday through Thursday. (Note that adjustments are made for months without 31 days and daylight savings time.)
Router# clock set 10:38:00 20 apr 2006
*Apr 20 17:38:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:37:55 MST
Thu Apr 20 2006 to 10:38:00 MST Thu Apr 20 2006, configured from console by cisco on
console.
