The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to deploy the UTD Snort IPS Engine on the Cisco Integrated Services Routers ISR1K, ISR4K, CSRs and ISRv series using the IOx method.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The VMAN method is now deprecated.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The Unified Threat Defense (UTD) Snort IPS feature enables Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) for branch offices on Cisco Integrated Services Routers ISR1K, ISR4K, CSRs and ISRv series. This feature uses the open-source Snort to enable IPS or IDS capabilities.
Snort is an open-source IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. It can also perform protocol analysis, content researching or marching, and detect a variety of attacks and probes, such as buffer overflows, stealth port scans, and so on. The UTD Snort engine runs as a virtual container service on Cisco Integrated Services Routers ISR1K, ISR4K, CSRs and ISRv series.
The UTD Snort IPS provides IPS or IDS capabilities for Cisco Integrated Services Routers ISR1K, ISR4K, CSRs and ISRv series.
Based on network requirements. The UTD Snort IPS can be enabled as IPS or IDS:
The UTD Snort IPS runs as a service on the routers ISR1K, ISR4K, CSRs and ISRv series. Service containers use virtualization technology to provide a hosting environment on Cisco devices for applications. Snort traffic inspection is enabled either on a per-interface basis or globally on all supported interfaces.
The UTD snort engine IPS solution consists of the following entities:
Snort sensor — Monitors the traffic to detect anomalies based on the configured security policies (that includes signatures, statistics, protocol analysis, and so on) and sends alert messages to the Alert/Reporting server. The Snort sensor is deployed as a virtual container service on the router.
Signature store — Hosts the Cisco Signature packages that are updated periodically. These signature packages are downloaded to Snort sensors either periodically or on demand. Validated signature packages are posted to Cisco.com. Based on the configuration, signature packages can be downloaded from Cisco.com or a local server.
The following domains are accessed by the router in the process of downloading the signature package from cisco.com:
api.cisco.com
apx.cisco.com
cloudsso.cisco.com
cloudsso-test.cisco.com
cloudsso-test3.cisco.com
cloudsso-test4.cisco.com
cloudsso-test5.cisco.com
cloudsso-test6.cisco.com
cloudsso.cisco.com
download-ssc.cisco.com
dl.cisco.com
resolver1.opendns.com
resolver2.opendns.com
Signature packages must be manually downloaded from Cisco.com to the local server by using Cisco.com credentials before the Snort sensor can retrieve them.
Alert/Reporting server — Receives alert events from the Snort sensor. Alert events generated by the Snort sensor can either be sent to the IOS syslog or an external syslog server or to both IOS syslog and external syslog server. No external log servers are bundled with the Snort IPS solution.
Management — Manages the Snort IPS solution. Management is configured using the IOS CLI. Snort Sensor cannot be accessed directly, and all configuration can only be done using the IOS CLI.
The following are the licensing requirements for the UTD snort engine:
a) Community Signature Package: The community signature package rule set offers limited coverage against threats.
b) Subscriber-based Signature Package: The subscriber-based signature package rule set offers the best protection against threats. It includes coverage in advance of exploits and also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco and the package will be constantly updated on Cisco.com.
The UTD Snort Subscriber Signature Package can be downloaded from software.cisco.com and the snort signature information can be found on snort.org.
Besides that, you can use the following snort.org Rule Documentation Search tool to look for specific snort IPS signature IDs.
The following are the supported platforms for the UTD snort engine:
The following limitations apply to the UTD snort engine:
The following restrictions apply to the UTD snort engine:
When you enable boost license on Cisco 4000 Series ISRs, you cannot configure the virtual-service container for Snort IPS.
Incompatible with the Zone-Based Firewall SYN-cookie feature.
Network Address Translation 64 (NAT64) is not supported.
SnortSnmpPlugin is required for SNMP polling in open source Snort. Snort IPS does not support SNMP polling capabilities or MIBs as the SnortSnmp plugin is not installed on UTD.
The following, are the Cisco links to download the UTD Snort IPS Engine Software image files to use for installing the UTD snort engine on your Cisco router. Besides that, you will find the UTD Snort Subscriber Signature Package files to download the UTD snort IPS signatures, depending on the UTD snort engine version running.
Note: Prerequisites to take into consideration for before installing the UTD snort engine, If it is a physical ISR it must be running IOS-XE version 3.16.1 or above. If it is a CSR it must be running version 16.3.1 or above and if it is an ISRv (ENCS) then it must be running version 16.8.1 or above. For Catalyst 8300 (starting version 17.3.2 and above), 8200 (starting version 17.4.1 and above) and for 8000V (starting version 17.4.1 and above).
Note: If the user downloads the UTD Snort Subscriber Signature Package manually from the download software page, then the user should ensure that the package has the same version as the Snort engine version. For example, if the Snort engine version is 2982, then the user should download the same version of the signature package. If there is a version mismatch, the signature package update will be rejected and it will fail.
Note: When the signature package is updated, the engine will be restarted and the traffic will be interrupted or bypass inspection for a short period depending on their data plane fail-open/fail-close configuration.
Step 1. Configure the VirtualPortGroup interfaces for the UTD snort engine, configure two port groups:
Router#configure terminal
Router(config)#interface VirtualPortGroup0
Router(config-if)#description Management Interface
Router(config-if)#ip address 192.168.1.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface VirtualPortGroup1
Router(config-if)#description Data Interface
Router(config-if)#ip address 192.168.2.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Note: Make sure to configure the NAT and Routing required for the VirtualPortgroup0, for the UTD snort engine to be able to reach the external syslog server as well as the cisco.com to grab the signature update files.
Step 2. Enable the IOx environment in Global Configuration mode.
Router(config)#iox
Step 3. Then, activate the virtual service and configure guest IPs, for this, configure the app-hosting with the vnic configuration.
Router(config)#app-hosting appid UTD
Router(config-app-hosting)#app-vnic gateway0 virtualportgroup 0 guest-interface 0
Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.1.2 netmask 255.255.255.252
Router(config-app-hosting-gateway0)#exit
Router(config-app-hosting)#app-vnic gateway1 virtualportgroup 1 guest-interface 1
Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.2.2 netmask 255.255.255.252
Router(config-app-hosting-gateway0)#exit
Step 4 (Optional). Configure Resource Profile.
Router(config-app-hosting)#app-resource package-profile low [low,medium,high]
Router(config-app-hosting)#end
Note: The UTD snort engine virtual service supports three resource profiles: Low, Medium, and High. These profiles indicate the CPU and memory resources required to run the virtual service. You can configure one of these resource profiles. The resource profile configuration is optional. If you do not configure a profile, the virtual service is activated with its default resource profile. Check the Cisco Virtual Service Resource Profile for ISR4K and CSR1000v for further resource profile details.
Note: This option is not available for the ISR1K series.
Step 5. Copy the UTD Snort IPS engine software file to the routers flash, then Install the app-hosting using the UTD.tar file as follows.
Router#app-hosting install appid UTD package bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar
Note: The UTD engine version is specified on the UTD file name, ensure the UTD engine version to be installed, is compatible with the IOS-XE version running in the Cisco router
Next syslogs should be seen indicating UTD service was properly installed.
Installing package 'bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for 'utd'. Use 'show app-hosting list' for progress.
*Jun 26 19:25:35.975: %VMAN-5-PACKAGE_SIGNING_LEVEL_ON_INSTALL: R0/0: vman: Package 'iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for service container 'utd' is 'Cisco signed', signing level cached on original install is 'Cisco signed'
*Jun 26 19:25:50.746: %VIRT_SERVICE-5-INSTALL_STATE: Successfully installed virtual service utd
*Jun 26 19:25:53.176: %IM-6-INSTALL_MSG: R0/0: ioxman: app-hosting: Install succeeded: utd installed successfully Current state is deployed
Note: Using 'show app-hosting list' the status should be displayed as 'Deployed'
Step 6. Start the app-hosting service.
Router#configure terminal
Router(config)#app-hosting appid UTD
Router(config-app-hosting)#start
Router(config-app-hosting)#end
Note: After starting the app-hosting service, the app-hosting status should be 'Running'. Use 'show app-hosting list' or 'show app-hosting detail' to see more details.
Next syslog messages should be seen indicating UTD service was installed properly.
*Jun 26 19:55:05.362: %VIRT_SERVICE-5-ACTIVATION_STATE: Successfully activated virtual service UTD
*Jun 26 19:55:07.412: %IM-6-START_MSG: R0/0: ioxman: app-hosting: Start succeeded: UTD started successfully Current state is running
After successful installation, the service plane must be configured for the UTD snort engine. The UTD snort engine can be configured as Intrusion Prevention System (IPS) or as Intrusion Detection System (IDS) for traffic inspection.
Warning: Confirm the 'securityk9' license feature is enabled in the Router to proceed with UTD service plane configuration.
Step 1. Configure the Unified Threat Defense (UTD) standard engine (Service Plane)
Router#configure terminal
Router(config)#utd engine standard
Step 2. Enable the logging of the UTD snort engine to a remote server and to the IOSd syslog.
Router(config-utd-eng-std)#logging host 192.168.10.5
Router(config-utd-eng-std)#logging syslog
Note: The UTD Snort IPS monitors the traffic and reports events to an external log server or the IOS syslog. Enabling logging to the IOS syslog may impact performance due to the potential volume of log messages. External third-party monitoring tools, which supports Snort logs, can be used for log collection and analysis.
Step 3. Enable Threat Inspection for Snort Engine.
Router(config-utd-eng-std)#threat-inspection
Step 4. Configure Threat Detection (IDS) or Intrusion Prevention System (IPS) as the operating mode for the snort engine.
Router(config-utd-engstd-insp)#threat [protection,detection]
Note: Use the keyword 'protection' for IPS and 'detection' for the IDS mode. The default mode is 'detection'
Step 5. Configure the Security Policy for the snort engine.
Router(config-utd-engstd-insp)#policy [balanced, connectivity, security]
Router(config-utd-engstd-insp)#exit
Router(config-utd-eng-std)#exit
Note: The default Policy is 'balanced', depending on the policy chose, the snort engine will activate or deactivate IPS signatures for the snort engine protection.
Step 6 (Optional). Enable the UTD allowed-list (Whitelist) configuration.
Router#configure terminal
Router(config)#utd threat-inspection whitelist
Step 7 (Optional). Configure the IPS snort signature IDs to be included in the whitelist.
Router(config-utd-whitelist)#generator id 40 signature id 54621 comment FILE-OFFICE traffic
or
Router(config-utd-whitelist)#signature id 13418 comment "whitelisted the IPS signature 13418"
Note: The signature IDs can be copied from the alerts that needs to be suppressed, you can configure multiple signature IDs. Repeat this step for each signature ID that needs to be added to the whitelist.
Note: After the allowed list signature ID is configured (whitelist), the UTD snort engine will allow the flow to pass through the device without any alerts and drops.
Note: The generator identifier (GID) identifies the subsystem that evaluates an intrusion rule and generates events. Standard text intrusion rules have a generator ID of 1, and shared object intrusion rules have a generator ID of 3. There are also several sets of rules for various preprocessors. The following Table 1. Generator IDs explains the GIDs.
Step 8 (Optional). Enable Allowed List on Threat Inspection config.
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#whitelist
Note: After the whitelist signature ID is configured, the snort engine will allow the flow to pass through the device without any alerts and drops
Step 9. Configure the Signature update interval to download Snort Signatures automatically.
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#signature update occur-at [daily, monthly, weekly] 0 0
Note: The first number defines the hour in 24hr format, and the second number indicates minutes.
Warning: UTD Signature updates generate a brief service interruption at the time of update.
Step 10. Configure the UTD snort engine signature update server parameters.
Router(config-utd-engstd-insp)#signature update server [cisco, url] username xxxx password xxxx
Example - Configuring signature updates from a Cisco Server:
Router(config-utd-engstd-insp)#signature update server cisco username xxxx password xxxx
or
Example - Configuring signature updates from a Local server:
Router(config-utd-engstd-insp)#signature update server url http://x.x.x.x/UTD-STD-SIGNATURE-31810-155-S.pkg
Note: Use the keyword 'cisco' to point to the Cisco server for the signature updates or use the keyword 'url' to define a custom http/https path for the update server. For the Cisco server, you must provide your Cisco username and password credentials.
Note: Ensure that a DNS server is configured to download IPS snort signatures from the Cisco server. The Snort container performs a domain-name lookup (on the DNS server(s) configured on the router) to resolve the location for automatic signature updates from Cisco.com or on the local server, if the URL is not specified as the IP address.
Note: The UTD module MGMT IP address assigned to the interface VirtualPortGroup0, should be included in the Router NAT configuration to allow the module to get internet access to reach out the Cisco server for downloading the snort signature packages.
Step 11. Enable the UTD snort engine logging level and the logging of the threat inspection alert statistics:
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#logging level [alert,crit,debug,emerg,info,notice,warning]
Router(config-utd-engstd-insp)#logging statistics enable
Router(config-utd-engstd-insp)#exit
Router(config-utd-eng-std)#exit
Note: Starting the Cisco IOS XE Fuji 16.8 release, you can get summarized details for the threat-inspection alerts when running next command 'show utd engine standard logging threat-inspection statisticsdetail'. Just, when the logging of the threat inspection alert statistics is enabled for the UTD snort engine.
Step 12. Enable utd service.
Router#configure terminal
Router(config)#utd
Step 13 (Optional). Redirect data traffic from the VirtualPortGroup interface to the UTD service.
Router#configure terminal
Router(config)#utd
Router(config-utd)#redirect interface virtualPortGroup
Note: If the redirection is not configured, it is auto-detected.
Step 14. Enable the UTD IPS engine to inspect the traffic from all the Layer 3 interfaces on the Router.
Router(config-utd)#all-interfaces
Step 15. Enable the engine standard.
Router(config-utd)#engine standard
Next syslog messages should be seen indicating the UTD snort engine was properly enabled:
*Jun 27 23:41:03.062: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jun 27 23:41:13.039: %IOSXE-2-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008501210250689 %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Down => Red (3) for channel Threat Defense
*Jun 27 23:41:22.457: %IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008510628353985 %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: Red
Step 16 (Optional). Define the action for UTD snort engine during a failure (UTD Data Plane)
Router(config-engine-std)#fail open
Router(config-engine-std)#end
Note: The 'fail close' option drops all the Router traffic when the UTD engine fails and the 'fail open' option, allows the router traffic to continue flowing without IPS/IDS inspection during UTD failures. The default option is 'fail open'.
Step 17. Save the Router configuration.
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#
The UTD snort engine has Port-Scan capabilities. A port scan is a form of network reconnaissance that is often used by attackers as a prelude to an attack. In a port scan, an attacker sends packets designed to probe for network protocols and services on a targeted host. By examining the packets sent in response by a host, the attacker can determine which ports are open on the host and, either directly or by inference, which application protocols are running on these ports.
By itself, a port scan is not evidence of an attack. Legitimate users on your network may employ similar port scanning techniques used by attackers.
The por_scan inspector detects four types of portscan and monitors connection attempts on TCP, UDP, ICMP, and IP protocols. By detecting patterns of activity, the port_scan inspector helps you determine which port scans might be malicious.
Port scans are generally divided into four types based on the number of targeted hosts, the number of scanning hosts, and the number of ports that are scanned.
The Table 3. below display the port scan inspector rules.
The port_scan inspector provides three default scan sensitive levels for the UTD snort engine:
Step 1. Configure the Unified Threat Defense (UTD) standard engine (Service Plane)
Router#configure terminal
Router(config)#utd engine standard
Step 2. Enable Threat Inspection for the UTD snort Engine.
Router(config-utd-eng-std)#threat-inspection
Step 3. Then, enable the port_scan.
Router(config-utd-engstd-insp)#port-scan
Step 4. Set the port_scan sensitive level, the options available are high, medium or low.
Router(config-utd-threat-port-scan)# sense level [high | low | medium]
Example:
Router(config-utd-threat-port-scan)# sense level high
Step 5. Once the port_scan is enabled and configured with a sensitive level for the UTD snort engine, use the 'show utd engine standard config' command to verify port_scan configuration.
Router#show utd engine standard config UTD Engine Standard Configuration: VirtualPortGroup Id: 1 IPS/IDS : Enabled Operation Mode : Intrusion Prevention Policy : Security Signature Update: Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg Occurs-at : daily ; Hour: 17; Minute: 55 Logging: Server : IOS Syslog; 172.16.2.2 Level : debug Statistics : Enabled Hostname : router System IP : Not set Whitelist : Disabled Whitelist Signature IDs: Port Scan : Enabled Sense level : High Web-Filter : Disabled
Router#show ip interface brief | i VirtualPortGroup
VirtualPortGroup0 192.168.1.1 YES NVRAM up up
VirtualPortGroup1 192.168.2.1 YES NVRAM up up
Router#show running-config | b interface
interface VirtualPortGroup0
description Management Interface
ip address 192.168.1.1 255.255.255.252
!
interface VirtualPortGroup1
description Data Interface
ip address 192.168.2.1 255.255.255.252
Router#show running-config | b app-hosting
app-hosting appid UTD
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.1.2 netmask 255.255.255.252
app-vnic gateway1 virtualportgroup 1 guest-interface 1
guest-ipaddress 192.168.2.2 netmask 255.255.255.252
start
end
Router#show running-config | i iox
iox
Router#show app-hosting list
App id State
---------------------------------------------------------
UTD RUNNING
Issue the 'show app-hosting detail' command to confirm the UTD snort engine state, the software version running, the RAM, CPU and Disk utilization, the network statistics and the DNS configuration in place.
Router#show app-hosting detail
App id : UTD
Owner : ioxm
State : RUNNING
Application
Type : LXC
Name : UTD-Snort-Feature
Version : 1.0.7_SV2.9.18.1_XE17.9
Description : Unified Threat Defense
Author :
Path : /bootflash/secapp-utd.17.09.03a.1.0.7_SV2.9.18.1_XE17.9.x86_64.tar
URL Path :
Multicast : yes
Activated profile name :
Resource reservation
Memory : 1024 MB
Disk : 752 MB
CPU :
CPU-percent : 25 %
VCPU : 0
Platform resource profiles
Profile Name CPU(unit) Memory(MB) Disk(MB)
--------------------------------------------------------------
Attached devices
Type Name Alias
---------------------------------------------
Disk /tmp/xml/UtdLogMappings-IOX
Disk /tmp/xml/UtdIpsAlert-IOX
Disk /tmp/xml/UtdDaqWcapi-IOX
Disk /tmp/xml/UtdUrlf-IOX
Disk /tmp/xml/UtdTls-IOX
Disk /tmp/xml/UtdDaq-IOX
Disk /tmp/xml/UtdAmp-IOX
Watchdog watchdog-503.0
Disk /tmp/binos-IOX
Disk /opt/var/core
Disk /tmp/HTX-IOX
Disk /opt/var
NIC ieobc_1 ieobc
Disk _rootfs
NIC mgmt_1 mgmt
NIC dp_1_1 net3
NIC dp_1_0 net2
Serial/Trace serial3
Network interfaces
---------------------------------------
eth0:
MAC address : 54:0e:00:0b:0c:02
IPv6 address : ::
Network name :
eth:
MAC address : 6c:41:0e:41:6b:08
IPv6 address : ::
Network name :
eth2:
MAC address : 6c:41:0e:41:6b:09
IPv6 address : ::
Network name :
eth1:
MAC address : 6c:41:0e:41:6b:0a
IPv4 address : 192.168.2.2
IPv6 address : ::
Network name :
----------------------------------------------------------------------
Process Status Uptime # of restarts
----------------------------------------------------------------------
climgr UP 0Y 0W 0D 21:45:29 2
logger UP 0Y 0W 0D 19:25:56 0
snort_1 UP 0Y 0W 0D 19:25:56 0
Network stats:
eth0: RX packets:162886, TX packets:163855
eth1: RX packets:46, TX packets:65
DNS server:
domain cisco.com
nameserver 192.168.90.92
Coredump file(s): core, lost+found
Interface: eth2
ip address: 192.168.2.2/30
Interface: eth1
ip address: 192.168.1.2/30
Address/Mask Next Hop Intf.
-------------------------------------------------------------------------------
0.0.0.0/0 192.168.2.1 eth2
0.0.0.0/0 192.168.1.1 eth1
Use the 'show utd engine standard version' command to confirm the UTD snort engine compatibility version, againts the IOS-XE router version running.
Router#show utd engine standard version
UTD Virtual-service Name: UTD
IOS-XE Recommended UTD Version: 1.1.11_SV3.1.81.0_XE17.12
IOS-XE Supported UTD Regex: ^1\.1\.([0-9]+)_SV(.*)_XE17.12$
UTD Installed Version: 1.1.11_SV3.1.81.0_XE17.12
Option 1. Issue the 'show utd engine standard status' command, to confirm the status of the UTD snort engine, Status in 'Green', Health in 'Green' and the Overall system status in 'Green', indicate the UTD snort engine is operational.
Router#show utd engine standard status Engine version : 1.1.11_SV3.1.81.0_XE17.12 Profile : Low System memory : Usage : 31.80 % Status : Green Number of engines : 1 Engine Running Health Reason ======================================================= Engine(#1): Yes Green None ======================================================= Overall system status: Green Signature update status: ========================= Current signature package version: 31810.155.s Last update status: Failed Last successful update time: Wed Sep 3 12:51:56 2025 CST Last failed update time: Wed Sep 3 17:55:02 2025 CST Last failed update reason: File not found Next update scheduled at: Thursday Sep 04 17:55 2025 CST Current status: Idle
Note: When the UTD snort engine is oversubscribed, the threat defence channel state changes between green and red. The UTD dataplane either drops all further packets if fail-close is configured or forwards the packets un-inspected if fail-close is not configured (default). When the UTD serviceplane recovers from over-subscription, it responds to the UTD dataplane with the green status.
Option 2. Issue the 'show platform software utd global' command, to get a brief summary of the UTD snort engine operation state.
Router#show platform software utd global
UTD Global state
=========================
Engine : Standard
Global Inspection : Enabled
Operational Mode : Intrusion Prevention
Fail Policy : Fail-open
Container technology : LXC
Redirect interface : VirtualPortGroup1
UTD interfaces
All dataplane interfaces
Option 1. Issue the 'show utd engine standard config' command to display the UTD snort engine configuration details, the operation mode, the policy mode, the signature update configuration, the logging configuration, the whitelist and the port scan status.
Router#show utd engine standard config
UTD Engine Standard Configuration:
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : cisco
User Name : cisco
Password : KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
Occurs-at : daily ; Hour: 0; Minute: 0
Logging:
Server : 192.168.10.5
Level : info
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Enabled
Whitelist Signature IDs:
54621, 40
Port Scan : Enabled
Web-Filter : Disabled
Option 2. Issue the 'show running-config | b engine' command to display the UTD snort engine running configuration in place.
Router#show running-config | b engine
utd engine standard
logging host 192.168.10.5
logging syslog
threat-inspection
threat protection
policy security
signature update server cisco username cisco password KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
signature update occur-at daily 0 0
logging level info
whitelist
logging statistics enable
utd threat-inspection whitelist
generator id 40 signature id 54621 comment FILE-OFFICE traffic
utd
all-interfaces
redirect interface VirtualPortGroup1
engine standard
1. Issue the 'show utd engine standard threat-inspection signature update status' command, to check the IPS snort signature update status.
Router#show utd engine standard threat-inspection signature update status
Current signature package version: 31810.155.s
Current signature package name: UTD-STD-SIGNATURE-31810-155-S.pkg
Previous signature package version: 31810.154.s
---------------------------------------
Last update status: Failed
---------------------------------------
Last successful update time: Wed Sep 3 12:51:56 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.4.219/UTD-STD-SIGNATURE-31810-155-S.pkg
Last successful update speed: 6343108 bytes in 31 secs
---------------------------------------
Last failed update time: Thu Sep 4 17:55:02 2025 CST
Last failed update method: Auto
Last failed update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Last failed update reason: File not found
---------------------------------------
Last attempted update time: Thu Sep 4 17:55:02 2025 CST
Last attempted update method: Auto
Last attempted update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
---------------------------------------
Total num of updates successful: 2
Num of attempts successful: 2
Num of attempts failed: 29
Total num of attempts: 31
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
---------------------------------------
Current status: Idle
2. Issue the 'utd threat-inspection signature update' command, to execute a manual IPS snort signature update by using the existing server configuration applied to the UTD snort engine for the signature downloads.
Router#utd threat-inspection signature update
3. Issue the 'utd threat-inspection signature update server [cisco, url] username xxxxx password xxxxx force' command, to force a manual IPS snort signature update with the server prameters specified.
Router#utd threat-inspection signature update server [cisco, url] username xxxxx password xxxxx force
Example:
Router#utd threat-inspection signature update server url http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg force
% This operation may cause the UTD service to restart which will briefly interrupt services.
Proceed with signature update? [confirm]
Router#
*Sep 5 02:08:13.845: %IOSXE_UTD-4-SIG_UPDATE_EXEC: UTD signature update has been executed - A brief service interruption is expected
*Sep 5 02:08:35.007: %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Green => Red (3) for channel Threat DefenseQFP:0.0 Thread:001 TS:00000217689533745619
Router#
*Sep 5 02:08:42.671: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: UTD signature update succeeded - previous version: 31810.155.s - current version: 31810.156.s
Router#
*Sep 5 02:09:00.284: %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: RedQFP:0.0 Thread:001 TS:00000217714810090067
Router#show utd engine standard signature update status
Current signature package version: 31810.156.s
Current signature package name: UTD-STD-SIGNATURE-31810-156-S.pkg
Previous signature package version: 31810.155.s
---------------------------------------
Last update status: No New Package found
---------------------------------------
Last successful update time: Thu Sep 4 20:08:41 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg
Last successful update speed: 6344395 bytes in 27 secs
---------------------------------------
Last failed update time: Thu Sep 4 20:07:43 2025 CST
Last failed update method: Manual
Last failed update server: http://10.189.35.188/tftpboot/UTD-STD-SIGNATURE-31810-156-S.pkg
Last failed update reason: File not found
---------------------------------------
Last attempted update time: Thu Sep 4 20:10:29 2025 CST
Last attempted update method: Manual
Last attempted update server: http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg
---------------------------------------
Total num of updates successful: 3
Num of attempts successful: 4
Num of attempts failed: 30
Total num of attempts: 34
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
---------------------------------------
Current status: Idle
Use the following show commands to monitor the traffic processed by the UTD snort engine and to check the statistics related to the traffic inspection.
Option 1. From the below 'show utd engine standard statistics' output, the 'received' and 'analyzed' counters increment, when traffic is being processed by the UTD snort engine:
Router#show utd engine standard statistics
************************************
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 62069 <------------
analyzed: 62069 <------------
allow: 60634
block: 38
replace: 1
whitelist: 1396
idle: 763994
rx_bytes: 13778491
--------------------------------------------------
codec
total: 62069 (100.000%)
eth: 62069 (100.000%)
icmp4: 234 ( 0.377%)
icmp4_ip: 234 ( 0.377%)
ipv4: 62069 (100.000%)
tcp: 56168 ( 90.493%)
udp: 5667 ( 9.130%)
--------------------------------------------------
Option 2. From the below 'show platform hardware qfp active feature utd stats' output, the 'decaps' and 'Divert' counters increment, when the traffic is re-directed from the Router to the UTD snort engine for traffic inspection and the 'encaps' and 'Reinject' counters increment, when the traffic is re-directed from the UTD snort engine to the Router:
Router#show platform hardware qfp active feature utd stats Summary Statistics: Policy Active Connections 3 TCP Connections Created 83364 UDP Connections Created 532075 ICMP Connections Created 494 Channel Summary Active Connections 3 decaps 1156574 <------------ encaps 1157144 <------------ Expired Connections 615930 Packet stats - Policy Pkts dropped pkt 15802 byt 14111880 Pkts entered policy feature pkt 1306750 byt 363602774 Pkts slow path pkt 615933 byt 25317465 Packet stats - Channel Summary Bypass pkt 25368 byt 4459074 Divert pkt 1157144 <------------ byt 301046050 Reinject pkt 1156574 <------------ byt 301015446 Would Drop Statistics (fail-open): Policy TCP SYN w/data packet 15802 Channel Summary Stats were all zero General Statistics: Non Diverted Pkts to/from divert interface 2725 Inspection skipped - UTD policy not applicable 111161 Pkts Skipped - New pkt from RP 33139 Response Packet Seen 64766 Feature memory allocations 615933 Feature memory free 615930 Feature Object Delete 615930 Skipped - First-in-flow RST packets of a TCP flow 55 Diversion Statistics Summary: SN offloaded flow 3282 Flows Bypassed as SN Unhealthy 25368 Service Node Statistics: SN down 1 SN health green 13 SN health red 12 SN Health: Channel: Threat Defense : Green AppNAV registration 2 AppNAV deregister 1 SN Health: Channel: Service : Down Stats were all zero TLS Decryption policy not enabled Appnav Statistics: No FO Drop pkt 0 byt 0
Option 3. From the below 'show utd engine standard statistics internal' output, the 'received' and 'analyzed' counters increment, when the traffic is re-directed from the Router to the UTD snort engine for traffic inspection. Besides that, this output will display further details and statistics about the traffic inspected by the UTD snort engine:
Router# show utd engine standard statistics internal
************************************
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 62099 <------------
analyzed: 62099 <------------
allow: 60664
block: 38
replace: 1
whitelist: 1396
idle: 764287
rx_bytes: 13782351
--------------------------------------------------
codec
total: 62099 (100.000%)
eth: 62099 (100.000%)
icmp4: 234 ( 0.377%)
icmp4_ip: 234 ( 0.377%)
ipv4: 62099 (100.000%)
tcp: 56198 ( 90.497%)
udp: 5667 ( 9.126%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
appid
packets: 62099
processed_packets: 62087
ignored_packets: 12
total_sessions: 9091
service_cache_adds: 4
bytes_in_use: 608
items_in_use: 4
--------------------------------------------------
binder
raw_packets: 12
new_flows: 9091
service_changes: 4360
inspects: 9103
--------------------------------------------------
detection
analyzed: 62099
hard_evals: 234
raw_searches: 12471
cooked_searches: 5699
pkt_searches: 18170
pdu_searches: 14839
file_searches: 491
alerts: 3
total_alerts: 3
logged: 3
buf_dumps: 3
--------------------------------------------------
dns
packets: 5529
requests: 2780
responses: 2749
--------------------------------------------------
http_inspect
flows: 2449
scans: 10523
reassembles: 10523
inspections: 10317
requests: 2604
responses: 2309
get_requests: 1618
head_requests: 1
post_requests: 1
connect_requests: 984
request_bodies: 1
uri_normalizations: 1339
concurrent_sessions: 15
max_concurrent_sessions: 20
connect_tunnel_cutovers: 984
total_bytes: 1849394
--------------------------------------------------
normalizer
test_tcp_trim_win: 6
tcp_ips_data: 1
tcp_block: 38
--------------------------------------------------
pcre
pcre_rules: 6317
pcre_native: 6317
--------------------------------------------------
port_scan
packets: 62099
trackers: 96
bytes_in_use: 20736
--------------------------------------------------
search_engine
max_queued: 135
total_flushed: 52095
total_inserts: 66077
total_unique: 52095
non_qualified_events: 52326
qualified_events: 3
searched_bytes: 9498731
--------------------------------------------------
ssl
packets: 3281
decoded: 3281
client_hello: 927
server_hello: 927
certificate: 244
server_done: 711
client_key_exchange: 242
server_key_exchange: 242
change_cipher: 1160
client_application: 149
server_application: 1283
unrecognized_records: 19
sessions_ignored: 927
concurrent_sessions: 27
max_concurrent_sessions: 94
--------------------------------------------------
stream
flows: 9091
total_prunes: 7566
idle_prunes_proto_timeout: 7566
tcp_timeout_prunes: 5895
udp_timeout_prunes: 1561
icmp_timeout_prunes: 110
current_flows: 294
uni_flows: 249
--------------------------------------------------
stream_ip
sessions: 110
max: 110
created: 110
released: 110
total_bytes: 60371
--------------------------------------------------
stream_tcp
sessions: 7414
max: 7414
created: 7414
released: 7126
instantiated: 7414
setups: 7414
restarts: 3376
discards: 38
invalid_seq_num: 6
invalid_ack: 1
events: 39
syn_trackers: 7414
segs_queued: 12824
segs_released: 12710
segs_used: 7681
rebuilt_packets: 13601
rebuilt_bytes: 8945365
overlaps: 1
gaps: 1
memory: 208052
initializing: 246
established: 27
closing: 15
syns: 28310
syn_acks: 2449
resets: 358
fins: 2430
max_segs: 13
max_bytes: 15665
--------------------------------------------------
stream_udp
sessions: 1567
max: 1567
created: 1567
released: 1561
total_bytes: 743786
--------------------------------------------------
wizard
tcp_scans: 3376
tcp_hits: 3376
udp_scans: 118
udp_misses: 118
--------------------------------------------------
Appid Statistics
--------------------------------------------------
detected apps and services
Application: Services Clients Users Payloads Misc Referred
chrome: 0 101 0 0 0 0
dns: 1448 1449 0 0 0 0
firefox: 0 139 0 0 0 0
http: 2449 0 0 0 0 0
microsoft_update: 0 0 0 34 0 0
squid: 0 0 0 1144 0 0
unknown: 1 0 0 2416 0 0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
signals: 2
--------------------------------------------------
memory
start_up_use: 240250880
cur_in_use: 293490688
max_in_use: 294907904
epochs: 2718651
allocated: 198516408
deallocated: 168476672
app_all: 265459456
active: 274247680
resident: 281190400
retained: 12693504
Use the following show commands to monitor the snort IPS signatures triggered, the IPS/IDS events generated and the source and destination IP addresses involved.
Option 1. Use the 'show utd engine standard logging events [threat-inspection]' command, to look for IPS/IDS events:
Router#show utd engine standard logging events [threat-inspection] 2025/09/03-15:03:42.946703 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:1417 -> 172.16.2.2:10 2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184 2025/09/03-16:10:12.705933 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:2184 -> 172.16.2.2:10
Option 2. Use the 'show utd engine standard logging statistics threat-inspection' command, to look for the top IPS snort signatures triggered in the past 24hrs and how many times each signature has been triggered:
Router# show utd engine standard logging statistics threat-inspection Top Signatures Triggered in the past 24 hours --------------------------------------------------------------------- Signature-id Count Description --------------------------------------------------------------------- 122:7:2 137 portscan: TCP Filtered Portsweep 122:1:2 5 portscan: TCP Portscan 122:3:2 1 portscan: TCP Portsweep
Option 3. Use the 'show utd engine standard logging statistics threat-inspection detail' command, to look for the top IPS snort signatures triggered in the past 24hrs, how many times each signature has been triggered and the source and destination IP addresses that triggered the signature:
Router#show utd engine standard logging statistics threat-inspection detail Top Signatures Triggered in the past 24 hours Signature-id:122:7:2 Count: 137 Description:portscan: TCP Filtered Portsweep --------------------------------------------------------------------- Source IP Destination IP VRF Count --------------------------------------------------------------------- 172.16.2.2 x.x.157.3 0 7 172.16.2.2 x.x.157.14 0 6 172.16.2.2 x.x.29.13 0 6 172.16.2.2 x.x.104.78 0 6 172.16.2.2 x.x.29.14 0 5 172.16.2.2 x.x.157.15 0 5 172.16.2.2 x.x.28.23 0 5 172.16.2.2 x.x.135.19 0 5 172.16.2.2 x.x.135.3 0 4 172.16.2.2 x.x.157.11 0 4 Signature-id:122:1:2 Count: 5 Description:portscan: TCP Portscan --------------------------------------------------------------------- Source IP Destination IP VRF Count --------------------------------------------------------------------- 172.16.1.3 172.16.2.2 0 5 Signature-id:122:3:2 Count: 1 Description:portscan: TCP Portsweep --------------------------------------------------------------------- Source IP Destination IP VRF Count --------------------------------------------------------------------- 172.16.2.2 172.16.1.3 0 1
Option 4. The UTD snort engine monitors the traffic and reports events to an external log server or the IOS syslog. Enabling logging to the IOS syslog may impact performance due to the potential volume of log messages. External third-party monitoring tools, which supports Snort logs, can be used for log collection and analysis.
Whenever the UTD snort engine generates an IPS/IDS event, the router would displays a syslog message like the following:
Router# *Sep 3 22:10:18.544: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: 2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184
Note: The UTD snort engine logs will be displayed in the Router IOSd CLI, just when the logging syslog is enabled under the utd engine standard configuration for the UTD snort engine.
When the UTD snort engine is configured to send logs out to an external syslog server, then you should see the UTD snort engine logs in your remote syslog server as follows:
Use the following commands to display the Active, Drop and Alert IPS snort signatures for the UTD snort engine, depending on the policy configuration used (Balanced, Connectivity or Security).
Option 1. Proceed as follows to display the active IPS snort signatures list for the Security policy.
Router#show utd engine standard config UTD Engine Standard Configuration: VirtualPortGroup Id: 1 IPS/IDS : Enabled Operation Mode : Intrusion Prevention Policy : Security Signature Update: Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg Occurs-at : daily ; Hour: 17; Minute: 55 Logging: Server : IOS Syslog; 172.16.2.2 Level : debug Statistics : Enabled Hostname : router System IP : Not set Whitelist : Disabled Whitelist Signature IDs: Port Scan : Enabled Sense level : High Web-Filter : Disabled Router#utd threat-inspection signature active-list write-to bootflash:siglist_security Router#more bootflash:siglist_security ================================================================================= Signature Package Version: 31810.156.s Signature Ruleset: Security Total no. of active signatures: 23398 Total no. of drop signatures: 22625 Total no. of alert signatures: 773 For more details of each signature please go to www.snort.org/rule_docs to lookup ================================================================================= List of Active Signatures: -------------------------- sigid: 13418, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt; sigid: 13897, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-MULTIMEDIA Apple QuickTime crgn atom parsing stack buffer overflow attempt; sigid: 14263, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: POLICY-SOCIAL Pidgin MSNP2P message integer overflow attempt; sigid: 15968, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt; sigid: 15975, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-IMAGE OpenOffice TIFF parsing integer overflow attempt; sigid: 15976, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-IMAGE OpenOffice TIFF parsing integer overflow attempt; sigid: 16232, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: OS-WINDOWS Microsoft Windows EOT font parsing integer overflow attempt; sigid: 16343, gid:3, log-level:3, action: drop, class-type: misc-activity, Descr: FILE-PDF PDF header obfuscation attempt; sigid: 16394, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt; sigid: 16728, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: NETBIOS Samba SMB1 chain_reply function memory corruption attempt; sigid: 17647, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-FLASH Adobe Flash Player DefineSceneAndFrameLabelData memory corruption attempt; sigid: 17665, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OFFICE OpenOffice Word document table parsing heap buffer overflow attempt; sigid: 17741, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER MIT Kerberos asn1_decode_generaltime uninitialized pointer free attempt;
[omitted output]
Option 2. Proceed as follows to display the active IPS snort signatures list for the Connectivity policy.
Router#show utd engine standard config UTD Engine Standard Configuration: VirtualPortGroup Id: 1 IPS/IDS : Enabled Operation Mode : Intrusion Prevention Policy : Connectivity Signature Update: Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg Occurs-at : daily ; Hour: 17; Minute: 55 Logging: Server : IOS Syslog; 172.16.2.2 Level : debug Statistics : Enabled Hostname : router System IP : Not set Whitelist : Disabled Whitelist Signature IDs: Port Scan : Enabled Sense level : High Web-Filter : Disabled Router#utd threat-inspection signature active-list write-to bootflash:siglist_connectivity Router#more bootflash:siglist_connectivity ================================================================================= Signature Package Version: 31810.156.s Signature Ruleset: Connectivity Total no. of active signatures: 597 Total no. of drop signatures: 494 Total no. of alert signatures: 103 For more details of each signature please go to www.snort.org/rule_docs to lookup ================================================================================= List of Active Signatures: -------------------------- sigid: 30282, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt; sigid: 30283, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt; sigid: 30942, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt; sigid: 30943, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt; sigid: 35897, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt; sigid: 35898, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt; sigid: 35902, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt; sigid: 35903, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt; sigid: 35926, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-WEBAPP Oracle Identity Management authorization bypass attempt; sigid: 35927, gid:3, log-level:1, action: drop, class-type: policy-violation, Descr: SERVER-WEBAPP Oracle Identity Management remote file execution attempt; sigid: 38671, gid:3, log-level:1, action: drop, class-type: attempted-user,
[omitted output]
Option 3. Proceed as follows to display the active IPS snort signatures list for the Balanced policy.
Router#show utd engine standard config UTD Engine Standard Configuration: VirtualPortGroup Id: 1 IPS/IDS : Enabled Operation Mode : Intrusion Prevention Policy : Balanced Signature Update: Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg Occurs-at : daily ; Hour: 17; Minute: 55 Logging: Server : IOS Syslog; 172.16.2.2 Level : debug Statistics : Enabled Hostname : router System IP : Not set Whitelist : Disabled Whitelist Signature IDs: Port Scan : Enabled Sense level : High Web-Filter : Disabled Router#utd threat-inspection signature active-list write-to bootflash:siglist_balanced Router#more bootflash:siglist_balanced ================================================================================= Signature Package Version: 31810.156.s Signature Ruleset: Balanced Total no. of active signatures: 10033 Total no. of drop signatures: 9534 Total no. of alert signatures: 499 For more details of each signature please go to www.snort.org/rule_docs to lookup ================================================================================= List of Active Signatures: -------------------------- sigid: 30282, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt; sigid: 30283, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt; sigid: 30887, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER Cisco Tshell command injection attempt; sigid: 30888, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER Cisco Tshell command injection attempt; sigid: 30902, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ; sigid: 30903, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ; sigid: 30912, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt; sigid: 30913, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt; sigid: 30921, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt; sigid: 30922, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt; sigid: 30929, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER Cisco RV180 VPN CSRF attempt;
[omitted output]
Note: To display the active IPS Snort signatures for the Balanced, Connectivity, or Security policy, the UTD Snort engine must be running the corresponding policy mode you want to view.
1. Ensure the Cisco Integrated Services Router (ISR) runs XE 16.10.1a and above (For IOx method).
2. Ensure the Cisco Integrated Services Router (ISR) is licensed with the Securityk9 feature enabled.
3. Verify the ISR hardware model is in compliance with the minimum resource profile.
4. The UTD snort engine is not compatible with the Zone-Based Firewall SYN-cookie and the Network Address Translation 64 (NAT64)
5. Confirm the UTD snort engine service is started after the installation.
6. During the manual Signature package download, ensure the package has the same version as the Snort engine version. The signature package update may fail if there is a version mismatch.
7. In case of performance issues, use the 'show app-hosting resource' and 'show app-hosting utilization appid ''UTD-NAME' for checking the UTD CPU, Memory and Storage space.
Router#show app-hosting resource
CPU:
Quota: 75(Percentage)
Available: 50(Percentage)
VCPU:
Count: 6
Memory:
Quota: 10240(MB)
Available: 9216(MB)
Storage device: bootflash
Quota: 4000(MB)
Available: 4000(MB)
Storage device: harddisk
Quota: 20000(MB)
Available: 19029(MB)
Storage device: volume-group
Quota: 190768(MB)
Available: 169536(MB)
Storage device: CAF persist-disk
Quota: 20159(MB)
Available: 18078(MB)
Router#show app-hosting utilization appid utd
Application: utd
CPU Utilization:
CPU Allocation: 33 %
CPU Used: 3 %
Memory Utilization:
Memory Allocation: 1024 MB
Memory Used: 117632 KB
Disk Utilization:
Disk Allocation: 711 MB
Disk Used: 451746 KB
Warning: Contact Cisco TAC, If you confirm that the UTD Snort engine is experiencing high CPU, memory, or disk utilization.
For troubleshooting purposes, use the debug commands listed below to gather further details from the UTD snort engine.
debug virtual-service all
debug virtual-service virtualPortGroup
debug virtual-service messaging
debug virtual-service timeout
debug utd config level error [error, info, warning]
debug utd engine standard all
Warning: Running debug commands during production hours can significantly increase CPU, memory, or disk utilization on the UTD Snort engine or the router, potentially impacting traffic and system stability. Use debug commands sparingly, preferably during a maintenance window, and disable them immediately after collecting the required data. If elevated resource usage or service impact is observed, stop the debug and contact Cisco TAC.
Additional documentation related to the UTD Snort IPS deployment can be found here:
Cisco Snort IPS Security Configuration Guide
Cisco Virtual Service Resource Profile for ISR4K and CSR1000v
Snort IPS on Routers - Step by Step Configuration
Cisco Guide - Troubleshooting Snort IPS
Snort Port-Scan Inspector Reference Guide
Snort Open Source Intrusion Prevention System (IPS) Webpage
Install UTD Security Virtual Image on cEdge Routers
CSCwf57595 ISR4K Snort IPS is not deployed since HW does not have enough platform resources
Revision | Publish Date | Comments |
---|---|---|
3.0 |
17-Sep-2025
|
Initial Release |
1.0 |
11-Jul-2023
|
Initial Release |