Deploy UTD Snort IPS on Cisco Integrated Services Routers 1000, 4000, CSRs and ISRv Series
Available Languages
Contents
Introduction
This document describes how to deploy the UTD Snort IPS Engine on the Cisco Integrated Services Routers ISR1K, ISR4K, CSRs and ISRv series using the IOx method.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco Integrated Services Routers ISR1K, ISR4K, CSRs and ISRv series with at least 8GB DRAM
- Basic IOS-XE command knowledge
- Basic UTD Snort IPS knowledge
- A signature IPS snort subscription for 1 year or 3 years is required
- IOS-XE 16.10.1a and above
Components Used
The information in this document is based on these software and hardware versions:
- ISR1K, ISR4K, CSRs and ISRv series running version 17.9.3a
- UTD snort engine version 17.9.3a
- Securityk9 license for ISR1K, ISR4K, CSRs and ISRv series
The VMAN method is now deprecated.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
The Unified Threat Defense (UTD) Snort IPS feature enables Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) for branch offices on Cisco Integrated Services Routers ISR1K, ISR4K, CSRs and ISRv series. This feature uses the open-source Snort to enable IPS or IDS capabilities.
Snort is an open-source IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. It can also perform protocol analysis, content researching or marching, and detect a variety of attacks and probes, such as buffer overflows, stealth port scans, and so on. The UTD Snort engine runs as a virtual container service on Cisco Integrated Services Routers ISR1K, ISR4K, CSRs and ISRv series.
The UTD Snort IPS provides IPS or IDS capabilities for Cisco Integrated Services Routers ISR1K, ISR4K, CSRs and ISRv series.
- The UTD monitors network traffic and analyzes it against a defined rule set.
- The UTD performs attach classification.
- The UTD invokes actions against matched rules.
Based on network requirements. The UTD Snort IPS can be enabled as IPS or IDS:
- In IDS mode: The UTD snort engine inspects the traffic and reports alerts, but does not take any action to prevent attacks.
- In IPS mode: The UTD snort engine inspects the traffic and reports alerts as IDS does, but actions are taken to prevent attacks.
The UTD Snort IPS runs as a service on the routers ISR1K, ISR4K, CSRs and ISRv series. Service containers use virtualization technology to provide a hosting environment on Cisco devices for applications. Snort traffic inspection is enabled either on a per-interface basis or globally on all supported interfaces.
UTD Snort Engine IPS Solution
The UTD snort engine IPS solution consists of the following entities:
-
Snort sensor — Monitors the traffic to detect anomalies based on the configured security policies (that includes signatures, statistics, protocol analysis, and so on) and sends alert messages to the Alert/Reporting server. The Snort sensor is deployed as a virtual container service on the router.
-
Signature store — Hosts the Cisco Signature packages that are updated periodically. These signature packages are downloaded to Snort sensors either periodically or on demand. Validated signature packages are posted to Cisco.com. Based on the configuration, signature packages can be downloaded from Cisco.com or a local server.
The following domains are accessed by the router in the process of downloading the signature package from cisco.com:
-
api.cisco.com
-
apx.cisco.com
-
cloudsso.cisco.com
-
cloudsso-test.cisco.com
-
cloudsso-test3.cisco.com
-
cloudsso-test4.cisco.com
-
cloudsso-test5.cisco.com
-
cloudsso-test6.cisco.com
-
cloudsso.cisco.com
-
download-ssc.cisco.com
-
dl.cisco.com
-
resolver1.opendns.com
-
resolver2.opendns.com
Signature packages must be manually downloaded from Cisco.com to the local server by using Cisco.com credentials before the Snort sensor can retrieve them.
-
-
Alert/Reporting server — Receives alert events from the Snort sensor. Alert events generated by the Snort sensor can either be sent to the IOS syslog or an external syslog server or to both IOS syslog and external syslog server. No external log servers are bundled with the Snort IPS solution.
-
Management — Manages the Snort IPS solution. Management is configured using the IOS CLI. Snort Sensor cannot be accessed directly, and all configuration can only be done using the IOS CLI.
License Requirements
The following are the licensing requirements for the UTD snort engine:
- The Security K9 license is required on the ISR1K, ISR4K routers, CSRs and ISRv. In addition to that, a signature subscription 1-year or 3-years is required too, there are two types of subscriptions:
a) Community Signature Package: The community signature package rule set offers limited coverage against threats.
b) Subscriber-based Signature Package: The subscriber-based signature package rule set offers the best protection against threats. It includes coverage in advance of exploits and also provides the fastest access to updated signatures in response to a security incident or the proactive discovery of a new threat. This subscription is fully supported by Cisco and the package will be constantly updated on Cisco.com.
The UTD Snort Subscriber Signature Package can be downloaded from software.cisco.com and the snort signature information can be found on snort.org.
Besides that, you can use the following snort.org Rule Documentation Search tool to look for specific snort IPS signature IDs.
- DNA-Essentials license is required on the Catalyst 8000 Edge routers mentioned in the Supported Platforms section in order to be able to use IPS/Snort.
Supported Platforms
The following are the supported platforms for the UTD snort engine:
- ISR 4461, 4451, 4431, 4351, 4331, 4321, 4221X, 4221, CSR, ISRv and ISR 1K (X PIDs such as 1111X, 1121X, 1161X etc that support 8GB DRAM only, starting 17.2.1r release)
- Catalyst 8500L, 8300, 8200, 8000V.
Limitations
The following limitations apply to the UTD snort engine:
- Only tcp, udp and icmp packets will be diverted to the UTD snort engine for inspection
- Only through the box traffic will be diverted to the UTD snort engine for inspection
Restrictions
The following restrictions apply to the UTD snort engine:
-
When you enable boost license on Cisco 4000 Series ISRs, you cannot configure the virtual-service container for Snort IPS.
-
Incompatible with the Zone-Based Firewall SYN-cookie feature.
-
Network Address Translation 64 (NAT64) is not supported.
-
SnortSnmpPlugin is required for SNMP polling in open source Snort. Snort IPS does not support SNMP polling capabilities or MIBs as the SnortSnmp plugin is not installed on UTD.
-
- The IOS syslog is rate limited and as a result, all alerts generated by Snort may not be visible via the IOS Syslog. However, you can view all Syslog messages if you export them to an external syslog server.
UTD Snort Engine IPS Download Links
The following, are the Cisco links to download the UTD Snort IPS Engine Software image files to use for installing the UTD snort engine on your Cisco router. Besides that, you will find the UTD Snort Subscriber Signature Package files to download the UTD snort IPS signatures, depending on the UTD snort engine version running.
- Catalyst 8500L -https://software.cisco.com/download/home/286324574/type
- Catalyst 8300 -https://software.cisco.com/download/home/286324476/type
- Catalyst 8200 -https://software.cisco.com/download/home/286324472/type
- Catalyst 8000V -https://software.cisco.com/download/home/286327102/type
Network Diagram
Configure
UTD Snort Engine Installation
Step 1. Configure the VirtualPortGroup interfaces for the UTD snort engine, configure two port groups:
- The VirtualPortGroup0 for management traffic: This VirtualPortGroup will be used to source logs to the log collector as well as pulling signature updates from Cisco.com.
- TheVirtualPortGroup1 for data traffic: This VirtualPortGroup will be used to send and receive packets that are marked for inspection that arrive on the data plane for IPS inspection.
Router#configure terminal
Router(config)#interface VirtualPortGroup0
Router(config-if)#description Management Interface
Router(config-if)#ip address 192.168.1.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface VirtualPortGroup1
Router(config-if)#description Data Interface
Router(config-if)#ip address 192.168.2.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Step 2. Enable the IOx environment in Global Configuration mode.
Router(config)#iox
Step 3. Then, activate the virtual service and configure guest IPs, for this, configure the app-hosting with the vnic configuration.
Router(config)#app-hosting appid UTD
Router(config-app-hosting)#app-vnic gateway0 virtualportgroup 0 guest-interface 0
Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.1.2 netmask 255.255.255.252
Router(config-app-hosting-gateway0)#exit
Router(config-app-hosting)#app-vnic gateway1 virtualportgroup 1 guest-interface 1
Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.2.2 netmask 255.255.255.252
Router(config-app-hosting-gateway0)#exit
Step 4 (Optional). Configure Resource Profile.
Router(config-app-hosting)#app-resource package-profile low [low,medium,high]
Router(config-app-hosting)#end
Step 5. Copy the UTD Snort IPS engine software file to the routers flash, then Install the app-hosting using the UTD.tar file as follows.
Router#app-hosting install appid UTD package bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar
Next syslogs should be seen indicating UTD service was properly installed.
Installing package 'bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for 'utd'. Use 'show app-hosting list' for progress.
*Jun 26 19:25:35.975: %VMAN-5-PACKAGE_SIGNING_LEVEL_ON_INSTALL: R0/0: vman: Package 'iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for service container 'utd' is 'Cisco signed', signing level cached on original install is 'Cisco signed'
*Jun 26 19:25:50.746: %VIRT_SERVICE-5-INSTALL_STATE: Successfully installed virtual service utd
*Jun 26 19:25:53.176: %IM-6-INSTALL_MSG: R0/0: ioxman: app-hosting: Install succeeded: utd installed successfully Current state is deployed
Step 6. Start the app-hosting service.
Router#configure terminal
Router(config)#app-hosting appid UTD
Router(config-app-hosting)#start
Router(config-app-hosting)#end
Next syslog messages should be seen indicating UTD service was installed properly.
*Jun 26 19:55:05.362: %VIRT_SERVICE-5-ACTIVATION_STATE: Successfully activated virtual service UTD
*Jun 26 19:55:07.412: %IM-6-START_MSG: R0/0: ioxman: app-hosting: Start succeeded: UTD started successfully Current state is running
Configure the UTD Snort Engine as IPS or IDS
After successful installation, the service plane must be configured for the UTD snort engine. The UTD snort engine can be configured as Intrusion Prevention System (IPS) or as Intrusion Detection System (IDS) for traffic inspection.
Step 1. Configure the Unified Threat Defense (UTD) standard engine (Service Plane)
Router#configure terminal
Router(config)#utd engine standard
Step 2. Enable the logging of the UTD snort engine to a remote server and to the IOSd syslog.
Router(config-utd-eng-std)#logging host 192.168.10.5
Router(config-utd-eng-std)#logging syslog
Note: The UTD Snort IPS monitors the traffic and reports events to an external log server or the IOS syslog. Enabling logging to the IOS syslog may impact performance due to the potential volume of log messages. External third-party monitoring tools, which supports Snort logs, can be used for log collection and analysis.
Step 3. Enable Threat Inspection for Snort Engine.
Router(config-utd-eng-std)#threat-inspection
Step 4. Configure Threat Detection (IDS) or Intrusion Prevention System (IPS) as the operating mode for the snort engine.
Router(config-utd-engstd-insp)#threat [protection,detection]
Step 5. Configure the Security Policy for the snort engine.
Router(config-utd-engstd-insp)#policy [balanced, connectivity, security]
Router(config-utd-engstd-insp)#exit
Router(config-utd-eng-std)#exit
Step 6 (Optional). Enable the UTD allowed-list (Whitelist) configuration.
Router#configure terminal
Router(config)#utd threat-inspection whitelist
Step 7 (Optional). Configure the IPS snort signature IDs to be included in the whitelist.
Router(config-utd-whitelist)#generator id 40 signature id 54621 comment FILE-OFFICE traffic
or
Router(config-utd-whitelist)#signature id 13418 comment "whitelisted the IPS signature 13418"
Step 8 (Optional). Enable Allowed List on Threat Inspection config.
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#whitelist
Step 9. Configure the Signature update interval to download Snort Signatures automatically.
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#signature update occur-at [daily, monthly, weekly] 0 0
Step 10. Configure the UTD snort engine signature update server parameters.
Router(config-utd-engstd-insp)#signature update server [cisco, url] username xxxx password xxxx
Example - Configuring signature updates from a Cisco Server:
Router(config-utd-engstd-insp)#signature update server cisco username xxxx password xxxx
or
Example - Configuring signature updates from a Local server:
Router(config-utd-engstd-insp)#signature update server url http://x.x.x.x/UTD-STD-SIGNATURE-31810-155-S.pkg
Step 11. Enable the UTD snort engine logging level and the logging of the threat inspection alert statistics:
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#logging level [alert,crit,debug,emerg,info,notice,warning]
Router(config-utd-engstd-insp)#logging statistics enable
Router(config-utd-engstd-insp)#exit
Router(config-utd-eng-std)#exit
Step 12. Enable utd service.
Router#configure terminal
Router(config)#utd
Step 13 (Optional). Redirect data traffic from the VirtualPortGroup interface to the UTD service.
Router#configure terminal
Router(config)#utd
Router(config-utd)#redirect interface virtualPortGroup
Step 14. Enable the UTD IPS engine to inspect the traffic from all the Layer 3 interfaces on the Router.
Router(config-utd)#all-interfaces
Step 15. Enable the engine standard.
Router(config-utd)#engine standard
Next syslog messages should be seen indicating the UTD snort engine was properly enabled:
*Jun 27 23:41:03.062: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jun 27 23:41:13.039: %IOSXE-2-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008501210250689 %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Down => Red (3) for channel Threat Defense
*Jun 27 23:41:22.457: %IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008510628353985 %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: Red
Step 16 (Optional). Define the action for UTD snort engine during a failure (UTD Data Plane)
Router(config-engine-std)#fail open
Router(config-engine-std)#end
Step 17. Save the Router configuration.
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#
Port-Scan Inspector for The UTD Snort Engine
The UTD snort engine has Port-Scan capabilities. A port scan is a form of network reconnaissance that is often used by attackers as a prelude to an attack. In a port scan, an attacker sends packets designed to probe for network protocols and services on a targeted host. By examining the packets sent in response by a host, the attacker can determine which ports are open on the host and, either directly or by inference, which application protocols are running on these ports.
By itself, a port scan is not evidence of an attack. Legitimate users on your network may employ similar port scanning techniques used by attackers.
The por_scan inspector detects four types of portscan and monitors connection attempts on TCP, UDP, ICMP, and IP protocols. By detecting patterns of activity, the port_scan inspector helps you determine which port scans might be malicious.
Port scans are generally divided into four types based on the number of targeted hosts, the number of scanning hosts, and the number of ports that are scanned.
Port Scan Inspector Rules
The Table 3. below display the port scan inspector rules.
Port Scan Sensitive Levels
The port_scan inspector provides three default scan sensitive levels for the UTD snort engine:
- High port_scan
- Low port_scan
- Medium port_scan
Configure the Port-Scan Inspector for The UTD Snort Engine
Step 1. Configure the Unified Threat Defense (UTD) standard engine (Service Plane)
Router#configure terminal
Router(config)#utd engine standard
Step 2. Enable Threat Inspection for the UTD snort Engine.
Router(config-utd-eng-std)#threat-inspection
Step 3. Then, enable the port_scan.
Router(config-utd-engstd-insp)#port-scan
Step 4. Set the port_scan sensitive level, the options available are high, medium or low.
Router(config-utd-threat-port-scan)# sense level [high | low | medium]
Example:
Router(config-utd-threat-port-scan)# sense level high
Step 5. Once the port_scan is enabled and configured with a sensitive level for the UTD snort engine, use the 'show utd engine standard config' command to verify port_scan configuration.
Router#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Occurs-at : daily ; Hour: 17; Minute: 55
Logging:
Server : IOS Syslog; 172.16.2.2
Level : debug
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Disabled
Whitelist Signature IDs:
Port Scan : Enabled
Sense level : High
Web-Filter : Disabled
Verify
Check the VirtualPortGroup IP addresses and interfaces status
Router#show ip interface brief | i VirtualPortGroup
VirtualPortGroup0 192.168.1.1 YES NVRAM up up
VirtualPortGroup1 192.168.2.1 YES NVRAM up up
Check the VirtualPortGroup interfaces configuration
Router#show running-config | b interface
interface VirtualPortGroup0
description Management Interface
ip address 192.168.1.1 255.255.255.252
!
interface VirtualPortGroup1
description Data Interface
ip address 192.168.2.1 255.255.255.252
Check the app-hosting configuration
Router#show running-config | b app-hosting
app-hosting appid UTD
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.1.2 netmask 255.255.255.252
app-vnic gateway1 virtualportgroup 1 guest-interface 1
guest-ipaddress 192.168.2.2 netmask 255.255.255.252
start
end
Check the iox activation
Router#show running-config | i iox
iox
Check the app-hosting state
Router#show app-hosting list
App id State
---------------------------------------------------------
UTD RUNNING
Check the app-hosting details
Issue the 'show app-hosting detail' command to confirm the UTD snort engine state, the software version running, the RAM, CPU and Disk utilization, the network statistics and the DNS configuration in place.
Router#show app-hosting detail
App id : UTD
Owner : ioxm
State : RUNNING
Application
Type : LXC
Name : UTD-Snort-Feature
Version : 1.0.7_SV2.9.18.1_XE17.9
Description : Unified Threat Defense
Author :
Path : /bootflash/secapp-utd.17.09.03a.1.0.7_SV2.9.18.1_XE17.9.x86_64.tar
URL Path :
Multicast : yes
Activated profile name :
Resource reservation
Memory : 1024 MB
Disk : 752 MB
CPU :
CPU-percent : 25 %
VCPU : 0
Platform resource profiles
Profile Name CPU(unit) Memory(MB) Disk(MB)
--------------------------------------------------------------
Attached devices
Type Name Alias
---------------------------------------------
Disk /tmp/xml/UtdLogMappings-IOX
Disk /tmp/xml/UtdIpsAlert-IOX
Disk /tmp/xml/UtdDaqWcapi-IOX
Disk /tmp/xml/UtdUrlf-IOX
Disk /tmp/xml/UtdTls-IOX
Disk /tmp/xml/UtdDaq-IOX
Disk /tmp/xml/UtdAmp-IOX
Watchdog watchdog-503.0
Disk /tmp/binos-IOX
Disk /opt/var/core
Disk /tmp/HTX-IOX
Disk /opt/var
NIC ieobc_1 ieobc
Disk _rootfs
NIC mgmt_1 mgmt
NIC dp_1_1 net3
NIC dp_1_0 net2
Serial/Trace serial3
Network interfaces
---------------------------------------
eth0:
MAC address : 54:0e:00:0b:0c:02
IPv6 address : ::
Network name :
eth:
MAC address : 6c:41:0e:41:6b:08
IPv6 address : ::
Network name :
eth2:
MAC address : 6c:41:0e:41:6b:09
IPv6 address : ::
Network name :
eth1:
MAC address : 6c:41:0e:41:6b:0a
IPv4 address : 192.168.2.2
IPv6 address : ::
Network name :
----------------------------------------------------------------------
Process Status Uptime # of restarts
----------------------------------------------------------------------
climgr UP 0Y 0W 0D 21:45:29 2
logger UP 0Y 0W 0D 19:25:56 0
snort_1 UP 0Y 0W 0D 19:25:56 0
Network stats:
eth0: RX packets:162886, TX packets:163855
eth1: RX packets:46, TX packets:65
DNS server:
domain cisco.com
nameserver 192.168.90.92
Coredump file(s): core, lost+found
Interface: eth2
ip address: 192.168.2.2/30
Interface: eth1
ip address: 192.168.1.2/30
Address/Mask Next Hop Intf.
-------------------------------------------------------------------------------
0.0.0.0/0 192.168.2.1 eth2
0.0.0.0/0 192.168.1.1 eth1
Check the UTD snort engine compatibility version, againts the Router IOS-XE version running
Use the 'show utd engine standard version' command to confirm the UTD snort engine compatibility version, againts the IOS-XE router version running.
Router#show utd engine standard version
UTD Virtual-service Name: UTD
IOS-XE Recommended UTD Version: 1.1.11_SV3.1.81.0_XE17.12
IOS-XE Supported UTD Regex: ^1\.1\.([0-9]+)_SV(.*)_XE17.12$
UTD Installed Version: 1.1.11_SV3.1.81.0_XE17.12
Check the UTD snort engine status
Option 1. Issue the 'show utd engine standard status' command, to confirm the status of the UTD snort engine, Status in 'Green', Health in 'Green' and the Overall system status in 'Green', indicate the UTD snort engine is operational.
Router#show utd engine standard status
Engine version : 1.1.11_SV3.1.81.0_XE17.12
Profile : Low
System memory :
Usage : 31.80 %
Status : Green
Number of engines : 1
Engine Running Health Reason
=======================================================
Engine(#1): Yes Green None
=======================================================
Overall system status: Green
Signature update status:
=========================
Current signature package version: 31810.155.s
Last update status: Failed
Last successful update time: Wed Sep 3 12:51:56 2025 CST
Last failed update time: Wed Sep 3 17:55:02 2025 CST
Last failed update reason: File not found
Next update scheduled at: Thursday Sep 04 17:55 2025 CST
Current status: IdleOption 2. Issue the 'show platform software utd global' command, to get a brief summary of the UTD snort engine operation state.
Router#show platform software utd global
UTD Global state
=========================
Engine : Standard
Global Inspection : Enabled
Operational Mode : Intrusion Prevention
Fail Policy : Fail-open
Container technology : LXC
Redirect interface : VirtualPortGroup1
UTD interfaces
All dataplane interfaces
Check the UTD snort engine configuration
Option 1. Issue the 'show utd engine standard config' command to display the UTD snort engine configuration details, the operation mode, the policy mode, the signature update configuration, the logging configuration, the whitelist and the port scan status.
Router#show utd engine standard config
UTD Engine Standard Configuration:
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : cisco
User Name : cisco
Password : KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
Occurs-at : daily ; Hour: 0; Minute: 0
Logging:
Server : 192.168.10.5
Level : info
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Enabled
Whitelist Signature IDs:
54621, 40
Port Scan : Enabled
Web-Filter : Disabled
Option 2. Issue the 'show running-config | b engine' command to display the UTD snort engine running configuration in place.
Router#show running-config | b engine
utd engine standard
logging host 192.168.10.5
logging syslog
threat-inspection
threat protection
policy security
signature update server cisco username cisco password KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
signature update occur-at daily 0 0
logging level info
whitelist
logging statistics enable
utd threat-inspection whitelist
generator id 40 signature id 54621 comment FILE-OFFICE traffic
utd
all-interfaces
redirect interface VirtualPortGroup1
engine standard
Check the UTD snort engine IPS snort signature update status
1. Issue the 'show utd engine standard threat-inspection signature update status' command, to check the IPS snort signature update status.
Router#show utd engine standard threat-inspection signature update status
Current signature package version: 31810.155.s
Current signature package name: UTD-STD-SIGNATURE-31810-155-S.pkg
Previous signature package version: 31810.154.s
---------------------------------------
Last update status: Failed
---------------------------------------
Last successful update time: Wed Sep 3 12:51:56 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.4.219/UTD-STD-SIGNATURE-31810-155-S.pkg
Last successful update speed: 6343108 bytes in 31 secs
---------------------------------------
Last failed update time: Thu Sep 4 17:55:02 2025 CST
Last failed update method: Auto
Last failed update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Last failed update reason: File not found
---------------------------------------
Last attempted update time: Thu Sep 4 17:55:02 2025 CST
Last attempted update method: Auto
Last attempted update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
---------------------------------------
Total num of updates successful: 2
Num of attempts successful: 2
Num of attempts failed: 29
Total num of attempts: 31
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
---------------------------------------
Current status: Idle
2. Issue the 'utd threat-inspection signature update' command, to execute a manual IPS snort signature update by using the existing server configuration applied to the UTD snort engine for the signature downloads.
Router#utd threat-inspection signature update
3. Issue the 'utd threat-inspection signature update server [cisco, url] username xxxxx password xxxxx force' command, to force a manual IPS snort signature update with the server prameters specified.
Router#utd threat-inspection signature update server [cisco, url] username xxxxx password xxxxx force
Example:
Router#utd threat-inspection signature update server url http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg force
% This operation may cause the UTD service to restart which will briefly interrupt services.
Proceed with signature update? [confirm]
Router#
*Sep 5 02:08:13.845: %IOSXE_UTD-4-SIG_UPDATE_EXEC: UTD signature update has been executed - A brief service interruption is expected
*Sep 5 02:08:35.007: %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Green => Red (3) for channel Threat DefenseQFP:0.0 Thread:001 TS:00000217689533745619
Router#
*Sep 5 02:08:42.671: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: UTD signature update succeeded - previous version: 31810.155.s - current version: 31810.156.s
Router#
*Sep 5 02:09:00.284: %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: RedQFP:0.0 Thread:001 TS:00000217714810090067
Router#show utd engine standard signature update status
Current signature package version: 31810.156.s
Current signature package name: UTD-STD-SIGNATURE-31810-156-S.pkg
Previous signature package version: 31810.155.s
---------------------------------------
Last update status: No New Package found
---------------------------------------
Last successful update time: Thu Sep 4 20:08:41 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg
Last successful update speed: 6344395 bytes in 27 secs
---------------------------------------
Last failed update time: Thu Sep 4 20:07:43 2025 CST
Last failed update method: Manual
Last failed update server: http://10.189.35.188/tftpboot/UTD-STD-SIGNATURE-31810-156-S.pkg
Last failed update reason: File not found
---------------------------------------
Last attempted update time: Thu Sep 4 20:10:29 2025 CST
Last attempted update method: Manual
Last attempted update server: http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg
---------------------------------------
Total num of updates successful: 3
Num of attempts successful: 4
Num of attempts failed: 30
Total num of attempts: 34
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
---------------------------------------
Current status: Idle
How to confirm if the UTD snort engine is inspecting traffic
Use the following show commands to monitor the traffic processed by the UTD snort engine and to check the statistics related to the traffic inspection.
Option 1. From the below 'show utd engine standard statistics' output, the 'received' and 'analyzed' counters increment, when traffic is being processed by the UTD snort engine:
Router#show utd engine standard statistics
************************************
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 62069 <------------
analyzed: 62069 <------------
allow: 60634
block: 38
replace: 1
whitelist: 1396
idle: 763994
rx_bytes: 13778491
--------------------------------------------------
codec
total: 62069 (100.000%)
eth: 62069 (100.000%)
icmp4: 234 ( 0.377%)
icmp4_ip: 234 ( 0.377%)
ipv4: 62069 (100.000%)
tcp: 56168 ( 90.493%)
udp: 5667 ( 9.130%)
--------------------------------------------------
Option 2. From the below 'show platform hardware qfp active feature utd stats' output, the 'decaps' and 'Divert' counters increment, when the traffic is re-directed from the Router to the UTD snort engine for traffic inspection and the 'encaps' and 'Reinject' counters increment, when the traffic is re-directed from the UTD snort engine to the Router:
Router#show platform hardware qfp active feature utd stats
Summary Statistics:
Policy
Active Connections 3
TCP Connections Created 83364
UDP Connections Created 532075
ICMP Connections Created 494
Channel Summary
Active Connections 3
decaps 1156574 <------------
encaps 1157144 <------------
Expired Connections 615930
Packet stats - Policy
Pkts dropped pkt 15802
byt 14111880
Pkts entered policy feature pkt 1306750
byt 363602774
Pkts slow path pkt 615933
byt 25317465
Packet stats - Channel Summary
Bypass pkt 25368
byt 4459074
Divert pkt 1157144 <------------
byt 301046050
Reinject pkt 1156574 <------------
byt 301015446
Would Drop Statistics (fail-open):
Policy
TCP SYN w/data packet 15802
Channel Summary
Stats were all zero
General Statistics:
Non Diverted Pkts to/from divert interface 2725
Inspection skipped - UTD policy not applicable 111161
Pkts Skipped - New pkt from RP 33139
Response Packet Seen 64766
Feature memory allocations 615933
Feature memory free 615930
Feature Object Delete 615930
Skipped - First-in-flow RST packets of a TCP flow 55
Diversion Statistics Summary:
SN offloaded flow 3282
Flows Bypassed as SN Unhealthy 25368
Service Node Statistics:
SN down 1
SN health green 13
SN health red 12
SN Health: Channel: Threat Defense : Green
AppNAV registration 2
AppNAV deregister 1
SN Health: Channel: Service : Down
Stats were all zero
TLS Decryption policy not enabled
Appnav Statistics:
No FO Drop pkt 0
byt 0Option 3. From the below 'show utd engine standard statistics internal' output, the 'received' and 'analyzed' counters increment, when the traffic is re-directed from the Router to the UTD snort engine for traffic inspection. Besides that, this output will display further details and statistics about the traffic inspected by the UTD snort engine:
Router# show utd engine standard statistics internal
************************************
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 62099 <------------
analyzed: 62099 <------------
allow: 60664
block: 38
replace: 1
whitelist: 1396
idle: 764287
rx_bytes: 13782351
--------------------------------------------------
codec
total: 62099 (100.000%)
eth: 62099 (100.000%)
icmp4: 234 ( 0.377%)
icmp4_ip: 234 ( 0.377%)
ipv4: 62099 (100.000%)
tcp: 56198 ( 90.497%)
udp: 5667 ( 9.126%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
appid
packets: 62099
processed_packets: 62087
ignored_packets: 12
total_sessions: 9091
service_cache_adds: 4
bytes_in_use: 608
items_in_use: 4
--------------------------------------------------
binder
raw_packets: 12
new_flows: 9091
service_changes: 4360
inspects: 9103
--------------------------------------------------
detection
analyzed: 62099
hard_evals: 234
raw_searches: 12471
cooked_searches: 5699
pkt_searches: 18170
pdu_searches: 14839
file_searches: 491
alerts: 3
total_alerts: 3
logged: 3
buf_dumps: 3
--------------------------------------------------
dns
packets: 5529
requests: 2780
responses: 2749
--------------------------------------------------
http_inspect
flows: 2449
scans: 10523
reassembles: 10523
inspections: 10317
requests: 2604
responses: 2309
get_requests: 1618
head_requests: 1
post_requests: 1
connect_requests: 984
request_bodies: 1
uri_normalizations: 1339
concurrent_sessions: 15
max_concurrent_sessions: 20
connect_tunnel_cutovers: 984
total_bytes: 1849394
--------------------------------------------------
normalizer
test_tcp_trim_win: 6
tcp_ips_data: 1
tcp_block: 38
--------------------------------------------------
pcre
pcre_rules: 6317
pcre_native: 6317
--------------------------------------------------
port_scan
packets: 62099
trackers: 96
bytes_in_use: 20736
--------------------------------------------------
search_engine
max_queued: 135
total_flushed: 52095
total_inserts: 66077
total_unique: 52095
non_qualified_events: 52326
qualified_events: 3
searched_bytes: 9498731
--------------------------------------------------
ssl
packets: 3281
decoded: 3281
client_hello: 927
server_hello: 927
certificate: 244
server_done: 711
client_key_exchange: 242
server_key_exchange: 242
change_cipher: 1160
client_application: 149
server_application: 1283
unrecognized_records: 19
sessions_ignored: 927
concurrent_sessions: 27
max_concurrent_sessions: 94
--------------------------------------------------
stream
flows: 9091
total_prunes: 7566
idle_prunes_proto_timeout: 7566
tcp_timeout_prunes: 5895
udp_timeout_prunes: 1561
icmp_timeout_prunes: 110
current_flows: 294
uni_flows: 249
--------------------------------------------------
stream_ip
sessions: 110
max: 110
created: 110
released: 110
total_bytes: 60371
--------------------------------------------------
stream_tcp
sessions: 7414
max: 7414
created: 7414
released: 7126
instantiated: 7414
setups: 7414
restarts: 3376
discards: 38
invalid_seq_num: 6
invalid_ack: 1
events: 39
syn_trackers: 7414
segs_queued: 12824
segs_released: 12710
segs_used: 7681
rebuilt_packets: 13601
rebuilt_bytes: 8945365
overlaps: 1
gaps: 1
memory: 208052
initializing: 246
established: 27
closing: 15
syns: 28310
syn_acks: 2449
resets: 358
fins: 2430
max_segs: 13
max_bytes: 15665
--------------------------------------------------
stream_udp
sessions: 1567
max: 1567
created: 1567
released: 1561
total_bytes: 743786
--------------------------------------------------
wizard
tcp_scans: 3376
tcp_hits: 3376
udp_scans: 118
udp_misses: 118
--------------------------------------------------
Appid Statistics
--------------------------------------------------
detected apps and services
Application: Services Clients Users Payloads Misc Referred
chrome: 0 101 0 0 0 0
dns: 1448 1449 0 0 0 0
firefox: 0 139 0 0 0 0
http: 2449 0 0 0 0 0
microsoft_update: 0 0 0 34 0 0
squid: 0 0 0 1144 0 0
unknown: 1 0 0 2416 0 0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
signals: 2
--------------------------------------------------
memory
start_up_use: 240250880
cur_in_use: 293490688
max_in_use: 294907904
epochs: 2718651
allocated: 198516408
deallocated: 168476672
app_all: 265459456
active: 274247680
resident: 281190400
retained: 12693504
How to confirm if the UTD snort engine has triggered an IPS snort signature
Use the following show commands to monitor the snort IPS signatures triggered, the IPS/IDS events generated and the source and destination IP addresses involved.
Option 1. Use the 'show utd engine standard logging events [threat-inspection]' command, to look for IPS/IDS events:
Router#show utd engine standard logging events [threat-inspection]
2025/09/03-15:03:42.946703 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:1417 -> 172.16.2.2:10
2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184
2025/09/03-16:10:12.705933 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:2184 -> 172.16.2.2:10Option 2. Use the 'show utd engine standard logging statistics threat-inspection' command, to look for the top IPS snort signatures triggered in the past 24hrs and how many times each signature has been triggered:
Router# show utd engine standard logging statistics threat-inspection Top Signatures Triggered in the past 24 hours --------------------------------------------------------------------- Signature-id Count Description --------------------------------------------------------------------- 122:7:2 137 portscan: TCP Filtered Portsweep 122:1:2 5 portscan: TCP Portscan 122:3:2 1 portscan: TCP Portsweep
Option 3. Use the 'show utd engine standard logging statistics threat-inspection detail' command, to look for the top IPS snort signatures triggered in the past 24hrs, how many times each signature has been triggered and the source and destination IP addresses that triggered the signature:
Router#show utd engine standard logging statistics threat-inspection detail Top Signatures Triggered in the past 24 hours Signature-id:122:7:2 Count: 137 Description:portscan: TCP Filtered Portsweep --------------------------------------------------------------------- Source IP Destination IP VRF Count --------------------------------------------------------------------- 172.16.2.2 x.x.157.3 0 7 172.16.2.2 x.x.157.14 0 6 172.16.2.2 x.x.29.13 0 6 172.16.2.2 x.x.104.78 0 6 172.16.2.2 x.x.29.14 0 5 172.16.2.2 x.x.157.15 0 5 172.16.2.2 x.x.28.23 0 5 172.16.2.2 x.x.135.19 0 5 172.16.2.2 x.x.135.3 0 4 172.16.2.2 x.x.157.11 0 4 Signature-id:122:1:2 Count: 5 Description:portscan: TCP Portscan --------------------------------------------------------------------- Source IP Destination IP VRF Count --------------------------------------------------------------------- 172.16.1.3 172.16.2.2 0 5 Signature-id:122:3:2 Count: 1 Description:portscan: TCP Portsweep --------------------------------------------------------------------- Source IP Destination IP VRF Count --------------------------------------------------------------------- 172.16.2.2 172.16.1.3 0 1
Option 4. The UTD snort engine monitors the traffic and reports events to an external log server or the IOS syslog. Enabling logging to the IOS syslog may impact performance due to the potential volume of log messages. External third-party monitoring tools, which supports Snort logs, can be used for log collection and analysis.
Whenever the UTD snort engine generates an IPS/IDS event, the router would displays a syslog message like the following:
Router#
*Sep 3 22:10:18.544: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: 2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184When the UTD snort engine is configured to send logs out to an external syslog server, then you should see the UTD snort engine logs in your remote syslog server as follows:
How to display the active IPS snort signatures
Use the following commands to display the Active, Drop and Alert IPS snort signatures for the UTD snort engine, depending on the policy configuration used (Balanced, Connectivity or Security).
Option 1. Proceed as follows to display the active IPS snort signatures list for the Security policy.
Router#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Occurs-at : daily ; Hour: 17; Minute: 55
Logging:
Server : IOS Syslog; 172.16.2.2
Level : debug
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Disabled
Whitelist Signature IDs:
Port Scan : Enabled
Sense level : High
Web-Filter : Disabled
Router#utd threat-inspection signature active-list write-to bootflash:siglist_security
Router#more bootflash:siglist_security
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Security
Total no. of active signatures: 23398
Total no. of drop signatures: 22625
Total no. of alert signatures: 773
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 13418, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt;
sigid: 13897, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-MULTIMEDIA Apple QuickTime crgn atom parsing stack buffer overflow attempt;
sigid: 14263, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: POLICY-SOCIAL Pidgin MSNP2P message integer overflow attempt;
sigid: 15968, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt;
sigid: 15975, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-IMAGE OpenOffice TIFF parsing integer overflow attempt;
sigid: 15976, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-IMAGE OpenOffice TIFF parsing integer overflow attempt;
sigid: 16232, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: OS-WINDOWS Microsoft Windows EOT font parsing integer overflow attempt;
sigid: 16343, gid:3, log-level:3, action: drop, class-type: misc-activity,
Descr: FILE-PDF PDF header obfuscation attempt;
sigid: 16394, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt;
sigid: 16728, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: NETBIOS Samba SMB1 chain_reply function memory corruption attempt;
sigid: 17647, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-FLASH Adobe Flash Player DefineSceneAndFrameLabelData memory corruption attempt;
sigid: 17665, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OFFICE OpenOffice Word document table parsing heap buffer overflow attempt;
sigid: 17741, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER MIT Kerberos asn1_decode_generaltime uninitialized pointer free attempt;
[omitted output]Option 2. Proceed as follows to display the active IPS snort signatures list for the Connectivity policy.
Router#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Connectivity
Signature Update:
Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Occurs-at : daily ; Hour: 17; Minute: 55
Logging:
Server : IOS Syslog; 172.16.2.2
Level : debug
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Disabled
Whitelist Signature IDs:
Port Scan : Enabled
Sense level : High
Web-Filter : Disabled
Router#utd threat-inspection signature active-list write-to bootflash:siglist_connectivity
Router#more bootflash:siglist_connectivity
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Connectivity
Total no. of active signatures: 597
Total no. of drop signatures: 494
Total no. of alert signatures: 103
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 30282, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30283, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30942, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt;
sigid: 30943, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt;
sigid: 35897, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt;
sigid: 35898, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt;
sigid: 35902, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt;
sigid: 35903, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt;
sigid: 35926, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-WEBAPP Oracle Identity Management authorization bypass attempt;
sigid: 35927, gid:3, log-level:1, action: drop, class-type: policy-violation,
Descr: SERVER-WEBAPP Oracle Identity Management remote file execution attempt;
sigid: 38671, gid:3, log-level:1, action: drop, class-type: attempted-user,
[omitted output]Option 3. Proceed as follows to display the active IPS snort signatures list for the Balanced policy.
Router#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Balanced
Signature Update:
Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Occurs-at : daily ; Hour: 17; Minute: 55
Logging:
Server : IOS Syslog; 172.16.2.2
Level : debug
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Disabled
Whitelist Signature IDs:
Port Scan : Enabled
Sense level : High
Web-Filter : Disabled
Router#utd threat-inspection signature active-list write-to bootflash:siglist_balanced
Router#more bootflash:siglist_balanced
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Balanced
Total no. of active signatures: 10033
Total no. of drop signatures: 9534
Total no. of alert signatures: 499
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 30282, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30283, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30887, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER Cisco Tshell command injection attempt;
sigid: 30888, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER Cisco Tshell command injection attempt;
sigid: 30902, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ;
sigid: 30903, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ;
sigid: 30912, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt;
sigid: 30913, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt;
sigid: 30921, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt;
sigid: 30922, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt;
sigid: 30929, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER Cisco RV180 VPN CSRF attempt;
[omitted output]Troubleshooting
1. Ensure the Cisco Integrated Services Router (ISR) runs XE 16.10.1a and above (For IOx method).
2. Ensure the Cisco Integrated Services Router (ISR) is licensed with the Securityk9 feature enabled.
3. Verify the ISR hardware model is in compliance with the minimum resource profile.
4. The UTD snort engine is not compatible with the Zone-Based Firewall SYN-cookie and the Network Address Translation 64 (NAT64)
5. Confirm the UTD snort engine service is started after the installation.
6. During the manual Signature package download, ensure the package has the same version as the Snort engine version. The signature package update may fail if there is a version mismatch.
7. In case of performance issues, use the 'show app-hosting resource' and 'show app-hosting utilization appid ''UTD-NAME' for checking the UTD CPU, Memory and Storage space.
Router#show app-hosting resource
CPU:
Quota: 75(Percentage)
Available: 50(Percentage)
VCPU:
Count: 6
Memory:
Quota: 10240(MB)
Available: 9216(MB)
Storage device: bootflash
Quota: 4000(MB)
Available: 4000(MB)
Storage device: harddisk
Quota: 20000(MB)
Available: 19029(MB)
Storage device: volume-group
Quota: 190768(MB)
Available: 169536(MB)
Storage device: CAF persist-disk
Quota: 20159(MB)
Available: 18078(MB)
Router#show app-hosting utilization appid utd
Application: utd
CPU Utilization:
CPU Allocation: 33 %
CPU Used: 3 %
Memory Utilization:
Memory Allocation: 1024 MB
Memory Used: 117632 KB
Disk Utilization:
Disk Allocation: 711 MB
Disk Used: 451746 KB
Debugging
For troubleshooting purposes, use the debug commands listed below to gather further details from the UTD snort engine.
debug virtual-service all
debug virtual-service virtualPortGroup
debug virtual-service messaging
debug virtual-service timeout
debug utd config level error [error, info, warning]
debug utd engine standard all
Warning: Running debug commands during production hours can significantly increase CPU, memory, or disk utilization on the UTD Snort engine or the router, potentially impacting traffic and system stability. Use debug commands sparingly, preferably during a maintenance window, and disable them immediately after collecting the required data. If elevated resource usage or service impact is observed, stop the debug and contact Cisco TAC.
Related Information
Additional documentation related to the UTD Snort IPS deployment can be found here:
Cisco Snort IPS Security Configuration Guide
Cisco Virtual Service Resource Profile for ISR4K and CSR1000v
Snort IPS on Routers - Step by Step Configuration
Cisco Guide - Troubleshooting Snort IPS
Snort Port-Scan Inspector Reference Guide
Snort Open Source Intrusion Prevention System (IPS) Webpage
Install UTD Security Virtual Image on cEdge Routers
CSCwf57595 ISR4K Snort IPS is not deployed since HW does not have enough platform resources
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
3.0 |
17-Sep-2025
|
Initial Release |
1.0 |
11-Jul-2023
|
Initial Release |
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)