在思科集成多业务路由器1000、4000、CSR和ISRv系列上部署UTD Snort IPS

简介

本文档介绍如何使用IOx方法在思科集成多业务路由器ISR1K、ISR4K、CSR和ISRv系列上部署UTD Snort IPS引擎。

先决条件

要求

Cisco 建议您了解以下主题：

• 思科集成多业务路由器ISR1K、ISR4K、CSR和ISRv系列，至少带8GB DRAM
• 基本IOS-XE命令知识
• 基本UTD Snort IPS知识
• 需要签名IPS Snort订用1年或3年
• IOS-XE 16.10.1a及更高版本

使用的组件

本文档中的信息基于以下软件和硬件版本：

• 运行版本17.9.3a的ISR1K、ISR4K、CSR和ISRv系列
• UTD Snort引擎版本17.9.3a
• Securityk9许可证，适用于ISR1K、ISR4K、CSR和ISRv系列

VMAN方法现在已弃用。

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您的网络处于活动状态，请确保您了解所有命令的潜在影响。

背景信息

统一威胁防御(UTD)Snort IPS功能为思科集成多业务路由器ISR1K、ISR4K、CSR和ISRv系列上的分支机构启用入侵防御系统(IPS)或入侵检测系统(IDS)。此功能使用开源Snort启用IPS或IDS功能。

Snort是一个开源IPS，它会执行实时流量分析，并在IP网络上检测到威胁时生成警报。它还可以执行协议分析、内容研究或行进，并检测各种攻击和探测，例如缓冲区溢出、隐藏端口扫描等。UTD Snort引擎作为虚拟容器服务在思科集成多业务路由器ISR1K、ISR4K、CSR和ISRv系列上运行。

UTD Snort IPS为思科集成多业务路由器ISR1K、ISR4K、CSR和ISRv系列提供IPS或IDS功能。 

• UTD监控网络流量并根据定义的规则集对其进行分析。
• UTD执行连接分类。
• UTD根据匹配的规则调用操作。

根据网络要求。UTD Snort IPS可以作为IPS或IDS启用：

• 在IDS模式下：UTD Snort引擎会检查流量并报告警报，但不会采取任何操作来防止攻击。
• 在IPS模式下：UTD Snort引擎会像IDS一样检查流量并报告警报，但会采取措施防止攻击。

UTD Snort IPS作为服务在路由器ISR1K、ISR4K、CSR和ISRv系列上运行。服务容器使用虚拟化技术在思科设备上为应用提供托管环境。Snort流量检测在每个接口上启用，或者在所有支持的接口上全局启用。

UTD Snort引擎IPS解决方案

UTD Snort引擎IPS解决方案由以下实体组成：

• Snort传感器 — 根据配置的安全策略（包括签名、统计信息、协议分析等）监控流量以检测异常，并将警报消息发送到警报/报告服务器。Snort传感器在路由器上部署为虚拟容器服务。

• 签名存储 — 托管定期更新的思科签名软件包。这些特征码包会定期或按需下载到Snort传感器。经验证的签名软件包发布到Cisco.com。根据配置，签名软件包可以从Cisco.com或本地服务器下载。

  路由器在从cisco.com下载签名软件包的过程中会访问以下域：

  • api.cisco.com

  • apx.cisco.com

  • cloudsso.cisco.com

  • cloudsso-test.cisco.com

  • cloudsso-test3.cisco.com

  • cloudsso-test4.cisco.com

  • cloudsso-test5.cisco.com

  • cloudsso-test6.cisco.com

  • cloudsso.cisco.com

  • download-ssc.cisco.com

  • dl.cisco.com

  • resolver1.opendns.com

  • resolver2.opendns.com

  必须先使用Cisco.com凭证将签名软件包从Cisco.com手动下载到本地服务器，然后Snort传感器才能检索它们。 

• 警报/报告服务器 — 从Snort传感器接收警报事件。Snort传感器生成的警报事件可以发送到IOS系统日志或外部系统日志服务器，或者同时发送到IOS系统日志和外部系统日志服务器。Snort IPS解决方案未捆绑任何外部日志服务器。

• 管理 — 管理Snort IPS解决方案。使用IOS CLI配置管理。无法直接访问Snort传感器，所有配置只能使用IOS CLI完成。

许可证要求

以下是UTD Snort引擎的许可要求：

• ISR1K、ISR4K路由器、CSR和ISRv上需要安全K9许可证。除此之外，签名订用也需要1年或3年，订用类型有两种：

a)社区签名包：社区签名包规则集对威胁提供的覆盖范围有限。

b)基于用户的签名包：基于用户的签名包规则集提供针对威胁的最佳保护。  它包括在攻击发生之前提供保护，并且还提供对更新签名的快速访问，以响应安全事件或主动发现新威胁。思科完全支持此订用，并将在Cisco.com上持续更新该软件包。

UTD Snort订户签名软件包可以从software.cisco.com下载，并且snort签名信息可以在snort.org上找到。

此外，您还可以使用以下snort.org Rule Documentation Search工具查找特定的snort IPS签名ID。

• Catalyst 8000边缘路由器（如支持的平台部分所述）上需要DNA-Essentials许可证才能使用IPS/Snort。

支持的平台 

以下是UTD Snort引擎支持的平台：

• ISR 4461、4451、4431、4351、4331、4321、4221X、4221、CSR、ISRv和ISR 1K（X PID，如1111X、1121X、1161X等，仅支持8GB DRAM，从17.2.1r版本开始）

• Catalyst 8500L、8300、8200、8000V。

限制

以下限制适用于UTD Snort引擎：

• 只有tcp、udp和icmp数据包将被转移到UTD snort引擎进行检查

• 只有通过机箱的流量才会转移到UTD Snort引擎进行检查

限制

以下限制适用于UTD Snort引擎：

• 在Cisco 4000系列ISR上启用boost许可证时，无法为Snort IPS配置虚拟服务容器。

• 与基于区域的防火墙SYN-cookie功能不兼容。

• 不支持网络地址转换64(NAT64)。

• 开源Snort中的SNMP轮询需要SnortSnmpPlugin。Snort IPS不支持SNMP轮询功能或MIB，因为SnortSnmp插件未安装在UTD上。

• IOS系统日志受速率限制，因此Snort生成的所有警报可能无法通过IOS系统日志查看。但是，如果您将所有Syslog消息导出到外部syslog服务器，则可以查看这些消息。

UTD Snort引擎IPS下载链接

以下是用于下载UTD Snort IPS引擎软件映像文件的Cisco链接，该文件用于在Cisco路由器上安装UTD Snort引擎。此外，您还可以找到UTD Snort订户签名软件包文件，下载UTD Snort IPS签名，具体取决于运行的UTD Snort引擎版本。

• ISR1K - https://software.cisco.com/download/home/286315006/type

• ISR4000 -https://software.cisco.com/download/home/284389362/type

• CSR -https://software.cisco.com/download/home/284364978/type

• ISRv -https://software.cisco.com/download/home/286308693/type

• Catalyst 8500L -https://software.cisco.com/download/home/286324574/type

• Catalyst 8300 -https://software.cisco.com/download/home/286324476/type

• Catalyst 8200 -https://software.cisco.com/download/home/286324472/type

• Catalyst 8000V -https://software.cisco.com/download/home/286327102/type

注意：安装UTD Snort引擎之前需要考虑的前提条件。如果是物理ISR，则必须运行IOS-XE 3.16.1版或更高版本。如果是CSR，则必须运行版本16.3.1或更高版本，如果是ISRv(ENCS)，则必须运行版本16.8.1或更高版本。对于Catalyst 8300（起始版本17.3.2及更高版本）、8200（起始版本17.4.1及更高版本）和8000V（起始版本17.4.1及更高版本）。

注意：如果用户从下载软件页面手动下载UTD Snort订户签名软件包，则用户应确保软件包的版本与Snort引擎版本相同。例如，如果Snort引擎版本为2982，则用户应下载相同版本的签名软件包。如果版本不匹配，签名包更新将被拒绝，并且会失败。

注意：更新签名包时，引擎将重新启动，流量将在短期内中断或旁路检查，具体取决于其数据平面失效开放/失效关闭配置。

网络图

配置

UTD Snort引擎安装

步骤1.为UTD Snort引擎配置VirtualPortGroup接口，配置两个端口组：

• 用于管理流量的VirtualPortGroup0:此VirtualPortGroup将用于向日志收集器发送日志以及从Cisco.com提取签名更新。

• 用于数据流量的VirtualPortGroup1:此VirtualPortGroup将用于发送和接收标记为要检查的数据包，这些数据包到达数据平面进行IPS检查。

Router#configure terminal
Router(config)#interface VirtualPortGroup0
Router(config-if)#description Management Interface
Router(config-if)#ip address 192.168.1.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit

Router(config)#interface VirtualPortGroup1
Router(config-if)#description Data Interface
Router(config-if)#ip address 192.168.2.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit

注意:确保配置VirtualPortgroup0所需的NAT和路由，使UTD Snort引擎能够访问外部系统日志服务器以及cisco.com获取签名更新文件。

Step 2.  在全局配置模式下启用IOx环境。

Router(config)#iox

步骤3.然后激活虚拟服务并配置访客IP，为此，请使用vnic配置配置应用托管。

Router(config)#app-hosting appid UTD
Router(config-app-hosting)#app-vnic gateway0 virtualportgroup 0 guest-interface 0
Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.1.2 netmask 255.255.255.252
Router(config-app-hosting-gateway0)#exit

Router(config-app-hosting)#app-vnic gateway1 virtualportgroup 1 guest-interface 1
Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.2.2 netmask 255.255.255.252
Router(config-app-hosting-gateway0)#exit

第 4 步（可选）： 配置资源配置文件。

Router(config-app-hosting)#app-resource package-profile low [low,medium,high]
Router(config-app-hosting)#end

注意：UTD Snort引擎虚拟服务支持三种资源配置文件：Low、Medium和High。这些配置文件指示运行虚拟服务所需的CPU和内存资源。您可以配置这些资源配置文件之一。资源配置文件配置是可选的。如果未配置配置文件，虚拟服务将使用其默认资源配置文件激活。有关更多资源配置文件详细信息，请查看ISR4K和CSR1000v的思科虚拟服务资源配置文件。

注意：此选项对ISR1K系列不可用。

步骤5.将UTD Snort IPS引擎软件文件复制到路由器闪存，然后使用UTD.tar文件安装应用托管，如下所示。

Router#app-hosting install appid UTD package bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar

注意：UTD引擎版本在UTD文件名中指定，确保要安装的UTD引擎版本与思科路由器中运行的IOS-XE版本兼容

应看到指示已正确安装UTD服务的下一个系统日志。

Installing package 'bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for 'utd'. Use 'show app-hosting list' for progress.
*Jun 26 19:25:35.975: %VMAN-5-PACKAGE_SIGNING_LEVEL_ON_INSTALL: R0/0: vman: Package 'iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for service container 'utd' is 'Cisco signed', signing level cached on original install is 'Cisco signed'
*Jun 26 19:25:50.746: %VIRT_SERVICE-5-INSTALL_STATE: Successfully installed virtual service utd
*Jun 26 19:25:53.176: %IM-6-INSTALL_MSG: R0/0: ioxman: app-hosting: Install succeeded: utd installed successfully Current state is deployed

注意：使用“show app-hosting list”时，状态应显示为“Deployed”

步骤6.启动应用托管服务。

Router#configure terminal
Router(config)#app-hosting appid UTD
Router(config-app-hosting)#start
Router(config-app-hosting)#end

注意：启动应用托管服务后，应用托管状态应为“Running”。 请使用show app-hosting list或“show app-hosting detail”查看更多详细信息。

应该看到下一条syslog消息，指示UTD服务已正确安装。

*Jun 26 19:55:05.362: %VIRT_SERVICE-5-ACTIVATION_STATE: Successfully activated virtual service UTD
*Jun 26 19:55:07.412: %IM-6-START_MSG: R0/0: ioxman: app-hosting: Start succeeded: UTD started successfully Current state is running

将UTD Snort引擎配置为IPS或IDS

成功安装后，必须为UTD Snort引擎配置服务平面。UTD Snort引擎可配置为入侵防御系统(IPS)或入侵检测系统(IDS)，以进行流量检测。

警告：确认路由器中已启用“securityk9”许可证功能，以继续执行UTD服务平面配置。

步骤1.配置统一威胁防御(UTD)标准引擎（服务平面）

Router#configure terminal
Router(config)#utd engine standard

步骤2.启用UTD Snort引擎到远程服务器和IOSd系统日志的日志记录。

Router(config-utd-eng-std)#logging host 192.168.10.5
Router(config-utd-eng-std)#logging syslog

注意：UTD Snort IPS监控流量并向外部日志服务器或IOS系统日志报告事件。启用日志记录到IOS系统日志可能会由于日志消息的数量而影响性能。支持Snort日志的外部第三方监控工具可用于日志收集和分析。

步骤3.为Snort引擎启用威胁检测。

Router(config-utd-eng-std)#threat-inspection

步骤4.将威胁检测(IDS)或入侵防御系统(IPS)配置为Snort引擎的操作模式。

Router(config-utd-engstd-insp)#threat [protection,detection]

注意：对IPS使用关键字protection，对IDS模式使用关键字detection。默认模式为“detection”

步骤5.配置Snort引擎的安全策略。

Router(config-utd-engstd-insp)#policy [balanced, connectivity, security]
Router(config-utd-engstd-insp)#exit
Router(config-utd-eng-std)#exit

注意：默认策略为'balanced'，根据选择的策略，snort引擎将激活或停用IPS签名以进行snort引擎保护。

第 6 步（可选）： 启用UTD允许列表（白名单）配置。

Router#configure terminal
Router(config)#utd threat-inspection whitelist

第 7 步（可选）： 配置要包括在白名单中的IPS Snort签名ID。

Router(config-utd-whitelist)#generator id 40 signature id 54621 comment FILE-OFFICE traffic

or

Router(config-utd-whitelist)#signature id 13418 comment "whitelisted the IPS signature 13418"

注意：可以从需要抑制的警报中复制签名ID，您可以配置多个签名ID。对需要添加到白名单的每个签名ID重复此步骤。

注意：配置允许的列表签名ID（白名单）后，UTD Snort引擎将允许流通过设备，而不发出任何警报和丢弃。

注意：生成器标识符(GID)标识评估入侵规则并生成事件的子系统。标准文本入侵规则的生成器ID为1，而共享对象入侵规则的生成器ID为3。还有几组规则用于各种预处理器。下表1.生成器ID解释了GID。

第 8 步（可选）： 在威胁检测配置上启用允许列表。

Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#whitelist

注意：配置白名单签名ID后，snort引擎将允许流通过设备，而不发出任何警报和丢弃

步骤9.配置签名更新间隔以自动下载Snort签名。

Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#signature update occur-at [daily, monthly, weekly] 0 0

注意：第一个数字以24hr格式定义小时，第二个数字表示分钟。

警告：UTD签名更新会在更新时产生短暂的服务中断。

步骤10.配置UTD Snort引擎签名更新服务器参数。

Router(config-utd-engstd-insp)#signature update server [cisco, url] username xxxx password xxxx

Example - Configuring signature updates from a Cisco Server:
Router(config-utd-engstd-insp)#signature update server cisco username xxxx password xxxx

or

Example - Configuring signature updates from a Local server:
Router(config-utd-engstd-insp)#signature update server url http://x.x.x.x/UTD-STD-SIGNATURE-31810-155-S.pkg

注意：使用关键字'cisco' 指向用于签名更新的思科服务器，或使用关键字'url'定义更新服务器的自定义http/https路径。对于Cisco服务器，您必须提供您的Cisco用户名和密码凭证。

注意：确保将DNS服务器配置为从Cisco服务器下载IPS Snort签名。如果未将URL指定为IP地址，则Snort容器会执行域名查找（在路由器上配置的DNS服务器上），以解析从Cisco.com或本地服务器上进行自动签名更新的位置。

注意：路由器NAT配置中应包含分配给接口VirtualPortGroup0的UTD模块管理IP地址，以允许模块访问Internet以访问Cisco服务器下载snort签名软件包。

步骤11.启用UTD Snort引擎日志记录级别和威胁检测警报统计信息的日志记录：

Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#logging level [alert,crit,debug,emerg,info,notice,warning]
Router(config-utd-engstd-insp)#logging statistics enable
Router(config-utd-engstd-insp)#exit
Router(config-utd-eng-std)#exit

注意：从Cisco IOS XE Fuji 16.8版本开始，您可以在运行下一命令“show utd engine standard logging threat-inspection statistics detail”时获取威胁检查警报的汇总详细信息。 仅当UTD Snort引擎的威胁检测警报统计信息记录启用时。

步骤12.启用utd服务。

Router#configure terminal
Router(config)#utd

第 13 步（可选）： 将数据流量从VirtualPortGroup接口重定向到UTD服务。

Router#configure terminal
Router(config)#utd
Router(config-utd)#redirect interface virtualPortGroup 

注意：如果未配置重定向，则自动检测重定向。

步骤14.启用UTD IPS引擎以检查来自路由器上所有第3层接口的流量。

Router(config-utd)#all-interfaces

步骤15.启用引擎标准。

Router(config-utd)#engine standard

应看到下一条syslog消息，指示UTD snort引擎已正确启用：

*Jun 27 23:41:03.062: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jun 27 23:41:13.039: %IOSXE-2-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008501210250689 %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Down => Red (3) for channel Threat Defense
*Jun 27 23:41:22.457: %IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008510628353985 %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: Red

第 16 步（可选）： 定义在故障期间用于UTD Snort引擎的操作（UTD数据平面）

Router(config-engine-std)#fail open
Router(config-engine-std)#end

注意：当UTD引擎发生故障时，“fail close”选项会丢弃所有路由器流量，而“fail open”选项则允许路由器流量在UTD故障期间继续流动，而不进行IPS/IDS检测。默认选项为“fail open”。

步骤17.保存路由器配置。

Router#copy running-config startup-config
Destination filename [startup-config]? 
Building configuration...
[OK]
Router#

UTD Snort引擎的端口扫描检查器

UTD Snort引擎具有端口扫描功能。端口扫描是一种网络侦测形式，攻击者通常将其用作攻击的前奏。在端口扫描中，攻击者发送旨在探查目标主机上网络协议和服务的数据包。通过检查主机响应发送的数据包，攻击者可以确定主机上的哪些端口处于打开状态，或者直接或推断出哪些应用协议正在这些端口上运行。

端口扫描本身并不能证明存在攻击。网络上的合法用户可能使用攻击者使用的类似端口扫描技术。

por_scan检查器检测四种类型的端口扫描，并监控TCP、UDP、ICMP和IP协议上的连接尝试。通过检测活动模式，port_scan检查器可帮助您确定哪些端口扫描可能是恶意的。

根据目标主机数量、扫描主机数量和扫描的端口数量，端口扫描通常分为四种类型。

端口扫描检查器规则

下面的表3.显示了端口扫描检查器规则。

端口扫描敏感级别

port_scan检查器为UTD Snort引擎提供三个默认扫描敏感级别：

• High port_scan
• 低port_scan
• Medium port_scan

为UTD Snort引擎配置端口扫描检查器

步骤1.配置统一威胁防御(UTD)标准引擎（服务平面）

Router#configure terminal
Router(config)#utd engine standard

步骤2.为UTD Snort引擎启用威胁检测。

Router(config-utd-eng-std)#threat-inspection

步骤3.然后启用port_scan。

Router(config-utd-engstd-insp)#port-scan 

步骤4.设置port_scan敏感级别，可用选项为high、medium或low。

Router(config-utd-threat-port-scan)# sense level [high | low | medium]

Example:
Router(config-utd-threat-port-scan)# sense level high

步骤5.启用port_scan并为UTD snort引擎配置敏感级别后，请使用“show utd engine standard config”命令验证port_scan配置。

Router#show utd engine standard config 
UTD Engine Standard Configuration:

VirtualPortGroup Id: 1


IPS/IDS         : Enabled

  Operation Mode : Intrusion Prevention
  Policy         : Security

  Signature Update:
    Server    : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
    Occurs-at : daily ; Hour: 17; Minute: 55

  Logging:
    Server    :  IOS Syslog;  172.16.2.2 
    Level     : debug
    Statistics    : Enabled
    Hostname    : router
    System IP   : Not set

  Whitelist : Disabled
  Whitelist Signature IDs:
 
  Port Scan      : Enabled
    Sense level  : High

Web-Filter      : Disabled

验证

检查VirtualPortGroup IP地址和接口状态

Router#show ip interface brief | i VirtualPortGroup
VirtualPortGroup0 192.168.1.1 YES NVRAM up up
VirtualPortGroup1 192.168.2.1 YES NVRAM up up

检查VirtualPortGroup接口配置

Router#show running-config | b interface
interface VirtualPortGroup0
description Management Interface
ip address 192.168.1.1 255.255.255.252
!
interface VirtualPortGroup1
description Data Interface
ip address 192.168.2.1 255.255.255.252

检查应用托管配置

Router#show running-config | b app-hosting
app-hosting appid UTD
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.1.2 netmask 255.255.255.252
app-vnic gateway1 virtualportgroup 1 guest-interface 1
guest-ipaddress 192.168.2.2 netmask 255.255.255.252
start
end

检查iox激活

Router#show running-config | i iox
iox

检查应用托管状态

Router#show app-hosting list
App id                                      State
---------------------------------------------------------
UTD                                         RUNNING

检查应用托管详细信息

发出show app-hosting detail命令以确认UTD snort引擎状态、运行的软件版本、RAM、CPU和磁盘利用率、网络统计信息和DNS配置是否到位。

Router#show app-hosting detail
App id : UTD
Owner : ioxm
State : RUNNING
Application
Type : LXC
Name : UTD-Snort-Feature
Version : 1.0.7_SV2.9.18.1_XE17.9
Description : Unified Threat Defense
Author :
Path : /bootflash/secapp-utd.17.09.03a.1.0.7_SV2.9.18.1_XE17.9.x86_64.tar
URL Path :
Multicast : yes
Activated profile name :

Resource reservation
Memory : 1024 MB
Disk : 752 MB
CPU :
CPU-percent : 25 %
VCPU : 0

Platform resource profiles
Profile Name CPU(unit) Memory(MB) Disk(MB)
--------------------------------------------------------------

Attached devices
Type Name Alias
---------------------------------------------
Disk /tmp/xml/UtdLogMappings-IOX
Disk /tmp/xml/UtdIpsAlert-IOX
Disk /tmp/xml/UtdDaqWcapi-IOX
Disk /tmp/xml/UtdUrlf-IOX
Disk /tmp/xml/UtdTls-IOX
Disk /tmp/xml/UtdDaq-IOX
Disk /tmp/xml/UtdAmp-IOX
Watchdog watchdog-503.0
Disk /tmp/binos-IOX
Disk /opt/var/core
Disk /tmp/HTX-IOX
Disk /opt/var
NIC ieobc_1 ieobc
Disk _rootfs
NIC mgmt_1 mgmt
NIC dp_1_1 net3
NIC dp_1_0 net2
Serial/Trace serial3

Network interfaces
---------------------------------------
eth0:
MAC address : 54:0e:00:0b:0c:02
IPv6 address : ::
Network name :
eth:
MAC address : 6c:41:0e:41:6b:08
IPv6 address : ::
Network name :
eth2:
MAC address : 6c:41:0e:41:6b:09
IPv6 address : ::
Network name :
eth1:
MAC address : 6c:41:0e:41:6b:0a
IPv4 address : 192.168.2.2
IPv6 address : ::
Network name :

----------------------------------------------------------------------
Process Status Uptime # of restarts
----------------------------------------------------------------------
climgr UP 0Y 0W 0D 21:45:29 2
logger UP 0Y 0W 0D 19:25:56 0
snort_1 UP 0Y 0W 0D 19:25:56 0

Network stats:
eth0: RX packets:162886, TX packets:163855
eth1: RX packets:46, TX packets:65

DNS server:
domain cisco.com
nameserver 192.168.90.92

Coredump file(s): core, lost+found

Interface: eth2
ip address: 192.168.2.2/30
Interface: eth1
ip address: 192.168.1.2/30

Address/Mask Next Hop Intf.
-------------------------------------------------------------------------------
0.0.0.0/0 192.168.2.1 eth2
0.0.0.0/0 192.168.1.1 eth1

检查UTD Snort引擎兼容性版本，与运行的路由器IOS-XE版本进行比较

使用show utd engine standard version命令确认UTD Snort引擎兼容性版本，以阻止正在运行的IOS-XE路由器版本。

Router#show utd engine standard version 
UTD Virtual-service Name: UTD
IOS-XE Recommended UTD Version: 1.1.11_SV3.1.81.0_XE17.12
IOS-XE Supported UTD Regex: ^1\.1\.([0-9]+)_SV(.*)_XE17.12$
UTD Installed Version: 1.1.11_SV3.1.81.0_XE17.12

检查UTD Snort引擎状态

选项1.发出“show utd engine standard status”命令，以确认UTD Snort引擎的状态、“Green”中的Status、“Green”中的Health和Overall system status in “Green”中，表示UTD Snort引擎运行正常。

Router#show utd engine standard status                   
Engine version       : 1.1.11_SV3.1.81.0_XE17.12
Profile              : Low
System memory        :
              Usage  : 31.80 %
              Status : Green         
Number of engines    : 1

Engine        Running    Health     Reason    
=======================================================
Engine(#1):   Yes        Green      None
=======================================================

Overall system status: Green

Signature update status:
=========================
Current signature package version: 31810.155.s
Last update status: Failed
Last successful update time: Wed Sep  3 12:51:56 2025 CST
Last failed update time: Wed Sep  3 17:55:02 2025 CST
Last failed update reason: File not found
Next update scheduled at: Thursday Sep 04 17:55 2025 CST
Current status: Idle

注意：当UTD Snort引擎超订用时，威胁防御通道状态在绿色和红色之间变化。如果配置了fail-close，则UTD数据平面会丢弃所有进一步的数据包；如果未配置fail-close，则转发未检查的数据包（默认）。 当UTD服务平面从超订用中恢复时，它会以绿色状态响应UTD数据平面。

选项2.发出“show platform software utd global”命令，以获取UTD Snort引擎运行状态的简短摘要。 

Router#show platform software utd global
UTD Global state
=========================
Engine : Standard
Global Inspection : Enabled
Operational Mode : Intrusion Prevention
Fail Policy : Fail-open
Container technology : LXC
Redirect interface : VirtualPortGroup1
UTD interfaces
All dataplane interfaces

检查UTD Snort引擎配置

选项1.发出“show utd engine standard config”命令以显示UTD Snort引擎配置详细信息、操作模式、策略模式、签名更新配置、日志记录配置、白名单和端口扫描状态。  

Router#show utd engine standard config
UTD Engine Standard Configuration:

IPS/IDS : Enabled

Operation Mode : Intrusion Prevention
Policy : Security

Signature Update:
Server : cisco
User Name : cisco
Password : KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
Occurs-at : daily ; Hour: 0; Minute: 0

Logging:
Server : 192.168.10.5
Level : info
Statistics : Enabled
Hostname : router
System IP : Not set

Whitelist : Enabled
Whitelist Signature IDs:
54621, 40

 Port Scan : Enabled

Web-Filter : Disabled

选项2.发出“show running-config” | b engine'命令，以显示UTD snort引擎的运行配置。

Router#show running-config | b engine
utd engine standard
 logging host 192.168.10.5
 logging syslog
 threat-inspection
  threat protection
  policy security
  signature update server cisco username cisco password KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
  signature update occur-at daily 0 0
  logging level info
  whitelist
  logging statistics enable
utd threat-inspection whitelist
 generator id 40 signature id 54621 comment FILE-OFFICE traffic
utd
 all-interfaces
 redirect interface VirtualPortGroup1
 engine standard

检查UTD Snort引擎IPS Snort签名更新状态

1.发出show utd engine standard threat-inspection signature update status命令，检查IPS snort签名更新状态。

Router#show utd engine standard threat-inspection signature update status
Current signature package version: 31810.155.s
Current signature package name: UTD-STD-SIGNATURE-31810-155-S.pkg
Previous signature package version: 31810.154.s
---------------------------------------
Last update status: Failed
---------------------------------------
Last successful update time: Wed Sep 3 12:51:56 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.4.219/UTD-STD-SIGNATURE-31810-155-S.pkg
Last successful update speed: 6343108 bytes in 31 secs
---------------------------------------
Last failed update time: Thu Sep 4 17:55:02 2025 CST
Last failed update method: Auto
Last failed update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Last failed update reason: File not found
---------------------------------------
Last attempted update time: Thu Sep 4 17:55:02 2025 CST
Last attempted update method: Auto
Last attempted update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
---------------------------------------
Total num of updates successful: 2
Num of attempts successful: 2
Num of attempts failed: 29
Total num of attempts: 31
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
---------------------------------------
Current status: Idle

2.发出“utd threat-inspection signature update”命令，使用应用于UTD Snort引擎的现有服务器配置执行手动IPS Snort签名更新，以进行签名下载。

Router#utd threat-inspection signature update

3.发出“utd threat-inspection signature update server [cisco， url] username xxxxx password xxxxx force”命令，强制使用指定的服务器参数执行手动IPS snort签名更新。

Router#utd threat-inspection signature update server [cisco, url] username xxxxx password xxxxx force

Example:
Router#utd threat-inspection signature update server url http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg force
% This operation may cause the UTD service to restart which will briefly interrupt services.
Proceed with signature update? [confirm]
Router#
*Sep 5 02:08:13.845: %IOSXE_UTD-4-SIG_UPDATE_EXEC: UTD signature update has been executed - A brief service interruption is expected
*Sep 5 02:08:35.007: %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Green => Red (3) for channel Threat DefenseQFP:0.0 Thread:001 TS:00000217689533745619
Router#
*Sep 5 02:08:42.671: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: UTD signature update succeeded - previous version: 31810.155.s - current version: 31810.156.s
Router#
*Sep 5 02:09:00.284: %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: RedQFP:0.0 Thread:001 TS:00000217714810090067

Router#show utd engine standard signature update status 
Current signature package version: 31810.156.s
Current signature package name: UTD-STD-SIGNATURE-31810-156-S.pkg
Previous signature package version: 31810.155.s
---------------------------------------
Last update status: No New Package found
---------------------------------------
Last successful update time: Thu Sep 4 20:08:41 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg
Last successful update speed: 6344395 bytes in 27 secs
---------------------------------------
Last failed update time: Thu Sep 4 20:07:43 2025 CST
Last failed update method: Manual
Last failed update server: http://10.189.35.188/tftpboot/UTD-STD-SIGNATURE-31810-156-S.pkg
Last failed update reason: File not found
---------------------------------------
Last attempted update time: Thu Sep 4 20:10:29 2025 CST
Last attempted update method: Manual
Last attempted update server: http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg
---------------------------------------
Total num of updates successful: 3
Num of attempts successful: 4
Num of attempts failed: 30
Total num of attempts: 34
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
---------------------------------------
Current status: Idle

如何确认UTD Snort引擎是否正在检查流量

使用以下show命令监控UTD Snort引擎处理的流量并检查与流量检查相关的统计信息。 

选项1.从以下“show utd engine standard statistics”输出中，当UTD snort引擎处理流量时，“received”和“analyzed”计数器增加：

Router#show utd engine standard statistics
************************************
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 62069    <------------
analyzed: 62069    <------------
allow: 60634
block: 38
replace: 1
whitelist: 1396
idle: 763994
rx_bytes: 13778491
--------------------------------------------------
codec
total: 62069 (100.000%)
eth: 62069 (100.000%)
icmp4: 234 ( 0.377%)
icmp4_ip: 234 ( 0.377%)
ipv4: 62069 (100.000%)
tcp: 56168 ( 90.493%)
udp: 5667 ( 9.130%)
--------------------------------------------------

选项2.从下面的“show platform hardware qfp active feature utd stats”输出中，当流量从路由器重定向到UTD snort引擎以进行流量检查时，“decaps”和“Divert”计数器增加，当流量从UTD snort引擎重定向到路由器时，“encaps”和“Reinject”计数器增加：

Router#show platform hardware qfp active feature utd stats
Summary Statistics:

Policy
Active Connections                                                         3
TCP Connections Created                                                83364
UDP Connections Created                                               532075
ICMP Connections Created                                                 494

Channel Summary
Active Connections                                                         3
decaps                                                               1156574    <------------
encaps                                                               1157144    <------------
Expired Connections                                                   615930

Packet stats - Policy
Pkts dropped                                        pkt                15802
                                                    byt             14111880
Pkts entered policy feature                         pkt              1306750
                                                    byt            363602774
Pkts slow path                                      pkt               615933
                                                    byt             25317465

Packet stats - Channel Summary
Bypass                                              pkt                25368
                                                    byt              4459074
Divert                                              pkt              1157144    <------------
                                                    byt            301046050
Reinject                                            pkt              1156574    <------------
                                                    byt            301015446
Would Drop Statistics (fail-open):

Policy
TCP SYN w/data packet                                                  15802

Channel Summary
  Stats were all zero

General Statistics:
Non Diverted Pkts to/from divert interface                              2725
Inspection skipped - UTD policy not applicable                        111161
Pkts Skipped - New pkt from RP                                         33139
Response Packet Seen                                                   64766
Feature memory allocations                                            615933
Feature memory free                                                   615930
Feature Object Delete                                                 615930
Skipped - First-in-flow RST packets of a TCP flow                         55
          
Diversion Statistics Summary:
SN offloaded flow                                                       3282
Flows Bypassed as SN Unhealthy                                         25368

Service Node Statistics:
SN down                                                                    1
SN health green                                                           13
SN health red                                                             12

SN Health: Channel: Threat Defense : Green
AppNAV registration                                                        2
AppNAV deregister                                                          1

SN Health: Channel: Service : Down
  Stats were all zero

TLS Decryption policy not enabled
Appnav Statistics:
  No FO Drop                                          pkt                    0
                                                      byt                    0

选项3.从下面的“show utd engine standard statistics internal”输出中，当流量从路由器重定向到UTD snort引擎以进行流量检测时，将会增加“received”和“analyzed”计数器。此外，此输出将显示有关UTD Snort引擎检查流量的更多详细信息和统计信息：

Router# show utd engine standard statistics internal 
************************************
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 62099     <------------
analyzed: 62099     <------------
allow: 60664
block: 38
replace: 1
whitelist: 1396
idle: 764287
rx_bytes: 13782351
--------------------------------------------------
codec
total: 62099 (100.000%)
eth: 62099 (100.000%)
icmp4: 234 ( 0.377%)
icmp4_ip: 234 ( 0.377%)
ipv4: 62099 (100.000%)
tcp: 56198 ( 90.497%)
udp: 5667 ( 9.126%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
appid
packets: 62099
processed_packets: 62087
ignored_packets: 12
total_sessions: 9091
service_cache_adds: 4
bytes_in_use: 608
items_in_use: 4
--------------------------------------------------
binder
raw_packets: 12
new_flows: 9091
service_changes: 4360
inspects: 9103
--------------------------------------------------
detection
analyzed: 62099
hard_evals: 234
raw_searches: 12471
cooked_searches: 5699
pkt_searches: 18170
pdu_searches: 14839
file_searches: 491
alerts: 3
total_alerts: 3
logged: 3
buf_dumps: 3
--------------------------------------------------
dns
packets: 5529
requests: 2780
responses: 2749
--------------------------------------------------
http_inspect
flows: 2449
scans: 10523
reassembles: 10523
inspections: 10317
requests: 2604
responses: 2309
get_requests: 1618
head_requests: 1
post_requests: 1
connect_requests: 984
request_bodies: 1
uri_normalizations: 1339
concurrent_sessions: 15
max_concurrent_sessions: 20
connect_tunnel_cutovers: 984
total_bytes: 1849394
--------------------------------------------------
normalizer
test_tcp_trim_win: 6
tcp_ips_data: 1
tcp_block: 38
--------------------------------------------------
pcre
pcre_rules: 6317
pcre_native: 6317
--------------------------------------------------
port_scan
packets: 62099
trackers: 96
bytes_in_use: 20736
--------------------------------------------------
search_engine
max_queued: 135
total_flushed: 52095
total_inserts: 66077
total_unique: 52095
non_qualified_events: 52326
qualified_events: 3
searched_bytes: 9498731
--------------------------------------------------
ssl
packets: 3281
decoded: 3281
client_hello: 927
server_hello: 927
certificate: 244
server_done: 711
client_key_exchange: 242
server_key_exchange: 242
change_cipher: 1160
client_application: 149
server_application: 1283
unrecognized_records: 19
sessions_ignored: 927
concurrent_sessions: 27
max_concurrent_sessions: 94
--------------------------------------------------
stream
flows: 9091
total_prunes: 7566
idle_prunes_proto_timeout: 7566
tcp_timeout_prunes: 5895
udp_timeout_prunes: 1561
icmp_timeout_prunes: 110
current_flows: 294
uni_flows: 249
--------------------------------------------------
stream_ip
sessions: 110
max: 110
created: 110
released: 110
total_bytes: 60371
--------------------------------------------------
stream_tcp
sessions: 7414
max: 7414
created: 7414
released: 7126
instantiated: 7414
setups: 7414
restarts: 3376
discards: 38
invalid_seq_num: 6
invalid_ack: 1
events: 39
syn_trackers: 7414
segs_queued: 12824
segs_released: 12710
segs_used: 7681
rebuilt_packets: 13601
rebuilt_bytes: 8945365
overlaps: 1
gaps: 1
memory: 208052
initializing: 246
established: 27
closing: 15
syns: 28310
syn_acks: 2449
resets: 358
fins: 2430
max_segs: 13
max_bytes: 15665
--------------------------------------------------
stream_udp
sessions: 1567
max: 1567
created: 1567
released: 1561
total_bytes: 743786
--------------------------------------------------
wizard
tcp_scans: 3376
tcp_hits: 3376
udp_scans: 118
udp_misses: 118
--------------------------------------------------
Appid Statistics
--------------------------------------------------
detected apps and services
Application: Services Clients Users Payloads Misc Referred 
chrome: 0 101 0 0 0 0 
dns: 1448 1449 0 0 0 0 
firefox: 0 139 0 0 0 0 
http: 2449 0 0 0 0 0 
microsoft_update: 0 0 0 34 0 0 
squid: 0 0 0 1144 0 0 
unknown: 1 0 0 2416 0 0 
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
signals: 2
--------------------------------------------------
memory
start_up_use: 240250880
cur_in_use: 293490688
max_in_use: 294907904
epochs: 2718651
allocated: 198516408
deallocated: 168476672
app_all: 265459456
active: 274247680
resident: 281190400
retained: 12693504

如何确认UTD Snort引擎是否已触发IPS Snort签名 

使用以下show命令监控触发的snort IPS签名、生成的IPS/IDS事件以及涉及的源和目标IP地址。 

选项1.使用“show utd engine standard logging events [threat-inspection]”命令查找IPS/IDS事件：

Router#show utd engine standard logging events [threat-inspection]
2025/09/03-15:03:42.946703 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:1417 -> 172.16.2.2:10
2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184
2025/09/03-16:10:12.705933 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:2184 -> 172.16.2.2:10

选项2.使用“show utd engine standard logging statistics threat-inspection”命令，查找在过去24小时内触发的顶级IPS snort签名以及每个签名触发的次数：

Router# show utd engine standard logging statistics threat-inspection
Top Signatures Triggered in the past 24 hours
---------------------------------------------------------------------
Signature-id    Count   Description           
---------------------------------------------------------------------
122:7:2         137    portscan: TCP Filtered Portsweep
122:1:2         5      portscan: TCP Portscan
122:3:2         1      portscan: TCP Portsweep

选项3.使用“show utd engine standard logging statistics threat-inspection detail”命令，查找在过去24小时内触发的顶级IPS snort签名、每个签名触发的次数以及触发签名的源和目标IP地址： 

Router#show utd engine standard logging statistics threat-inspection detail
Top Signatures Triggered in the past 24 hours
 
Signature-id:122:7:2
Count: 137
Description:portscan: TCP Filtered Portsweep
---------------------------------------------------------------------
Source IP            Destination IP       VRF        Count          
---------------------------------------------------------------------
172.16.2.2           x.x.157.3         0          7              
172.16.2.2           x.x.157.14        0          6              
172.16.2.2           x.x.29.13         0          6              
172.16.2.2           x.x.104.78        0          6              
172.16.2.2           x.x.29.14         0          5              
172.16.2.2           x.x.157.15        0          5              
172.16.2.2           x.x.28.23         0          5              
172.16.2.2           x.x.135.19        0          5              
172.16.2.2           x.x.135.3         0          4              
172.16.2.2           x.x.157.11        0          4              
 
Signature-id:122:1:2
Count: 5
Description:portscan: TCP Portscan
---------------------------------------------------------------------
Source IP            Destination IP       VRF        Count          
---------------------------------------------------------------------
172.16.1.3           172.16.2.2           0          5              
 
Signature-id:122:3:2
Count: 1
Description:portscan: TCP Portsweep
---------------------------------------------------------------------
Source IP            Destination IP       VRF        Count          
---------------------------------------------------------------------
172.16.2.2           172.16.1.3           0          1      
 

选项4. UTD Snort引擎监控流量并向外部日志服务器或IOS系统日志报告事件。启用日志记录到IOS系统日志可能会由于日志消息的数量而影响性能。支持Snort日志的外部第三方监控工具可用于日志收集和分析。

每当UTD Snort引擎生成IPS/IDS事件时，路由器都会显示如下所示的系统日志消息：

Router#
*Sep  3 22:10:18.544: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: 2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184

注意：当UTD Snort引擎的utd引擎标准配置下启用logging syslog时，UTD Snort引擎日志将显示在路由器IOSd CLI中。

当UTD Snort引擎配置为将注销发送到外部系统日志服务器时，您应该看到远程系统日志服务器中的UTD Snort引擎日志，如下所示：

如何显示活动的IPS Snort签名

使用以下命令显示UTD Snort引擎的活动、丢弃和警报IPS Snort签名，具体取决于使用的策略配置（平衡、连接或安全）。 

选项1.按照以下步骤继续显示安全策略的活动IPS Snort签名列表。 

Router#show utd engine standard config
UTD Engine Standard Configuration:

VirtualPortGroup Id: 1


IPS/IDS         : Enabled

  Operation Mode : Intrusion Prevention
  Policy         : Security

  Signature Update:
    Server    : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
    Occurs-at : daily ; Hour: 17; Minute: 55

  Logging:
    Server    :  IOS Syslog;  172.16.2.2 
    Level     : debug
    Statistics    : Enabled
    Hostname    : router
    System IP   : Not set

  Whitelist : Disabled
  Whitelist Signature IDs:
 
  Port Scan      : Enabled
    Sense level  : High

Web-Filter      : Disabled

Router#utd threat-inspection signature active-list write-to bootflash:siglist_security           
Router#more bootflash:siglist_security    
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Security
Total no. of active signatures: 23398
Total no. of drop signatures: 22625
Total no. of alert signatures: 773

For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
                                                                       
List of Active Signatures: 
--------------------------
sigid: 13418, gid:3, log-level:2, action:  drop, class-type: attempted-dos,
  Descr: SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt;
sigid: 13897, gid:3, log-level:1, action:  drop, class-type: attempted-user,
  Descr: FILE-MULTIMEDIA Apple QuickTime crgn atom parsing stack buffer overflow attempt;
sigid: 14263, gid:3, log-level:1, action:  drop, class-type: attempted-user,
  Descr: POLICY-SOCIAL Pidgin MSNP2P message integer overflow attempt;
sigid: 15968, gid:3, log-level:1, action:  drop, class-type: attempted-admin,
  Descr: SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt;
sigid: 15975, gid:3, log-level:1, action:  drop, class-type: attempted-user,
  Descr: FILE-IMAGE OpenOffice TIFF parsing integer overflow attempt;
sigid: 15976, gid:3, log-level:1, action:  drop, class-type: attempted-user,
  Descr: FILE-IMAGE OpenOffice TIFF parsing integer overflow attempt;
sigid: 16232, gid:3, log-level:1, action:  drop, class-type: attempted-admin,
  Descr: OS-WINDOWS Microsoft Windows EOT font parsing integer overflow attempt;
sigid: 16343, gid:3, log-level:3, action:  drop, class-type: misc-activity,
  Descr: FILE-PDF PDF header obfuscation attempt;
sigid: 16394, gid:3, log-level:2, action:  drop, class-type: attempted-dos,
  Descr: OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt;
sigid: 16728, gid:3, log-level:1, action:  drop, class-type: attempted-admin,
  Descr: NETBIOS Samba SMB1 chain_reply function memory corruption attempt;
sigid: 17647, gid:3, log-level:1, action:  drop, class-type: attempted-user,
  Descr: FILE-FLASH Adobe Flash Player DefineSceneAndFrameLabelData memory corruption attempt;
sigid: 17665, gid:3, log-level:1, action:  drop, class-type: attempted-user,
  Descr: FILE-OFFICE OpenOffice Word document table parsing heap buffer overflow attempt;
sigid: 17741, gid:3, log-level:1, action:  drop, class-type: attempted-admin,
  Descr: SERVER-OTHER MIT Kerberos asn1_decode_generaltime uninitialized pointer free attempt;
[omitted output]

选项2.按照以下步骤继续显示连接策略的活动IPS Snort签名列表。 

Router#show utd engine standard config
UTD Engine Standard Configuration:

VirtualPortGroup Id: 1

IPS/IDS         : Enabled

  Operation Mode : Intrusion Prevention
  Policy         : Connectivity

  Signature Update:
    Server    : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
    Occurs-at : daily ; Hour: 17; Minute: 55

  Logging:
    Server    :  IOS Syslog;  172.16.2.2 
    Level     : debug
    Statistics    : Enabled
    Hostname    : router
    System IP   : Not set

  Whitelist : Disabled
  Whitelist Signature IDs:
 
  Port Scan      : Enabled
    Sense level  : High

Web-Filter      : Disabled                                                                    

Router#utd threat-inspection signature active-list write-to bootflash:siglist_connectivity       
Router#more bootflash:siglist_connectivity
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Connectivity
Total no. of active signatures: 597
Total no. of drop signatures: 494
Total no. of alert signatures: 103

For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
                                                                           
List of Active Signatures: 
--------------------------
sigid: 30282, gid:3, log-level:2, action:  drop, class-type: attempted-dos,
  Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30283, gid:3, log-level:2, action:  drop, class-type: attempted-dos,
  Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30942, gid:3, log-level:2, action:  drop, class-type: attempted-dos,
  Descr: FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt;
sigid: 30943, gid:3, log-level:2, action:  drop, class-type: attempted-dos,
  Descr: FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt;
sigid: 35897, gid:3, log-level:1, action:  drop, class-type: attempted-admin,
  Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt;
sigid: 35898, gid:3, log-level:1, action:  drop, class-type: attempted-admin,
  Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt;
sigid: 35902, gid:3, log-level:1, action:  drop, class-type: attempted-admin,
  Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt;
sigid: 35903, gid:3, log-level:1, action:  drop, class-type: attempted-admin,
  Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt;
sigid: 35926, gid:3, log-level:1, action:  drop, class-type: attempted-admin,
  Descr: SERVER-WEBAPP Oracle Identity Management authorization bypass attempt;
sigid: 35927, gid:3, log-level:1, action:  drop, class-type: policy-violation,
  Descr: SERVER-WEBAPP Oracle Identity Management remote file execution attempt;
sigid: 38671, gid:3, log-level:1, action:  drop, class-type: attempted-user,
[omitted output]

选项3.按照以下步骤继续显示平衡策略的活动IPS Snort签名列表。 

Router#show utd engine standard config
UTD Engine Standard Configuration:

VirtualPortGroup Id: 1


IPS/IDS         : Enabled

  Operation Mode : Intrusion Prevention
  Policy         : Balanced

  Signature Update:
    Server    : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
    Occurs-at : daily ; Hour: 17; Minute: 55

  Logging:
    Server    :  IOS Syslog;  172.16.2.2 
    Level     : debug
    Statistics    : Enabled
    Hostname    : router
    System IP   : Not set

  Whitelist : Disabled
  Whitelist Signature IDs:
 
  Port Scan      : Enabled
    Sense level  : High

Web-Filter      : Disabled

Router#utd threat-inspection signature active-list write-to bootflash:siglist_balanced
Router#more bootflash:siglist_balanced
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Balanced
Total no. of active signatures: 10033
Total no. of drop signatures: 9534
Total no. of alert signatures: 499

For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
                                                                        
List of Active Signatures: 
--------------------------
sigid: 30282, gid:3, log-level:2, action:  drop, class-type: attempted-dos,
  Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30283, gid:3, log-level:2, action:  drop, class-type: attempted-dos,
  Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30887, gid:3, log-level:1, action:  drop, class-type: attempted-admin,
  Descr: SERVER-OTHER Cisco Tshell command injection attempt;
sigid: 30888, gid:3, log-level:1, action:  drop, class-type: attempted-admin,
  Descr: SERVER-OTHER Cisco Tshell command injection attempt;
sigid: 30902, gid:3, log-level:1, action:  drop, class-type: attempted-user,
  Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ;
sigid: 30903, gid:3, log-level:1, action:  drop, class-type: attempted-user,
  Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ;
sigid: 30912, gid:3, log-level:1, action:  drop, class-type: attempted-user,
  Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt;
sigid: 30913, gid:3, log-level:1, action:  drop, class-type: attempted-user,
  Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt;
sigid: 30921, gid:3, log-level:1, action:  drop, class-type: attempted-user,
  Descr: FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt;
sigid: 30922, gid:3, log-level:1, action:  drop, class-type: attempted-user,
  Descr: FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt;
sigid: 30929, gid:3, log-level:1, action:  drop, class-type: attempted-admin,
  Descr: SERVER-OTHER Cisco RV180 VPN CSRF attempt;
[omitted output]

注意：要显示“平衡”、“连接”或“安全”策略的活动IPS Snort签名，UTD Snort引擎必须运行您要查看的相应策略模式。

故障排除

1.确保思科集成多业务路由器(ISR)运行XE 16.10.1a及更高版本（适用于IOx方法）。

2.确保思科集成多业务路由器(ISR)获得许可，并启用Securityk9功能。

3.验证ISR硬件模式是否符合最低资源配置文件。

4. UTD Snort引擎与基于区域的防火墙SYN-cookie和网络地址转换64(NAT64)不兼容

5.确认安装后已启动UTD Snort引擎服务。

6.在手动下载签名软件包期间，请确保软件包的版本与Snort引擎版本相同。如果版本不匹配，签名包更新可能会失败。

7.如果出现性能问题，请使用show app-hosting resource和show app-hosting utilization appid "UTD-NAME"检查UTD CPU、内存和存储空间。

Router#show app-hosting resource
CPU:
Quota: 75(Percentage)
Available: 50(Percentage)
VCPU:
Count: 6
Memory:
Quota: 10240(MB)
Available: 9216(MB)
Storage device: bootflash
Quota: 4000(MB)
Available: 4000(MB)
Storage device: harddisk
Quota: 20000(MB)
Available: 19029(MB)
Storage device: volume-group
Quota: 190768(MB)
Available: 169536(MB)
Storage device: CAF persist-disk
Quota: 20159(MB)
Available: 18078(MB)

Router#show app-hosting utilization appid utd
Application: utd
CPU Utilization:
CPU Allocation: 33 %
CPU Used: 3 %
Memory Utilization:
Memory Allocation: 1024 MB
Memory Used: 117632 KB
Disk Utilization:
Disk Allocation: 711 MB
Disk Used: 451746 KB

警告：如果您确认UTD Snort引擎的CPU、内存或磁盘使用率较高，请联系思科TAC。

调试

出于故障排除目的，请使用下面列出的debug命令从UTD Snort引擎收集更多详细信息。

debug virtual-service all
debug virtual-service virtualPortGroup
debug virtual-service messaging
debug virtual-service timeout
debug utd config level error [error, info, warning]
debug utd engine standard all

警告：在生产期间运行debug命令会显着增加UTD Snort引擎或路由器上的CPU、内存或磁盘利用率，从而可能影响流量和系统稳定性。最好在维护窗口期间谨慎使用debug命令，并在收集所需数据后立即禁用它们。如果发现资源使用率或服务影响提高，请停止调试并联系思科TAC。

相关信息

有关UTD Snort IPS部署的其他文档，请访问以下网址：

Cisco Snort IPS安全配置指南

适用于ISR4K和CSR1000v的思科虚拟服务资源配置文件

路由器上的Snort IPS — 逐步配置

思科指南 — Snort IPS故障排除

Snort端口扫描检查器参考指南

Snort开源入侵防御系统(IPS)网页

在边缘路由器上安装UTD安全虚拟映像

CSCwf57595 ISR4K Snort IPS未部署，因为硬件没有足够的平台资源