This document describes how to deploy the UTD Snort IPS engine on Cisco Integrated Services Routers of the ISR1K, ISR4K, CSR and ISRv series using the IOx method.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The VMAN method is now deprecated.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The Unified Threat Defense (UTD) Snort IPS feature enables an Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) for branch offices on the Cisco ISR1K, ISR4K, CSR and ISRv series routers. The feature uses open-source Snort to provide the IPS or IDS capability.
Snort is an open-source IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. It can also perform protocol analysis and content searching or matching, and it detects a variety of attacks and probes, such as buffer overflows and stealth port scans. The UTD Snort engine runs as a virtual container service on the Cisco ISR1K, ISR4K, CSR and ISRv series routers.
UTD Snort IPS provides IPS or IDS functionality for the Cisco ISR1K, ISR4K, CSR and ISRv series routers.
Depending on the network requirements, UTD Snort IPS can be enabled as IPS or as IDS:
UTD Snort IPS runs as a service on the ISR1K, ISR4K, CSR and ISRv series routers. Service containers use virtualization technology to provide a hosting environment for applications on Cisco devices. Snort traffic inspection is enabled either per interface or globally on all supported interfaces.
The UTD Snort engine IPS solution consists of these entities:
Snort sensor - Monitors traffic to detect anomalies according to the configured security policy (signatures, statistics, protocol analysis, and so on) and sends alert messages to the alert/reporting server. The Snort sensor is deployed as a virtual container service on the router.
Signature store - Hosts the periodically updated Cisco signature packages. These signature packages are downloaded to the Snort sensor periodically or on demand. Validated signature packages are posted to Cisco.com. Depending on the configuration, signature packages can be downloaded from Cisco.com or from a local server.
The router accesses these domains while downloading the signature package from cisco.com:
api.cisco.com
apx.cisco.com
cloudsso.cisco.com
cloudsso-test.cisco.com
cloudsso-test3.cisco.com
cloudsso-test4.cisco.com
cloudsso-test5.cisco.com
cloudsso-test6.cisco.com
download-ssc.cisco.com
dl.cisco.com
resolver1.opendns.com
resolver2.opendns.com
When a local server is used, the signature packages must first be downloaded manually from Cisco.com to the local server with Cisco.com credentials before the Snort sensor can retrieve them.
Alert/reporting server - Receives alert events from the Snort sensor. Alert events generated by the Snort sensor can be sent to the IOS syslog, to an external syslog server, or to both. No external log server is bundled with the Snort IPS solution.
Management - Manages the Snort IPS solution. Management is configured with the IOS CLI. The Snort sensor cannot be accessed directly; all configuration is done only through the IOS CLI.
The licensing requirements for the UTD Snort engine are:
a) Community signature package: the community signature package rule set provides limited coverage against threats.
b) Subscriber-based signature package: the subscriber-based signature package rule set provides the best protection against threats. It includes protection in advance of exploits and also provides fast access to updated signatures in response to security incidents or the proactive discovery of new threats. This subscription is fully supported by Cisco, and the package is continuously updated on Cisco.com.
The UTD Snort subscriber signature package can be downloaded from software.cisco.com, and Snort signature information can be found at snort.org.
In addition, you can use the snort.org Rule Documentation Search tool to look up a specific Snort IPS signature ID.
The platforms supported by the UTD Snort engine are:
The following restrictions apply to the UTD Snort engine:
When the boost license is enabled on a Cisco 4000 Series ISR, the virtual service container cannot be configured for Snort IPS.
Not compatible with the zone-based firewall SYN-cookie feature.
Network Address Translation 64 (NAT64) is not supported.
SNMP polling in open-source Snort requires the SnortSnmpPlugin. Snort IPS does not support SNMP polling or MIBs because the SnortSnmp plugin is not installed on UTD.
The following are the Cisco links for downloading the UTD Snort IPS engine software image file used to install the UTD Snort engine on Cisco routers. There you can also find the UTD Snort subscriber signature package files; download the UTD Snort IPS signatures that correspond to the UTD Snort engine version you run.
Note: Prerequisites to consider before installing the UTD Snort engine. A physical ISR must run IOS-XE 3.16.1 or later. A CSR must run 16.3.1 or later, and an ISRv (ENCS) must run 16.8.1 or later. For the Catalyst 8300 the starting release is 17.3.2, for the 8200 it is 17.4.1, and for the 8000V it is 17.4.1.
Note: If you manually download the UTD Snort subscriber signature package from the Download Software page, make sure that the package version is the same as the Snort engine version. For example, if the Snort engine version is 2982, download the signature package of the same version. If the versions do not match, the signature package update is rejected and fails.
Note: When the signature package is updated, the engine restarts and traffic is briefly interrupted or bypasses inspection, depending on the data plane fail-open/fail-close configuration.
Step 1. Configure the VirtualPortGroup interfaces for the UTD Snort engine; two port groups are configured:
Router#configure terminal
Router(config)#interface VirtualPortGroup0
Router(config-if)#description Management Interface
Router(config-if)#ip address 192.168.1.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface VirtualPortGroup1
Router(config-if)#description Data Interface
Router(config-if)#ip address 192.168.2.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Note: Make sure that the NAT and routing required for VirtualPortGroup0 are configured so that the UTD Snort engine can reach the external syslog server and cisco.com for the signature update files.
Step 2. Enable the IOx environment in global configuration mode.
Router(config)#iox
Step 3. Activate the virtual service and configure the guest IP addresses; to do this, configure app-hosting with the vnic configuration.
Router(config)#app-hosting appid UTD
Router(config-app-hosting)#app-vnic gateway0 virtualportgroup 0 guest-interface 0
Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.1.2 netmask 255.255.255.252
Router(config-app-hosting-gateway0)#exit
Router(config-app-hosting)#app-vnic gateway1 virtualportgroup 1 guest-interface 1
Router(config-app-hosting-gateway1)#guest-ipaddress 192.168.2.2 netmask 255.255.255.252
Router(config-app-hosting-gateway1)#exit
Step 4 (optional). Configure the resource profile.
Router(config-app-hosting)#app-resource package-profile low [low,medium,high]
Router(config-app-hosting)#end
Note: The UTD Snort engine virtual service supports three resource profiles: Low, Medium and High. These profiles indicate the CPU and memory resources required to run the virtual service. You can configure one of these resource profiles. The resource profile configuration is optional; if no profile is configured, the virtual service is activated with its default resource profile. For more resource profile details, see the Cisco virtual service resource profiles for the ISR4K and CSR1000v.
Note: This option is not available on the ISR1K series.
Step 5. Copy the UTD Snort IPS engine software file to the router flash, then install the app-hosting package from the UTD .tar file as shown:
Router#app-hosting install appid UTD package bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar
Note: The UTD engine version is specified in the UTD file name. Make sure that the UTD engine version you install is compatible with the IOS-XE version running on the Cisco router.
The following syslog messages should be seen, indicating that the UTD service was installed correctly.
Installing package 'bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for 'utd'. Use 'show app-hosting list' for progress.
*Jun 26 19:25:35.975: %VMAN-5-PACKAGE_SIGNING_LEVEL_ON_INSTALL: R0/0: vman: Package 'iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for service container 'utd' is 'Cisco signed', signing level cached on original install is 'Cisco signed'
*Jun 26 19:25:50.746: %VIRT_SERVICE-5-INSTALL_STATE: Successfully installed virtual service utd
*Jun 26 19:25:53.176: %IM-6-INSTALL_MSG: R0/0: ioxman: app-hosting: Install succeeded: utd installed successfully Current state is deployed
Note: In 'show app-hosting list', the state should show as 'Deployed'.
Step 6. Start the app-hosting service.
Router#configure terminal
Router(config)#app-hosting appid UTD
Router(config-app-hosting)#start
Router(config-app-hosting)#end
Note: After the app-hosting service is started, the app-hosting state should be 'Running'. Use 'show app-hosting list' or 'show app-hosting detail' for more details.
The following syslog messages should be seen, indicating that the UTD service was activated correctly.
*Jun 26 19:55:05.362: %VIRT_SERVICE-5-ACTIVATION_STATE: Successfully activated virtual service UTD
*Jun 26 19:55:07.412: %IM-6-START_MSG: R0/0: ioxman: app-hosting: Start succeeded: UTD started successfully Current state is running
After a successful installation, the service plane must be configured for the UTD Snort engine. The UTD Snort engine can be configured as an Intrusion Prevention System (IPS) or as an Intrusion Detection System (IDS) for traffic inspection.
Warning: Confirm that the 'securityk9' license feature is enabled on the router before continuing with the UTD service plane configuration.
Step 1. Configure the Unified Threat Defense (UTD) standard engine (service plane).
Router#configure terminal
Router(config)#utd engine standard
Step 2. Enable UTD Snort engine logging to a remote server and to the IOSd syslog.
Router(config-utd-eng-std)#logging host 192.168.10.5
Router(config-utd-eng-std)#logging syslog
Note: UTD Snort IPS monitors traffic and reports events to an external log server or to the IOS syslog. Enabling logging to the IOS syslog can affect performance because of the volume of log messages. External third-party monitoring tools that support Snort logs can be used for log collection and analysis.
Step 3. Enable threat inspection for the Snort engine.
Router(config-utd-eng-std)#threat-inspection
Step 4. Configure threat detection (IDS) or intrusion prevention (IPS) as the operating mode of the Snort engine.
Router(config-utd-engstd-insp)#threat [protection,detection]
Note: Use the keyword protection for IPS mode and the keyword detection for IDS mode. The default mode is 'detection'.
Step 5. Configure the security policy for the Snort engine.
Router(config-utd-engstd-insp)#policy [balanced, connectivity, security]
Router(config-utd-engstd-insp)#exit
Router(config-utd-eng-std)#exit
Note: The default policy is 'balanced'. Depending on the policy selected, the Snort engine activates or deactivates IPS signatures for Snort engine protection.
Step 6 (optional). Enable the UTD allowed list (whitelist) configuration.
Router#configure terminal
Router(config)#utd threat-inspection whitelist
Step 7 (optional). Configure the IPS Snort signature IDs to include in the whitelist.
Router(config-utd-whitelist)#generator id 40 signature id 54621 comment FILE-OFFICE traffic
or
Router(config-utd-whitelist)#signature id 13418 comment "whitelisted the IPS signature 13418"
Note: The signature ID can be copied from the alert that needs to be suppressed, and multiple signature IDs can be configured. Repeat this step for each signature ID that needs to be whitelisted.
Note: Once the allowed list signature IDs (whitelist) are configured, the UTD Snort engine allows the matching flows through the device without generating any alert or drop.
Note: The generator identifier (GID) identifies the subsystem that evaluates the intrusion rule and generates the event. Standard text intrusion rules have a generator ID of 1, while shared object intrusion rules have a generator ID of 3. There are also several groups of rules for the various preprocessors. Table 1. Generator IDs below explains the GIDs.
Step 8 (optional). Enable the allowed list in the threat inspection configuration.
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#whitelist
Note: Once the whitelist signature IDs are configured, the Snort engine allows the matching flows through the device without generating any alert or drop.
Step 9. Configure the signature update interval to download the Snort signatures automatically.
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#signature update occur-at [daily, monthly, weekly] 0 0
Note: The first number defines the hour in 24-hour format, and the second number the minute.
Warning: A UTD signature update causes a brief service interruption at update time.
Step 10. Configure the UTD Snort engine signature update server parameters.
Router(config-utd-engstd-insp)#signature update server [cisco, url] username xxxx password xxxx
Example - Configuring signature updates from a Cisco Server:
Router(config-utd-engstd-insp)#signature update server cisco username xxxx password xxxx
or
Example - Configuring signature updates from a Local server:
Router(config-utd-engstd-insp)#signature update server url http://x.x.x.x/UTD-STD-SIGNATURE-31810-155-S.pkg
Note: Use the keyword 'cisco' to point to the Cisco server for signature updates, or the keyword 'url' to define a custom http/https path to the update server. For the Cisco server, you must provide your Cisco username and password credentials.
Note: Make sure that a DNS server is configured in order to download the IPS Snort signatures from the Cisco server. If the URL is not specified as an IP address, the Snort container performs a domain name lookup (against the DNS server configured on the router) to resolve the location used for automatic signature updates from Cisco.com or from the local server.
Note: The UTD module management IP address assigned to interface VirtualPortGroup0 should be included in the router NAT configuration so that the module can reach the Internet and the Cisco server to download the Snort signature package.
Step 11. Enable the UTD Snort engine logging level and the logging of threat inspection alert statistics:
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#logging level [alert,crit,debug,emerg,info,notice,warning]
Router(config-utd-engstd-insp)#logging statistics enable
Router(config-utd-engstd-insp)#exit
Router(config-utd-eng-std)#exit
Note: Starting with Cisco IOS XE Fuji 16.8, you can get aggregated details of the threat inspection alerts with the command 'show utd engine standard logging threat-inspection statistics detail', but only when logging of threat inspection alert statistics is enabled for the UTD Snort engine.
Step 12. Enable the UTD service.
Router#configure terminal
Router(config)#utd
Step 13 (optional). Redirect data traffic from the VirtualPortGroup interface to the UTD service.
Router#configure terminal
Router(config)#utd
Router(config-utd)#redirect interface virtualPortGroup
Note: If the redirect is not configured, the redirect interface is detected automatically.
Step 14. Enable the UTD IPS engine to inspect the traffic of all Layer 3 interfaces on the router.
Router(config-utd)#all-interfaces
Step 15. Enable the standard engine.
Router(config-utd)#engine standard
The following syslog messages should be seen, indicating that the UTD Snort engine was enabled correctly:
*Jun 27 23:41:03.062: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jun 27 23:41:13.039: %IOSXE-2-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008501210250689 %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Down => Red (3) for channel Threat Defense
*Jun 27 23:41:22.457: %IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008510628353985 %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: Red
Step 16 (optional). Define the action taken by the UTD data plane while the UTD Snort engine is in a failure state.
Router(config-engine-std)#fail open
Router(config-engine-std)#end
Note: When the UTD engine fails, the 'fail close' option drops all router traffic, while the 'fail open' option lets router traffic continue to flow without IPS/IDS inspection for the duration of the UTD failure. The default option is 'fail open'.
Step 17. Save the router configuration.
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#
The UTD Snort engine has a port scan feature. A port scan is a form of network reconnaissance that attackers often use as a prelude to an attack. In a port scan, the attacker sends packets designed to probe the network protocols and services on the target host. By examining the packets the host sends in response, the attacker can determine which ports are open on the host and, directly or by inference, which application protocols are running on those ports.
A port scan by itself is not evidence of an attack. Legitimate users on the network may use port scanning techniques similar to those used by attackers.
The port_scan inspector detects four types of port scans and monitors connection attempts over the TCP, UDP, ICMP and IP protocols. By detecting patterns of activity, the port_scan inspector helps you determine which port scans may be malicious.
Port scans are generally classified into four types according to the number of targeted hosts, the number of scanning hosts, and the number of ports scanned.
Table 3 below shows the port scan inspector rules.
The port_scan inspector provides three default scan sensitivity levels for the UTD Snort engine:
Step 1. Configure the Unified Threat Defense (UTD) standard engine (service plane).
Router#configure terminal
Router(config)#utd engine standard
Step 2. Enable threat inspection for the UTD Snort engine.
Router(config-utd-eng-std)#threat-inspection
Step 3. Enable port_scan.
Router(config-utd-engstd-insp)#port-scan
Step 4. Set the port_scan sensitivity level; the available options are high, medium and low.
Router(config-utd-threat-port-scan)# sense level [high | low | medium]
Example:
Router(config-utd-threat-port-scan)# sense level high
Step 5. After port_scan is enabled and the sensitivity level is configured for the UTD Snort engine, verify the port_scan configuration with the 'show utd engine standard config' command.
Router#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Occurs-at : daily ; Hour: 17; Minute: 55
Logging:
Server : IOS Syslog; 172.16.2.2
Level : debug
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Disabled
Whitelist Signature IDs:
Port Scan : Enabled
Sense level : High
Web-Filter : Disabled
Router#show ip interface brief | i VirtualPortGroup
VirtualPortGroup0 192.168.1.1 YES NVRAM up up
VirtualPortGroup1 192.168.2.1 YES NVRAM up up
Router#show running-config | b interface
interface VirtualPortGroup0
description Management Interface
ip address 192.168.1.1 255.255.255.252
!
interface VirtualPortGroup1
description Data Interface
ip address 192.168.2.1 255.255.255.252
Router#show running-config | b app-hosting
app-hosting appid UTD
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.1.2 netmask 255.255.255.252
app-vnic gateway1 virtualportgroup 1 guest-interface 1
guest-ipaddress 192.168.2.2 netmask 255.255.255.252
start
end
Router#show running-config | i iox
iox
Router#show app-hosting list
App id State
---------------------------------------------------------
UTD RUNNING
Issue the show app-hosting detail command to confirm the UTD Snort engine state, the software version it runs, the RAM, CPU and disk utilization, the network statistics, and that the DNS configuration is in place.
Router#show app-hosting detail
App id : UTD
Owner : ioxm
State : RUNNING
Application
Type : LXC
Name : UTD-Snort-Feature
Version : 1.0.7_SV2.9.18.1_XE17.9
Description : Unified Threat Defense
Author :
Path : /bootflash/secapp-utd.17.09.03a.1.0.7_SV2.9.18.1_XE17.9.x86_64.tar
URL Path :
Multicast : yes
Activated profile name :
Resource reservation
Memory : 1024 MB
Disk : 752 MB
CPU :
CPU-percent : 25 %
VCPU : 0
Platform resource profiles
Profile Name CPU(unit) Memory(MB) Disk(MB)
--------------------------------------------------------------
Attached devices
Type Name Alias
---------------------------------------------
Disk /tmp/xml/UtdLogMappings-IOX
Disk /tmp/xml/UtdIpsAlert-IOX
Disk /tmp/xml/UtdDaqWcapi-IOX
Disk /tmp/xml/UtdUrlf-IOX
Disk /tmp/xml/UtdTls-IOX
Disk /tmp/xml/UtdDaq-IOX
Disk /tmp/xml/UtdAmp-IOX
Watchdog watchdog-503.0
Disk /tmp/binos-IOX
Disk /opt/var/core
Disk /tmp/HTX-IOX
Disk /opt/var
NIC ieobc_1 ieobc
Disk _rootfs
NIC mgmt_1 mgmt
NIC dp_1_1 net3
NIC dp_1_0 net2
Serial/Trace serial3
Network interfaces
---------------------------------------
eth0:
MAC address : 54:0e:00:0b:0c:02
IPv6 address : ::
Network name :
eth:
MAC address : 6c:41:0e:41:6b:08
IPv6 address : ::
Network name :
eth2:
MAC address : 6c:41:0e:41:6b:09
IPv6 address : ::
Network name :
eth1:
MAC address : 6c:41:0e:41:6b:0a
IPv4 address : 192.168.2.2
IPv6 address : ::
Network name :
----------------------------------------------------------------------
Process Status Uptime # of restarts
----------------------------------------------------------------------
climgr UP 0Y 0W 0D 21:45:29 2
logger UP 0Y 0W 0D 19:25:56 0
snort_1 UP 0Y 0W 0D 19:25:56 0
Network stats:
eth0: RX packets:162886, TX packets:163855
eth1: RX packets:46, TX packets:65
DNS server:
domain cisco.com
nameserver 192.168.90.92
Coredump file(s): core, lost+found
Interface: eth2
ip address: 192.168.2.2/30
Interface: eth1
ip address: 192.168.1.2/30
Address/Mask Next Hop Intf.
-------------------------------------------------------------------------------
0.0.0.0/0 192.168.2.1 eth2
0.0.0.0/0 192.168.1.1 eth1
Use the show utd engine standard version command to confirm that the installed UTD Snort engine version is compatible with the IOS-XE version running on the router.
Router#show utd engine standard version
UTD Virtual-service Name: UTD
IOS-XE Recommended UTD Version: 1.1.11_SV3.1.81.0_XE17.12
IOS-XE Supported UTD Regex: ^1\.1\.([0-9]+)_SV(.*)_XE17.12$
UTD Installed Version: 1.1.11_SV3.1.81.0_XE17.12
Option 1. Issue the 'show utd engine standard status' command to confirm the state of the UTD Snort engine. A Status of 'Green', a Health of 'Green' and an Overall system status of 'Green' indicate that the UTD Snort engine is running correctly.
Router#show utd engine standard status
Engine version : 1.1.11_SV3.1.81.0_XE17.12
Profile : Low
System memory :
Usage : 31.80 %
Status : Green
Number of engines : 1
Engine Running Health Reason
=======================================================
Engine(#1): Yes Green None
=======================================================
Overall system status: Green
Signature update status:
=========================
Current signature package version: 31810.155.s
Last update status: Failed
Last successful update time: Wed Sep 3 12:51:56 2025 CST
Last failed update time: Wed Sep 3 17:55:02 2025 CST
Last failed update reason: File not found
Next update scheduled at: Thursday Sep 04 17:55 2025 CST
Current status: Idle
Note: When the UTD Snort engine is oversubscribed, the Threat Defense channel state changes between Green and Red. If fail-close is configured, the UTD data plane drops all further packets; if fail-close is not configured (the default), the packets are forwarded uninspected. When the UTD service plane recovers from the oversubscription, it reports a Green state back to the UTD data plane.
Option 2. Issue the 'show platform software utd global' command to get a brief summary of the UTD Snort engine operational state.
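The two checks above (the installed version against the regex the router advertises, and the engine health plus last signature update) are easy to automate from captured CLI output. The following is an added example, not part of the original document or any Cisco tool; the sample outputs are constructed here, modeled on the 'show utd engine standard version' and 'show utd engine standard status' outputs shown above.

```python
import re

# Constructed sample, modeled on "show utd engine standard version" output.
# A raw string keeps the backslashes of the regex exactly as the router prints them.
VERSION_OUTPUT = r"""
UTD Virtual-service Name: UTD
IOS-XE Recommended UTD Version: 1.1.11_SV3.1.81.0_XE17.12
IOS-XE Supported UTD Regex: ^1\.1\.([0-9]+)_SV(.*)_XE17.12$
UTD Installed Version: 1.1.11_SV3.1.81.0_XE17.12
"""

# Constructed sample, modeled on "show utd engine standard status" output.
STATUS_OUTPUT = """\
Engine version : 1.1.11_SV3.1.81.0_XE17.12
Profile : Low
System memory :
Usage : 31.80 %
Status : Green
Number of engines : 1
Engine Running Health Reason
=======================================================
Engine(#1): Yes Green None
=======================================================
Overall system status: Green
Signature update status:
=========================
Current signature package version: 31810.155.s
Last update status: Failed
Last successful update time: Wed Sep 3 12:51:56 2025 CST
Last failed update time: Wed Sep 3 17:55:02 2025 CST
Last failed update reason: File not found
Next update scheduled at: Thursday Sep 04 17:55 2025 CST
Current status: Idle
"""


def _field(output, label):
    """Value after 'label' on the first line that starts with it, or None if absent."""
    for line in output.splitlines():
        if line.startswith(label):
            return line[len(label):].strip()
    return None


def check_utd_version(output):
    """Apply the router's own 'IOS-XE Supported UTD Regex' to the installed UTD version."""
    installed = _field(output, "UTD Installed Version:")
    recommended = _field(output, "IOS-XE Recommended UTD Version:")
    pattern = _field(output, "IOS-XE Supported UTD Regex:")
    if not (installed and pattern):
        raise ValueError("version output lacks the installed version or the supported regex")
    return {
        "installed": installed,
        "recommended": recommended,
        "compatible": re.match(pattern, installed) is not None,
        "is_recommended": installed == recommended,
    }


def check_utd_status(output):
    """Summarize engine health and the last signature update from the status output."""
    # Each engine row looks like "Engine(#1): Yes Green None" (Running, Health, Reason).
    engines = re.findall(r"^Engine\(#\d+\):\s+(\w+)\s+(\w+)\s+(\S+)", output, re.M)
    return {
        "overall": _field(output, "Overall system status:"),
        "engines_green": bool(engines) and all(h == "Green" for _, h, _ in engines),
        "signature_version": _field(output, "Current signature package version:"),
        "last_update_failed": _field(output, "Last update status:") == "Failed",
        "last_update_reason": _field(output, "Last failed update reason:"),
    }


def utd_problems(version_output, status_output):
    """Return a list of findings; an empty list means the engine looks healthy."""
    v = check_utd_version(version_output)
    s = check_utd_status(status_output)
    problems = []
    if not v["compatible"]:
        problems.append(f"installed UTD {v['installed']} does not match the supported regex")
    if s["overall"] != "Green" or not s["engines_green"]:
        problems.append(f"engine health is {s['overall']}")
    if s["last_update_failed"]:
        problems.append(f"last signature update failed: {s['last_update_reason']}")
    return problems


if __name__ == "__main__":
    for finding in utd_problems(VERSION_OUTPUT, STATUS_OUTPUT):
        print("WARNING:", finding)
```

Feed it the text captured from the two show commands (for example over SSH) to get the same verdict an operator would reach by reading them.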
Router#show platform software utd global
UTD Global state
=========================
Engine : Standard
Global Inspection : Enabled
Operational Mode : Intrusion Prevention
Fail Policy : Fail-open
Container technology : LXC
Redirect interface : VirtualPortGroup1
UTD interfaces
All dataplane interfaces
Option 1. Issue the 'show utd engine standard config' command to display the UTD Snort engine configuration details: the operating mode, policy mode, signature update configuration, logging configuration, whitelist and port scan state.
Router#show utd engine standard config
UTD Engine Standard Configuration:
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : cisco
User Name : cisco
Password : KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
Occurs-at : daily ; Hour: 0; Minute: 0
Logging:
Server : 192.168.10.5
Level : info
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Enabled
Whitelist Signature IDs:
54621, 40
Port Scan : Enabled
Web-Filter : Disabled
Option 2. Issue the 'show running-config | b engine' command to display the running configuration of the UTD Snort engine.
Router#show running-config | b engine
utd engine standard
logging host 192.168.10.5
logging syslog
threat-inspection
threat protection
policy security
signature update server cisco username cisco password KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
signature update occur-at daily 0 0
logging level info
whitelist
logging statistics enable
utd threat-inspection whitelist
generator id 40 signature id 54621 comment FILE-OFFICE traffic
utd
all-interfaces
redirect interface VirtualPortGroup1
engine standard
1. Issue the show utd engine standard threat-inspection signature update status command to check the IPS Snort signature update status.
Router#show utd engine standard threat-inspection signature update status
Current signature package version: 31810.155.s
Current signature package name: UTD-STD-SIGNATURE-31810-155-S.pkg
Previous signature package version: 31810.154.s
---------------------------------------
Last update status: Failed
---------------------------------------
Last successful update time: Wed Sep 3 12:51:56 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.4.219/UTD-STD-SIGNATURE-31810-155-S.pkg
Last successful update speed: 6343108 bytes in 31 secs
---------------------------------------
Last failed update time: Thu Sep 4 17:55:02 2025 CST
Last failed update method: Auto
Last failed update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Last failed update reason: File not found
---------------------------------------
Last attempted update time: Thu Sep 4 17:55:02 2025 CST
Last attempted update method: Auto
Last attempted update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
---------------------------------------
Total num of updates successful: 2
Num of attempts successful: 2
Num of attempts failed: 29
Total num of attempts: 31
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
---------------------------------------
Current status: Idle
2. Issue the 'utd threat-inspection signature update' command to perform a manual IPS Snort signature update, using the server configuration already applied to the UTD Snort engine for the signature download.
Router#utd threat-inspection signature update
3. Issue the 'utd threat-inspection signature update server [cisco, url] username xxxxx password xxxxx force' command to force a manual IPS Snort signature update with the specified server parameters.
Router#utd threat-inspection signature update server [cisco, url] username xxxxx password xxxxx force
Example:
Router#utd threat-inspection signature update server url http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg force
% This operation may cause the UTD service to restart which will briefly interrupt services.
Proceed with signature update? [confirm]
Router#
*Sep 5 02:08:13.845: %IOSXE_UTD-4-SIG_UPDATE_EXEC: UTD signature update has been executed - A brief service interruption is expected
*Sep 5 02:08:35.007: %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Green => Red (3) for channel Threat DefenseQFP:0.0 Thread:001 TS:00000217689533745619
Router#
*Sep 5 02:08:42.671: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: UTD signature update succeeded - previous version: 31810.155.s - current version: 31810.156.s
Router#
*Sep 5 02:09:00.284: %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: RedQFP:0.0 Thread:001 TS:00000217714810090067
Router#show utd engine standard signature update status
Current signature package version: 31810.156.s
Current signature package name: UTD-STD-SIGNATURE-31810-156-S.pkg
Previous signature package version: 31810.155.s
---------------------------------------
Last update status: No New Package found
---------------------------------------
Last successful update time: Thu Sep 4 20:08:41 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg
Last successful update speed: 6344395 bytes in 27 secs
---------------------------------------
Last failed update time: Thu Sep 4 20:07:43 2025 CST
Last failed update method: Manual
Last failed update server: http://10.189.35.188/tftpboot/UTD-STD-SIGNATURE-31810-156-S.pkg
Last failed update reason: File not found
---------------------------------------
Last attempted update time: Thu Sep 4 20:10:29 2025 CST
Last attempted update method: Manual
Last attempted update server: http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg
---------------------------------------
Total num of updates successful: 3
Num of attempts successful: 4
Num of attempts failed: 30
Total num of attempts: 34
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
---------------------------------------
Current status: Idle
Use the following show commands to monitor the traffic processed by the UTD Snort engine and check the statistics related to traffic inspection.
Option 1. In the 'show utd engine standard statistics' output below, the 'received' and 'analyzed' counters increase as the UTD Snort engine processes traffic:
Router#show utd engine standard statistics
************************************
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 62069 <------------
analyzed: 62069 <------------
allow: 60634
block: 38
replace: 1
whitelist: 1396
idle: 763994
rx_bytes: 13778491
--------------------------------------------------
codec
total: 62069 (100.000%)
eth: 62069 (100.000%)
icmp4: 234 ( 0.377%)
icmp4_ip: 234 ( 0.377%)
ipv4: 62069 (100.000%)
tcp: 56168 ( 90.493%)
udp: 5667 ( 9.130%)
--------------------------------------------------
Option 2. In the 'show platform hardware qfp active feature utd stats' output below, the 'decaps' and 'Divert' counters increase when traffic is redirected from the router to the UTD Snort engine for inspection, and the 'encaps' and 'Reinject' counters increase when traffic is returned from the UTD Snort engine to the router:
Router#show platform hardware qfp active feature utd stats
Summary Statistics:
Policy
Active Connections 3
TCP Connections Created 83364
UDP Connections Created 532075
ICMP Connections Created 494
Channel Summary
Active Connections 3
decaps 1156574 <------------
encaps 1157144 <------------
Expired Connections 615930
Packet stats - Policy
Pkts dropped pkt 15802 byt 14111880
Pkts entered policy feature pkt 1306750 byt 363602774
Pkts slow path pkt 615933 byt 25317465
Packet stats - Channel Summary
Bypass pkt 25368 byt 4459074
Divert pkt 1157144 <------------ byt 301046050
Reinject pkt 1156574 <------------ byt 301015446
Would Drop Statistics (fail-open):
Policy
TCP SYN w/data packet 15802
Channel Summary
Stats were all zero
General Statistics:
Non Diverted Pkts to/from divert interface 2725
Inspection skipped - UTD policy not applicable 111161
Pkts Skipped - New pkt from RP 33139
Response Packet Seen 64766
Feature memory allocations 615933
Feature memory free 615930
Feature Object Delete 615930
Skipped - First-in-flow RST packets of a TCP flow 55
Diversion Statistics Summary:
SN offloaded flow 3282
Flows Bypassed as SN Unhealthy 25368
Service Node Statistics:
SN down 1
SN health green 13
SN health red 12
SN Health: Channel: Threat Defense : Green
AppNAV registration 2
AppNAV deregister 1
SN Health: Channel: Service : Down
Stats were all zero
TLS Decryption policy not enabled
Appnav Statistics:
No FO Drop pkt 0 byt 0
Option 3. In the 'show utd engine standard statistics internal' output below, the 'received' and 'analyzed' counters increase when traffic is redirected from the router to the UTD Snort engine for inspection. This output also shows more details and statistics about the traffic inspected by the UTD Snort engine:
Router# show utd engine standard statistics internal
************************************
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 62099 <------------
analyzed: 62099 <------------
allow: 60664
block: 38
replace: 1
whitelist: 1396
idle: 764287
rx_bytes: 13782351
--------------------------------------------------
codec
total: 62099 (100.000%)
eth: 62099 (100.000%)
icmp4: 234 ( 0.377%)
icmp4_ip: 234 ( 0.377%)
ipv4: 62099 (100.000%)
tcp: 56198 ( 90.497%)
udp: 5667 ( 9.126%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
appid
packets: 62099
processed_packets: 62087
ignored_packets: 12
total_sessions: 9091
service_cache_adds: 4
bytes_in_use: 608
items_in_use: 4
--------------------------------------------------
binder
raw_packets: 12
new_flows: 9091
service_changes: 4360
inspects: 9103
--------------------------------------------------
detection
analyzed: 62099
hard_evals: 234
raw_searches: 12471
cooked_searches: 5699
pkt_searches: 18170
pdu_searches: 14839
file_searches: 491
alerts: 3
total_alerts: 3
logged: 3
buf_dumps: 3
--------------------------------------------------
dns
packets: 5529
requests: 2780
responses: 2749
--------------------------------------------------
http_inspect
flows: 2449
scans: 10523
reassembles: 10523
inspections: 10317
requests: 2604
responses: 2309
get_requests: 1618
head_requests: 1
post_requests: 1
connect_requests: 984
request_bodies: 1
uri_normalizations: 1339
concurrent_sessions: 15
max_concurrent_sessions: 20
connect_tunnel_cutovers: 984
total_bytes: 1849394
--------------------------------------------------
normalizer
test_tcp_trim_win: 6
tcp_ips_data: 1
tcp_block: 38
--------------------------------------------------
pcre
pcre_rules: 6317
pcre_native: 6317
--------------------------------------------------
port_scan
packets: 62099
trackers: 96
bytes_in_use: 20736
--------------------------------------------------
search_engine
max_queued: 135
total_flushed: 52095
total_inserts: 66077
total_unique: 52095
non_qualified_events: 52326
qualified_events: 3
searched_bytes: 9498731
--------------------------------------------------
ssl
packets: 3281
decoded: 3281
client_hello: 927
server_hello: 927
certificate: 244
server_done: 711
client_key_exchange: 242
server_key_exchange: 242
change_cipher: 1160
client_application: 149
server_application: 1283
unrecognized_records: 19
sessions_ignored: 927
concurrent_sessions: 27
max_concurrent_sessions: 94
--------------------------------------------------
stream
flows: 9091
total_prunes: 7566
idle_prunes_proto_timeout: 7566
tcp_timeout_prunes: 5895
udp_timeout_prunes: 1561
icmp_timeout_prunes: 110
current_flows: 294
uni_flows: 249
--------------------------------------------------
stream_ip
sessions: 110
max: 110
created: 110
released: 110
total_bytes: 60371
--------------------------------------------------
stream_tcp
sessions: 7414
max: 7414
created: 7414
released: 7126
instantiated: 7414
setups: 7414
restarts: 3376
discards: 38
invalid_seq_num: 6
invalid_ack: 1
events: 39
syn_trackers: 7414
segs_queued: 12824
segs_released: 12710
segs_used: 7681
rebuilt_packets: 13601
rebuilt_bytes: 8945365
overlaps: 1
gaps: 1
memory: 208052
initializing: 246
established: 27
closing: 15
syns: 28310
syn_acks: 2449
resets: 358
fins: 2430
max_segs: 13
max_bytes: 15665
--------------------------------------------------
stream_udp
sessions: 1567
max: 1567
created: 1567
released: 1561
total_bytes: 743786
--------------------------------------------------
wizard
tcp_scans: 3376
tcp_hits: 3376
udp_scans: 118
udp_misses: 118
--------------------------------------------------
Appid Statistics
--------------------------------------------------
detected apps and services
Application: Services Clients Users Payloads Misc Referred
chrome: 0 101 0 0 0 0
dns: 1448 1449 0 0 0 0
firefox: 0 139 0 0 0 0
http: 2449 0 0 0 0 0
microsoft_update: 0 0 0 34 0 0
squid: 0 0 0 1144 0 0
unknown: 1 0 0 2416 0 0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
signals: 2
--------------------------------------------------
memory
start_up_use: 240250880
cur_in_use: 293490688
max_in_use: 294907904
epochs: 2718651
allocated: 198516408
deallocated: 168476672
app_all: 265459456
active: 274247680
resident: 281190400
retained: 12693504
Use the following show commands to monitor the Snort IPS signatures that were triggered, the IPS/IDS events generated, and the source and destination IP addresses involved.
Option 1. Use the 'show utd engine standard logging events [threat-inspection]' command to find the IPS/IDS events:
Router#show utd engine standard logging events [threat-inspection]
2025/09/03-15:03:42.946703 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:1417 -> 172.16.2.2:10
2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184
2025/09/03-16:10:12.705933 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:2184 -> 172.16.2.2:10
Option 2. Use the 'show utd engine standard logging statistics threat-inspection' command to find the top IPS Snort signatures triggered in the past 24 hours and the number of times each signature was triggered:
Router# show utd engine standard logging statistics threat-inspection
Top Signatures Triggered in the past 24 hours
---------------------------------------------------------------------
Signature-id Count Description
---------------------------------------------------------------------
122:7:2 137 portscan: TCP Filtered Portsweep
122:1:2 5 portscan: TCP Portscan
122:3:2 1 portscan: TCP Portsweep
Option 3. Use the 'show utd engine standard logging statistics threat-inspection detail' command to find the top IPS Snort signatures triggered in the past 24 hours, the number of times each was triggered, and the source and destination IP addresses that triggered them:
Router#show utd engine standard logging statistics threat-inspection detail
Top Signatures Triggered in the past 24 hours
Signature-id:122:7:2 Count: 137 Description:portscan: TCP Filtered Portsweep
---------------------------------------------------------------------
Source IP Destination IP VRF Count
---------------------------------------------------------------------
172.16.2.2 x.x.157.3 0 7
172.16.2.2 x.x.157.14 0 6
172.16.2.2 x.x.29.13 0 6
172.16.2.2 x.x.104.78 0 6
172.16.2.2 x.x.29.14 0 5
172.16.2.2 x.x.157.15 0 5
172.16.2.2 x.x.28.23 0 5
172.16.2.2 x.x.135.19 0 5
172.16.2.2 x.x.135.3 0 4
172.16.2.2 x.x.157.11 0 4
Signature-id:122:1:2 Count: 5 Description:portscan: TCP Portscan
---------------------------------------------------------------------
Source IP Destination IP VRF Count
---------------------------------------------------------------------
172.16.1.3 172.16.2.2 0 5
Signature-id:122:3:2 Count: 1 Description:portscan: TCP Portsweep
---------------------------------------------------------------------
Source IP Destination IP VRF Count
---------------------------------------------------------------------
172.16.2.2 172.16.1.3 0 1
Option 4. The UTD Snort engine monitors traffic and reports events to an external log server or to the IOS syslog. Enabling logging to the IOS syslog can affect performance because of the volume of log messages. External third-party monitoring tools that support Snort logs can be used for log collection and analysis.
Whenever the UTD Snort engine generates an IPS/IDS event, the router displays a syslog message like this one:
Router# *Sep 3 22:10:18.544: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: 2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184
Note: When logging syslog is enabled under the utd engine standard configuration of the UTD Snort engine, the UTD Snort engine logs are displayed in the router IOSd CLI.
When the UTD Snort engine is configured to send its logs to an external syslog server, you should see the UTD Snort engine logs on the remote syslog server, as shown here:
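When the alerts are collected on an external syslog server, the same per-signature and per-address summaries that the two statistics commands print can be rebuilt from the raw alert lines. The following parser is an added example, not part of the original document or of any Cisco tool; it assumes the alert line format shown in the outputs above, and the sample log embedded in it is constructed (the last line is a non-alert syslog message, included to show that it is skipped).

```python
import re
from collections import Counter
from dataclasses import dataclass

# One UTD Snort alert as printed by "show utd engine standard logging events".
# search() rather than match() is used so that the same regex also handles IOSd
# syslog lines, where the alert follows the "IOX SERVICE UTD LOG:" prefix.
ALERT_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) (?P<tz>\S+) \[\*\*\] "
    r"\[Hostname: (?P<host>[^\]]*)\] \[\*\*\] \[Instance_ID: (?P<inst>\d+)\] \[\*\*\] "
    r"(?P<action>\w+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] \[VRF: (?P<vrf>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: three lines in the "logging events" format, one IOSd syslog
# wrapped alert, and one unrelated syslog line that the parser must ignore.
SAMPLE_LOG = """\
2025/09/03-15:03:42.946703 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:1417 -> 172.16.2.2:10
2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184
2025/09/03-16:10:12.705933 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:2184 -> 172.16.2.2:10
*Sep 3 22:10:18.544: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: 2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184
*Sep 3 22:10:19.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
"""


@dataclass(frozen=True)
class UtdAlert:
    ts: str
    host: str
    action: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    vrf: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def sig_id(self):
        """Signature key in the GID:SID:revision form used by the router's statistics."""
        return f"{self.gid}:{self.sid}:{self.rev}"


def parse_alerts(text):
    """Return the UtdAlert objects found in text; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        alerts.append(UtdAlert(
            ts=m["ts"], host=m["host"], action=m["action"],
            gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
            msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
            vrf=int(m["vrf"]), proto=m["proto"],
            src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        ))
    return alerts


def top_signatures(alerts):
    """Per-signature counts, like 'show utd engine standard logging statistics threat-inspection'."""
    counts = Counter(a.sig_id for a in alerts)
    msgs = {a.sig_id: a.msg for a in alerts}
    return [(sig, n, msgs[sig]) for sig, n in counts.most_common()]


def pairs_for_signature(alerts, sig_id):
    """(source, destination, vrf) counts for one signature, like the 'detail' variant."""
    return Counter((a.src, a.dst, a.vrf) for a in alerts if a.sig_id == sig_id).most_common()


def talkers(alerts, max_priority=2):
    """Source addresses with alerts at or above a Snort priority (1 is the most severe)."""
    return Counter(a.src for a in alerts if a.priority <= max_priority).most_common()
```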
Use the following commands to display the active, drop and alert IPS Snort signatures of the UTD Snort engine, which depend on the policy configured (balanced, connectivity or security).
Option 1. Follow these steps to display the list of active IPS Snort signatures for the security policy.
Router#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Occurs-at : daily ; Hour: 17; Minute: 55
Logging:
Server : IOS Syslog; 172.16.2.2
Level : debug
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Disabled
Whitelist Signature IDs:
Port Scan : Enabled
Sense level : High
Web-Filter : Disabled
Router#utd threat-inspection signature active-list write-to bootflash:siglist_security
Router#more bootflash:siglist_security
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Security
Total no. of active signatures: 23398
Total no. of drop signatures: 22625
Total no. of alert signatures: 773
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 13418, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt;
sigid: 13897, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-MULTIMEDIA Apple QuickTime crgn atom parsing stack buffer overflow attempt;
sigid: 14263, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: POLICY-SOCIAL Pidgin MSNP2P message integer overflow attempt;
sigid: 15968, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt;
sigid: 15975, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-IMAGE OpenOffice TIFF parsing integer overflow attempt;
sigid: 15976, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-IMAGE OpenOffice TIFF parsing integer overflow attempt;
sigid: 16232, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: OS-WINDOWS Microsoft Windows EOT font parsing integer overflow attempt;
sigid: 16343, gid:3, log-level:3, action: drop, class-type: misc-activity, Descr: FILE-PDF PDF header obfuscation attempt;
sigid: 16394, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt;
sigid: 16728, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: NETBIOS Samba SMB1 chain_reply function memory corruption attempt;
sigid: 17647, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-FLASH Adobe Flash Player DefineSceneAndFrameLabelData memory corruption attempt;
sigid: 17665, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OFFICE OpenOffice Word document table parsing heap buffer overflow attempt;
sigid: 17741, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER MIT Kerberos asn1_decode_generaltime uninitialized pointer free attempt;
[omitted output]
Option 2. Follow these steps to display the list of active IPS Snort signatures for the Connectivity policy.
Router#show utd engine standard config
UTD Engine Standard Configuration:
  VirtualPortGroup Id: 1
  IPS/IDS : Enabled
  Operation Mode : Intrusion Prevention
  Policy : Connectivity
  Signature Update:
    Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
    Occurs-at : daily ; Hour: 17; Minute: 55
  Logging:
    Server : IOS Syslog; 172.16.2.2
    Level : debug
    Statistics : Enabled
    Hostname : router
    System IP : Not set
  Whitelist : Disabled
  Whitelist Signature IDs:
  Port Scan : Enabled
    Sense level : High
  Web-Filter : Disabled
Router#utd threat-inspection signature active-list write-to bootflash:siglist_connectivity
Router#more bootflash:siglist_connectivity
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Connectivity
Total no. of active signatures: 597
Total no. of drop signatures: 494
Total no. of alert signatures: 103
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 30282, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30283, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30942, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt;
sigid: 30943, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt;
sigid: 35897, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt;
sigid: 35898, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt;
sigid: 35902, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt;
sigid: 35903, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt;
sigid: 35926, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-WEBAPP Oracle Identity Management authorization bypass attempt;
sigid: 35927, gid:3, log-level:1, action: drop, class-type: policy-violation, Descr: SERVER-WEBAPP Oracle Identity Management remote file execution attempt;
sigid: 38671, gid:3, log-level:1, action: drop, class-type: attempted-user,
[omitted output]
Option 3. Follow these steps to display the list of active IPS Snort signatures for the Balanced policy.
Router#show utd engine standard config
UTD Engine Standard Configuration:
  VirtualPortGroup Id: 1
  IPS/IDS : Enabled
  Operation Mode : Intrusion Prevention
  Policy : Balanced
  Signature Update:
    Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
    Occurs-at : daily ; Hour: 17; Minute: 55
  Logging:
    Server : IOS Syslog; 172.16.2.2
    Level : debug
    Statistics : Enabled
    Hostname : router
    System IP : Not set
  Whitelist : Disabled
  Whitelist Signature IDs:
  Port Scan : Enabled
    Sense level : High
  Web-Filter : Disabled
Router#utd threat-inspection signature active-list write-to bootflash:siglist_balanced
Router#more bootflash:siglist_balanced
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Balanced
Total no. of active signatures: 10033
Total no. of drop signatures: 9534
Total no. of alert signatures: 499
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 30282, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30283, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30887, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER Cisco Tshell command injection attempt;
sigid: 30888, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER Cisco Tshell command injection attempt;
sigid: 30902, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ;
sigid: 30903, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ;
sigid: 30912, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt;
sigid: 30913, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt;
sigid: 30921, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt;
sigid: 30922, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt;
sigid: 30929, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER Cisco RV180 VPN CSRF attempt;
[omitted output]
Note: To display the active IPS Snort signatures for the Balanced, Connectivity, or Security policy, the UTD Snort engine must be running the corresponding policy mode that you want to view.
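The siglist file written by "utd threat-inspection signature active-list write-to" has a fixed layout: a header with the package version, ruleset name and three totals, followed by one "sigid: ..., gid:..., log-level:..., action: ..., class-type: ..., Descr: ...;" entry per line. The following parser, an added example that is not part of this document or of the UTD engine, reads that file, cross-checks the entry counts against the header totals and looks up a single signature ID; the sample text is constructed from entries shown above (the "alert" action on the last entry is chosen for the sample).

```python
import re
from collections import Counter

# Constructed sample in the layout written by "utd threat-inspection signature
# active-list write-to": a header block, then one entry per line. The entries are
# copied from the page; the "alert" action on the last one is set for the sample.
SAMPLE_SIGLIST = """\
Signature Package Version: 31810.156.s
Signature Ruleset: Connectivity
Total no. of active signatures: 3
Total no. of drop signatures: 2
Total no. of alert signatures: 1
List of Active Signatures:
--------------------------
sigid: 30282, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 35926, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-WEBAPP Oracle Identity Management authorization bypass attempt;
sigid: 30902, gid:3, log-level:1, action: alert, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ;
"""

HEADER_RE = re.compile(r"^(Signature Package Version|Signature Ruleset|"
                       r"Total no\. of (?:active|drop|alert) signatures): (.+)$")
# Descr may carry a stray space before the terminating ';' (see the Balanced list)
ENTRY_RE = re.compile(r"^sigid: (?P<sigid>\d+), gid:(?P<gid>\d+), log-level:(?P<level>\d+), "
                      r"action: (?P<action>\w+), class-type: (?P<ctype>[\w-]+), "
                      r"Descr: (?P<descr>.*?)\s*;$")

def parse_siglist(text):
    """Return (header dict, list of entry dicts) for the text of a siglist file."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            header[m.group(1)] = m.group(2).strip()
        elif m := ENTRY_RE.match(line):
            e = m.groupdict()
            for k in ("sigid", "gid", "level"):
                e[k] = int(e[k])
            entries.append(e)
    return header, entries

def check_totals(header, entries):
    """True when the entries counted match the totals the header claims."""
    by_action = Counter(e["action"] for e in entries)
    return (len(entries) == int(header["Total no. of active signatures"])
            and by_action["drop"] == int(header["Total no. of drop signatures"])
            and by_action["alert"] == int(header["Total no. of alert signatures"]))

def find_sigid(entries, sigid):
    """Entry for a Snort signature ID, or None when the loaded policy does not include it."""
    return next((e for e in entries if e["sigid"] == sigid), None)
```

Run it on a copied bootflash:siglist_* file to confirm a specific sigid is active under the policy in use before raising a case about missed or unexpectedly dropped traffic.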
1. Ensure that the Cisco Integrated Services Router (ISR) runs XE 16.10.1a or later (required for the IOx method).
2. Ensure that the Cisco ISR is licensed and that the Securityk9 feature is enabled.
3. Verify that the ISR hardware model meets the minimum resource profile.
4. The UTD Snort engine is not compatible with Zone-Based Firewall SYN-cookie or Network Address Translation 64 (NAT64).
5. Confirm that the UTD Snort engine service has started after installation.
6. When you download the signature package manually, ensure that the package version is the same as the Snort engine version. If the versions do not match, the signature package update can fail.
7. If performance issues occur, use show app-hosting resource and show app-hosting utilization appid "UTD-NAME" to check UTD CPU, memory, and storage usage.
Router#show app-hosting resource
CPU:
Quota: 75(Percentage)
Available: 50(Percentage)
VCPU:
Count: 6
Memory:
Quota: 10240(MB)
Available: 9216(MB)
Storage device: bootflash
Quota: 4000(MB)
Available: 4000(MB)
Storage device: harddisk
Quota: 20000(MB)
Available: 19029(MB)
Storage device: volume-group
Quota: 190768(MB)
Available: 169536(MB)
Storage device: CAF persist-disk
Quota: 20159(MB)
Available: 18078(MB)
Router#show app-hosting utilization appid utd
Application: utd
CPU Utilization:
CPU Allocation: 33 %
CPU Used: 3 %
Memory Utilization:
Memory Allocation: 1024 MB
Memory Used: 117632 KB
Disk Utilization:
Disk Allocation: 711 MB
Disk Used: 451746 KB
Warning: If you confirm that the CPU, memory, or disk usage of the UTD Snort engine is high, contact Cisco TAC.
For troubleshooting purposes, use the debug commands listed below to collect more details from the UTD Snort engine.
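To turn the "show app-hosting utilization" output above into a repeatable check, the snippet below, an added example rather than anything from this document or the UTD engine, parses the Allocation/Used lines, normalises KB and MB to a common unit, and reports which resources exceed a threshold. The sample text is the output shown above; the 85 percent threshold and the reading of "Used" relative to "Allocation" are assumptions of this example.

```python
import re

# Sample copied from the "show app-hosting utilization appid utd" output above.
SAMPLE_UTILIZATION = """\
Application: utd
CPU Utilization:
  CPU Allocation: 33 %
  CPU Used: 3 %
Memory Utilization:
  Memory Allocation: 1024 MB
  Memory Used: 117632 KB
Disk Utilization:
  Disk Allocation: 711 MB
  Disk Used: 451746 KB
"""

LINE_RE = re.compile(r"^(CPU|Memory|Disk) (Allocation|Used): (\d+) (%|KB|MB|GB)$")
_TO_MB = {"KB": 1 / 1024, "MB": 1, "GB": 1024}

def parse_utilization(text):
    """Return {"cpu": {"alloc": ..., "used": ...}, "memory": {...}, "disk": {...}}.

    CPU values stay in percent; memory and disk are converted to MB so that the
    KB "Used" figures can be compared with the MB "Allocation" figures.
    """
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        resource, field, value, unit = m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4)
        val = value if unit == "%" else value * _TO_MB[unit]
        stats.setdefault(resource, {})["alloc" if field == "Allocation" else "used"] = val
    return stats

def usage_ratios(stats):
    """Fraction of each allocation currently used (assumption: Used is relative to Allocation)."""
    return {name: v["used"] / v["alloc"] for name, v in stats.items() if v.get("alloc")}

def over_threshold(stats, limit=0.85):
    """Names of resources whose usage exceeds limit; an empty list needs no follow-up."""
    return sorted(name for name, ratio in usage_ratios(stats).items() if ratio > limit)
```

Feed the output of both the "utd" app and "show app-hosting resource" quotas through the same parser over time to see whether disk usage on the CAF persist-disk or memory usage is trending toward the allocation before the engine degrades.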
debug virtual-service all
debug virtual-service virtualPortGroup
debug virtual-service messaging
debug virtual-service timeout
debug utd config level error [error, info, warning]
debug utd engine standard all
Warning: Running debug commands in production significantly increases CPU, memory, or disk utilization on the UTD Snort engine or the router, which can affect traffic and system stability. Use debug commands cautiously, preferably during a maintenance window, and disable them as soon as the required data has been collected. If you observe increased resource usage or service impact, stop the debugs and contact Cisco TAC.
For additional documentation on UTD Snort IPS deployment, visit the following:
Cisco Virtual Service Resource Profiles for ISR4K and CSR1000v
CSCwf57595 ISR4K Snort IPS not deployed because the hardware does not have enough platform resources
Version | Publish Date | Comments
---|---|---
3.0 | 17-Sep-2025 | First public release
1.0 | 11-Jul-2023 | Initial version