The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation because of language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product.
Cisco has translated this document using a combination of machine and human technologies so that users worldwide can understand support content in their own language. Note that even the best machine translation is not as accurate as that provided by a professional translator. Cisco Systems, Inc. is not responsible for the accuracy of these translations and recommends always consulting the original English document (link provided).
This document describes how to deploy the UTD Snort IPS engine on the Cisco Integrated Services Routers ISR1K, ISR4K, CSR and ISRv series using the IOx method.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The VMAN method is now deprecated.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The Unified Threat Defense (UTD) Snort IPS feature enables an Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) for branch offices on the Cisco Integrated Services Routers ISR1K, ISR4K, CSR and ISRv series. The feature uses open-source Snort to provide the IPS or IDS functionality.
Snort is an open-source IPS that performs real-time traffic analysis and generates alerts when threats are detected on IP networks. It can also perform protocol analysis and content searching or matching, and it detects a variety of attacks and probes, such as buffer overflows and stealth port scans. The UTD Snort engine runs as a virtual container service on the Cisco Integrated Services Routers ISR1K, ISR4K, CSR and ISRv series.
UTD Snort IPS provides IPS or IDS functionality for the Cisco Integrated Services Routers ISR1K, ISR4K, CSR and ISRv series.
Depending on network requirements, UTD Snort IPS can be enabled as either an IPS or an IDS:
UTD Snort IPS runs as a service on the ISR1K, ISR4K, CSR and ISRv series routers. Service containers use virtualization technology to provide a hosting environment for applications on Cisco devices. Snort traffic inspection is enabled either per interface or globally on all supported interfaces.
The UTD Snort engine IPS solution consists of the following entities:
Snort sensor: monitors traffic to detect anomalies according to the configured security policy (which includes signatures, statistics, protocol analysis, and so on) and sends alert messages to the alert/reporting server. The Snort sensor is deployed on the router as a virtual container service.
Signature store: hosts the Cisco signature packages, which are updated periodically. These signature packages are downloaded to the Snort sensor periodically or on demand. Validated signature packages are posted to Cisco.com. Depending on the configuration, signature packages can be downloaded from Cisco.com or from a local server.
While downloading the signature package from cisco.com, the router can access the following domains:
api.cisco.com
apx.cisco.com
cloudsso.cisco.com
cloudsso-test.cisco.com
cloudsso-test3.cisco.com
cloudsso-test4.cisco.com
cloudsso-test5.cisco.com
cloudsso-test6.cisco.com
download-ssc.cisco.com
dl.cisco.com
resolver1.opendns.com
resolver2.opendns.com
Before the Snort sensor can retrieve the signature package from a local server, the package must be downloaded manually from Cisco.com to that server using Cisco.com credentials.
Alert/reporting server: receives alert events from the Snort sensor. Alert events generated by the Snort sensor can be sent to the IOS syslog, to an external syslog server, or to both. No external log server is bundled with the Snort IPS solution.
Management: manages the Snort IPS solution. Management is configured through the IOS CLI. The Snort sensor cannot be accessed directly; all configuration is done only through the IOS CLI.
The licensing requirements for the UTD Snort engine are as follows:
a) Community signature package: the community signature package rule set provides limited threat coverage.
b) Subscriber-based signature package: the subscriber-based signature package rule set provides the best protection against threats. It includes protection ahead of exploits and also provides the fastest access to updated signatures in response to a security incident or to the proactive discovery of a new threat. This subscription is fully supported by Cisco, and the package is continuously updated on Cisco.com.
The UTD Snort subscriber signature package can be downloaded from software.cisco.com, and Snort signature information is available on snort.org.
In addition, you can use the snort.org Rule Documentation Search tool below to look up a specific Snort IPS signature ID.
The platforms supported by the UTD Snort engine are as follows:
The following restrictions apply to the UTD Snort engine:
When the Boost license is enabled on Cisco 4000 Series ISRs, the virtual service container cannot be configured for Snort IPS.
Not compatible with the zone-based firewall SYN-cookie feature.
Network Address Translation 64 (NAT64) is not supported.
SNMP polling in open-source Snort requires the SnortSnmpPlugin. Snort IPS does not support SNMP polling or MIBs, because the SnortSnmp plugin is not installed on UTD.
Below are the Cisco links for downloading the UTD Snort IPS engine software image file used to install the UTD Snort engine on Cisco routers. You can also find the UTD Snort subscriber signature package files for downloading the UTD Snort IPS signatures, depending on the UTD Snort engine version in use.
Note: Prerequisites to consider before installing the UTD Snort engine: a physical ISR must run IOS-XE release 3.16.1 or later; a CSR must run release 16.3.1 or later; an ISRv (ENCS) must run release 16.8.1 or later. The engine is also supported on the Catalyst 8300 (release 17.3.2 and later), 8200 (release 17.4.1 and later) and 8000V (release 17.4.1 and later).
Note: If the user downloads the UTD Snort subscriber signature package manually from the Download Software page, the user must make sure the package version matches the Snort engine version. For example, if the Snort engine version is 2982, the user must download the signature package of the same version. If the versions do not match, the signature package update is rejected and fails.
Note: When the signature package is updated, the engine restarts and traffic is briefly interrupted or bypasses inspection, depending on the data-plane fail-open/fail-close configuration.
Step 1. Configure the VirtualPortGroup interfaces for the UTD Snort engine; two port groups are configured:
Router#configure terminal
Router(config)#interface VirtualPortGroup0
Router(config-if)#description Management Interface
Router(config-if)#ip address 192.168.1.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface VirtualPortGroup1
Router(config-if)#description Data Interface
Router(config-if)#ip address 192.168.2.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Note: Make sure to configure the NAT and routing required for VirtualPortGroup0, so that the UTD Snort engine can reach the external syslog server and cisco.com to fetch the signature update files.
Step 2. Enable the IOx environment in global configuration mode.
Router(config)#iox
Step 3. Then enable the virtual service and configure the guest IP addresses; to do so, configure app-hosting with the vnic configuration.
Router(config)#app-hosting appid UTD
Router(config-app-hosting)#app-vnic gateway0 virtualportgroup 0 guest-interface 0
Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.1.2 netmask 255.255.255.252
Router(config-app-hosting-gateway0)#exit
Router(config-app-hosting)#app-vnic gateway1 virtualportgroup 1 guest-interface 1
Router(config-app-hosting-gateway1)#guest-ipaddress 192.168.2.2 netmask 255.255.255.252
Router(config-app-hosting-gateway1)#exit
Step 4 (optional). Configure the resource profile.
Router(config-app-hosting)#app-resource package-profile low [low,medium,high]
Router(config-app-hosting)#end
Note: The UTD Snort engine virtual service supports three resource profiles: Low, Medium and High. These profiles indicate the CPU and memory resources required to run the virtual service. You can configure one of these resource profiles. Resource profile configuration is optional; if no profile is configured, the virtual service is activated with its default resource profile. Refer to the Cisco virtual service resource profiles for the ISR4K and CSR1000v for more resource profile details.
Note: This option is not available on the ISR1K series.
Step 5. Copy the UTD Snort IPS engine software file to the router flash, then install the app-hosting with the UTD .tar file as shown below.
Router#app-hosting install appid UTD package bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar
Note: The UTD engine version is indicated in the UTD file name; make sure the UTD engine version to be installed is compatible with the IOS-XE version running on the Cisco router.
The next set of syslogs should be seen, indicating that the UTD service was installed correctly.
Installing package 'bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for 'utd'. Use 'show app-hosting list' for progress.
*Jun 26 19:25:35.975: %VMAN-5-PACKAGE_SIGNING_LEVEL_ON_INSTALL: R0/0: vman: Package 'iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for service container 'utd' is 'Cisco signed', signing level cached on original install is 'Cisco signed'
*Jun 26 19:25:50.746: %VIRT_SERVICE-5-INSTALL_STATE: Successfully installed virtual service utd
*Jun 26 19:25:53.176: %IM-6-INSTALL_MSG: R0/0: ioxman: app-hosting: Install succeeded: utd installed successfully Current state is deployed
Note: With 'show app-hosting list', the state should be shown as 'Deployed'.
Step 6. Start the app-hosting service.
Router#configure terminal
Router(config)#app-hosting appid UTD
Router(config-app-hosting)#start
Router(config-app-hosting)#end
Note: After the app-hosting service is started, the app-hosting state should be 'Running'. Use 'show app-hosting list' or 'show app-hosting detail' for more details.
The next syslog messages should be seen, indicating that the UTD service started correctly.
*Jun 26 19:55:05.362: %VIRT_SERVICE-5-ACTIVATION_STATE: Successfully activated virtual service UTD
*Jun 26 19:55:07.412: %IM-6-START_MSG: R0/0: ioxman: app-hosting: Start succeeded: UTD started successfully Current state is running
After a successful installation, the service plane must be configured for the UTD Snort engine. The UTD Snort engine can be configured as an Intrusion Prevention System (IPS) or an Intrusion Detection System (IDS) for traffic inspection.
Warning: Confirm that the 'securityk9' license feature is enabled on the router before proceeding with the UTD service-plane configuration.
Step 1. Configure the Unified Threat Defense (UTD) standard engine (service plane).
Router#configure terminal
Router(config)#utd engine standard
Step 2. Enable UTD Snort engine logging to a remote server and to the IOSd syslog.
Router(config-utd-eng-std)#logging host 192.168.10.5
Router(config-utd-eng-std)#logging syslog
Note: UTD Snort IPS monitors traffic and reports events to an external log server or to the IOS syslog. Enabling logging to the IOS syslog can affect performance because of the potential volume of log messages. External third-party monitoring tools that support Snort logs can be used for log collection and analysis.
Step 3. Enable threat inspection for the Snort engine.
Router(config-utd-eng-std)#threat-inspection
Step 4. Configure threat detection (IDS) or intrusion prevention (IPS) as the operating mode of the Snort engine.
Router(config-utd-engstd-insp)#threat [protection,detection]
Note: Use the keyword 'protection' for IPS mode and the keyword 'detection' for IDS mode. The default mode is 'detection'.
Step 5. Configure the security policy for the Snort engine.
Router(config-utd-engstd-insp)#policy [balanced, connectivity, security]
Router(config-utd-engstd-insp)#exit
Router(config-utd-eng-std)#exit
Note: The default policy is 'balanced'. Depending on the policy selected, the Snort engine enables or disables IPS signatures for Snort engine protection.
Step 6 (optional). Enable the UTD allowed list (whitelist) configuration.
Router#configure terminal
Router(config)#utd threat-inspection whitelist
Step 7 (optional). Configure the IPS Snort signature IDs to be included in the whitelist.
Router(config-utd-whitelist)#generator id 40 signature id 54621 comment FILE-OFFICE traffic
or
Router(config-utd-whitelist)#signature id 13418 comment "whitelisted the IPS signature 13418"
Note: The signature ID can be copied from the alerts that need to be suppressed, and multiple signature IDs can be configured. Repeat this step for each signature ID that needs to be added to the whitelist.
Note: After the allowed-list signature IDs (whitelist) are configured, the UTD Snort engine lets the matching flows pass through the device without raising any alert or dropping them.
Note: The generator identifier (GID) identifies the subsystem that evaluates the intrusion rule and generates the event. Standard text intrusion rules have generator ID 1, and shared object intrusion rules have generator ID 3. There are also several groups of rules for the various preprocessors. Table 1 (Generator IDs) below describes the GIDs.
Step 8 (optional). Enable the allowed list in the threat-inspection configuration.
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#whitelist
Note: After the whitelist signature IDs are configured, the Snort engine lets the matching flows pass through the device without raising any alert or dropping them.
Step 9. Configure the signature update interval to download Snort signatures automatically.
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#signature update occur-at [daily, monthly, weekly] 0 0
Note: The first number defines the hour in 24-hour format, and the second number the minute.
Warning: UTD signature updates cause a brief service interruption while the update takes place.
Step 10. Configure the UTD Snort engine signature update server parameters.
Router(config-utd-engstd-insp)#signature update server [cisco, url] username xxxx password xxxx
Example - Configuring signature updates from a Cisco Server:
Router(config-utd-engstd-insp)#signature update server cisco username xxxx password xxxx
or
Example - Configuring signature updates from a Local server:
Router(config-utd-engstd-insp)#signature update server url http://x.x.x.x/UTD-STD-SIGNATURE-31810-155-S.pkg
Note: Use the keyword 'cisco' to point to the Cisco server for signature updates, or the keyword 'url' to define a custom http/https path to the update server. For the Cisco server, you must provide your Cisco username and password credentials.
Note: Make sure a DNS server is configured in order to download the IPS Snort signatures from the Cisco server. If the URL is not specified as an IP address, the Snort container performs a domain name lookup (against the DNS servers configured on the router) to resolve the location for automatic signature updates from Cisco.com or from the local server.
Note: The UTD module MGMT IP address assigned to the VirtualPortGroup0 interface should be included in the router NAT configuration, to allow the module to reach the Internet and the Cisco server in order to download the Snort signature package.
Step 11. Enable the UTD Snort engine logging level and the logging of threat-inspection alert statistics:
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#logging level [alert,crit,debug,emerg,info,notice,warning]
Router(config-utd-engstd-insp)#logging statistics enable
Router(config-utd-engstd-insp)#exit
Router(config-utd-eng-std)#exit
Note: Starting with Cisco IOS XE Fuji 16.8, you can obtain summarized details of the threat-inspection alerts by running the command 'show utd engine standard logging threat-inspection statistics detail', but only when logging of threat-inspection alert statistics is enabled for the UTD Snort engine.
Step 12. Enable the utd service.
Router#configure terminal
Router(config)#utd
Step 13 (optional). Redirect data traffic from the VirtualPortGroup interface to the UTD service.
Router#configure terminal
Router(config)#utd
Router(config-utd)#redirect interface virtualPortGroup
Note: If the redirect is not configured, it is detected automatically.
Step 14. Enable the UTD IPS engine to inspect traffic from all Layer 3 interfaces on the router.
Router(config-utd)#all-interfaces
Step 15. Enable the standard engine.
Router(config-utd)#engine standard
The next syslog messages should be seen, indicating that the UTD Snort engine was enabled correctly:
*Jun 27 23:41:03.062: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jun 27 23:41:13.039: %IOSXE-2-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008501210250689 %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Down => Red (3) for channel Threat Defense
*Jun 27 23:41:22.457: %IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008510628353985 %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: Red
Step 16 (optional). Define the behaviour of the UTD Snort engine (UTD data plane) during a failure.
Router(config-engine-std)#fail open
Router(config-engine-std)#end
Note: When the UTD engine fails, the 'fail close' option drops all router traffic, while the 'fail open' option lets router traffic keep flowing without IPS/IDS inspection for the duration of the UTD failure. The default option is 'fail open'.
Step 17. Save the router configuration.
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#
The UTD Snort engine has a port-scan feature. A port scan is a form of network reconnaissance that attackers often use as a prelude to an attack. In a port scan, the attacker sends packets designed to probe the network protocols and services on a target host. By examining the packets the host sends in response, the attacker can determine which ports on the host are open and, directly or by inference, which application protocols are running on those ports.
A port scan by itself is not evidence of an attack. Legitimate users on the network may use port-scanning techniques similar to those used by attackers.
The port_scan inspector detects four types of portscan and monitors connection attempts over the TCP, UDP, ICMP and IP protocols. By detecting patterns of activity, the port_scan inspector helps you determine which port scans may be malicious.
Port scans are generally classified into four types based on the number of target hosts, the number of scanning hosts, and the number of ports scanned.
Table 3 below shows the port-scan inspector rules.
The port_scan inspector provides three default scan sensitivity levels for the UTD Snort engine:
Step 1. Configure the Unified Threat Defense (UTD) standard engine (service plane).
Router#configure terminal
Router(config)#utd engine standard
Step 2. Enable threat inspection for the UTD Snort engine.
Router(config-utd-eng-std)#threat-inspection
Step 3. Then enable port_scan.
Router(config-utd-engstd-insp)#port-scan
Step 4. Set the port_scan sensitivity level; the available options are 'high', 'medium' or 'low'.
Router(config-utd-threat-port-scan)# sense level [high | low | medium]
Example:
Router(config-utd-threat-port-scan)# sense level high
Step 5. After enabling port_scan and configuring the sensitivity level for the UTD Snort engine, verify the port_scan configuration with the 'show utd engine standard config' command.
Router#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Occurs-at : daily ; Hour: 17; Minute: 55
Logging:
Server : IOS Syslog; 172.16.2.2
Level : debug
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Disabled
Whitelist Signature IDs:
Port Scan : Enabled
Sense level : High
Web-Filter : Disabled
Router#show ip interface brief | i VirtualPortGroup
VirtualPortGroup0 192.168.1.1 YES NVRAM up up
VirtualPortGroup1 192.168.2.1 YES NVRAM up up
Router#show running-config | b interface
interface VirtualPortGroup0
description Management Interface
ip address 192.168.1.1 255.255.255.252
!
interface VirtualPortGroup1
description Data Interface
ip address 192.168.2.1 255.255.255.252
Router#show running-config | b app-hosting
app-hosting appid UTD
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.1.2 netmask 255.255.255.252
app-vnic gateway1 virtualportgroup 1 guest-interface 1
guest-ipaddress 192.168.2.2 netmask 255.255.255.252
start
end
Router#show running-config | i iox
iox
Router#show app-hosting list
App id State
---------------------------------------------------------
UTD RUNNING
Issue the show app-hosting detail command to confirm the UTD Snort engine state, the software version running, the RAM, CPU and disk utilization, the network statistics, and that the DNS configuration is in place.
Router#show app-hosting detail
App id : UTD
Owner : ioxm
State : RUNNING
Application
Type : LXC
Name : UTD-Snort-Feature
Version : 1.0.7_SV2.9.18.1_XE17.9
Description : Unified Threat Defense
Author :
Path : /bootflash/secapp-utd.17.09.03a.1.0.7_SV2.9.18.1_XE17.9.x86_64.tar
URL Path :
Multicast : yes
Activated profile name :
Resource reservation
Memory : 1024 MB
Disk : 752 MB
CPU :
CPU-percent : 25 %
VCPU : 0
Platform resource profiles
Profile Name CPU(unit) Memory(MB) Disk(MB)
--------------------------------------------------------------
Attached devices
Type Name Alias
---------------------------------------------
Disk /tmp/xml/UtdLogMappings-IOX
Disk /tmp/xml/UtdIpsAlert-IOX
Disk /tmp/xml/UtdDaqWcapi-IOX
Disk /tmp/xml/UtdUrlf-IOX
Disk /tmp/xml/UtdTls-IOX
Disk /tmp/xml/UtdDaq-IOX
Disk /tmp/xml/UtdAmp-IOX
Watchdog watchdog-503.0
Disk /tmp/binos-IOX
Disk /opt/var/core
Disk /tmp/HTX-IOX
Disk /opt/var
NIC ieobc_1 ieobc
Disk _rootfs
NIC mgmt_1 mgmt
NIC dp_1_1 net3
NIC dp_1_0 net2
Serial/Trace serial3
Network interfaces
---------------------------------------
eth0:
MAC address : 54:0e:00:0b:0c:02
IPv6 address : ::
Network name :
eth:
MAC address : 6c:41:0e:41:6b:08
IPv6 address : ::
Network name :
eth2:
MAC address : 6c:41:0e:41:6b:09
IPv6 address : ::
Network name :
eth1:
MAC address : 6c:41:0e:41:6b:0a
IPv4 address : 192.168.2.2
IPv6 address : ::
Network name :
----------------------------------------------------------------------
Process Status Uptime # of restarts
----------------------------------------------------------------------
climgr UP 0Y 0W 0D 21:45:29 2
logger UP 0Y 0W 0D 19:25:56 0
snort_1 UP 0Y 0W 0D 19:25:56 0
Network stats:
eth0: RX packets:162886, TX packets:163855
eth1: RX packets:46, TX packets:65
DNS server:
domain cisco.com
nameserver 192.168.90.92
Coredump file(s): core, lost+found
Interface: eth2
ip address: 192.168.2.2/30
Interface: eth1
ip address: 192.168.1.2/30
Address/Mask Next Hop Intf.
-------------------------------------------------------------------------------
0.0.0.0/0 192.168.2.1 eth2
0.0.0.0/0 192.168.1.1 eth1
Use the show utd engine standard version command to confirm that the UTD Snort engine version is compatible with the IOS-XE version running on the router.
Router#show utd engine standard version
UTD Virtual-service Name: UTD
IOS-XE Recommended UTD Version: 1.1.11_SV3.1.81.0_XE17.12
IOS-XE Supported UTD Regex: ^1\.1\.([0-9]+)_SV(.*)_XE17.12$
UTD Installed Version: 1.1.11_SV3.1.81.0_XE17.12
Option 1. Issue the 'show utd engine standard status' command to confirm the state of the UTD Snort engine: Status 'Green', Health 'Green' and Overall system status 'Green' indicate that the UTD Snort engine is running.
Router#show utd engine standard status
Engine version : 1.1.11_SV3.1.81.0_XE17.12
Profile : Low
System memory :
Usage : 31.80 %
Status : Green
Number of engines : 1
Engine Running Health Reason
=======================================================
Engine(#1): Yes Green None
=======================================================
Overall system status: Green
Signature update status:
=========================
Current signature package version: 31810.155.s
Last update status: Failed
Last successful update time: Wed Sep 3 12:51:56 2025 CST
Last failed update time: Wed Sep 3 17:55:02 2025 CST
Last failed update reason: File not found
Next update scheduled at: Thursday Sep 04 17:55 2025 CST
Current status: Idle
Note: When the UTD Snort engine is oversubscribed, the Threat Defense channel state changes between Green and Red. If fail-close is configured, the UTD data plane drops all further packets; if fail-close is not configured (the default), it forwards the packets uninspected. When the UTD service plane recovers from the oversubscription, it responds to the UTD data plane with a Green state.
Option 2. Issue the 'show platform software utd global' command for a brief summary of the UTD Snort engine operational state.
Router#show platform software utd global
UTD Global state
=========================
Engine : Standard
Global Inspection : Enabled
Operational Mode : Intrusion Prevention
Fail Policy : Fail-open
Container technology : LXC
Redirect interface : VirtualPortGroup1
UTD interfaces
All dataplane interfaces
Option 1. Issue the 'show utd engine standard config' command to display the UTD Snort engine configuration details: operating mode, policy mode, signature update configuration, logging configuration, whitelist and port-scan state.
Router#show utd engine standard config
UTD Engine Standard Configuration:
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : cisco
User Name : cisco
Password : KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
Occurs-at : daily ; Hour: 0; Minute: 0
Logging:
Server : 192.168.10.5
Level : info
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Enabled
Whitelist Signature IDs:
54621, 40
Port Scan : Enabled
Web-Filter : Disabled
Option 2. Issue the 'show running-config | b engine' command to display the UTD Snort engine running configuration in place.
Router#show running-config | b engine
utd engine standard
logging host 192.168.10.5
logging syslog
threat-inspection
threat protection
policy security
signature update server cisco username cisco password KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
signature update occur-at daily 0 0
logging level info
whitelist
logging statistics enable
utd threat-inspection whitelist
generator id 40 signature id 54621 comment FILE-OFFICE traffic
utd
all-interfaces
redirect interface VirtualPortGroup1
engine standard
1. Issue the 'show utd engine standard threat-inspection signature update status' command to check the IPS Snort signature update status.
Router#show utd engine standard threat-inspection signature update status
Current signature package version: 31810.155.s
Current signature package name: UTD-STD-SIGNATURE-31810-155-S.pkg
Previous signature package version: 31810.154.s
---------------------------------------
Last update status: Failed
---------------------------------------
Last successful update time: Wed Sep 3 12:51:56 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.4.219/UTD-STD-SIGNATURE-31810-155-S.pkg
Last successful update speed: 6343108 bytes in 31 secs
---------------------------------------
Last failed update time: Thu Sep 4 17:55:02 2025 CST
Last failed update method: Auto
Last failed update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Last failed update reason: File not found
---------------------------------------
Last attempted update time: Thu Sep 4 17:55:02 2025 CST
Last attempted update method: Auto
Last attempted update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
---------------------------------------
Total num of updates successful: 2
Num of attempts successful: 2
Num of attempts failed: 29
Total num of attempts: 31
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
---------------------------------------
Current status: Idle
2. Issue the 'utd threat-inspection signature update' command to perform a manual IPS Snort signature update, using the existing server configuration applied to the UTD Snort engine for the signature download.
Router#utd threat-inspection signature update
3. Issue the 'utd threat-inspection signature update server [cisco, url] username xxxxx password xxxxx force' command to force a manual IPS Snort signature update using the specified server parameters.
Router#utd threat-inspection signature update server [cisco, url] username xxxxx password xxxxx force
Example:
Router#utd threat-inspection signature update server url http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg force
% This operation may cause the UTD service to restart which will briefly interrupt services.
Proceed with signature update? [confirm]
Router#
*Sep 5 02:08:13.845: %IOSXE_UTD-4-SIG_UPDATE_EXEC: UTD signature update has been executed - A brief service interruption is expected
*Sep 5 02:08:35.007: %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Green => Red (3) for channel Threat DefenseQFP:0.0 Thread:001 TS:00000217689533745619
Router#
*Sep 5 02:08:42.671: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: UTD signature update succeeded - previous version: 31810.155.s - current version: 31810.156.s
Router#
*Sep 5 02:09:00.284: %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: RedQFP:0.0 Thread:001 TS:00000217714810090067
Router#show utd engine standard signature update status
Current signature package version: 31810.156.s
Current signature package name: UTD-STD-SIGNATURE-31810-156-S.pkg
Previous signature package version: 31810.155.s
---------------------------------------
Last update status: No New Package found
---------------------------------------
Last successful update time: Thu Sep 4 20:08:41 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg
Last successful update speed: 6344395 bytes in 27 secs
---------------------------------------
Last failed update time: Thu Sep 4 20:07:43 2025 CST
Last failed update method: Manual
Last failed update server: http://10.189.35.188/tftpboot/UTD-STD-SIGNATURE-31810-156-S.pkg
Last failed update reason: File not found
---------------------------------------
Last attempted update time: Thu Sep 4 20:10:29 2025 CST
Last attempted update method: Manual
Last attempted update server: http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg
---------------------------------------
Total num of updates successful: 3
Num of attempts successful: 4
Num of attempts failed: 30
Total num of attempts: 34
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
---------------------------------------
Current status: Idle
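To turn the status output above into a monitoring check, here is an added Python example (not from the Cisco document) that parses the 'show utd engine standard threat-inspection signature update status' output and flags a failed last update, a package older than a chosen number of days, a package name that disagrees with the reported version, or scheduled attempts that mostly fail. SAMPLE_STATUS is constructed from the page's own values; the 7-day threshold and the function names are assumptions of this example.

```python
"""Parse 'show utd engine standard threat-inspection signature update status' and
flag a stale or failing Snort signature feed. Added example, not from the Cisco
document: SAMPLE_STATUS is constructed from the output shown there; the 7-day
threshold and the wording of the findings are mine."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SAMPLE_STATUS = """\
Current signature package version: 31810.155.s
Current signature package name: UTD-STD-SIGNATURE-31810-155-S.pkg
Previous signature package version: 31810.154.s
---------------------------------------
Last update status: Failed
---------------------------------------
Last successful update time: Wed Sep 3 12:51:56 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.4.219/UTD-STD-SIGNATURE-31810-155-S.pkg
---------------------------------------
Last failed update time: Thu Sep 4 17:55:02 2025 CST
Last failed update method: Auto
Last failed update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Last failed update reason: File not found
---------------------------------------
Total num of updates successful: 2
Num of attempts successful: 2
Num of attempts failed: 29
Total num of attempts: 31
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
Current status: Idle
"""


def parse_update_status(text: str) -> Dict[str, str]:
    """Turn the 'key: value' lines into a dict; separator lines carry no ': ' and are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and not key.startswith("-"):
            fields[key] = value.strip()
    return fields


def parse_utd_time(value: str) -> datetime:
    """Parse e.g. 'Wed Sep 3 12:51:56 2025 CST'. The zone name is dropped (strptime's
    %Z accepts only a few names), so the result is naive router-local time."""
    parts = value.split()
    if len(parts) == 6:
        parts = parts[:5]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def version_from_package_name(name: str) -> Optional[str]:
    """'UTD-STD-SIGNATURE-31810-155-S.pkg' -> '31810.155.s', the form the engine
    reports, so the two fields can be cross-checked."""
    parts = name.rsplit(".", 1)[0].split("-")
    return ".".join(parts[-3:]).lower() if len(parts) >= 3 else None


def assess(status: Dict[str, str], now: datetime, max_age_days: int = 7) -> List[str]:
    """Return human-readable findings; an empty list means the feed looks healthy."""
    findings: List[str] = []
    if status.get("Last update status") == "Failed":
        findings.append("last update Failed: {} ({} update from {})".format(
            status.get("Last failed update reason", "unknown reason"),
            status.get("Last failed update method", "?"),
            status.get("Last failed update server", "?")))
    last_ok = status.get("Last successful update time")
    if not last_ok:
        findings.append("no successful signature update recorded")
    elif (age := now - parse_utd_time(last_ok)) > timedelta(days=max_age_days):
        findings.append(f"signature package is {age.days} days old (last success {last_ok})")
    name_ver = version_from_package_name(status.get("Current signature package name", ""))
    cur_ver = status.get("Current signature package version")
    if name_ver and cur_ver and name_ver != cur_ver:
        findings.append(f"package name says {name_ver} but engine reports {cur_ver}")
    failed = int(status.get("Num of attempts failed", "0"))
    ok = int(status.get("Num of attempts successful", "0"))
    if failed > ok:
        findings.append(f"{failed} failed vs {ok} successful attempts: scheduled updates mostly fail")
    return findings


def check_status(text: str, now_iso: str, max_age_days: int = 7) -> List[str]:
    """Convenience wrapper: raw CLI output plus an ISO-8601 timestamp for 'now'."""
    return assess(parse_update_status(text), datetime.fromisoformat(now_iso), max_age_days)


if __name__ == "__main__":
    for finding in check_status(SAMPLE_STATUS, "2025-09-05T09:00:00") or ["signature feed healthy"]:
        print("-", finding)
```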
Use the following show commands to monitor the traffic processed by the UTD Snort engine and to check the statistics related to traffic inspection.
Option 1. While the UTD Snort engine processes traffic, the 'received' and 'analyzed' counters in the following 'show utd engine standard statistics' output increase:
Router#show utd engine standard statistics
************************************
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 62069 <------------
analyzed: 62069 <------------
allow: 60634
block: 38
replace: 1
whitelist: 1396
idle: 763994
rx_bytes: 13778491
--------------------------------------------------
codec
total: 62069 (100.000%)
eth: 62069 (100.000%)
icmp4: 234 ( 0.377%)
icmp4_ip: 234 ( 0.377%)
ipv4: 62069 (100.000%)
tcp: 56168 ( 90.493%)
udp: 5667 ( 9.130%)
--------------------------------------------------
Option 2. In the 'show platform hardware qfp active feature utd stats' output below, the 'decaps' and 'Divert' counters increase when traffic is redirected from the router to the UTD Snort engine for inspection, and the 'encaps' and 'Reinject' counters increase when traffic is redirected from the UTD Snort engine back to the router:
Router#show platform hardware qfp active feature utd stats
Summary Statistics:
Policy
Active Connections 3
TCP Connections Created 83364
UDP Connections Created 532075
ICMP Connections Created 494
Channel Summary
Active Connections 3
decaps 1156574 <------------
encaps 1157144 <------------
Expired Connections 615930
Packet stats - Policy
Pkts dropped pkt 15802 byt 14111880
Pkts entered policy feature pkt 1306750 byt 363602774
Pkts slow path pkt 615933 byt 25317465
Packet stats - Channel Summary
Bypass pkt 25368 byt 4459074
Divert pkt 1157144 <------------ byt 301046050
Reinject pkt 1156574 <------------ byt 301015446
Would Drop Statistics (fail-open):
Policy
TCP SYN w/data packet 15802
Channel Summary
Stats were all zero
General Statistics:
Non Diverted Pkts to/from divert interface 2725
Inspection skipped - UTD policy not applicable 111161
Pkts Skipped - New pkt from RP 33139
Response Packet Seen 64766
Feature memory allocations 615933
Feature memory free 615930
Feature Object Delete 615930
Skipped - First-in-flow RST packets of a TCP flow 55
Diversion Statistics Summary:
SN offloaded flow 3282
Flows Bypassed as SN Unhealthy 25368
Service Node Statistics:
SN down 1
SN health green 13
SN health red 12
SN Health: Channel: Threat Defense : Green
AppNAV registration 2
AppNAV deregister 1
SN Health: Channel: Service : Down
Stats were all zero
TLS Decryption policy not enabled
Appnav Statistics:
No FO Drop pkt 0 byt 0
Option 3. When traffic is redirected from the router to the UTD Snort engine for inspection, the 'received' and 'analyzed' counters in the following 'show utd engine standard statistics internal' output increase. This output also shows more details and statistics about the traffic inspected by the UTD Snort engine:
Router# show utd engine standard statistics internal
************************************
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 62099 <------------
analyzed: 62099 <------------
allow: 60664
block: 38
replace: 1
whitelist: 1396
idle: 764287
rx_bytes: 13782351
--------------------------------------------------
codec
total: 62099 (100.000%)
eth: 62099 (100.000%)
icmp4: 234 ( 0.377%)
icmp4_ip: 234 ( 0.377%)
ipv4: 62099 (100.000%)
tcp: 56198 ( 90.497%)
udp: 5667 ( 9.126%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
appid
packets: 62099
processed_packets: 62087
ignored_packets: 12
total_sessions: 9091
service_cache_adds: 4
bytes_in_use: 608
items_in_use: 4
--------------------------------------------------
binder
raw_packets: 12
new_flows: 9091
service_changes: 4360
inspects: 9103
--------------------------------------------------
detection
analyzed: 62099
hard_evals: 234
raw_searches: 12471
cooked_searches: 5699
pkt_searches: 18170
pdu_searches: 14839
file_searches: 491
alerts: 3
total_alerts: 3
logged: 3
buf_dumps: 3
--------------------------------------------------
dns
packets: 5529
requests: 2780
responses: 2749
--------------------------------------------------
http_inspect
flows: 2449
scans: 10523
reassembles: 10523
inspections: 10317
requests: 2604
responses: 2309
get_requests: 1618
head_requests: 1
post_requests: 1
connect_requests: 984
request_bodies: 1
uri_normalizations: 1339
concurrent_sessions: 15
max_concurrent_sessions: 20
connect_tunnel_cutovers: 984
total_bytes: 1849394
--------------------------------------------------
normalizer
test_tcp_trim_win: 6
tcp_ips_data: 1
tcp_block: 38
--------------------------------------------------
pcre
pcre_rules: 6317
pcre_native: 6317
--------------------------------------------------
port_scan
packets: 62099
trackers: 96
bytes_in_use: 20736
--------------------------------------------------
search_engine
max_queued: 135
total_flushed: 52095
total_inserts: 66077
total_unique: 52095
non_qualified_events: 52326
qualified_events: 3
searched_bytes: 9498731
--------------------------------------------------
ssl
packets: 3281
decoded: 3281
client_hello: 927
server_hello: 927
certificate: 244
server_done: 711
client_key_exchange: 242
server_key_exchange: 242
change_cipher: 1160
client_application: 149
server_application: 1283
unrecognized_records: 19
sessions_ignored: 927
concurrent_sessions: 27
max_concurrent_sessions: 94
--------------------------------------------------
stream
flows: 9091
total_prunes: 7566
idle_prunes_proto_timeout: 7566
tcp_timeout_prunes: 5895
udp_timeout_prunes: 1561
icmp_timeout_prunes: 110
current_flows: 294
uni_flows: 249
--------------------------------------------------
stream_ip
sessions: 110
max: 110
created: 110
released: 110
total_bytes: 60371
--------------------------------------------------
stream_tcp
sessions: 7414
max: 7414
created: 7414
released: 7126
instantiated: 7414
setups: 7414
restarts: 3376
discards: 38
invalid_seq_num: 6
invalid_ack: 1
events: 39
syn_trackers: 7414
segs_queued: 12824
segs_released: 12710
segs_used: 7681
rebuilt_packets: 13601
rebuilt_bytes: 8945365
overlaps: 1
gaps: 1
memory: 208052
initializing: 246
established: 27
closing: 15
syns: 28310
syn_acks: 2449
resets: 358
fins: 2430
max_segs: 13
max_bytes: 15665
--------------------------------------------------
stream_udp
sessions: 1567
max: 1567
created: 1567
released: 1561
total_bytes: 743786
--------------------------------------------------
wizard
tcp_scans: 3376
tcp_hits: 3376
udp_scans: 118
udp_misses: 118
--------------------------------------------------
Appid Statistics
--------------------------------------------------
detected apps and services
Application: Services Clients Users Payloads Misc Referred
chrome: 0 101 0 0 0 0
dns: 1448 1449 0 0 0 0
firefox: 0 139 0 0 0 0
http: 2449 0 0 0 0 0
microsoft_update: 0 0 0 34 0 0
squid: 0 0 0 1144 0 0
unknown: 1 0 0 2416 0 0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
signals: 2
--------------------------------------------------
memory
start_up_use: 240250880
cur_in_use: 293490688
max_in_use: 294907904
epochs: 2718651
allocated: 198516408
deallocated: 168476672
app_all: 265459456
active: 274247680
resident: 281190400
retained: 12693504
Use the following show commands to monitor the Snort IPS signatures triggered, the IPS/IDS events generated, and the source and destination IP addresses involved.
Option 1. Use the 'show utd engine standard logging events [threat-inspection]' command to look up IPS/IDS events:
Router#show utd engine standard logging events [threat-inspection]
2025/09/03-15:03:42.946703 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:1417 -> 172.16.2.2:10
2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184
2025/09/03-16:10:12.705933 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:2184 -> 172.16.2.2:10
Option 2. Use the 'show utd engine standard logging statistics threat-inspection' command to look up the top IPS Snort signatures triggered in the past 24 hours and how many times each was triggered:
Router# show utd engine standard logging statistics threat-inspection
Top Signatures Triggered in the past 24 hours
---------------------------------------------------------------------
Signature-id Count Description
---------------------------------------------------------------------
122:7:2 137 portscan: TCP Filtered Portsweep
122:1:2 5 portscan: TCP Portscan
122:3:2 1 portscan: TCP Portsweep
Option 3. Use the 'show utd engine standard logging statistics threat-inspection detail' command to look up the top IPS Snort signatures triggered in the past 24 hours, how many times each was triggered, and the source and destination IP addresses that triggered each signature:
Router#show utd engine standard logging statistics threat-inspection detail
Top Signatures Triggered in the past 24 hours
Signature-id:122:7:2 Count: 137 Description:portscan: TCP Filtered Portsweep
---------------------------------------------------------------------
Source IP Destination IP VRF Count
---------------------------------------------------------------------
172.16.2.2 x.x.157.3 0 7
172.16.2.2 x.x.157.14 0 6
172.16.2.2 x.x.29.13 0 6
172.16.2.2 x.x.104.78 0 6
172.16.2.2 x.x.29.14 0 5
172.16.2.2 x.x.157.15 0 5
172.16.2.2 x.x.28.23 0 5
172.16.2.2 x.x.135.19 0 5
172.16.2.2 x.x.135.3 0 4
172.16.2.2 x.x.157.11 0 4
Signature-id:122:1:2 Count: 5 Description:portscan: TCP Portscan
---------------------------------------------------------------------
Source IP Destination IP VRF Count
---------------------------------------------------------------------
172.16.1.3 172.16.2.2 0 5
Signature-id:122:3:2 Count: 1 Description:portscan: TCP Portsweep
---------------------------------------------------------------------
Source IP Destination IP VRF Count
---------------------------------------------------------------------
172.16.2.2 172.16.1.3 0 1
Option 4. The UTD Snort engine monitors traffic and reports events to an external log server or to the IOS syslog. Enabling logging to the IOS syslog can affect performance because of the potential volume of log messages. External third-party monitoring tools that support Snort logs can be used for log collection and analysis.
Whenever the UTD Snort engine generates an IPS/IDS event, the router displays a syslog message like the one below:
Router# *Sep 3 22:10:18.544: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: 2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184
Note: UTD Snort engine logs are displayed in the router IOSd CLI only when 'logging syslog' is enabled under the 'utd engine standard' configuration of the UTD Snort engine.
When the UTD Snort engine is configured to send its logs to an external syslog server, you should see the UTD Snort engine logs on the remote syslog server, as shown below:
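As an added example that is not part of the Cisco document, the following Python parses UTD Snort alert lines in the format shown above, whether read from 'show utd engine standard logging events' or forwarded through the IOS syslog %IM-5-IOX_INST_NOTICE wrapper, and rebuilds the per-signature and per-source/destination summaries that 'show utd engine standard logging statistics threat-inspection [detail]' prints. The sample lines are constructed from the page's own alerts; the regular expression and function names are assumptions of this example.

```python
"""Parse UTD Snort IPS alert lines and rebuild the router's per-signature summary.
Added example, not from the Cisco document: the alert layout and the IOS syslog
%IM-5-IOX_INST_NOTICE wrapper follow the outputs shown there, and SAMPLE_LINES
are constructed from them (plus one non-alert line to show it is skipped)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Alert body as written by the UTD Snort engine; a line read via IOS syslog has a
# '... IOX SERVICE UTD LOG: ' prefix that the optional first group skips. Ports are
# optional so an ICMP alert ({ICMP} a.b.c.d -> e.f.g.h) also parses.
ALERT_RE = re.compile(
    r"(?:.*?IOX SERVICE UTD LOG: )?"
    r"(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) (?P<tz>\S+) \[\*\*\] "
    r"\[Hostname: (?P<host>[^\]]+)\] \[\*\*\] \[Instance_ID: \d+\] \[\*\*\] "
    r"(?P<action>\w+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] \[VRF: (?P<vrf>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    action: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    vrf: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    @property
    def sig_id(self) -> str:
        """GID:SID:rev as the router prints it, e.g. '122:1:2'."""
        return f"{self.gid}:{self.sid}:{self.rev}"


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a bare or syslog-wrapped UTD alert line, else None."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return Alert(
        timestamp=f"{m['ts']} {m['tz']}", host=m["host"], action=m["action"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]), msg=m["msg"],
        classification=m["cls"], priority=int(m["prio"]), vrf=int(m["vrf"]),
        proto=m["proto"], src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_alerts(lines: Iterable[str]) -> List[Alert]:
    """Parse many lines, dropping anything that is not a UTD alert."""
    return [a for a in map(parse_alert, lines) if a is not None]


def top_signatures(alerts: Iterable[Alert], limit: int = 10) -> List[Tuple[str, int, str]]:
    """(sig_id, count, description), most frequent first: the 'Top Signatures Triggered' table."""
    alerts = list(alerts)
    counts = Counter(a.sig_id for a in alerts)
    descr = {a.sig_id: a.msg for a in alerts}
    return [(sig, n, descr[sig]) for sig, n in counts.most_common(limit)]


def top_pairs(alerts: Iterable[Alert], sig_id: str, limit: int = 10) -> List[Tuple[Tuple[str, str, int], int]]:
    """((src, dst, vrf), count) for one signature: the table of the 'detail' output."""
    counts = Counter((a.src, a.dst, a.vrf) for a in alerts if a.sig_id == sig_id)
    return counts.most_common(limit)


# Constructed from the alerts shown in the document; the last line is syslog noise.
SAMPLE_LINES = [
    "2025/09/03-15:03:42.946703 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] "
    "[122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] "
    "[Priority: 2] [VRF: 0] {TCP} 172.16.1.3:1417 -> 172.16.2.2:10",
    "*Sep 3 22:10:18.544: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: "
    "2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] "
    "[122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] "
    "[Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184",
    "2025/09/03-16:10:12.705933 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] "
    "[122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] "
    "[Priority: 2] [VRF: 0] {TCP} 172.16.1.3:2184 -> 172.16.2.2:10",
    "*Sep 3 22:10:19.001: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: not a UTD alert (constructed)",
]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LINES)
    for sig, n, descr in top_signatures(alerts):
        print(f"{sig:<12}{n:>6}  {descr}")
        for (src, dst, vrf), count in top_pairs(alerts, sig):
            print(f"    {src:<16}{dst:<16}{vrf:<4}{count}")
```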
Use the following commands to display the active, drop and alert IPS Snort signatures of the UTD Snort engine, depending on the policy configuration in use (balanced, connectivity or security).
Option 1. Follow the steps below to display the list of active IPS Snort signatures for the security policy.
Router#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Occurs-at : daily ; Hour: 17; Minute: 55
Logging:
Server : IOS Syslog; 172.16.2.2
Level : debug
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Disabled
Whitelist Signature IDs:
Port Scan : Enabled
Sense level : High
Web-Filter : Disabled
Router#utd threat-inspection signature active-list write-to bootflash:siglist_security
Router#more bootflash:siglist_security
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Security
Total no. of active signatures: 23398
Total no. of drop signatures: 22625
Total no. of alert signatures: 773
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 13418, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt;
sigid: 13897, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-MULTIMEDIA Apple QuickTime crgn atom parsing stack buffer overflow attempt;
sigid: 14263, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: POLICY-SOCIAL Pidgin MSNP2P message integer overflow attempt;
sigid: 15968, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt;
sigid: 15975, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-IMAGE OpenOffice TIFF parsing integer overflow attempt;
sigid: 15976, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-IMAGE OpenOffice TIFF parsing integer overflow attempt;
sigid: 16232, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: OS-WINDOWS Microsoft Windows EOT font parsing integer overflow attempt;
sigid: 16343, gid:3, log-level:3, action: drop, class-type: misc-activity, Descr: FILE-PDF PDF header obfuscation attempt;
sigid: 16394, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt;
sigid: 16728, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: NETBIOS Samba SMB1 chain_reply function memory corruption attempt;
sigid: 17647, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-FLASH Adobe Flash Player DefineSceneAndFrameLabelData memory corruption attempt;
sigid: 17665, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OFFICE OpenOffice Word document table parsing heap buffer overflow attempt;
sigid: 17741, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER MIT Kerberos asn1_decode_generaltime uninitialized pointer free attempt;
[omitted output]
Option 2. Follow these steps to display the list of active IPS Snort signatures for the Connectivity policy.
Router#show utd engine standard config
UTD Engine Standard Configuration:
  VirtualPortGroup Id: 1
  IPS/IDS : Enabled
    Operation Mode : Intrusion Prevention
    Policy : Connectivity
  Signature Update:
    Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
    Occurs-at : daily ; Hour: 17; Minute: 55
  Logging:
    Server : IOS Syslog; 172.16.2.2
    Level : debug
    Statistics : Enabled
    Hostname : router
    System IP : Not set
  Whitelist : Disabled
  Whitelist Signature IDs:
  Port Scan : Enabled
    Sense level : High
  Web-Filter : Disabled
Router#utd threat-inspection signature active-list write-to bootflash:siglist_connectivity
Router#more bootflash:siglist_connectivity
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Connectivity
Total no. of active signatures: 597
Total no. of drop signatures: 494
Total no. of alert signatures: 103
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 30282, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30283, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30942, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt;
sigid: 30943, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt;
sigid: 35897, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt;
sigid: 35898, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt;
sigid: 35902, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt;
sigid: 35903, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt;
sigid: 35926, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-WEBAPP Oracle Identity Management authorization bypass attempt;
sigid: 35927, gid:3, log-level:1, action: drop, class-type: policy-violation, Descr: SERVER-WEBAPP Oracle Identity Management remote file execution attempt;
sigid: 38671, gid:3, log-level:1, action: drop, class-type: attempted-user,
[omitted output]
Option 3. Follow these steps to display the list of active IPS Snort signatures for the Balanced policy.
Router#show utd engine standard config
UTD Engine Standard Configuration:
  VirtualPortGroup Id: 1
  IPS/IDS : Enabled
    Operation Mode : Intrusion Prevention
    Policy : Balanced
  Signature Update:
    Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
    Occurs-at : daily ; Hour: 17; Minute: 55
  Logging:
    Server : IOS Syslog; 172.16.2.2
    Level : debug
    Statistics : Enabled
    Hostname : router
    System IP : Not set
  Whitelist : Disabled
  Whitelist Signature IDs:
  Port Scan : Enabled
    Sense level : High
  Web-Filter : Disabled
Router#utd threat-inspection signature active-list write-to bootflash:siglist_balanced
Router#more bootflash:siglist_balanced
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Balanced
Total no. of active signatures: 10033
Total no. of drop signatures: 9534
Total no. of alert signatures: 499
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 30282, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30283, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30887, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER Cisco Tshell command injection attempt;
sigid: 30888, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER Cisco Tshell command injection attempt;
sigid: 30902, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ;
sigid: 30903, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ;
sigid: 30912, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt;
sigid: 30913, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt;
sigid: 30921, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt;
sigid: 30922, gid:3, log-level:1, action: drop, class-type: attempted-user, Descr: FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt;
sigid: 30929, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER Cisco RV180 VPN CSRF attempt;
[omitted output]
Note: To display the active IPS Snort signatures for the Balanced, Connectivity or Security policy, the UTD Snort engine must be running the corresponding policy mode that you want to view.
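The siglist file written by "utd threat-inspection signature active-list write-to" is large (tens of thousands of one-line entries for the Security policy), so it is usually inspected offline rather than paged through with "more". The following Python is an added example, not code from this document or from Cisco: it parses the file layout shown above (header totals followed by "sigid: …, gid:…, log-level:…, action: …, class-type: …, Descr: …;" lines), checks that the declared totals match the entries actually present (a mismatch normally means a truncated capture), and summarises the policy by action, class-type and log-level. The sample file embedded in the block is constructed for the demo; its totals are set to match its three entries, and the "alert" entry with sigid 1 is a placeholder, not a real Snort signature.

```python
import re
from collections import Counter

# Constructed sample in the layout of the `more bootflash:siglist_*` file
# written by `utd threat-inspection signature active-list write-to`.
# The header totals are set to match the three entries below; the entry
# with sigid 1 is a placeholder used only to exercise the "alert" action.
SAMPLE_SIGLIST = """\
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Security
Total no. of active signatures: 3
Total no. of drop signatures: 2
Total no. of alert signatures: 1
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 13418, gid:3, log-level:2, action: drop, class-type: attempted-dos, Descr: SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt;
sigid: 1, gid:1, log-level:3, action: alert, class-type: misc-activity, Descr: EXAMPLE constructed alert entry for this demo;
sigid: 30929, gid:3, log-level:1, action: drop, class-type: attempted-admin, Descr: SERVER-OTHER Cisco RV180 VPN CSRF attempt ;
"""

# One signature per line; the description runs up to the terminating ';'
# (some entries carry a space before the ';', so it is tolerated).
ENTRY_RE = re.compile(
    r"^sigid:\s*(?P<sigid>\d+),\s*gid:\s*(?P<gid>\d+),\s*log-level:\s*(?P<level>\d+),"
    r"\s*action:\s*(?P<action>\w+),\s*class-type:\s*(?P<ctype>[\w-]+),"
    r"\s*Descr:\s*(?P<descr>.*?)\s*;\s*$"
)
TOTAL_RE = re.compile(r"^Total no\. of (active|drop|alert) signatures:\s*(\d+)")
META_RE = re.compile(r"^Signature (Package Version|Ruleset):\s*(.+?)\s*$")


def parse_siglist(text):
    """Parse a siglist file into package metadata, declared totals and entries."""
    parsed = {"version": None, "ruleset": None, "totals": {}, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = META_RE.match(line)
        if m:
            key = "version" if m.group(1) == "Package Version" else "ruleset"
            parsed[key] = m.group(2)
            continue
        m = TOTAL_RE.match(line)
        if m:
            parsed["totals"][m.group(1)] = int(m.group(2))
            continue
        m = ENTRY_RE.match(line)
        if m:
            parsed["entries"].append({
                "sigid": int(m.group("sigid")),
                "gid": int(m.group("gid")),
                "log_level": int(m.group("level")),
                "action": m.group("action"),
                "class_type": m.group("ctype"),
                "descr": m.group("descr"),
            })
    return parsed


def check_totals(parsed):
    """Return mismatches between the header totals and the entries present.

    An empty list means the file is internally consistent; a mismatch usually
    means the capture was truncated (for example a paginated `more` cut short).
    """
    by_action = Counter(e["action"] for e in parsed["entries"])
    observed = {
        "active": len(parsed["entries"]),
        "drop": by_action.get("drop", 0),
        "alert": by_action.get("alert", 0),
    }
    return [
        f"{name}: header declares {declared}, file contains {observed.get(name, 0)}"
        for name, declared in parsed["totals"].items()
        if observed.get(name, 0) != declared
    ]


def summarize(entries):
    """Count entries by action, class-type and log-level."""
    return {
        "action": Counter(e["action"] for e in entries),
        "class_type": Counter(e["class_type"] for e in entries),
        "log_level": Counter(e["log_level"] for e in entries),
    }


def find_sigid(entries, sigid):
    """Look up one signature by sigid; None means the active policy does not enable it."""
    return next((e for e in entries if e["sigid"] == sigid), None)


if __name__ == "__main__":
    result = parse_siglist(SAMPLE_SIGLIST)
    print(result["ruleset"], result["version"], result["totals"])
    print(summarize(result["entries"])["class_type"])
    print("consistency problems:", check_totals(result) or "none")
    print(find_sigid(result["entries"], 30929))
```

To use it on a real capture, copy the siglist file off the router (for example with copy bootflash:siglist_security to a TFTP or SCP server) and pass its contents to parse_siglist; find_sigid then answers the question the note above raises, namely whether a given sigid is active under the policy mode the engine is currently running.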
1. Ensure the Cisco Integrated Services Router (ISR) runs XE 16.10.1a or later (for the IOx method).
2. Ensure the Cisco Integrated Services Router (ISR) is licensed with the SecurityK9 feature enabled.
3. Verify that the ISR hardware model meets the minimum resource profile.
4. The UTD Snort engine is not compatible with Zone-Based Firewall SYN-cookie or Network Address Translation 64 (NAT64).
5. Confirm that the UTD Snort engine service is started after installation.
6. When the signature package is downloaded manually, ensure the package version matches the Snort engine version. If the versions do not match, the signature package update can fail.
7. If performance issues occur, check UTD CPU, memory and storage with "show app-hosting resource" and "show app-hosting utilization appid UTD-NAME".
Router#show app-hosting resource
CPU:
  Quota: 75(Percentage)
  Available: 50(Percentage)
VCPU:
  Count: 6
Memory:
  Quota: 10240(MB)
  Available: 9216(MB)
Storage device: bootflash
  Quota: 4000(MB)
  Available: 4000(MB)
Storage device: harddisk
  Quota: 20000(MB)
  Available: 19029(MB)
Storage device: volume-group
  Quota: 190768(MB)
  Available: 169536(MB)
Storage device: CAF persist-disk
  Quota: 20159(MB)
  Available: 18078(MB)
Router#show app-hosting utilization appid utd
Application: utd
CPU Utilization:
  CPU Allocation: 33 %
  CPU Used: 3 %
Memory Utilization:
  Memory Allocation: 1024 MB
  Memory Used: 117632 KB
Disk Utilization:
  Disk Allocation: 711 MB
  Disk Used: 451746 KB
Warning: If you confirm that the UTD Snort engine is experiencing high CPU, memory or disk usage, contact Cisco TAC.
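The two outputs above mix units ("Memory Used" is reported in KB against an allocation in MB, CPU in percent), which makes a quick eyeball check of "how close is the container to its allocation" error-prone. The following Python is an added example, not code from this document or from Cisco: it parses both outputs in the layout shown above, normalises memory and disk to MB, computes the percentage of each allocation in use and the headroom left in each platform quota, and flags resources above a threshold. The sample outputs are constructed copies of the figures above, and the 80% threshold is an assumed example value (the page gives no numeric threshold, only the advice to contact Cisco TAC when usage is high). The CPU percentage assumes "CPU Used" and "CPU Allocation" share the same base, which is also an assumption.

```python
import re

# Constructed samples in the layout of `show app-hosting resource` and
# `show app-hosting utilization appid utd`, using the figures shown above.
SAMPLE_RESOURCE = """\
CPU:
  Quota: 75(Percentage)
  Available: 50(Percentage)
VCPU:
  Count: 6
Memory:
  Quota: 10240(MB)
  Available: 9216(MB)
Storage device: bootflash
  Quota: 4000(MB)
  Available: 4000(MB)
Storage device: harddisk
  Quota: 20000(MB)
  Available: 19029(MB)
"""

SAMPLE_UTILIZATION = """\
Application: utd
CPU Utilization:
  CPU Allocation: 33 %
  CPU Used: 3 %
Memory Utilization:
  Memory Allocation: 1024 MB
  Memory Used: 117632 KB
Disk Utilization:
  Disk Allocation: 711 MB
  Disk Used: 451746 KB
"""

UNIT_TO_MB = {"KB": 1 / 1024, "MB": 1.0, "GB": 1024.0}
UTIL_RE = re.compile(r"^(CPU|Memory|Disk) (Allocation|Used):\s*(\d+)\s*(%|KB|MB|GB)$")
SECTION_RE = re.compile(r"^(CPU|VCPU|Memory):$|^Storage device:\s*(.+)$")
VALUE_RE = re.compile(r"^(Quota|Available|Count):\s*(\d+)\(?(\w+)?\)?$")


def parse_utilization(text):
    """Return {"CPU": {...}, "Memory": {...}, "Disk": {...}} with 'pct' of allocation used.

    Memory and Disk are normalised to MB so the KB "Used" figure can be
    compared with the MB "Allocation"; CPU values stay in percent.
    """
    usage = {}
    for raw in text.splitlines():
        m = UTIL_RE.match(raw.strip())
        if not m:
            continue
        res, field, value, unit = m.groups()
        num = float(value) * (1.0 if unit == "%" else UNIT_TO_MB[unit])
        usage.setdefault(res, {})[field.lower()] = num
    for d in usage.values():
        if d.get("allocation"):
            # Assumption: for CPU, "Used" and "Allocation" share the same base.
            d["pct"] = 100.0 * d["used"] / d["allocation"]
    return usage


def parse_resource(text):
    """Return {section: {"quota": n, "available": n, ...}} from show app-hosting resource."""
    resources, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1) or m.group(2)
            resources[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            resources[current][m.group(1).lower()] = int(m.group(2))
            if m.group(3):
                resources[current]["unit"] = m.group(3)
    return resources


def headroom(resources):
    """Percent of each platform quota still available (sections with a quota only)."""
    return {name: round(100.0 * d["available"] / d["quota"], 1)
            for name, d in resources.items() if d.get("quota")}


def flag_high(usage, threshold_pct=80.0):
    """Names of container resources at or above the threshold (80% is an assumed value)."""
    return sorted(r for r, d in usage.items() if d.get("pct", 0.0) >= threshold_pct)


if __name__ == "__main__":
    util = parse_utilization(SAMPLE_UTILIZATION)
    for name, d in util.items():
        print(f"{name}: {d['pct']:.1f}% of allocation in use")
    print("platform headroom:", headroom(parse_resource(SAMPLE_RESOURCE)))
    print("above threshold:", flag_high(util) or "none")
```

With the figures above the container is at roughly 11% of its memory allocation and 62% of its disk allocation, so nothing trips the assumed 80% threshold; the disk figure is the one worth watching, since signature packages and logs grow while the allocation does not.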
To troubleshoot, use the debug commands listed below to collect more details from the UTD Snort engine.
debug virtual-service all
debug virtual-service virtualPortGroup
debug virtual-service messaging
debug virtual-service timeout
debug utd config level error [error, info, warning]
debug utd engine standard all
Warning: Running debug commands during production hours can significantly increase CPU, memory or disk utilization on the UTD Snort engine or the router, which can affect traffic and system stability. Use debug commands sparingly, preferably during a maintenance window, and disable them as soon as the required data has been collected. If elevated resource usage or service impact is observed, stop debugging and contact Cisco TAC.
Additional documentation related to UTD Snort IPS deployment can be found at:
CSCwf57595 ISR4K Snort IPS not deployed because the hardware does not have sufficient platform resources
Revision | Publish Date | Comments |
---|---|---|
3.0 | 17-Sep-2025 | Initial Release |
1.0 | 11-Jul-2023 | Initial Release |