在思科整合多業務路由器1000、4000、CSR和ISRv系列上部署UTD Snort IPS
目錄
簡介
本文說明如何使用IOx方法在Cisco整合多業務路由器ISR1K、ISR4K、CSR和ISRv系列上部署UTD Snort IPS引擎。
必要條件
需求
思科建議您瞭解以下主題:
- 思科整合多業務路由器ISR1K、ISR4K、CSR和ISRv系列,至少帶8GB DRAM
- 基本IOS-XE命令知識
- 基本UTD Snort IPS知識
- 需要提供1年或3年的簽名IPS snort訂用
- IOS-XE 16.10.1a及更高版本
採用元件
本文中的資訊係根據以下軟體和硬體版本:
- 運行17.9.3a版的ISR1K、ISR4K、CSR和ISRv系列
- UTD Snort引擎版本17.9.3a
- 用於ISR1K、ISR4K、CSR和ISRv系列的SecurityK9許可證
VMAN方法現在已棄用。
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路運作中,請確保您瞭解任何指令可能造成的影響。
背景資訊
統一威脅防禦(UTD)Snort IPS功能為思科整合多業務路由器ISR1K、ISR4K、CSR和ISRv系列上的分支機構啟用入侵防禦系統(IPS)或入侵檢測系統(IDS)。此功能使用開源Snort啟用IPS或IDS功能。
Snort是一種開源IPS,它執行即時流量分析,並在IP網路上檢測到威脅時生成警報。它還可以執行協定分析、內容搜尋或行進,並檢測各種攻擊和探測,如緩衝區溢位、隱藏埠掃描等。UTD Snort引擎在思科整合多業務路由器ISR1K、ISR4K、CSR和ISRv系列上作為虛擬容器服務運行。
UTD Snort IPS為思科整合多業務路由器ISR1K、ISR4K、CSR和ISRv系列提供IPS或IDS功能。
- UTD監控網路流量,並根據定義的規則集分析流量。
- UTD執行連線分類。
- UTD會針對匹配的規則呼叫操作。
基於網路要求。UTD Snort IPS可以作為IPS或IDS啟用:
- 在IDS模式下:UTD Snort引擎會檢查流量並報告警報,但不會採取任何操作來防止攻擊。
- 在IPS模式下:UTD Snort引擎會像IDS一樣檢查流量並報告警報,但會採取措施來防止攻擊。
UTD Snort IPS作為服務在路由器ISR1K、ISR4K、CSR和ISRv系列上運行。服務容器使用虛擬化技術為應用提供思科裝置上的託管環境。Snort流量檢測在每個介面上啟用,或在所有支援的介面上全域性啟用。
UTD Snort引擎IPS解決方案
UTD Snort引擎IPS解決方案由以下實體組成:
-
Snort感測器 — 監視通訊量以根據配置的安全策略(包括簽名、統計資訊、協定分析等)檢測異常,並將警報消息傳送到警報/報告伺服器。Snort感測器在路由器上部署為虛擬容器服務。
-
特徵碼庫 — 託管定期更新的思科特徵碼包。這些特徵碼包將定期或按需下載到Snort感測器。經驗證的簽名軟體包發佈到Cisco.com。根據配置,簽名軟體包可以從Cisco.com或本地伺服器下載。
在從cisco.com下載特徵碼包的過程中,路由器可以訪問以下域:
-
api.cisco.com
-
apx.cisco.com
-
cloudsso.cisco.com
-
cloudsso-test.cisco.com
-
cloudsso-test3.cisco.com
-
cloudsso-test4.cisco.com
-
cloudsso-test5.cisco.com
-
cloudsso-test6.cisco.com
-
cloudsso.cisco.com
-
download-ssc.cisco.com
-
dl.cisco.com
-
resolver1.opendns.com
-
resolver2.opendns.com
在Snort感測器可以檢索簽名軟體包之前,必須使用Cisco.com憑據將其從Cisco.com手動下載到本地伺服器。
-
-
警報/報告服務器 — 從Snort感測器接收警報事件。Snort感測器生成的警報事件可以傳送到IOS系統日誌或外部系統日誌伺服器,或者同時傳送到IOS系統日誌和外部系統日誌伺服器。Snort IPS解決方案未捆綁任何外部日誌伺服器。
-
管理 — 管理Snort IPS解決方案。使用IOS CLI配置管理。不能直接訪問Snort感測器,所有配置只能使用IOS CLI完成。
許可證要求
以下是UTD Snort引擎的許可要求:
- ISR1K、ISR4K路由器、CSR和ISRv需要安全K9許可證。此外,簽名訂用也需要1年或3年,有兩種訂用:
a)社群簽名包:社區簽名包規則集提供有限的威脅覆蓋範圍。
b)基於訂戶的簽名包:基於訂戶的簽名包規則集提供抵禦威脅的最佳保護。 它包括在攻擊前提供保護,還可以為響應安全事件或主動發現新威脅提供最快的對更新特徵碼的訪問。思科完全支援此訂閱,並將在Cisco.com上持續更新該包。
UTD Snort訂戶簽名包可以從software.cisco.com下載,而snort簽名資訊可在snort.org上找到。
此外,您還可以使用以下snort.org Rule Documentation Search工具查詢特定的Snort IPS特徵碼ID。
- 在支援的平台部分中提到的Catalyst 8000邊緣路由器上需要DNA-Essentials許可證,才能使用IPS/Snort。
支援的平台
以下是UTD Snort引擎支援的平台:
- ISR 4461、4451、4431、4351、4331、4321、4221X、4221、CSR、ISRv和ISR 1K(從17.2.1r版本開始,X PID,如1111X、1121X、1161X等,僅支援8GB DRAM)
- Catalyst 8500L、8300、8200、8000V。
限制
以下限制適用於UTD Snort引擎:
- 只有tcp、udp和icmp封包將轉送到UTD snort引擎進行檢查
- 只有通過機箱的流量才會轉送到UTD Snort引擎進行檢查
限制
以下限制適用於UTD Snort引擎:
-
在Cisco 4000系列ISR上啟用Boost許可證時,無法為Snort IPS配置虛擬服務容器。
-
與基於區域的防火牆SYN-cookie功能不相容。
-
不支援網路地址轉換64(NAT64)。
-
開源Snort中的SNMP輪詢需要SnortSnmpPlugin。Snort IPS不支援SNMP輪詢功能或MIB,因為SnortSnmp外掛未安裝在UTD上。
-
- IOS系統日誌受速率限制,因此Snort生成的所有警報可能無法通過IOS系統日誌看到。但是,如果將所有Syslog消息匯出到外部syslog伺服器,則可以檢視這些消息。
UTD Snort引擎IPS下載連結
以下是用於下載UTD Snort IPS引擎軟體映像檔案的Cisco連結,該檔案用於在Cisco路由器上安裝UTD Snort引擎。此外,您還可以找到UTD Snort訂戶簽名軟體包檔案,以下載UTD Snort IPS簽名,具體取決於運行的UTD Snort引擎版本。
- Catalyst 8500L -https://software.cisco.com/download/home/286324574/type
- Catalyst 8300 -https://software.cisco.com/download/home/286324476/type
- Catalyst 8200 -https://software.cisco.com/download/home/286324472/type
- Catalyst 8000V -https://software.cisco.com/download/home/286327102/type
網路圖表
設定
UTD Snort引擎安裝
步驟1.為UTD Snort引擎配置VirtualPortGroup介面,配置兩個埠組:
- 用於管理流量的VirtualPortGroup0:此VirtualPortGroup將用於將日誌源到日誌收集器,以及從Cisco.com提取簽名更新。
- 用於資料流量的VirtualPortGroup1:此VirtualPortGroup將用於傳送和接收標籤為待檢查的資料包,這些資料包到達資料平面進行IPS檢查。
Router#configure terminal
Router(config)#interface VirtualPortGroup0
Router(config-if)#description Management Interface
Router(config-if)#ip address 192.168.1.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface VirtualPortGroup1
Router(config-if)#description Data Interface
Router(config-if)#ip address 192.168.2.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
步驟 2. 在全域性配置模式下啟用IOx環境。
Router(config)#iox
步驟3.然後啟用虛擬服務並配置訪客IP,為此,請使用vnic配置配置應用託管。
Router(config)#app-hosting appid UTD
Router(config-app-hosting)#app-vnic gateway0 virtualportgroup 0 guest-interface 0
Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.1.2 netmask 255.255.255.252
Router(config-app-hosting-gateway0)#exit
Router(config-app-hosting)#app-vnic gateway1 virtualportgroup 1 guest-interface 1
Router(config-app-hosting-gateway0)#guest-ipaddress 192.168.2.2 netmask 255.255.255.252
Router(config-app-hosting-gateway0)#exit
步驟4(可選)。 配置資源配置檔案。
Router(config-app-hosting)#app-resource package-profile low [low,medium,high]
Router(config-app-hosting)#end
步驟5. 將UTD Snort IPS引擎軟體檔案複製到路由器快閃記憶體中,然後按如下所示使用UTD.tar檔案安裝應用託管。
Router#app-hosting install appid UTD package bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar
應看到下一組系統日誌,指示UTD服務已正確安裝。
Installing package 'bootflash:iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for 'utd'. Use 'show app-hosting list' for progress.
*Jun 26 19:25:35.975: %VMAN-5-PACKAGE_SIGNING_LEVEL_ON_INSTALL: R0/0: vman: Package 'iox-iosxe-utd.16.12.08.1.0.24_SV2.9.16.1_XE16.12.x86_64.tar' for service container 'utd' is 'Cisco signed', signing level cached on original install is 'Cisco signed'
*Jun 26 19:25:50.746: %VIRT_SERVICE-5-INSTALL_STATE: Successfully installed virtual service utd
*Jun 26 19:25:53.176: %IM-6-INSTALL_MSG: R0/0: ioxman: app-hosting: Install succeeded: utd installed successfully Current state is deployed
步驟6.啟動應用程式託管服務。
Router#configure terminal
Router(config)#app-hosting appid UTD
Router(config-app-hosting)#start
Router(config-app-hosting)#end
應看到下一條syslog消息,指示UTD服務已正確安裝。
*Jun 26 19:55:05.362: %VIRT_SERVICE-5-ACTIVATION_STATE: Successfully activated virtual service UTD
*Jun 26 19:55:07.412: %IM-6-START_MSG: R0/0: ioxman: app-hosting: Start succeeded: UTD started successfully Current state is running
將UTD Snort引擎配置為IPS或IDS
成功安裝後,必須為UTD Snort引擎配置服務平面。UTD Snort引擎可配置為入侵防禦系統(IPS)或入侵檢測系統(IDS)以進行流量檢測。
步驟1.設定整合威脅防禦(UTD)標準引擎(服務平面)
Router#configure terminal
Router(config)#utd engine standard
步驟2.啟用UTD Snort引擎到遠端伺服器和IOSd系統日誌的日誌記錄。
Router(config-utd-eng-std)#logging host 192.168.10.5
Router(config-utd-eng-std)#logging syslog
附註:UTD Snort IPS會監控流量,並向外部日誌伺服器或IOS系統日誌報告事件。啟用日誌記錄到IOS系統日誌可能會由於日誌消息的潛在數量而影響效能。支援Snort日誌的外部第三方監視工具可用於日誌收集和分析。
步驟3.為Snort引擎啟用威脅檢測。
Router(config-utd-eng-std)#threat-inspection
步驟4.將威脅檢測(IDS)或入侵防禦系統(IPS)配置為Snort引擎的操作模式。
Router(config-utd-engstd-insp)#threat [protection,detection]
步驟5.為Snort引擎配置安全策略。
Router(config-utd-engstd-insp)#policy [balanced, connectivity, security]
Router(config-utd-engstd-insp)#exit
Router(config-utd-eng-std)#exit
步驟6(可選)。 啟用UTD允許清單(白名單)配置。
Router#configure terminal
Router(config)#utd threat-inspection whitelist
第7步(可選)。 配置要包括在白名單中的IPS Snort特徵碼ID。
Router(config-utd-whitelist)#generator id 40 signature id 54621 comment FILE-OFFICE traffic
or
Router(config-utd-whitelist)#signature id 13418 comment "whitelisted the IPS signature 13418"
第8步(可選)。 啟用威脅檢測配置上的允許清單。
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#whitelist
步驟9.配置特徵碼更新間隔以自動下載Snort特徵碼。
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#signature update occur-at [daily, monthly, weekly] 0 0
步驟10.配置UTD Snort引擎簽名更新伺服器引數。
Router(config-utd-engstd-insp)#signature update server [cisco, url] username xxxx password xxxx
Example - Configuring signature updates from a Cisco Server:
Router(config-utd-engstd-insp)#signature update server cisco username xxxx password xxxx
or
Example - Configuring signature updates from a Local server:
Router(config-utd-engstd-insp)#signature update server url http://x.x.x.x/UTD-STD-SIGNATURE-31810-155-S.pkg
步驟11.啟用UTD Snort引擎日誌記錄級別和威脅檢測警報統計資訊的日誌記錄:
Router#config terminal
Router(config)#utd engine standard
Router(config-utd-eng-std)#threat-inspection
Router(config-utd-engstd-insp)#logging level [alert,crit,debug,emerg,info,notice,warning]
Router(config-utd-engstd-insp)#logging statistics enable
Router(config-utd-engstd-insp)#exit
Router(config-utd-eng-std)#exit
步驟12.啟用utd服務。
Router#configure terminal
Router(config)#utd
步驟13(可選)。 將資料流量從VirtualPortGroup介面重定向到UTD服務。
Router#configure terminal
Router(config)#utd
Router(config-utd)#redirect interface virtualPortGroup
步驟14.啟用UTD IPS引擎以檢查來自路由器上所有第3層介面的流量。
Router(config-utd)#all-interfaces
步驟15.啟用引擎標準。
Router(config-utd)#engine standard
應看到下一條syslog消息,指示UTD Snort引擎已正確啟用:
*Jun 27 23:41:03.062: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jun 27 23:41:13.039: %IOSXE-2-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008501210250689 %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Down => Red (3) for channel Threat Defense
*Jun 27 23:41:22.457: %IOSXE-5-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000008510628353985 %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: Red
第16步(可選)。 定義故障期間UTD Snort引擎的操作(UTD資料平面)
Router(config-engine-std)#fail open
Router(config-engine-std)#end
步驟17.儲存路由器配置。
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#
適用於UTD Snort引擎的連線埠掃描檢查器
UTD Snort引擎具有埠掃描功能。埠掃描是一種網路偵測形式,攻擊者通常將其用作攻擊的前奏。在埠掃描中,攻擊者傳送旨在探測目標主機上的網路協定和服務的資料包。通過檢查主機響應傳送的資料包,攻擊者可以確定主機上哪些埠是開啟的,以及直接或推斷出哪些應用協定在這些埠上運行。
埠掃描本身並不能證明存在攻擊。網路上的合法使用者可能使用攻擊者使用的類似埠掃描技術。
por_scan檢查器檢測四種型別的portscan,並監控TCP、UDP、ICMP和IP協定上的連線嘗試。通過檢測活動模式,port_scan檢查器可幫助您確定哪些埠掃描可能是惡意的。
根據目標主機數量、掃描主機數量和掃描的埠數量,埠掃描通常分為四種型別。
埠掃描檢查器規則
下面的表3.顯示了埠掃描檢查器規則。
埠掃描敏感級別
port_scan檢查器為UTD Snort引擎提供三個預設掃描敏感級別:
- 高port_scan
- 低port_scan
- Medium port_scan
為UTD Snort引擎配置埠掃描檢查器
步驟1.設定整合威脅防禦(UTD)標準引擎(服務平面)
Router#configure terminal
Router(config)#utd engine standard
步驟2.為UTD Snort引擎啟用威脅檢測。
Router(config-utd-eng-std)#threat-inspection
步驟3.然後啟用port_scan。
Router(config-utd-engstd-insp)#port-scan
步驟4.設定port_scan敏感級別,可用的選項包括「高」、「中」或「低」。
Router(config-utd-threat-port-scan)# sense level [high | low | medium]
Example:
Router(config-utd-threat-port-scan)# sense level high
步驟5.啟用port_scan並配置UTD Snort引擎的敏感級別後,使用「show utd engine standard config」命令驗證port_scan配置。
Router#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Occurs-at : daily ; Hour: 17; Minute: 55
Logging:
Server : IOS Syslog; 172.16.2.2
Level : debug
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Disabled
Whitelist Signature IDs:
Port Scan : Enabled
Sense level : High
Web-Filter : Disabled
驗證
檢查VirtualPortGroup IP地址和介面狀態
Router#show ip interface brief | i VirtualPortGroup
VirtualPortGroup0 192.168.1.1 YES NVRAM up up
VirtualPortGroup1 192.168.2.1 YES NVRAM up up
檢查VirtualPortGroup介面配置
Router#show running-config | b interface
interface VirtualPortGroup0
description Management Interface
ip address 192.168.1.1 255.255.255.252
!
interface VirtualPortGroup1
description Data Interface
ip address 192.168.2.1 255.255.255.252
檢查應用託管配置
Router#show running-config | b app-hosting
app-hosting appid UTD
app-vnic gateway0 virtualportgroup 0 guest-interface 0
guest-ipaddress 192.168.1.2 netmask 255.255.255.252
app-vnic gateway1 virtualportgroup 1 guest-interface 1
guest-ipaddress 192.168.2.2 netmask 255.255.255.252
start
end
檢查iox啟用
Router#show running-config | i iox
iox
檢查應用程式宿主狀態
Router#show app-hosting list
App id State
---------------------------------------------------------
UTD RUNNING
檢查應用託管詳細資訊
發出show app-hosting detail命令以確認UTD snort引擎狀態、正在運行的軟體版本、RAM、CPU和磁碟利用率、網路統計資訊和DNS配置是否到位。
Router#show app-hosting detail
App id : UTD
Owner : ioxm
State : RUNNING
Application
Type : LXC
Name : UTD-Snort-Feature
Version : 1.0.7_SV2.9.18.1_XE17.9
Description : Unified Threat Defense
Author :
Path : /bootflash/secapp-utd.17.09.03a.1.0.7_SV2.9.18.1_XE17.9.x86_64.tar
URL Path :
Multicast : yes
Activated profile name :
Resource reservation
Memory : 1024 MB
Disk : 752 MB
CPU :
CPU-percent : 25 %
VCPU : 0
Platform resource profiles
Profile Name CPU(unit) Memory(MB) Disk(MB)
--------------------------------------------------------------
Attached devices
Type Name Alias
---------------------------------------------
Disk /tmp/xml/UtdLogMappings-IOX
Disk /tmp/xml/UtdIpsAlert-IOX
Disk /tmp/xml/UtdDaqWcapi-IOX
Disk /tmp/xml/UtdUrlf-IOX
Disk /tmp/xml/UtdTls-IOX
Disk /tmp/xml/UtdDaq-IOX
Disk /tmp/xml/UtdAmp-IOX
Watchdog watchdog-503.0
Disk /tmp/binos-IOX
Disk /opt/var/core
Disk /tmp/HTX-IOX
Disk /opt/var
NIC ieobc_1 ieobc
Disk _rootfs
NIC mgmt_1 mgmt
NIC dp_1_1 net3
NIC dp_1_0 net2
Serial/Trace serial3
Network interfaces
---------------------------------------
eth0:
MAC address : 54:0e:00:0b:0c:02
IPv6 address : ::
Network name :
eth:
MAC address : 6c:41:0e:41:6b:08
IPv6 address : ::
Network name :
eth2:
MAC address : 6c:41:0e:41:6b:09
IPv6 address : ::
Network name :
eth1:
MAC address : 6c:41:0e:41:6b:0a
IPv4 address : 192.168.2.2
IPv6 address : ::
Network name :
----------------------------------------------------------------------
Process Status Uptime # of restarts
----------------------------------------------------------------------
climgr UP 0Y 0W 0D 21:45:29 2
logger UP 0Y 0W 0D 19:25:56 0
snort_1 UP 0Y 0W 0D 19:25:56 0
Network stats:
eth0: RX packets:162886, TX packets:163855
eth1: RX packets:46, TX packets:65
DNS server:
domain cisco.com
nameserver 192.168.90.92
Coredump file(s): core, lost+found
Interface: eth2
ip address: 192.168.2.2/30
Interface: eth1
ip address: 192.168.1.2/30
Address/Mask Next Hop Intf.
-------------------------------------------------------------------------------
0.0.0.0/0 192.168.2.1 eth2
0.0.0.0/0 192.168.1.1 eth1
檢查UTD Snort引擎相容性版本,檢查正在運行的Router IOS-XE版本
使用show utd engine standard version命令確認UTD Snort引擎相容性版本,以對抗正在運行的IOS-XE路由器版本。
Router#show utd engine standard version
UTD Virtual-service Name: UTD
IOS-XE Recommended UTD Version: 1.1.11_SV3.1.81.0_XE17.12
IOS-XE Supported UTD Regex: ^1\.1\.([0-9]+)_SV(.*)_XE17.12$
UTD Installed Version: 1.1.11_SV3.1.81.0_XE17.12
檢查UTD Snort引擎狀態
選項1。發出「show utd engine standard status」命令,以確認UTD Snort引擎的狀態、Status in 'Green'、Health in 'Green'和Overall system status in 'Green,指示UTD Snort引擎正在運行。
Router#show utd engine standard status
Engine version : 1.1.11_SV3.1.81.0_XE17.12
Profile : Low
System memory :
Usage : 31.80 %
Status : Green
Number of engines : 1
Engine Running Health Reason
=======================================================
Engine(#1): Yes Green None
=======================================================
Overall system status: Green
Signature update status:
=========================
Current signature package version: 31810.155.s
Last update status: Failed
Last successful update time: Wed Sep 3 12:51:56 2025 CST
Last failed update time: Wed Sep 3 17:55:02 2025 CST
Last failed update reason: File not found
Next update scheduled at: Thursday Sep 04 17:55 2025 CST
Current status: Idle選項2.發出「show platform software utd global」命令,獲取UTD Snort引擎運行狀態的簡短摘要。
Router#show platform software utd global
UTD Global state
=========================
Engine : Standard
Global Inspection : Enabled
Operational Mode : Intrusion Prevention
Fail Policy : Fail-open
Container technology : LXC
Redirect interface : VirtualPortGroup1
UTD interfaces
All dataplane interfaces
檢查UTD Snort引擎配置
選項1。發出「show utd engine standard config」命令以顯示UTD Snort引擎配置詳細資訊、操作模式、策略模式、簽名更新配置、日誌記錄配置、白名單和埠掃描狀態。
Router#show utd engine standard config
UTD Engine Standard Configuration:
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : cisco
User Name : cisco
Password : KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
Occurs-at : daily ; Hour: 0; Minute: 0
Logging:
Server : 192.168.10.5
Level : info
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Enabled
Whitelist Signature IDs:
54621, 40
Port Scan : Enabled
Web-Filter : Disabled
選項2.發出「show running-config」 | b engine'命令,顯示UTD snort引擎的運行配置就位。
Router#show running-config | b engine
utd engine standard
logging host 192.168.10.5
logging syslog
threat-inspection
threat protection
policy security
signature update server cisco username cisco password KcEDIO[gYafNZheBHBD`CC\g`_cSeFAAB
signature update occur-at daily 0 0
logging level info
whitelist
logging statistics enable
utd threat-inspection whitelist
generator id 40 signature id 54621 comment FILE-OFFICE traffic
utd
all-interfaces
redirect interface VirtualPortGroup1
engine standard
檢查UTD Snort引擎IPS Snort特徵碼更新狀態
1.發出「show utd engine standard threat-inspection signature update status」命令,檢查IPS snort特徵碼更新狀態。
Router#show utd engine standard threat-inspection signature update status
Current signature package version: 31810.155.s
Current signature package name: UTD-STD-SIGNATURE-31810-155-S.pkg
Previous signature package version: 31810.154.s
---------------------------------------
Last update status: Failed
---------------------------------------
Last successful update time: Wed Sep 3 12:51:56 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.4.219/UTD-STD-SIGNATURE-31810-155-S.pkg
Last successful update speed: 6343108 bytes in 31 secs
---------------------------------------
Last failed update time: Thu Sep 4 17:55:02 2025 CST
Last failed update method: Auto
Last failed update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Last failed update reason: File not found
---------------------------------------
Last attempted update time: Thu Sep 4 17:55:02 2025 CST
Last attempted update method: Auto
Last attempted update server: http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
---------------------------------------
Total num of updates successful: 2
Num of attempts successful: 2
Num of attempts failed: 29
Total num of attempts: 31
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
---------------------------------------
Current status: Idle
2.發出「utd threat-inspection signature update」命令,使用應用於UTD Snort引擎的現有伺服器配置執行手動IPS Snort特徵碼更新,以進行特徵碼下載。
Router#utd threat-inspection signature update
3.發出「utd threat-inspection signature update server [cisco, url] username xxxxx password xxxxx force」命令,以使用指定的伺服器引數強制進行手動IPS snort特徵碼更新。
Router#utd threat-inspection signature update server [cisco, url] username xxxxx password xxxxx force
Example:
Router#utd threat-inspection signature update server url http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg force
% This operation may cause the UTD service to restart which will briefly interrupt services.
Proceed with signature update? [confirm]
Router#
*Sep 5 02:08:13.845: %IOSXE_UTD-4-SIG_UPDATE_EXEC: UTD signature update has been executed - A brief service interruption is expected
*Sep 5 02:08:35.007: %SDVT-2-SDVT_HEALTH_CHANGE: Service node 192.168.2.2 changed state from Green => Red (3) for channel Threat DefenseQFP:0.0 Thread:001 TS:00000217689533745619
Router#
*Sep 5 02:08:42.671: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: UTD signature update succeeded - previous version: 31810.155.s - current version: 31810.156.s
Router#
*Sep 5 02:09:00.284: %SDVT-5-SDVT_HEALTH_UP: Service node 192.168.2.2 is up for channel Threat Defense. Current Health: Green, Previous Health: RedQFP:0.0 Thread:001 TS:00000217714810090067
Router#show utd engine standard signature update status
Current signature package version: 31810.156.s
Current signature package name: UTD-STD-SIGNATURE-31810-156-S.pkg
Previous signature package version: 31810.155.s
---------------------------------------
Last update status: No New Package found
---------------------------------------
Last successful update time: Thu Sep 4 20:08:41 2025 CST
Last successful update method: Manual
Last successful update server: http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg
Last successful update speed: 6344395 bytes in 27 secs
---------------------------------------
Last failed update time: Thu Sep 4 20:07:43 2025 CST
Last failed update method: Manual
Last failed update server: http://10.189.35.188/tftpboot/UTD-STD-SIGNATURE-31810-156-S.pkg
Last failed update reason: File not found
---------------------------------------
Last attempted update time: Thu Sep 4 20:10:29 2025 CST
Last attempted update method: Manual
Last attempted update server: http://10.189.35.188/UTD-STD-SIGNATURE-31810-156-S.pkg
---------------------------------------
Total num of updates successful: 3
Num of attempts successful: 4
Num of attempts failed: 30
Total num of attempts: 34
---------------------------------------
Next update scheduled at: Friday Sep 05 17:55 2025 CST
---------------------------------------
Current status: Idle
如何確認UTD Snort引擎是否正在檢查流量
使用以下show命令監控UTD Snort引擎處理的流量,並檢查與流量檢測相關的統計資訊。
選項1.在UTD Snort引擎處理流量時,從以下「show utd engine standard statistics」輸出中,「received」和「analyzed」計數器會遞增:
Router#show utd engine standard statistics
************************************
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 62069 <------------
analyzed: 62069 <------------
allow: 60634
block: 38
replace: 1
whitelist: 1396
idle: 763994
rx_bytes: 13778491
--------------------------------------------------
codec
total: 62069 (100.000%)
eth: 62069 (100.000%)
icmp4: 234 ( 0.377%)
icmp4_ip: 234 ( 0.377%)
ipv4: 62069 (100.000%)
tcp: 56168 ( 90.493%)
udp: 5667 ( 9.130%)
--------------------------------------------------
選項2.從下面的「show platform hardware qfp active feature utd stats」輸出中,當流量從路由器重定向到UTD snort引擎以進行流量檢測時,「decaps」和「Divert」計數器增加,當流量從UTD snort引擎重定向到路由器時,「encaps」和「Reject」計數器增加:
Router#show platform hardware qfp active feature utd stats
Summary Statistics:
Policy
Active Connections 3
TCP Connections Created 83364
UDP Connections Created 532075
ICMP Connections Created 494
Channel Summary
Active Connections 3
decaps 1156574 <------------
encaps 1157144 <------------
Expired Connections 615930
Packet stats - Policy
Pkts dropped pkt 15802
byt 14111880
Pkts entered policy feature pkt 1306750
byt 363602774
Pkts slow path pkt 615933
byt 25317465
Packet stats - Channel Summary
Bypass pkt 25368
byt 4459074
Divert pkt 1157144 <------------
byt 301046050
Reinject pkt 1156574 <------------
byt 301015446
Would Drop Statistics (fail-open):
Policy
TCP SYN w/data packet 15802
Channel Summary
Stats were all zero
General Statistics:
Non Diverted Pkts to/from divert interface 2725
Inspection skipped - UTD policy not applicable 111161
Pkts Skipped - New pkt from RP 33139
Response Packet Seen 64766
Feature memory allocations 615933
Feature memory free 615930
Feature Object Delete 615930
Skipped - First-in-flow RST packets of a TCP flow 55
Diversion Statistics Summary:
SN offloaded flow 3282
Flows Bypassed as SN Unhealthy 25368
Service Node Statistics:
SN down 1
SN health green 13
SN health red 12
SN Health: Channel: Threat Defense : Green
AppNAV registration 2
AppNAV deregister 1
SN Health: Channel: Service : Down
Stats were all zero
TLS Decryption policy not enabled
Appnav Statistics:
No FO Drop pkt 0
byt 0選項3.當流量從路由器重新導向到UTD Snort引擎以進行流量檢查時,從以下「show utd engine standard statistics internal」輸出中,「received」和「analyzed」計數器會增加。此外,此輸出會顯示有關UTD Snort引擎所檢查流量的更多詳細資訊和統計資訊:
Router# show utd engine standard statistics internal
************************************
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 62099 <------------
analyzed: 62099 <------------
allow: 60664
block: 38
replace: 1
whitelist: 1396
idle: 764287
rx_bytes: 13782351
--------------------------------------------------
codec
total: 62099 (100.000%)
eth: 62099 (100.000%)
icmp4: 234 ( 0.377%)
icmp4_ip: 234 ( 0.377%)
ipv4: 62099 (100.000%)
tcp: 56198 ( 90.497%)
udp: 5667 ( 9.126%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
appid
packets: 62099
processed_packets: 62087
ignored_packets: 12
total_sessions: 9091
service_cache_adds: 4
bytes_in_use: 608
items_in_use: 4
--------------------------------------------------
binder
raw_packets: 12
new_flows: 9091
service_changes: 4360
inspects: 9103
--------------------------------------------------
detection
analyzed: 62099
hard_evals: 234
raw_searches: 12471
cooked_searches: 5699
pkt_searches: 18170
pdu_searches: 14839
file_searches: 491
alerts: 3
total_alerts: 3
logged: 3
buf_dumps: 3
--------------------------------------------------
dns
packets: 5529
requests: 2780
responses: 2749
--------------------------------------------------
http_inspect
flows: 2449
scans: 10523
reassembles: 10523
inspections: 10317
requests: 2604
responses: 2309
get_requests: 1618
head_requests: 1
post_requests: 1
connect_requests: 984
request_bodies: 1
uri_normalizations: 1339
concurrent_sessions: 15
max_concurrent_sessions: 20
connect_tunnel_cutovers: 984
total_bytes: 1849394
--------------------------------------------------
normalizer
test_tcp_trim_win: 6
tcp_ips_data: 1
tcp_block: 38
--------------------------------------------------
pcre
pcre_rules: 6317
pcre_native: 6317
--------------------------------------------------
port_scan
packets: 62099
trackers: 96
bytes_in_use: 20736
--------------------------------------------------
search_engine
max_queued: 135
total_flushed: 52095
total_inserts: 66077
total_unique: 52095
non_qualified_events: 52326
qualified_events: 3
searched_bytes: 9498731
--------------------------------------------------
ssl
packets: 3281
decoded: 3281
client_hello: 927
server_hello: 927
certificate: 244
server_done: 711
client_key_exchange: 242
server_key_exchange: 242
change_cipher: 1160
client_application: 149
server_application: 1283
unrecognized_records: 19
sessions_ignored: 927
concurrent_sessions: 27
max_concurrent_sessions: 94
--------------------------------------------------
stream
flows: 9091
total_prunes: 7566
idle_prunes_proto_timeout: 7566
tcp_timeout_prunes: 5895
udp_timeout_prunes: 1561
icmp_timeout_prunes: 110
current_flows: 294
uni_flows: 249
--------------------------------------------------
stream_ip
sessions: 110
max: 110
created: 110
released: 110
total_bytes: 60371
--------------------------------------------------
stream_tcp
sessions: 7414
max: 7414
created: 7414
released: 7126
instantiated: 7414
setups: 7414
restarts: 3376
discards: 38
invalid_seq_num: 6
invalid_ack: 1
events: 39
syn_trackers: 7414
segs_queued: 12824
segs_released: 12710
segs_used: 7681
rebuilt_packets: 13601
rebuilt_bytes: 8945365
overlaps: 1
gaps: 1
memory: 208052
initializing: 246
established: 27
closing: 15
syns: 28310
syn_acks: 2449
resets: 358
fins: 2430
max_segs: 13
max_bytes: 15665
--------------------------------------------------
stream_udp
sessions: 1567
max: 1567
created: 1567
released: 1561
total_bytes: 743786
--------------------------------------------------
wizard
tcp_scans: 3376
tcp_hits: 3376
udp_scans: 118
udp_misses: 118
--------------------------------------------------
Appid Statistics
--------------------------------------------------
detected apps and services
Application: Services Clients Users Payloads Misc Referred
chrome: 0 101 0 0 0 0
dns: 1448 1449 0 0 0 0
firefox: 0 139 0 0 0 0
http: 2449 0 0 0 0 0
microsoft_update: 0 0 0 34 0 0
squid: 0 0 0 1144 0 0
unknown: 1 0 0 2416 0 0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
signals: 2
--------------------------------------------------
memory
start_up_use: 240250880
cur_in_use: 293490688
max_in_use: 294907904
epochs: 2718651
allocated: 198516408
deallocated: 168476672
app_all: 265459456
active: 274247680
resident: 281190400
retained: 12693504
如何確認UTD Snort引擎是否已觸發IPS Snort簽名
使用以下show命令監控觸發的Snort IPS特徵碼、生成的IPS/IDS事件以及涉及的源和目標IP地址。
選項1.使用「show utd engine standard logging events [threat-inspection]」命令查詢IPS/IDS事件:
Router#show utd engine standard logging events [threat-inspection]
2025/09/03-15:03:42.946703 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:1417 -> 172.16.2.2:10
2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184
2025/09/03-16:10:12.705933 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:1:2] portscan: TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.1.3:2184 -> 172.16.2.2:10選項2.使用「show utd engine standard logging statistics threat-inspection」命令,查詢在過去24小時內觸發的頂級IPS Snort特徵碼以及每個特徵碼的觸發次數:
Router# show utd engine standard logging statistics threat-inspection Top Signatures Triggered in the past 24 hours --------------------------------------------------------------------- Signature-id Count Description --------------------------------------------------------------------- 122:7:2 137 portscan: TCP Filtered Portsweep 122:1:2 5 portscan: TCP Portscan 122:3:2 1 portscan: TCP Portsweep
選項3.使用「show utd engine standard logging statistics threat-inspection detail」命令,查詢在過去24小時內觸發的頂級IPS snort特徵碼、觸發每個特徵碼的次數以及觸發該特徵碼的源和目標IP地址:
Router#show utd engine standard logging statistics threat-inspection detail Top Signatures Triggered in the past 24 hours Signature-id:122:7:2 Count: 137 Description:portscan: TCP Filtered Portsweep --------------------------------------------------------------------- Source IP Destination IP VRF Count --------------------------------------------------------------------- 172.16.2.2 x.x.157.3 0 7 172.16.2.2 x.x.157.14 0 6 172.16.2.2 x.x.29.13 0 6 172.16.2.2 x.x.104.78 0 6 172.16.2.2 x.x.29.14 0 5 172.16.2.2 x.x.157.15 0 5 172.16.2.2 x.x.28.23 0 5 172.16.2.2 x.x.135.19 0 5 172.16.2.2 x.x.135.3 0 4 172.16.2.2 x.x.157.11 0 4 Signature-id:122:1:2 Count: 5 Description:portscan: TCP Portscan --------------------------------------------------------------------- Source IP Destination IP VRF Count --------------------------------------------------------------------- 172.16.1.3 172.16.2.2 0 5 Signature-id:122:3:2 Count: 1 Description:portscan: TCP Portsweep --------------------------------------------------------------------- Source IP Destination IP VRF Count --------------------------------------------------------------------- 172.16.2.2 172.16.1.3 0 1
選項4. UTD Snort引擎監控流量並將事件報告給外部日誌伺服器或IOS系統日誌。啟用日誌記錄到IOS系統日誌可能會由於日誌消息的潛在數量而影響效能。支援Snort日誌的外部第三方監視工具可用於日誌收集和分析。
每當UTD Snort引擎生成IPS/IDS事件時,路由器都會顯示如下所示的系統日誌消息:
Router#
*Sep 3 22:10:18.544: %IM-5-IOX_INST_NOTICE: R0/0: ioxman: IOX SERVICE UTD LOG: 2025/09/03-16:10:12.699925 CST [**] [Hostname: router] [**] [Instance_ID: 1] [**] Alert [**] [122:3:2] portscan: TCP Portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] [VRF: 0] {TCP} 172.16.2.2:3 -> 172.16.1.3:2184當UTD Snort引擎配置為將註銷傳送到外部syslog伺服器時,您應該會看到遠端syslog伺服器中的UTD Snort引擎日誌,如下所示:
如何顯示活動的IPS Snort簽名
使用以下命令顯示UTD Snort引擎的活動、丟棄和警報IPS Snort簽名,具體取決於使用的策略配置(平衡、連線或安全)。
選項1.按照以下步驟繼續顯示安全策略的活動IPS Snort簽名清單。
Router#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Security
Signature Update:
Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Occurs-at : daily ; Hour: 17; Minute: 55
Logging:
Server : IOS Syslog; 172.16.2.2
Level : debug
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Disabled
Whitelist Signature IDs:
Port Scan : Enabled
Sense level : High
Web-Filter : Disabled
Router#utd threat-inspection signature active-list write-to bootflash:siglist_security
Router#more bootflash:siglist_security
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Security
Total no. of active signatures: 23398
Total no. of drop signatures: 22625
Total no. of alert signatures: 773
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 13418, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt;
sigid: 13897, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-MULTIMEDIA Apple QuickTime crgn atom parsing stack buffer overflow attempt;
sigid: 14263, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: POLICY-SOCIAL Pidgin MSNP2P message integer overflow attempt;
sigid: 15968, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt;
sigid: 15975, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-IMAGE OpenOffice TIFF parsing integer overflow attempt;
sigid: 15976, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-IMAGE OpenOffice TIFF parsing integer overflow attempt;
sigid: 16232, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: OS-WINDOWS Microsoft Windows EOT font parsing integer overflow attempt;
sigid: 16343, gid:3, log-level:3, action: drop, class-type: misc-activity,
Descr: FILE-PDF PDF header obfuscation attempt;
sigid: 16394, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: OS-WINDOWS Active Directory Kerberos referral TGT renewal DoS attempt;
sigid: 16728, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: NETBIOS Samba SMB1 chain_reply function memory corruption attempt;
sigid: 17647, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-FLASH Adobe Flash Player DefineSceneAndFrameLabelData memory corruption attempt;
sigid: 17665, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OFFICE OpenOffice Word document table parsing heap buffer overflow attempt;
sigid: 17741, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER MIT Kerberos asn1_decode_generaltime uninitialized pointer free attempt;
[omitted output]選項2.按照以下步驟繼續顯示連線策略的活動IPS Snort簽名清單。
Router#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Connectivity
Signature Update:
Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Occurs-at : daily ; Hour: 17; Minute: 55
Logging:
Server : IOS Syslog; 172.16.2.2
Level : debug
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Disabled
Whitelist Signature IDs:
Port Scan : Enabled
Sense level : High
Web-Filter : Disabled
Router#utd threat-inspection signature active-list write-to bootflash:siglist_connectivity
Router#more bootflash:siglist_connectivity
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Connectivity
Total no. of active signatures: 597
Total no. of drop signatures: 494
Total no. of alert signatures: 103
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 30282, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30283, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30942, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt;
sigid: 30943, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: FILE-OTHER Cisco Webex ARF Player LZW decompress memory corruption denial of service attempt;
sigid: 35897, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt;
sigid: 35898, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt;
sigid: 35902, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt;
sigid: 35903, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt;
sigid: 35926, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-WEBAPP Oracle Identity Management authorization bypass attempt;
sigid: 35927, gid:3, log-level:1, action: drop, class-type: policy-violation,
Descr: SERVER-WEBAPP Oracle Identity Management remote file execution attempt;
sigid: 38671, gid:3, log-level:1, action: drop, class-type: attempted-user,
[omitted output]選項3.按照以下步驟繼續顯示平衡策略的活動IPS Snort簽名清單。
Router#show utd engine standard config
UTD Engine Standard Configuration:
VirtualPortGroup Id: 1
IPS/IDS : Enabled
Operation Mode : Intrusion Prevention
Policy : Balanced
Signature Update:
Server : http://10.31.104.72/tftpboot/UTD-STD-SIGNATURE-31810-155-S.pkg
Occurs-at : daily ; Hour: 17; Minute: 55
Logging:
Server : IOS Syslog; 172.16.2.2
Level : debug
Statistics : Enabled
Hostname : router
System IP : Not set
Whitelist : Disabled
Whitelist Signature IDs:
Port Scan : Enabled
Sense level : High
Web-Filter : Disabled
Router#utd threat-inspection signature active-list write-to bootflash:siglist_balanced
Router#more bootflash:siglist_balanced
=================================================================================
Signature Package Version: 31810.156.s
Signature Ruleset: Balanced
Total no. of active signatures: 10033
Total no. of drop signatures: 9534
Total no. of alert signatures: 499
For more details of each signature please go to www.snort.org/rule_docs to lookup
=================================================================================
List of Active Signatures:
--------------------------
sigid: 30282, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30283, gid:3, log-level:2, action: drop, class-type: attempted-dos,
Descr: PROTOCOL-VOIP Cisco IOS SIP header denial of service attempt;
sigid: 30887, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER Cisco Tshell command injection attempt;
sigid: 30888, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER Cisco Tshell command injection attempt;
sigid: 30902, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ;
sigid: 30903, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt ;
sigid: 30912, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt;
sigid: 30913, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OTHER Cisco Webex WRF heap corruption attempt;
sigid: 30921, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt;
sigid: 30922, gid:3, log-level:1, action: drop, class-type: attempted-user,
Descr: FILE-OTHER Cisco WebEx Player atas32.dll memory overread attempt;
sigid: 30929, gid:3, log-level:1, action: drop, class-type: attempted-admin,
Descr: SERVER-OTHER Cisco RV180 VPN CSRF attempt;
[omitted output]疑難排解
1.確保思科整合服務路由器(ISR)運行XE 16.10.1a及更高版本(用於IOx方法)。
2.確保思科整合多業務路由器(ISR)在啟用SecurityK9功能的情況下獲得許可。
3.驗證ISR硬體模型符合最低資源配置檔案。
4. UTD Snort引擎與基於區域的防火牆SYN-cookie和網路地址轉換64(NAT64)不相容
5.確認安裝後已啟動UTD Snort引擎服務。
6.在手動下載特徵碼包期間,確保包與Snort引擎版本相同。如果版本不匹配,簽名包更新可能會失敗。
7.如果出現效能問題,請使用「show app-hosting resource」 和「show app-hosting utilization appid "UTD-NAME" 檢查UTD CPU、記憶體和儲存空間。
Router#show app-hosting resource
CPU:
Quota: 75(Percentage)
Available: 50(Percentage)
VCPU:
Count: 6
Memory:
Quota: 10240(MB)
Available: 9216(MB)
Storage device: bootflash
Quota: 4000(MB)
Available: 4000(MB)
Storage device: harddisk
Quota: 20000(MB)
Available: 19029(MB)
Storage device: volume-group
Quota: 190768(MB)
Available: 169536(MB)
Storage device: CAF persist-disk
Quota: 20159(MB)
Available: 18078(MB)
Router#show app-hosting utilization appid utd
Application: utd
CPU Utilization:
CPU Allocation: 33 %
CPU Used: 3 %
Memory Utilization:
Memory Allocation: 1024 MB
Memory Used: 117632 KB
Disk Utilization:
Disk Allocation: 711 MB
Disk Used: 451746 KB
調試
為了排除故障,請使用以下列出的debug命令從UTD Snort引擎收集更多詳細資訊。
debug virtual-service all
debug virtual-service virtualPortGroup
debug virtual-service messaging
debug virtual-service timeout
debug utd config level error [error, info, warning]
debug utd engine standard all
警告:在生產時間內運行debug命令會顯著增加UTD Snort引擎或路由器上的CPU、記憶體或磁碟利用率,從而可能影響流量和系統穩定性。最好在維護視窗期間謹慎使用debug命令,並在收集所需資料後立即禁用它們。如果觀察到提升的資源使用率或服務影響,請停止偵錯並與Cisco TAC聯絡。
相關資訊
在以下位置可以找到與UTD Snort IPS部署相關的其他文檔:
CSCwf57595 ISR4K Snort IPS未部署,因為硬體沒有足夠的平台資源
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
3.0 |
17-Sep-2025
|
初始版本 |
1.0 |
11-Jul-2023
|
初始版本 |
意見