Implementing Cisco IOS IPS
In this section, we introduce the Cisco IOS IPS router solution and walk through a complete configuration using the Cisco SDM. We will also look at logging options available and methods in both the SDM and the CLI to verify the configuration.
Cisco states that the Cisco IOS IPS is an inline network IPS. Actually, it’s a bit redundant to say this, since we have established that whether a device is inline to the traffic or analyzes copies of the traffic offline is what marks the difference between IPS and IDS technology in the first place. Regardless, one of the advantages of having the IPS run on the router is that, unlike IPS deployments where the sensor and the router are separate devices that must be configured to cooperate with one another, the IPS logic is integral to the router and can leverage the router’s firewall to take response actions to intrusions. We covered the various response actions in the last section.
Cisco IOS IPS Feature Blend
Cisco IOS IPS blends features from the Cisco IPS 4200 Series of sensors, as well as the IDSM module for the Cisco Catalyst 6500 Series of switches. It uses three main detection technologies:
- Profile-based
- Signature-based
- Protocol analysis-based
The first two were discussed in the last section. The third was not and bears some discussion. Protocol analysis-based technology simply means that the IPS analyzes the complete structure of the IP packets and their layer 4 through 7 payload to look for suspicious or abnormal activity. If this analysis were based solely on the protocols’ standards, a lot of traffic would be flagged as anomalous. Instead, the Cisco IOS IPS signatures are based on common practice rather than on some ideal, reflecting the fact that many protocol implementations violate the standards in some fashion.
Cisco IOS IPS Primary Benefits
Cisco specifies the following benefits for the IOS IPS:
- Attack Signatures. Over 2,000 are supported, using a common database across Cisco IPS appliances.
- Management Tool Support. Supported by Cisco SDM, Cisco Security MARS, Cisco Security Manager, and Cisco IEV.
- Cisco Self-Defending Network. Integrates into a Self-Defending Network made up of Cisco IPS, Cisco IOS Firewall, Cisco VPN, and Cisco NAC solutions.
- Inline IPS. All inbound and outbound traffic has to flow through the IPS, meaning that malicious traffic can be detected both inside and outside the network.
- Multi-Threat Detection. Easily integrates into existing network infrastructure to protect against threats to network infrastructure, servers, and other endpoints.
- Router Integration. Cisco IOS IPS’s use of the underlying router infrastructure adds an extra layer of security.
Cisco IOS IPS Signature Integration
As stated, the Cisco IOS IPS borrows heavily from the Cisco IPS 4200 Series of sensors and Catalyst 6500 IDSM IPS modules. Table 8.8 shows the features of the signatures in the Cisco IOS IPS.
Configuring Cisco IOS IPS with the Cisco SDM
We configure the Cisco IOS IPS using the Cisco SDM, starting with an IOS router with no IPS configuration on it.
There’s no requirement that the IOS IPS work in conjunction with either CBAC (Cisco IOS classic firewall) or the newer Zone-Based Policy Firewall (ZPF), both of which were discussed in Chapter 5, “Using Cisco IOS Firewalls to Implement a Network Security Policy.” The Cisco IOS IPS could simply be added to basic router functionality on the edge of the network for network designers that subscribe to the separation of services philosophy, with a firewall configured with Cisco ZPF establishing a separate, inner perimeter.
Figure 8.9 illustrates the Cisco SDM home page, indicating an unconfigured IOS IPS.
Figure 8.10 illustrates the SDM Configure->Intrusion Prevention System (IPS) window.
Before we start configuring the IPS, let’s look at some of the choices we have when we navigate to Configure->Intrusion Prevention from the home page in the Cisco SDM, as indicated in Figure 8.10. Along the top of the Intrusion Prevention System (IPS) window are these choices, presented as tabs:
- Create IPS. Contains a single choice—the IPS Rule wizard (see the following note) used to automate the creation of a Cisco IOS IPS rule and all facets of configuring the IPS.
- Edit IPS. Enables you to manually edit Cisco IOS IPS rules and either associate or disassociate them from interfaces.
- Security Dashboard. Enables you to view Cisco’s Top Threat table and deploy signatures to counter those threats.
- IPS Migration. This is used to migrate IOS IPS configurations that were created in earlier versions of the Cisco IOS software. You must be running IOS Software Release 12.4(11)T or later to use this function.
There is also the Launch IPS Rule Wizard button that (although you really want to press it now!) we will look at shortly.
Substitute the words “IPS signature configuration” for “IPS rule configuration” every time you see it in the SDM. In some of the dialogs, SDM calls signatures “rules.” This is inconsistent use of the word “rule” because the Launch IPS Rule Wizard button (see Figure 8.10, as well as the previous paragraph) does not launch a wizard where you can change the signatures! The word “rule” in that context means policy. Ouch! While we’re on the subject, sharp-eyed readers will notice that the SDM wizard is called the Intrusion Prevention System wizard, whereas we have been calling it the Intrusion Protection System up to now. This is just semantics, and you shouldn’t read anything into the difference because they actually mean the same thing. Just when you thought you were figuring out the terminology!
The reference diagram for configuring Cisco IOS IPS is found in Figure 8.11. It is a slight modification to the reference diagram found in Figure 8.6 that we have been using in this chapter. The management VLAN is VLAN 3. The production VLAN is VLAN 1. This is where the wired workstations reside that belong to our internal knowledge workers. Similarly, there is a separate VLAN, VLAN 99, deployed for our wireless hotspot. Essentially, all three of these VLANs represent internal networks for the purpose of configuring the IOS IPS. FastEthernet 4 is the external, Internet-facing interface.
Because there is currently no IPS configured, we follow these steps to configure the Cisco IOS IPS:
- Navigate to Configure->Intrusion Prevention->Create IPS. The screen that appears is illustrated in Figure 8.12.
- Push the Launch IPS Rule Wizard button.
- If this is a first-time configuration, an information window appears, indicating that “SDM will open a subscription with the router to get the SDEE events.” Press OK.
- The Welcome to the IPS Policies Wizard screen appears. Click Next. The Select Interfaces screen opens and is illustrated in Figure 8.13.
- Place a check mark in the check box beside each interface, corresponding to the direction, Inbound and Outbound, in which you want to inspect the packets for signs of intrusion. In this example, FastEthernet4 is the Internet-facing interface, and Vlan1, Vlan3, and Vlan99 are all inside the perimeter (refer to Figure 8.11).
- Click Next. The Signature File and Public Key window appears and is illustrated in Figure 8.14.
NOTE
Recall that there are no built-in signatures as of IOS Software Release 12.4(11)T. Some IOS routers ship from Cisco with SDF (Signature Definition Files) already in flash memory. Also, when you download and install the SDM, there are SDF files included with the SDM archive for different amounts of RAM that can get you started without having to go to CCO. That said, the latest signature files are available on CCO to users with sufficient access.
In this window, you can push either of two radio buttons:
- Specify the signature file you want to use with the IOS IPS.
- Get the latest signature file from Cisco.com and save to PC.
If you choose the first choice, you are led through a dialog that enables you to fetch the signature file from one of the following: router flash, the local PC, or the URL of an external source such as a web server.
NOTE
When fetching the file from your PC, the signature file will be of the form sigv5-SDMSxxx.zip, where xxx is the signature set’s version number. If you choose to specify the router’s flash, use the format IOS-Sxxx-CLI.pkg.
If you choose the second choice, you are prompted for where you want to save the file; you are then prompted for your username and password on CCO and to save the SDF file (in .zip format) to your local PC’s hard drive and subsequently install it on the IPS. Incidentally, this also downloads the update files in the form of a .pkg file, which you can push to the router (see the preceding note).
In both cases, you must enter the name and value of Cisco’s public key before you proceed. This is because any changes you make to the signatures (so-called “deltas”) will need to be signed with this key for security reasons. You must visit this URL to look up both the name of the key to put in the Name field and the key’s value to put in the Key field. The URL is http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup. Enter the values in both fields as indicated; then proceed by clicking Next.
- The Config Location and Category windows appear as illustrated in Figure 8.15.
You are presented with these options:
- Config Location. Specify where the IPS configuration, .pkg files, and delta files are located. This may be in router flash or on an external server such as an HTTP server specified by URL. Follow the prompts.
- Signature Category.
  - Basic. If the router has 128MB or less of flash, Cisco recommends using the Basic category to avoid memory allocation errors.
  - Advanced. If the router has more than 256MB of flash, you may choose the Advanced category.
NOTE
The Cisco IINS v1.0 courseware that was referenced for this Exam Cram specifies that Basic is recommended for 128MB or less of flash memory vs. RAM. This isn’t correct (and doesn’t make sense). This URL at Cisco indicates otherwise. Remember, though, that what’s in the course is always the right wrong answer! (http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html)
- Click Next when you have filled out the information per the previous step. The Summary window of the IPS Policies Wizard appears. This is illustrated in Figure 8.16.
- Review the information in the window; then click Finish to deliver the configuration to the router. Click OK on the Commands Delivery Status window when this has been completed. The IOS IPS Configuration Status window appears, indicating that the signatures are being configured on the router. This is illustrated in Figure 8.17.
- After the IPS Configuration has been completed, the Configure->Intrusion Prevention window appears, this time with the Edit IPS tab selected, as illustrated in Figure 8.18. Review the information in this window:
The bottom of the Edit IPS screen in Figure 8.18 indicates that no filters have been set for the traffic that will be inspected (inbound, in this example) on the interfaces. Thus, when you select an interface, the warning “IPS rule is enabled, but there is no filter configured for this rule. IPS will scan all inbound traffic” appears. This can be fine-tuned separately if desired.
When you return to the Cisco SDM home page, the working IPS configuration can be seen as in Figure 8.19. In the right-bottom quadrant of the screenshot in Figure 8.19, we learn the following:
- Total Active Signatures: 373. This is the number of signatures that are active out of the total possible signatures in the signature database.
- No. of IPS-enabled Interfaces: 4. This makes sense because we enabled IPS on VLANs 1, 3, and 99 and FastEthernet 4 (see Figures 8.11 and 8.13).
- Signature Version: S332.0. This is the version of the signature file that we downloaded and installed from Cisco.
If you were looking at syslog output (if configured) or you had a terminal window to the CLI open while the IPS was being configured, you might see some interesting output as the micro-engines are being compiled into RAM. First, let’s examine what the %IPS-6-ENGINE message text means in the IPS messages that are displayed to the terminal:
- ENGINE_BUILDS_STARTED. Each micro-engine starts the compile process. Recall from the previous section that this part of the process consumes more RAM than is used once the build completes.
- ENGINE_BUILDING. The micro-engine is in the process of being compiled. Note that the engines are compiled one after another until all the micro-engines that have enabled signatures are compiled into memory.
- ENGINE_READY. The compile process for the micro-engine is complete. The next engine starts.
Now here is an example of the screen output from an actual terminal session. Note that the terminal monitor command has been executed to ensure that the terminal window we are using will see output that would normally be directed to the default output device, console 0. We would not need this command if the output were taken from a terminal connected to console 0. The output shows the 13 signature micro-engines (SMEs) compiling signatures and the number of signatures compiled per SME.
CiscoISR-A#terminal monitor
CiscoISR-A#
May 19 20:36:32.906: %IPS-6-ENGINE_BUILDS_STARTED: 20:36:32 UTC May 19 2008
May 19 20:36:32.910: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
May 19 20:36:33.070: %IPS-6-ENGINE_READY: multi-string - build time 160 ms - packets for this engine will be scanned
May 19 20:36:33.086: %IPS-6-ENGINE_BUILDING: service-http - 627 signatures - 2 of 13 engines
May 19 20:36:43.339: %IPS-6-ENGINE_READY: service-http - build time 10256 ms - packets for this engine will be scanned
May 19 20:36:43.363: %IPS-6-ENGINE_BUILDING: string-tcp - 1045 signatures - 3 of 13 engines
May 19 20:36:49.258: %IPS-6-ENGINE_READY: string-tcp - build time 5896 ms - packets for this engine will be scanned
May 19 20:36:49.266: %IPS-6-ENGINE_BUILDING: string-udp - 75 signatures - 4 of 13 engines
May 19 20:36:50.034: %IPS-6-ENGINE_READY: string-udp - build time 764 ms - packets for this engine will be scanned
May 19 20:36:50.038: %IPS-6-ENGINE_BUILDING: state - 28 signatures - 5 of 13 engines
May 19 20:36:50.113: %IPS-6-ENGINE_READY: state - build time 76 ms - packets for this engine will be scanned
May 19 20:36:50.197: %IPS-6-ENGINE_BUILDING: atomic-ip - 287 signatures - 6 of 13 engines
May 19 20:36:52.333: %IPS-6-ENGINE_READY: atomic-ip - build time 2132 ms - packets for this engine will be scanned
May 19 20:36:52.381: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
May 19 20:36:52.421: %IPS-6-ENGINE_READY: string-icmp - build time 36 ms - packets for this engine will be scanned
May 19 20:36:52.421: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
May 19 20:36:52.441: %IPS-6-ENGINE_READY: service-ftp - build time 16 ms - packets for this engine will be scanned
May 19 20:36:52.441: %IPS-6-ENGINE_BUILDING: service-rpc - 75 signatures - 9 of 13 engines
May 19 20:36:52.689: %IPS-6-ENGINE_READY: service-rpc - build time 244 ms - packets for this engine will be scanned
May 19 20:36:52.693: %IPS-6-ENGINE_BUILDING: service-dns - 38 signatures - 10 of 13 engines
May 19 20:36:52.773: %IPS-6-ENGINE_READY: service-dns - build time 80 ms - packets for this engine will be scanned
May 19 20:36:52.777: %IPS-6-ENGINE_BUILDING: normalizer - 9 signatures - 11 of 13 engines
May 19 20:36:52.785: %IPS-6-ENGINE_READY: normalizer - build time 4 ms - packets for this engine will be scanned
May 19 20:36:52.785: %IPS-6-ENGINE_BUILDING: service-smb-advanced - 36 signatures - 12 of 13 engines
May 19 20:36:55.512: %IPS-6-ENGINE_READY: service-smb-advanced - build time 2724 ms - packets for this engine will be scanned
May 19 20:36:55.536: %IPS-6-ENGINE_BUILDING: service-msrpc - 27 signatures - 13 of 13 engines
May 19 20:36:55.712: %IPS-6-ENGINE_READY: service-msrpc - build time 164 ms - packets for this engine will be scanned
May 19 20:36:55.720: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 22820 ms
The highlighted items in the previous command output indicate the SME that was loaded as well as the number of signatures compiled for each SME. Compare the output with the SME names in Table 8.7. You can verify that the signatures are loaded by entering the show ip ips signatures count command. In the following output, the Cisco SDF release version number, the names of the SMEs, and the total number of signatures are highlighted for reference.
CiscoISR-A#show ip ips signatures count
Cisco SDF release version S332.0
Trend SDF release version V0.0
Signature Micro-Engine: multi-string: Total Signatures 8
    multi-string enabled signatures: 8
    multi-string retired signatures: 3
    multi-string compiled signatures: 5
Signature Micro-Engine: service-http: Total Signatures 627
    service-http enabled signatures: 130
    service-http retired signatures: 525
    service-http compiled signatures: 102
    service-http obsoleted signatures: 1
Signature Micro-Engine: string-tcp: Total Signatures 1045
    string-tcp enabled signatures: 541
    string-tcp retired signatures: 950
    string-tcp compiled signatures: 95
    string-tcp obsoleted signatures: 9
Signature Micro-Engine: string-udp: Total Signatures 75
    string-udp enabled signatures: 2
    string-udp retired signatures: 54
    string-udp compiled signatures: 21
    string-udp obsoleted signatures: 1
Signature Micro-Engine: state: Total Signatures 28
    state enabled signatures: 15
    state retired signatures: 25
    state compiled signatures: 3
Signature Micro-Engine: atomic-ip: Total Signatures 287
    atomic-ip enabled signatures: 88
    atomic-ip retired signatures: 252
    atomic-ip compiled signatures: 35
Signature Micro-Engine: string-icmp: Total Signatures 3
    string-icmp enabled signatures: 0
    string-icmp retired signatures: 1
    string-icmp compiled signatures: 2
Signature Micro-Engine: service-ftp: Total Signatures 3
    service-ftp enabled signatures: 1
    service-ftp retired signatures: 2
    service-ftp compiled signatures: 1
Signature Micro-Engine: service-rpc: Total Signatures 75
    service-rpc enabled signatures: 44
    service-rpc retired signatures: 43
    service-rpc compiled signatures: 32
Signature Micro-Engine: service-dns: Total Signatures 38
    service-dns enabled signatures: 30
    service-dns retired signatures: 9
    service-dns compiled signatures: 29
Signature Micro-Engine: normalizer: Total Signatures 9
    normalizer enabled signatures: 8
    normalizer retired signatures: 1
    normalizer compiled signatures: 8
Signature Micro-Engine: service-smb-advanced: Total Signatures 36
    service-smb-advanced enabled signatures: 36
    service-smb-advanced retired signatures: 1
    service-smb-advanced compiled signatures: 35
Signature Micro-Engine: service-msrpc: Total Signatures 27
    service-msrpc enabled signatures: 27
    service-msrpc retired signatures: 22
    service-msrpc compiled signatures: 5
Total Signatures: 2261
Total Enabled Signatures: 930
Total Retired Signatures: 1888
Total Compiled Signatures: 373
Total Obsoleted Signatures: 11
Note that the output of the show ip ips signatures count command shows the signatures organized by micro-engine and in the same order that they were compiled, as was seen in the syslog output.
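The two outputs above are what an operator actually has to read when a signature update is pushed: the syslog build messages tell you which engines compiled and how long each took, and show ip ips signatures count tells you how many signatures each engine holds. The following Python script is an added example, not from the book or from Cisco; it parses both formats and reconciles them, reporting any engine whose per-engine signature count in the log differs from the count output, any ENGINE_BUILDING that never reached ENGINE_READY, and a build log that stops before ALL_ENGINE_BUILDS_COMPLETE (the router is still compiling, or the capture was truncated). The embedded samples are the first four engines copied from the session above; the field names and finding strings are this example's own.

```python
import re

# Constructed sample: the first four engines from the terminal session above
# (no ALL_ENGINE_BUILDS_COMPLETE line, so the log looks truncated or still running).
BUILD_LOG = """\
May 19 20:36:32.906: %IPS-6-ENGINE_BUILDS_STARTED: 20:36:32 UTC May 19 2008
May 19 20:36:32.910: %IPS-6-ENGINE_BUILDING: multi-string - 8 signatures - 1 of 13 engines
May 19 20:36:33.070: %IPS-6-ENGINE_READY: multi-string - build time 160 ms - packets for this engine will be scanned
May 19 20:36:33.086: %IPS-6-ENGINE_BUILDING: service-http - 627 signatures - 2 of 13 engines
May 19 20:36:43.339: %IPS-6-ENGINE_READY: service-http - build time 10256 ms - packets for this engine will be scanned
May 19 20:36:43.363: %IPS-6-ENGINE_BUILDING: string-tcp - 1045 signatures - 3 of 13 engines
May 19 20:36:49.258: %IPS-6-ENGINE_READY: string-tcp - build time 5896 ms - packets for this engine will be scanned
May 19 20:36:49.266: %IPS-6-ENGINE_BUILDING: string-udp - 75 signatures - 4 of 13 engines
May 19 20:36:50.034: %IPS-6-ENGINE_READY: string-udp - build time 764 ms - packets for this engine will be scanned
"""

# Constructed sample: the matching engines from show ip ips signatures count.
COUNT_OUTPUT = """\
Cisco SDF release version S332.0
Signature Micro-Engine: multi-string: Total Signatures 8
    multi-string enabled signatures: 8
    multi-string retired signatures: 3
    multi-string compiled signatures: 5
Signature Micro-Engine: service-http: Total Signatures 627
    service-http enabled signatures: 130
    service-http retired signatures: 525
    service-http compiled signatures: 102
Signature Micro-Engine: string-tcp: Total Signatures 1045
    string-tcp enabled signatures: 541
    string-tcp retired signatures: 950
    string-tcp compiled signatures: 95
Signature Micro-Engine: string-udp: Total Signatures 75
    string-udp enabled signatures: 2
    string-udp retired signatures: 54
    string-udp compiled signatures: 21
"""

BUILDING_RE = re.compile(r"%IPS-6-ENGINE_BUILDING: (?P<engine>\S+) - (?P<sigs>\d+) signatures - "
                         r"(?P<idx>\d+) of (?P<total>\d+) engines")
READY_RE = re.compile(r"%IPS-6-ENGINE_READY: (?P<engine>\S+) - build time (?P<ms>\d+) ms")
COMPLETE_RE = re.compile(r"%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time (?P<ms>\d+) ms")
ENGINE_HDR_RE = re.compile(r"Signature Micro-Engine: (?P<engine>\S+): Total Signatures (?P<total>\d+)")
ENGINE_ROW_RE = re.compile(r"^\s*(?P<engine>\S+) (?P<kind>enabled|retired|compiled|obsoleted) "
                           r"signatures: (?P<n>\d+)")


def parse_build_log(text):
    """Return ({engine: {"signatures", "build_ms"}}, announced engine count, completed?)."""
    engines, expected, complete = {}, None, False
    for line in text.splitlines():
        m = BUILDING_RE.search(line)
        if m:
            expected = int(m["total"])
            engines[m["engine"]] = {"signatures": int(m["sigs"]), "build_ms": None}
            continue
        m = READY_RE.search(line)
        if m and m["engine"] in engines:
            engines[m["engine"]]["build_ms"] = int(m["ms"])
            continue
        if COMPLETE_RE.search(line):
            complete = True
    return engines, expected, complete


def parse_signature_count(text):
    """Return {engine: {"total", "enabled", "retired", "compiled", ...}} from the count output."""
    counts, current = {}, None
    for line in text.splitlines():
        m = ENGINE_HDR_RE.search(line)
        if m:
            current = m["engine"]
            counts[current] = {"total": int(m["total"])}
            continue
        m = ENGINE_ROW_RE.match(line)
        if m and m["engine"] == current:
            counts[current][m["kind"]] = int(m["n"])
    return counts


def reconcile(build_log, count_output):
    """Cross-check the syslog build messages against show ip ips signatures count."""
    engines, expected, complete = parse_build_log(build_log)
    counts = parse_signature_count(count_output)
    findings = []
    if not complete:
        findings.append(f"build log incomplete: {len(engines)} of {expected} engines seen, "
                        "no ALL_ENGINE_BUILDS_COMPLETE")
    for name, info in engines.items():
        if info["build_ms"] is None:
            findings.append(f"{name}: ENGINE_BUILDING without ENGINE_READY")
        c = counts.get(name)
        if c is None:
            findings.append(f"{name}: built but absent from signatures count")
        elif c["total"] != info["signatures"]:
            findings.append(f"{name}: log says {info['signatures']} signatures, count says {c['total']}")
    return findings


def slowest_engines(build_log, n=3):
    """Engines ranked by compile time; these dominate RAM use during a signature reload."""
    engines, _, _ = parse_build_log(build_log)
    ranked = sorted(((v["build_ms"] or 0, k) for k, v in engines.items()), reverse=True)
    return [name for _, name in ranked[:n]]


if __name__ == "__main__":
    print(reconcile(BUILD_LOG, COUNT_OUTPUT))
    print(slowest_engines(BUILD_LOG))
```

Run against the full session above the script returns no findings; on the truncated sample it reports that only 4 of the announced 13 engines have been seen, which is the condition you want to alarm on when a remote signature push appears to hang.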
Cisco IOS IPS CLI Configuration
Here are the basic commands used to configure the IOS IPS with the CLI. We’ll start with an example that matches the worked example that we have just completed with the SDM and then look at the commands one by one and in the order shown (note: the configuration for interfaces Vlan99 and Vlan3 has been omitted):
ip ips config location flash:/ips/ retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface Vlan1
 ip ips sdm_ips_rule in
 ip virtual-reassembly
!
interface FastEthernet4
 ip ips sdm_ips_rule in
 ip virtual-reassembly
Here is an explanation of the commands (see the previous configuration for specific examples used in our reference network):
- ip ips config location. This global configuration command specifies the location of the IPS configuration. In this example, it is in the flash:/ips/ directory.
- ip ips notify. This global configuration command specifies the method of event notification. In this example, SDEE is being used.
- ip ips name. This global configuration command specifies the IPS rule (policy) name—sdm_ips_rule in this example.
- ip ips signature-category. This global configuration command configures the router to support the default basic or advanced signature set.
- ip ips ips_rule_name. This interface configuration command applies the named IPS rule (policy) to the selected interface in the specified direction (in, in this example).
- ip virtual-reassembly. This interface configuration command turns on Virtual Fragment Reassembly (VFR). Dynamic ACLs are created to protect the network against various fragmentation attacks.
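The commands above come in pairs that are easy to break by hand: an interface that applies a rule should also have ip virtual-reassembly (the IPS cannot inspect fragments otherwise), and the rule name on the interface must match one defined with ip ips name. As an added example (not from the book or from Cisco's tooling), the following Python script audits a saved running-config for exactly those relationships. The sample config is the one above plus two constructed faulty stanzas that are not the reference network's real Vlan99 and Vlan3 configuration: Vlan99 applies the rule without VFR, and Vlan3 applies a rule name (typo_rule, invented here) that was never defined.

```python
import re

# Constructed sample: the CLI configuration from this section, followed by two
# deliberately faulty interface stanzas (constructed for this example only).
RUNNING_CONFIG = """\
ip ips config location flash:/ips/ retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
interface Vlan1
 ip ips sdm_ips_rule in
 ip virtual-reassembly
!
interface FastEthernet4
 ip ips sdm_ips_rule in
 ip virtual-reassembly
!
interface Vlan99
 ip ips sdm_ips_rule in
!
interface Vlan3
 ip ips typo_rule in
 ip virtual-reassembly
"""

IFACE_RE = re.compile(r"^interface (\S+)\s*$")
IPS_APPLY_RE = re.compile(r"^\s*ip ips (\S+) (in|out)\s*$")
RULE_DEF_RE = re.compile(r"^ip ips name (\S+)", re.M)


def parse_interface_stanzas(config):
    """Map each interface name to the indented lines of its stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current and line.startswith(" "):
            stanzas[current].append(line)
        else:
            current = None  # '!' or a global command closes the stanza
    return stanzas


def defined_rules(config):
    """Rule (policy) names declared with 'ip ips name'."""
    return set(RULE_DEF_RE.findall(config))


def audit_ips_config(config):
    """Return human-readable findings; an empty list means the config is consistent."""
    findings = []
    rules = defined_rules(config)
    applied = set()
    if not re.search(r"^ip ips config location ", config, re.M):
        findings.append("no 'ip ips config location' configured")
    for iface, lines in parse_interface_stanzas(config).items():
        applies = [m for m in (IPS_APPLY_RE.match(l) for l in lines) if m]
        if not applies:
            continue  # interface does not run IPS; nothing to check
        for m in applies:
            rule, direction = m.groups()
            applied.add(rule)
            if rule not in rules:
                findings.append(f"{iface}: applies undefined IPS rule '{rule}' {direction}")
        # VFR must accompany the IPS rule so fragmented packets are reassembled before inspection
        if not any(l.strip().startswith("ip virtual-reassembly") for l in lines):
            findings.append(f"{iface}: IPS applied without ip virtual-reassembly")
    for rule in sorted(rules - applied):
        findings.append(f"rule '{rule}' is defined but applied to no interface")
    return findings


if __name__ == "__main__":
    for finding in audit_ips_config(RUNNING_CONFIG):
        print(finding)
```

Feed it the text of show running-config; the two constructed stanzas each produce one finding, and the first two interfaces produce none.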
Configuring IPS Signatures
This section examines the steps required to configure IPS signatures using the SDM.
Configuring IPS Signature Severity
You may recall earlier that one of Cisco’s recommendations for IPS best practices is to set the alert level of any signature to the severity level of the signature itself. You can set the severity level of a signature, both the included ones as well as ones you create, by following these steps:
- From the SDM, navigate to Configure->Intrusion Prevention->Edit IPS->Signatures->All Categories. The list of all signatures appears, as illustrated in Figure 8.20.
- Select the signature whose severity level you want to change; then right-click to bring up the context menu. Select Set Severity Level to and select from: high, informational, low, or medium. This is illustrated in Figure 8.20.
- Click Apply Changes in the Edit IPS window when you are done.
Configuring Signature Actions
Recall that IPS signatures have default actions or “responses.” (See the subsection “Signature Attack Responses” for a complete list of responses and their meaning.) The SDM enables you to change these actions. To change the action for a signature, follow these steps (using the Email signature category as an example):
- From the SDM, navigate to Configure->Intrusion Prevention->Edit IPS->Signatures->Email.
- Select the signature whose action you want to change; then right-click to bring up the context menu. Select Assign Actions from the context menu. A new Assign Actions window appears, as illustrated in Figure 8.21.
- Place a check mark in the box beside the action(s) you want to take.
The actions you can choose from are the following:
- Deny Attacker Inline
- Deny Connection Inline
- Deny Packet Inline
- Produce Alert (the default for this IMAP Email Signature)
- Reset TCP Connection
- Click OK.
- Click Apply Changes in the Edit IPS window when you are done.
Editing IPS Signatures Using Cisco SDM
You can edit a signature, both the included ones as well as ones you create, by following these steps. This example will choose a signature from the Reconnaissance category called TCP Ports Sweeps:
- From the SDM, navigate to Configure->Intrusion Prevention->Edit IPS->Signatures->Reconnaissance->TCP Ports Sweeps.
- Select the signature you want to edit and click the Edit button.
- The Edit Signature window appears, as illustrated in Figure 8.22.
The parameters you see depend on the signature. Here’s a list of what you may edit in this window, depending on the signature:
- Signature ID. Unique number assigned to each signature.
- SubSignature ID. Unique number assigned to the subsignature. Allows for more granularity of signature definitions.
- Alert Severity. Defines the severity of alert sent to the sensor when this signature triggers.
- Sig Description. This is a section where you can give the signature a name, put in user comments, alert notes, alert traits, and release number. Certain of these parameters are pre-defined (though editable) for Cisco signatures.
- Engine. Specifies information as to which micro-engine this signature uses.
- Event Counter. This is a section where you can define the event count, event count key, and whether a specific alert interval is to be specified (useful for rate-limiting to defend against DoS attacks against the IPS).
- Alert Frequency. Define frequency of the alert.
- Status. This section specifies whether the signature is enabled or disabled and whether or not it is retired.
- Click OK when you are done with the changes.
- Click Apply Changes in the Edit IPS window when you are done.
SDEE and Syslog Logging Protocol Support
The Cisco IOS IPS supports both the Security Device Event Exchange (SDEE) and syslog protocols to send alerts. Recall that an alarm is generated when an enabled signature is triggered. The alarms are stored in a buffer on the sensor. One disadvantage of syslog is that the syslog server is passive, relying on the sensor to send alerts to it. This is indicated by the arrow in Figure 8.23 pointing to the syslog server from the Cisco IOS IPS. SDEE, on the other hand, is a subscription type of service where hosts can pull alarms from the sensor at any time. This is shown by the two-headed arrow in Figure 8.23. SDEE-format messages are much richer in their information content.
Here are some other things you need to know about SDEE:
- Up to 1,000 events can be stored in the SDEE buffer; 200 is the default. Disabling SDEE notification erases the buffer.
- Network management applications pull SDEE messages from the IOS IPS.
- SDEE is evolving into the standard format for security event reporting in network management.
- SDEE is vendor-independent.
- SDEE uses HTTP or HTTPS (more secure) for transport, so the HTTP or HTTPS server must be enabled on the router.
- The IOS IPS still sends alerts via syslog.
Viewing the SDEE Message Log
Navigate to Monitor->Logging->SDEE Message Log to view the SDEE message log. This dialog is illustrated in Figure 8.24.
Here’s an example of an SDEE message captured in the CLI. The IPS is sending an alert of a possible fragmentation attack since signature 1207 has been triggered:
May 20 12:37:24.723: %IPS-4-SIGNATURE: Sig:1207 Subsig:0 Sev:25 IP Fragment Too Many Datagrams [192.168.2.119:0 -> 192.168.2.254:0] RiskRating:25
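Because the IOS IPS keeps sending alerts over syslog even when SDEE is enabled, the %IPS-4-SIGNATURE line above is the record most collectors will actually see, and its fields (signature and subsignature IDs, severity, the human-readable name, the 5-tuple, and the risk rating) are what a SIEM rule keys on. The following Python script is an added example, not from the book or from Cisco: it parses that message format into structured events, counts repeats per source and signature, and flags events at or above a risk-rating threshold. The sample input is the alert from the page plus constructed lines (a repeat of the same alert, an alert with an invented signature number 9999 and risk rating 90, and a non-IPS syslog line to show it is skipped). The numeric-to-name severity table is Cisco IPS's encoding as this example understands it and is not stated on the page; the threshold of 50 is this example's choice.

```python
import re
from collections import Counter

# Sample input: the first line is the alert from the page; the rest are constructed.
ALERT_LINES = [
    "May 20 12:37:24.723: %IPS-4-SIGNATURE: Sig:1207 Subsig:0 Sev:25 IP Fragment Too Many Datagrams "
    "[192.168.2.119:0 -> 192.168.2.254:0] RiskRating:25",
    # constructed: the same source triggers the same signature again a moment later
    "May 20 12:37:25.101: %IPS-4-SIGNATURE: Sig:1207 Subsig:0 Sev:25 IP Fragment Too Many Datagrams "
    "[192.168.2.119:0 -> 192.168.2.254:0] RiskRating:25",
    # constructed: invented signature number and name, high risk rating
    "May 20 12:39:02.455: %IPS-4-SIGNATURE: Sig:9999 Subsig:1 Sev:100 Constructed Example Signature "
    "[192.168.2.77:51234 -> 192.168.2.10:80] RiskRating:90",
    # constructed: an unrelated syslog message that the parser must ignore
    "May 20 12:39:03.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %IPS-(?P<level>\d)-SIGNATURE: "
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] RiskRating:(?P<rr>\d+)$")

# Assumed Cisco IPS numeric severity encoding (not given on the page).
SEVERITY_NAMES = {25: "informational", 50: "low", 75: "medium", 100: "high"}


def parse_alert(line):
    """Turn one %IPS-4-SIGNATURE syslog line into a dict; return None for other messages."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    sev = int(m["sev"])
    return {
        "timestamp": m["ts"],
        "sig": int(m["sig"]), "subsig": int(m["subsig"]),
        "severity": sev, "severity_name": SEVERITY_NAMES.get(sev, "unknown"),
        "name": m["name"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "risk_rating": int(m["rr"]),
    }


def parse_alerts(lines):
    """Parse a batch of syslog lines, silently dropping non-IPS messages."""
    return [e for e in (parse_alert(l) for l in lines) if e is not None]


def triage(lines, risk_threshold=50):
    """Summarise alerts: total, repeats per (source, signature), and high-risk events."""
    events = parse_alerts(lines)
    by_source_sig = Counter((e["src"], e["sig"]) for e in events)
    high_risk = [e for e in events if e["risk_rating"] >= risk_threshold]
    return {"events": len(events), "by_source_sig": dict(by_source_sig), "high_risk": high_risk}


if __name__ == "__main__":
    summary = triage(ALERT_LINES)
    print(summary["events"], "IPS events")
    for (src, sig), n in summary["by_source_sig"].items():
        print(f"{src} triggered Sig:{sig} {n} time(s)")
    for e in summary["high_risk"]:
        print("high risk:", e["name"], e["src"], "->", e["dst"], "RR", e["risk_rating"])
```

The same parser works on lines pulled from the SDM syslog view or from a syslog server, since the message body is identical; only the timestamp prefix varies with the logging configuration.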
Viewing the Syslog Message Log
Navigate to Monitor->Logging->Syslog to view the syslog message log. This dialog is illustrated in Figure 8.25.
Verifying IOS IPS Operation
This section outlines procedures to verify IOS IPS operation with both the SDM and the CLI.
Verifying IPS Policies (Rules)
Navigate to Configure->Intrusion Prevention->Edit IPS to verify that IPS has been enabled on interfaces and in which direction. This is illustrated in Figure 8.26.
Also note in Figure 8.26 that VFR (Virtual Fragment Reassembly) has been enabled on all of the interfaces. The IOS IPS cannot detect intrusions by examining fragments of IP packets. They must be coalesced so the entire packet can be checked. Of course, the Edit IPS tab can be used to edit and not just verify the IPS!
Verifying the IPS Configuration
The command show ip ips configuration (reviewed previously) can be used to verify a summary of the IPS configuration, including the configured location of the files, name of policies (rules), and which interfaces they have been applied on and in which direction. These are highlighted in the following command output:
CiscoISR-A#show ip ips configuration
IPS Signature File Configuration Status
    Configured Config Locations: flash:/ips/
    Last signature default load time: 20:36:55 UTC May 19 2008
    Last signature delta load time: 20:38:01 UTC May 19 2008
    Last event action (SEAP) load time: -none-
General SEAP Config:
    Global Deny Timeout: 3600 seconds
    Global Overrides Status: Enabled
    Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS Syslog and SDEE Notification Status
    Event notification through syslog is enabled
    Event notification through SDEE is enabled
IPS Signature Status
    Total Active Signatures: 373
    Total Inactive Signatures: 1888
IPS Packet Scanning and Interface Status
    IPS Rule Configuration
        IPS name sdm_ips_rule
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Fastpath ips is enabled
    Quick run mode is enabled
    Interface Configuration
        Interface Vlan3
            Inbound IPS rule is sdm_ips_rule
            Outgoing IPS rule is not set
        Interface Vlan1
            Inbound IPS rule is sdm_ips_rule
            Outgoing IPS rule is not set
        Interface FastEthernet4
            Inbound IPS rule is sdm_ips_rule
            Outgoing IPS rule is not set
        Interface Vlan99
            Inbound IPS rule is sdm_ips_rule
            Outgoing IPS rule is not set
IPS Category CLI Configuration:
    Category all:
        Retire: True
    Category ios_ips basic:
        Retire: False
CiscoISR-A#
Verifying IPS Interfaces
If you simply want to see which interface(s) the policies (rules) have been applied on, you can use the show ip ips interfaces command. Here we see the SDM-generated IPS policy sdm_ips_rule applied inbound on Vlan1, Vlan3, Vlan99, and FastEthernet 4:
CiscoISR-A#show ip ips interfaces
Interface Configuration
    Interface Vlan3
        Inbound IPS rule is sdm_ips_rule
        Outgoing IPS rule is not set
    Interface Vlan1
        Inbound IPS rule is sdm_ips_rule
        Outgoing IPS rule is not set
    Interface FastEthernet4
        Inbound IPS rule is sdm_ips_rule
        Outgoing IPS rule is not set
    Interface Vlan99
        Inbound IPS rule is sdm_ips_rule
        Outgoing IPS rule is not set
CiscoISR-A#
Verifying All Cisco IOS IPS Settings
To view all the Cisco IOS IPS settings, including information that is not displayed with the show ip ips configuration command, use the show ip ips all command. In the following output, we see that both syslog and SDEE logging have been enabled and that there are 373 active signatures and 1,888 inactive signatures:
CiscoISR-A#show ip ips all
IPS Signature File Configuration Status
    Configured Config Locations: flash:/ips/
    Last signature default load time: 20:36:55 UTC May 19 2008
    Last signature delta load time: 20:38:01 UTC May 19 2008
    Last event action (SEAP) load time: -none-
General SEAP Config:
    Global Deny Timeout: 3600 seconds
    Global Overrides Status: Enabled
    Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS Syslog and SDEE Notification Status
    Event notification through syslog is enabled
    Event notification through SDEE is enabled
IPS Signature Status
    Total Active Signatures: 373
    Total Inactive Signatures: 1888
(output omitted)