https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239399#M77277 <HTML><HEAD></HEAD><BODY><P>Hi Ribin,</P><P></P><P>attack-drop.sdf is the basic signature file. You need to download 128MB.sdf or 256MB.sdf, which is also in SDM disk. </P><P></P><P>"ip ips sdf location " command is for 18XX router</P><P>use the following command for 28xx</P><P></P><P>ip ips config location flash://128MB.sdf</P><P></P><P>H2H</P><P>Roshan</P></BODY></HTML> Sun, 19 Apr 2009 11:05:48 GMT roshan.maskey 2009-04-19T11:05:48Z https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239395#M77273 <P>Hi all,</P><P></P><P>I have a Cisco 2811 with IOS Version 12.4(20)T and I need to enable IPS or IDS in this. What is the config for this?</P><P>First of all, I need to know whether I can do IPS/IDS in my router as well..</P><P></P><P>- Ribin</P> Sun, 10 Mar 2019 11:35:53 GMT https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239395#M77273 ribin.jones 2019-03-10T11:35:53Z https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239396#M77274 <HTML><HEAD></HEAD><BODY><P>Hi Ribin,</P><P></P><P>Cisco Router supports IOS IPS 5.x.</P><P></P><P>The following is the sample configuration:</P><P>Step 1: Verify if you have signature file (128MB.sdf or 256MB.sdf)</P><P>router# sh flash</P><P></P><P>Step2: Specify router to use sig-definition file</P><P>router(config)# ip ips sdf location flash://128MB.sdf</P><P></P><P>Step3: create signature_rule</P><P>router(config)# ip ips name myips_rule</P><P></P><P>Step4: Apply IPS rule to interface</P><P>router(config)# interface fa0/0</P><P>router(config-if)# ip ips myips_rule in</P><P></P><P>Step5: Enable IPS SDEE notification</P><P>router(config)# ip ips notify sdee</P><P></P><P>You can further tune IPS signature using SDM</P><P></P><P>H2H</P><P>Roshan</P></BODY></HTML> Sun, 19 Apr 2009 10:12:09 GMT https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239396#M77274 roshan.maskey 2009-04-19T10:12:09Z https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239397#M77275 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I don't have 128MB.sdf or 256MB.sdf. But I do have a attack-drop.sdf. Any idea what it might be?</P></BODY></HTML> Sun, 19 Apr 2009 10:38:53 GMT https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239397#M77275 ribin.jones 2009-04-19T10:38:53Z https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239398#M77276 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>Also, I see the below from my config prompt</P><P></P><P>Router(config)#ip ips ?</P><P> auto-update Auto Update</P><P> config Location of IPS configuration files</P><P> deny-action Specify Deny action</P><P> event-action-rules Event Action Rules (SEAP)</P><P> fail Specify what to do during any failures</P><P> name Specify an IPS rule</P><P> notify Specify the notification mechanisms (SDEE or log) for</P><P> the alarms</P><P> signature-category Signature Category</P><P> signature-definition Signature Definition</P><P></P><P></P><P>I don't see </P><P>ips sdf command.</P></BODY></HTML> Sun, 19 Apr 2009 10:51:50 GMT https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239398#M77276 ribin.jones 2009-04-19T10:51:50Z https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239399#M77277 <HTML><HEAD></HEAD><BODY><P>Hi Ribin,</P><P></P><P>attack-drop.sdf is the basic signature file. You need to download 128MB.sdf or 256MB.sdf, which is also in SDM disk. </P><P></P><P>"ip ips sdf location " command is for 18XX router</P><P>use the following command for 28xx</P><P></P><P>ip ips config location flash://128MB.sdf</P><P></P><P>H2H</P><P>Roshan</P></BODY></HTML> Sun, 19 Apr 2009 11:05:48 GMT https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239399#M77277 roshan.maskey 2009-04-19T11:05:48Z https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239400#M77278 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I did enabled IPS in the router and configured to notify to our log server. Below is the log I received in my log server. </P><P></P><P>What does IPS does now and what kind of logs I can expect?</P><P></P><P>Thanks,</P><P>Ribin</P><P></P><P></P><P>Apr 19 14:53:38 192.168.11.10 4546: *Apr 19 09:27:41.254: %SYS-5-CONFIG_I: Configured from console by ribin on vty0 (192.168.11.35)</P><P>Apr 19 18:04:29 192.168.11.10 4548: *Apr 19 12:38:32.601: %CRYPTO-6-IPSEC_USING_DEFAULT: IPSec is using default transforms</P><P>Apr 19 18:12:10 192.168.11.10 4549: *Apr 19 12:46:14.541: %IPS-6-ENGINE_BUILDS_STARTED: 12:46:14 UTC Apr 19 2009</P><P>Apr 19 18:12:10 192.168.11.10 4550: *Apr 19 12:46:14.541: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines</P><P>Apr 19 18:12:10 192.168.11.10 4551: *Apr 19 12:46:14.557: %IPS-6-ENGINE_READY: atomic-ip - build time 16 ms - packets for this engine will be scanned</P><P>Apr 19 18:12:10 192.168.11.10 4552: *Apr 19 12:46:14.557: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 16 ms</P><P></P></BODY></HTML> Sun, 19 Apr 2009 11:47:44 GMT https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239400#M77278 ribin.jones 2009-04-19T11:47:44Z https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239401#M77279 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>Also I see the following error in my log server:</P><P></P><P>%IPS-3-IPS_FILE_OPEN_ERROR: flash://128MB.sdf/Router11.10-seap-typedef.xml - Requested operation requires a directory</P></BODY></HTML> Sun, 19 Apr 2009 13:06:55 GMT https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239401#M77279 ribin.jones 2009-04-19T13:06:55Z https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239402#M77280 <HTML><HEAD></HEAD><BODY><P>The recommendation to use the 128MB.sdf or 256MB.sdf is not correct for the version of software that you're using. IOS 12.4(11)T and later use the v5 signatures, available here:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup" target="_blank">http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup</A></P><P></P><P>There is a video demonstration describing the use of Cisco Configuration Professional for IPS, here:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/cdc_content_elements/flash/ios/configios/index.html" target="_blank">http://www.cisco.com/cdc_content_elements/flash/ios/configios/index.html</A></P><P></P><P>The CLI configuration guide is here:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html" target="_blank">http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html</A></P><P></P><P>Be sure that you configure the IPS to load the 'ios_ips basic' or 'ios_ips advanced' categories. If the router tries to load the default signatures, it will run out of memory and crash.</P></BODY></HTML> Wed, 06 May 2009 20:16:39 GMT https://community.cisco.com/t5/network-security/how-to-enable-ips-ips-ids-in-cisco-2811/m-p/1239402#M77280 bstiff 2009-05-06T20:16:39Z