Enable Ping Signature on cisco IPS

Hi,

I have enabled the signatures for ping, 2000 and 2004, and I have set their severity to high, but I am still not getting an alert.

I also did an nmap attack and it gives an alert.

How can I achieve this?

Thanks

2000 and 2004 are retired by default now.  You will need to make sure that you both enable and unretire these signatures before testing.

Which kinds of signatures can we test with nmap (the ID of the signature), please?

Signature 2000-0 triggers on ICMP Echo Replies and 2004-0 triggers on ICMP Echo Requests. Note that these are extremely common network traffic. If you have enabled and unretired the sigs and if the sigs fire when tested using NMAP, they seem to be working fine. Maybe there's some other device on your network that's blocking such packets.

Thanks Todd Pula and ruppala,

I enabled the signature and unretired it, and it is working. I want to ask: why does the signature get retired?

Another question: I have a lot of signatures that are not enabled, and I want to enable all of them for alerting. Can I do it without going to each single one and enabling it, i.e. is there any way (like a script) I can use to enable all of them at one time?

Thanks

Unretiring and enabling many signatures would have a performance impact. Only unretire and enable those signatures which are really important.

Regards,

Sawan Gupta

Thanks Sawan,

What about enabling more than one signature for alerting (config. from CLI)? Is this applicable?

Thanks

Yes, enabling a few signatures is fine.

Regards,

Sawan Gupta

Thanks Sawan, I think I did not explain exactly what my problem is.

I have 1000 signatures in IPS (not enabled). I want to enable all of them; I don't want to go through all of them one by one and enable each.

Is there a way I can do it, maybe some command I can issue?

Thanks

Yes, using IDM you can select multiple signatures and right-click -> Enable.

Regards,

Sawan Gupta

Thanks Sawan, Todd, ruppala

Un-retire the echo request signature (signature 2004, subsig ID 0), enable it and change the signature action to alert, and drop.

R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm]
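
Added example, not part of the original thread and not Cisco's own tooling: a small Python generator that renders the CLI sequence from the post above for a short, reviewed list of signatures written in the thread's `2004-0` notation, so the block can be pasted instead of typed per signature. The names `parse_sig`, `render_enable` and the `max_sigs` cap (which reflects the performance advice given earlier in the thread) are hypothetical, and it assumes several signatures can be configured inside one `ip ips signature-definition` session.

```python
import re

# "2004-0" (ID-subsig, as written in the thread) or "2004" (subsig defaults to 0)
SIG_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_sig(spec):
    """Turn 'SIGID-SUBSIG' into an (id, subsig) tuple, rejecting anything else."""
    m = SIG_RE.match(spec.strip())
    if not m:
        raise ValueError(f"not a signature id: {spec!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def render_enable(specs, deny_inline=False, max_sigs=25):
    """Return the config lines that unretire and enable each listed signature.

    max_sigs is a hypothetical safety cap: unretiring many signatures has a
    performance cost, so an oversized list is refused rather than rendered.
    """
    sigs = list(dict.fromkeys(parse_sig(s) for s in specs))  # de-duplicate, keep order
    if not sigs:
        raise ValueError("no signatures given")
    if len(sigs) > max_sigs:
        raise ValueError(f"{len(sigs)} signatures exceeds the cap of {max_sigs}")

    lines = ["ip ips signature-definition"]
    for sig_id, subsig in sigs:
        lines += [
            f"signature {sig_id} {subsig}",
            "status",
            "retired false",
            "enabled true",
            "exit",
            "engine",
            "event-action produce-alert",
        ]
        if deny_inline:  # same second action as in the post above
            lines.append("event-action deny-packet-inline")
        lines += ["exit", "exit"]  # leave engine mode, then the signature
    lines.append("exit")  # leaving sigdef mode brings up the accept-changes prompt
    return lines


if __name__ == "__main__":
    # Constructed input: the two ping signatures discussed in the thread.
    print("\n".join(render_enable(["2000-0", "2004-0"])))
```

The router still asks for confirmation when the final `exit` leaves signature-definition mode, as shown in the post above.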

Hi,

Maybe, as a personal suggestion, you can use the summary option for these types of signatures so you won't see or get all the alerts; you can have a summary of them at a time to have some of them fired.

Regards,
