
Enable Ping Signature on cisco IPS

alkabeer80
Level 1

Hi,

I have enabled the ping signatures 2000 and 2004 and I have set their severity to high, but I am still not getting an alert.

I also did an nmap attack and it gives an alert.

How can I achieve this?

Thanks

12 Replies

Todd Pula
Level 7

2000 and 2004 are retired by default now.  You will need to make sure that you both enable and unretire these signatures before testing.

Which kinds of signatures can we test with nmap (the ID of the signature), please?

ruppala
Level 1

Signature 2000-0 triggers on ICMP Echo Replies and 2004-0 triggers on ICMP Echo Requests. Note that these are extremely common network traffic. If you have enabled and unretired the sigs and if the sigs fire when tested using NMAP, they seem to be working fine. Maybe there's some other device on your network that's blocking such packets.

alkabeer80
Level 1

Thanks Todd Pula and ruppala,

I enabled the signature and unretired it, and it is working. I want to ask: why does the signature get retired?

Another question: I have a lot of signatures that are not enabled and I want to enable all of them for alerting. Can I do it without going to each single one and enabling it, i.e. is there any way (like a script) I can use to enable all of them at one time?

Thanks

Unretiring and enabling many signatures would have a performance impact. Only unretire and enable those signatures which are really important.

Regards,

Sawan Gupta


Thanks Sawan,

What about enabling more than one signature for alerting (config. from CLI), is this applicable?

Thanks

Yes, enabling a few signatures is fine.

Regards,

Sawan Gupta


Thanks Sawan, I think I did not explain what my problem is exactly.

I have 1000 signatures in the IPS (not enabled). I want to enable all of them; I don't want to go through all of them one by one and enable each.

Is there a way I can do it, maybe some command I can issue?

Thanks

Yes using IDM you can select multiple signatures and right-click -> Enable.

Regards,

Sawan Gupta


alkabeer80
Level 1

Thanks Sawan, Todd, ruppala

andrea sentali
Level 1

Un-retire the echo request signature (signature 2004, subsig ID 0), enable it and change the signature action to alert and drop.

R1(config)# ip ips signature-definition

R1(config-sigdef)# signature 2004 0

R1(config-sigdef-sig)# status

R1(config-sigdef-sig-status)# retired false

R1(config-sigdef-sig-status)# enabled true

R1(config-sigdef-sig-status)# exit

R1(config-sigdef-sig)# engine

R1(config-sigdef-sig-engine)# event-action produce-alert

R1(config-sigdef-sig-engine)# event-action deny-packet-inline

R1(config-sigdef-sig-engine)# exit

R1(config-sigdef-sig)# exit

R1(config-sigdef)# exit

Do you want to accept these changes? [confirm]
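
The CLI sequence in the post above, generalized to several signatures at once, as an added example that is not part of the thread or Cisco's own tooling: a Python generator for the IOS IPS configuration lines. The function names, the `MAX_SIGS` cap and the `SIGID-SUBSIG` input format are assumptions made for this example.

```python
import re

# Assumed safety cap (not a Cisco limit): the thread warns that unretiring and
# enabling many signatures costs performance, so refuse very large batches.
MAX_SIGS = 25
# Only the two event actions that appear in the post above.
ALLOWED_ACTIONS = ("produce-alert", "deny-packet-inline")


def parse_sig(spec):
    """Parse 'SIGID' or 'SIGID-SUBSIG' (e.g. '2004-0') into (sig_id, subsig_id)."""
    m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,3}))?", spec.strip())
    if not m:
        raise ValueError(f"bad signature spec: {spec!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def build_config(specs, actions=("produce-alert",)):
    """Return IOS IPS config-mode lines that unretire and enable each signature."""
    sigs = sorted({parse_sig(s) for s in specs})  # de-duplicate, fixed order
    if not sigs:
        raise ValueError("no signatures given")
    if len(sigs) > MAX_SIGS:
        raise ValueError(f"{len(sigs)} signatures exceeds cap of {MAX_SIGS}")
    bad = [a for a in actions if a not in ALLOWED_ACTIONS]
    if bad or not actions:
        raise ValueError(f"unsupported event actions: {bad}")
    lines = ["ip ips signature-definition"]
    for sig_id, subsig in sigs:
        lines += [f"signature {sig_id} {subsig}", "status",
                  "retired false", "enabled true", "exit", "engine"]
        # One event-action line per action, mirroring the post above.
        lines += [f"event-action {a}" for a in actions]
        lines += ["exit", "exit"]
    # Leaving signature-definition mode triggers the
    # "Do you want to accept these changes? [confirm]" prompt on the router.
    lines.append("exit")
    return lines


if __name__ == "__main__":
    # Constructed input: the two ICMP signatures discussed in this thread.
    print("\n".join(build_config(["2000-0", "2004-0"], ALLOWED_ACTIONS)))
```

The output is meant to be reviewed and pasted in global configuration mode; the final confirmation prompt still has to be answered on the device.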

andduart
Level 1

Hi,

Maybe, as a personal suggestion, you can use the summary option for these types of signatures so you won't see or get all the alerts; you can have a summary of them at a time to have some of them fired.

Regards,
