05-01-2012 09:01 PM - edited 03-10-2019 05:39 AM
Hi,
I have enabled the signatures for ping, 2000 and 2004, and I have set their severity to high, but I am still not getting an alert.
I also did an nmap attack and it gives an alert.
How can I achieve this?
Thanks
05-02-2012 02:23 PM
2000 and 2004 are retired by default now. You will need to make sure that you both enable and unretire these signatures before testing.
04-20-2015 04:01 AM
Which kinds of signatures can we test with nmap (the ID of the signature), please?
05-04-2012 04:43 PM
Signature 2000-0 triggers on ICMP Echo Replies and 2004-0 triggers on ICMP Echo Requests. Note that these are extremely common network traffic. If you have enabled and unretired the sigs and if the sigs fire when tested using NMAP, they seem to be working fine. Maybe there's some other device on your network that's blocking such packets.
05-05-2012 12:51 AM
I enabled the signature and unretired it, and it is working. I want to ask, why does the signature get retired?
Another question: I have a lot of signatures that are not enabled and I want to enable all of them for alerting. Can I do it without going to each single one and enabling it, i.e. is there any way (like a script) I can use to enable all of them at one time?
Thanks
05-06-2012 03:59 AM
Unretiring and enabling many signatures would have a performance impact. Only unretire and enable those signatures which are really important.
Regards,
Sawan Gupta
05-06-2012 12:00 PM
Thx Sawan,
What about enabling more than one signature for alerting (config. from CLI), is this applicable?
Thanks
05-06-2012 05:53 PM
Yes, enabling a few signatures is fine.
Regards,
Sawan Gupta
05-06-2012 09:11 PM
Thx Sawan, I think I did not explain what my problem is exactly.
I have 1000 signatures in the IPS (not enabled). I want to enable all of them, and I don't want to go through all of them one by one and enable each.
Is there a way I can do it, maybe some command I can issue?
Thanks
05-06-2012 09:26 PM
Yes, using IDM you can select multiple signatures and right-click -> Enable.
Regards,
Sawan Gupta
05-07-2012 11:18 PM
thx Sawan, Todd, ruppla
10-21-2013 12:48 AM
Un-retire the echo request signature (signature 2004, subsig ID 0), enable it and change the signature action to alert, and drop.
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# exit
R1(config-sigdef-sig)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm]
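Added example, not part of any post in this thread: a small Python generator that renders the command sequence shown above for an explicit list of signatures, which is one way to script the bulk-enable question asked earlier. The function names and the `MAX_SIGS` cap are hypothetical; the cap is an assumed local policy reflecting the performance warning given in the thread, and only the two event actions that appear in the post are accepted.

```python
# Added example: render the IOS IPS command sequence from the post above
# for a reviewed list of signatures. Helper names are hypothetical.

KNOWN_ACTIONS = {"produce-alert", "deny-packet-inline"}  # the two shown in the thread
MAX_SIGS = 25  # assumed local cap; unretiring many signatures costs performance


def parse_sigs(spec):
    """Parse 'sig-subsig' tokens such as '2000-0, 2004-0' into sorted unique pairs."""
    pairs = set()
    for token in spec.replace(",", " ").split():
        sig, sep, sub = token.partition("-")
        if not (sig.isdecimal() and (sub.isdecimal() if sep else True)):
            raise ValueError(f"bad signature token: {token!r}")
        pairs.add((int(sig), int(sub) if sep else 0))
    if len(pairs) > MAX_SIGS:
        raise ValueError(f"{len(pairs)} signatures exceeds the cap of {MAX_SIGS}")
    return sorted(pairs)


def render_config(pairs, actions=("produce-alert",)):
    """Return config-mode lines that unretire and enable each signature."""
    unknown = set(actions) - KNOWN_ACTIONS
    if unknown:
        raise ValueError(f"unsupported event-action: {sorted(unknown)}")
    lines = ["ip ips signature-definition"]
    for sig, sub in pairs:
        lines += [
            f" signature {sig} {sub}",
            "  status",
            "   retired false",
            "   enabled true",
            "   exit",
        ]
        if actions:
            lines.append("  engine")
            lines += [f"   event-action {a}" for a in actions]
            lines.append("   exit")
        lines.append("  exit")
    lines.append(" exit")  # the router then asks to accept the changes
    return lines


if __name__ == "__main__":
    # Constructed input: the two ICMP signatures discussed in the thread.
    print("\n".join(render_config(parse_sigs("2000-0, 2004-0"))))
```

The output is meant to be reviewed and pasted in global configuration mode; the default action list only produces alerts, so inline dropping has to be requested explicitly.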
10-27-2013 09:45 PM
Hi,
Maybe as a personal suggestion you can use the summary option for these types of signatures so you won't see or get all the alerts; you can have a summary of them at a time to have some of them fired.
Regards,
Sent from Cisco Technical Support iPhone App