IOS Based IPS --> No Alerts??

wmblake755
Level 1

We are trying to set up a 2811 router to run IOS based IPS. We followed all the procedures but we can't seem to get the system to send any alerts via syslog. We have tried various port scanners with no luck. Are we missing something?

4 Replies

ymzhang
Level 1

Hi,

Can you provide more details about your IOS image and the configuration that you have?

For latest IOS T-train image, you can try the getting started guide at http://www.cisco.com/en/US/products/ps6634/products_white_paper0900aecd805c4ea8.shtml.

With more information, I can better answer your questions.

Thanks,

-Chris

Here is the IOS version:

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Experimental Version 12.4(20070215:163920) [jenneyc-V124_11_T1 107]

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Compiled Sun 11-Mar-07 12:16 by jenneyc

Also, this is the only message we got that might be considered an IDS alert. But we don't get any alerts when we perform normal port scans.

<188>2459: Apr 10 15:04:47.885: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:75 [10.15.250.30:0 -> 10.11.100.61:0] RiskRating:63

rtrwan-anf000#sho ip ips configuration
Configured Config Locations: flash:ips5/
Last signature default load time: 16:57:56 est Mar 14 2007
Last signature delta load time: 12:03:57 est Apr 10 2007
Last event action (SEAP) load time: -none-
General SEAP Config:
Global Deny Timeout: 3600 seconds
Global Overrides Status: Enabled
Global Filters Status: Enabled
IPS Auto Update is not currently configured
IPS fail closed is disabled
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is disabled
Total Active Signatures: 1090
Total Inactive Signatures: 899
IPS Rule Configuration
 IPS name testips
IPS Category CLI Configuration:
    Category all:
        Retire: False
    Category viruses/worms/trojans all-viruses/worms/trojans:
        Retire: False
    Category p2p bittorrent:
        Retire: False
    Category p2p edonkey:
        Retire: False
    Category p2p kazaa:
        Retire: False
    Category reconnaissance:
        Retire: False Alert
Interface Configuration
 Interface FastEthernet0/0.1
  Inbound IPS rule is testips
  Outgoing IPS rule is testips
 Interface FastEthernet0/0.2
  Inbound IPS rule is testips
  Outgoing IPS rule is testips
 Interface Serial0/0/0
  Inbound IPS rule is testips
  Outgoing IPS rule is testips
 Interface Serial0/0/0.34
  Inbound IPS rule is testips
  Outgoing IPS rule is testips
 Interface Serial0/0/0.35
  Inbound IPS rule is testips
  Outgoing IPS rule is testips
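
The %IPS-4-SIGNATURE line quoted above has a fixed layout, and the quickest way to tell whether a test (for example enabling a signature and then provoking it) actually produced an event is to parse the syslog feed and tally hits per signature ID. The parser below is an added example, not code from this thread or from Cisco; it decodes the syslog <PRI> value as well as the Sig/Subsig/Sev, address and RiskRating fields. The first sample line is the one from the thread; the second (sig 2004, ICMP Echo Request) and the unrelated %SYS line are constructed with made-up values.

```python
import re
from typing import Dict, List, Optional

# Matches the %IPS-4-SIGNATURE line format quoted in the thread, e.g.
# <188>2459: Apr 10 15:04:47.885: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:75 [10.15.250.30:0 -> 10.11.100.61:0] RiskRating:63
IPS_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<seq>\d+): (?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+): "
    r"%IPS-\d-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] RiskRating:(?P<rr>\d+)$"
)
INT_FIELDS = ("seq", "sig", "subsig", "sev", "sport", "dport", "rr")

def parse_ips_alert(line: str) -> Optional[dict]:
    """Parse one IOS IPS signature syslog line; return None for any other syslog line."""
    m = IPS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = pri // 8, pri % 8   # decode the syslog <PRI> header
    return rec

def count_by_signature(lines: List[str]) -> Dict[int, int]:
    """Tally alerts per signature ID; a test signature absent from the tally never fired."""
    counts: Dict[int, int] = {}
    for line in lines:
        rec = parse_ips_alert(line)
        if rec is not None:
            counts[rec["sig"]] = counts.get(rec["sig"], 0) + 1
    return counts

# Constructed sample log: the alert quoted in the thread, a made-up hit for sig 2004
# (ICMP Echo Request) from a ping test, and an unrelated line that must be ignored.
SAMPLE_LOG = [
    "<188>2459: Apr 10 15:04:47.885: %IPS-4-SIGNATURE: Sig:2157 Subsig:1 Sev:75 [10.15.250.30:0 -> 10.11.100.61:0] RiskRating:63",
    "<188>2460: Apr 10 15:06:01.120: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 [192.0.2.10:0 -> 192.0.2.1:0] RiskRating:25",
    "<189>2461: Apr 10 15:06:02.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    print(count_by_signature(SAMPLE_LOG))  # {2157: 1, 2004: 1}
```

Feed it the syslog server's receive log after a test: if the expected signature ID is missing from the tally, the event never left the router, which separates an IPS triggering problem from a syslog delivery problem.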

Your configuration seems ok. Can you please provide the following output:

1. show ip ips signature (as attachment)

2. What port scanning tool you used and how you used it.

Your configuration has syslog/sdee enabled. If you have configured the syslog server properly, the ips alerts will be sent to the syslog server. So the question is whether IPS is actually working and will be able to trigger events as expected.

If you know how to use metasploit, you can try using that to test it. "3Com 3CDaemon FTP Server Overflow" should trigger signature 3166/3173. (Use 'show ip ips signature | in 3166' to check, it should show something like "3166:0 Y Y A HIGH 0 1 0 0 0 FA N 100 S190")

Thanks,

-Chris

Try enabling sig 2004, ICMP Echo Request and then ping the interface of the router that has the IPS policy attached to it.
