Getting Started with Cisco IOS IPS with 5.x Format Signatures: A Step-by-Step Guide
This guide is divided into two sections: Getting Started with Cisco IOS IPS and Signature Tuning.
The first section of the guide provides a detailed step-by-step process using the Cisco IOS Software command-line interface (CLI) to get started with Cisco IOS IPS 5.x format signatures. It contains the following five steps:

Step 1: Downloading Cisco IOS IPS Files
Step 2: Creating Directory on Flash
Step 3: Configuring Cisco IOS IPS Crypto Key
Step 4: Enabling Cisco IOS IPS
Step 5: Loading Signatures to Cisco IOS IPS

Each step and its specific commands are described. The Additional Commands and References section under each step provides additional information. Example configurations are displayed in a box below each command.

The second section of the guide provides instructions and examples on advanced options for signature tuning. Topics include:

Enable/Disable Signatures
Retire/Unretire Signatures
Change Signature Actions
Prerequisites
Before getting started with the above steps, ensure that you have the following:

A Cisco 870, 1800, 2800, or 3800 Series Integrated Services Router
128 MB or more DRAM and at least 2 MB free flash memory
Console or Telnet connectivity to the router
Cisco IOS Software Release 12.4(11)T or later
A valid Cisco.com login username and password
A current Cisco Services for IPS Contract for licensed signature update services

You should be familiar with basic router commands for:

Exec mode
Configure mode
Exit configure mode
Backup and restore configuration
All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
White Paper
References
Cisco IOS Basic Skills: http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_guide_chapter09186a0080118cd0.html

Cabling and Setup Quick Start Guide for Cisco 800 Series Access Routers: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/85x87x/857qsg/index.htm
Additional Commands and References

To verify the contents of the flash, enter the following command at the router prompt:

show flash:

training#show flash:
24576K bytes of processor board System flash (Intel Strataflash)

Directory of flash:/
    2  -rwx    17198508   --- -- ---- --:--:-- -----  c870advipservicesk9-mz.12.4-11.T1
    3  drwx           0   Aug 11 2006 23:16:18 -08:00  ipsstore

23482368 bytes total (6279168 bytes free)
To rename the directory, use the Rename Directory Command, or the combination of the Remove Directory Command and the Create Directory Command, at the router prompt.

Rename the directory (Rename Directory Command):

rename <current name> <new name>

training#rename ipsstore ips
Destination filename [ips]?

OR

First remove the directory (Remove Directory Command):

rmdir <current directory name>

Create the directory again (Create Directory Command):

mkdir <new directory name>

training#rmdir ips
Remove directory filename [ips]?
Delete flash:ips? [confirm]
Removed dir flash:ips
training#mkdir ipsstore
Create directory filename [ipsstore]?
Created dir flash:ipsstore
quit

Step 3.5 Compare the crypto key configuration with the text file to make sure that the key is correctly configured.

Step 3.6 Save the configuration:

copy running-config startup-config
Additional Commands and References

If the key is configured incorrectly, you need to remove the crypto key first and then reconfigure it. To remove the key, enter the following commands in order in Router Configure Mode:

training#configure terminal
training(config)#no crypto key pubkey-chain rsa
training(config-pubkey-chain)#no named-key realm-cisco.pub signature
training(config-pubkey-chain)#exit
training(config)#exit

Verify that the key is removed from the configuration using the following command at the router prompt:

show run

Configure the key again by following Steps 3.1 through 3.5.
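The comparison in Step 3.5 is easy to get wrong by eye, because `show run` rewraps the key-string into 8-character hex groups and a pasted key may differ only in one group. The following Python script is an added example (not part of the Cisco guide) that extracts the key-string under `named-key realm-cisco.pub signature` from both the running configuration and the key text file and compares them after normalizing whitespace and hex case. The key block in it is a constructed, shortened sample in the layout of the key file; it is not the real Cisco public key.

```python
"""Step 3.5 check: confirm the RSA public key in the running configuration is
the key from the text file. Added example, not part of the Cisco guide.
Both inputs are plain strings (the text of `show run` and of the key file).
The key block below is CONSTRUCTED for illustration; it is not the real
realm-cisco.pub key material."""
import re

# Constructed sample in the layout of the key text file (not real key material).
KEY_FILE_TEXT = """\
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00A1B2C3 D4E5F607 18293A4B 5C6D7E8F 90A1B2C3 D4E5F607 18293A4B 5C6D7E8F
   02030100 01
  quit
"""

HEX_GROUPS = re.compile(r"(?:[0-9A-Fa-f]{1,8}\s*)+")


def extract_key_string(config_text, key_name="realm-cisco.pub"):
    """Return the hex of the key-string under `named-key <key_name> signature`
    as one upper-case string without whitespace, or None when that named key
    is absent (for example after it was removed with `no named-key`)."""
    in_key = in_string = False
    groups = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "named-key %s signature" % key_name:
            in_key = True
            continue
        if not in_key:
            continue
        if line == "key-string":
            in_string = True
            continue
        if line == "quit":                 # `quit` ends the key-string block
            break
        if in_string:
            if not HEX_GROUPS.fullmatch(line):
                raise ValueError("non-hex text inside key-string: %r" % raw)
            groups.append(re.sub(r"\s+", "", line).upper())
    return "".join(groups) if in_key else None


def key_matches_file(running_config, key_file_text=KEY_FILE_TEXT):
    """True when the configured key-string equals the file's, ignoring the
    line wrapping, spacing and hex case that legitimately differ between a
    pasted file and `show run` output. False if either key is missing."""
    configured = extract_key_string(running_config)
    expected = extract_key_string(key_file_text)
    if configured is None or expected is None:
        return False
    # A truncated or mistyped paste shows up here; a wrong key name is caught
    # earlier because the named-key line never matches.
    return configured == expected


def looks_like_der_public_key(hexstring):
    """Cheap sanity check on a key-string: an RSA SubjectPublicKeyInfo is a
    DER SEQUENCE, so the hex must be even-length and start with tag 0x30."""
    return len(hexstring) % 2 == 0 and hexstring.startswith("30")
```

Run `key_matches_file(show_run_text, open("realm-cisco.pub.key").read())` with the real file; a False result means you should remove the key as described above and paste it again, since a mismatched key makes every signature package fail its digital-signature check at load time.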
Step 4.4 Configure Cisco IOS IPS to use the default basic signature set:

training(config)#ip ips signature-category
training(config-ips-category)#category all
training(config-ips-category-action)#retired true
training(config-ips-category-action)#exit
training(config-ips-category)#category ios_ips basic
training(config-ips-category-action)#retired false
training(config-ips-category-action)#exit
training(config-ips-category)#exit
Do you want to accept these changes? [confirm]y
training(config)#

Step 4.5 Enable the IPS rule on the desired interface and direction:

interface <interface name>
ip ips <rule name> <in | out>

training(config)#interface vlan 1
training(config-if)#ip ips myips in
training(config-if)#exit
training(config)#exit
training#

Additional Commands and References

Cisco IOS IPS Configuration Guide: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html
training#terminal monitor

Step 5.1 Save your router configuration.

training#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Step 5.2 Copy the downloaded package (IOS-S259-CLI.pkg) to the TFTP server and load the signatures from the TFTP server into Cisco IOS IPS:

copy tftp://<Server IP address>/IOS-S259-CLI.pkg idconf

training#copy tftp://10.10.10.2/IOS-S259-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 10.10.10.2 (via Vlan1): !!!

Step 5.3 Verify the version, that the signatures were loaded, and the active signature count using the following command:

show ip ips signature count

training#show ip ips signature count
Cisco SDF release version S259.0      (signature package version)
Trend SDF release version V0.0

Signature Micro-Engine: multi-string
  Total Signatures: 3
  Enabled: 3
  Retired: 3
  Skipped

Signature Micro-Engine: normalizer
  Total Signatures: 9
  Enabled: 8
  Retired: 1
  Compiled: 8

Total Signatures: 1964
  Total Enabled Signatures: 736
  Total Retired Signatures: 1625
  Total Compiled Signatures: 338      (total active compiled signatures)
  Total Signatures with invalid parameters: 1
training#

Additional Commands and References

After Cisco IOS IPS loads the signature package into memory, it starts reading signatures and attempts to build them according to the configuration. An error message such as:

%IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (key not found)

means the public crypto key is invalid. Refer to Configuring Cisco IOS IPS Crypto Key (Step 3) to reconfigure the public crypto key.
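The count output is what tells you whether the load actually protects anything: a package can load with no compiled signatures, or with signatures whose parameters were rejected, without any obvious error. The following Python script is an added example (not part of the Cisco guide) that parses `show ip ips signature count` into per-engine and grand totals and returns a list of findings: no release version, zero compiled signatures, invalid-parameter signatures, a per-engine count that is impossible, and the `%IPS-3-INVALID_DIGITAL_SIGNATURE` message in a console capture. The sample output is constructed in the layout shown above using the guide's numbers (with `Compiled: 0` for the fully retired engine), and the console line is a constructed instance of the error the guide describes; the parser assumes a blank line separates each engine block from the next and from the totals.

```python
"""Step 5.3 check: parse `show ip ips signature count` and report conditions
that mean the signature load did not take effect. Added example, not part of
the Cisco guide. SAMPLE_COUNT_OUTPUT is constructed in the layout the guide
shows (with the guide's numbers); SAMPLE_CONSOLE is a constructed instance of
the error the guide describes. Layout assumption: a blank line separates
each Signature Micro-Engine block from the next and from the grand totals."""
import re

SAMPLE_COUNT_OUTPUT = """\
Cisco SDF release version S259.0
Trend SDF release version V0.0

Signature Micro-Engine: multi-string
  Total Signatures: 3
  Enabled: 3
  Retired: 3
  Compiled: 0

Signature Micro-Engine: normalizer
  Total Signatures: 9
  Enabled: 8
  Retired: 1
  Compiled: 8

Total Signatures: 1964
  Total Enabled Signatures: 736
  Total Retired Signatures: 1625
  Total Compiled Signatures: 338
  Total Signatures with invalid parameters: 1
"""

# Constructed `terminal monitor` capture of the failure described in the guide.
SAMPLE_CONSOLE = ("*Aug 11 23:50:01.123 PST: %IPS-3-INVALID_DIGITAL_SIGNATURE: "
                  "Invalid Digital Signature found (key not found)\n")

# Matches "Total Signatures: 9", "Enabled: 8", "Total Enabled Signatures: 736", ...
COUNT_LINE = re.compile(r"(Total )?(Enabled|Retired|Compiled|Signatures)( Signatures)?: (\d+)$")


def parse_signature_count(text):
    """Return {'release': 'S259.0', 'engines': {name: {total, enabled, retired,
    compiled}}, 'totals': {total, enabled, retired, compiled, invalid}}."""
    result = {"release": None, "engines": {}, "totals": {}}
    engine = None                      # dict of the engine block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            engine = None              # blank line closes an engine block
            continue
        m = re.match(r"Cisco SDF release version (\S+)", line)
        if m:
            result["release"] = m.group(1)
            continue
        m = re.match(r"Signature Micro-Engine: (\S+)", line)
        if m:
            engine = result["engines"].setdefault(m.group(1), {})
            continue
        m = re.match(r"Total Signatures with invalid parameters: (\d+)", line)
        if m:
            result["totals"]["invalid"] = int(m.group(1))
            continue
        m = COUNT_LINE.match(line)
        if m:
            word = m.group(2).lower()
            key = "total" if word == "signatures" else word
            target = engine if engine is not None else result["totals"]
            target[key] = int(m.group(4))
    return result


def load_findings(count_output, console_capture=""):
    """Return a list of problems found; an empty list means the load looks good."""
    parsed = parse_signature_count(count_output)
    totals = parsed["totals"]
    findings = []
    if parsed["release"] is None:
        findings.append("no Cisco SDF release version reported: no package loaded")
    if totals.get("compiled", 0) == 0:
        findings.append("0 compiled signatures: nothing is inspecting traffic")
    if totals.get("invalid", 0):
        findings.append("%d signature(s) with invalid parameters" % totals["invalid"])
    for name, e in parsed["engines"].items():
        # Only unretired signatures are compiled, so this count cannot be exceeded.
        if e.get("compiled", 0) > e.get("total", 0) - e.get("retired", 0):
            findings.append("engine %s: compiled count exceeds unretired signatures" % name)
    if "%IPS-3-INVALID_DIGITAL_SIGNATURE" in console_capture:
        findings.append("package signature check failed: public key missing or wrong, redo Step 3")
    return findings
```

With the guide's own numbers the only finding is the one signature with invalid parameters; pass the console capture from `terminal monitor` as the second argument to also catch the digital-signature failure, which otherwise leaves the previous package's counts in place.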
If there is no access to a TFTP server, a USB flash drive could be an alternate way to load the signature package into Cisco IOS IPS. First, copy the signature package into the USB drive, then insert the USB flash drive into one of the USB ports on the router. The following message will show up in the router console: *Aug 18 06:46:49.554 PST: %USBFLASH-5-CHANGE: usbflash1 has been inserted!
Now use the copy command to load the signature package from usbflash to Cisco IOS IPS: training#copy usbflash1:IOS-S261-CLI.pkg idconf
All signatures are by default configured with the alarm action only. If you want to configure additional actions, the following CLI commands are available to change the signature configuration:

training(config)#ip ips signature-category
training(config-ips-category)#category ios_ips basic
training(config-ips-category-action)#event-action deny-packet-inline
training(config-ips-category-action)#event-action reset-tcp-connection
training(config-ips-category-action)#exit
training(config-ips-category)#exit
Do you want to accept these changes? [confirm]y
000114: *Aug 11 23:53:26.945 PST: Applying Category configuration to signatures ...

Note that deny-packet-inline and reset-tcp-connection drop matching traffic, so a false positive on a category-wide action blocks legitimate connections; confirm the category produces only expected alerts before adding the deny actions.

IMPORTANT: Make sure that you accept the changes when prompted. Otherwise, they will not be saved. Use the show run command at the router prompt to verify the signature category configuration:

show run

ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
  event-action deny-packet-inline
  event-action reset-tcp-connection
In the configured Cisco IOS IPS storage directory, you may find the following files. These files have a name format of <routername>-sigdef-xxx.xml.

training#cd ipsstore
training#show flash:
24576K bytes of processor board System flash (Intel Strataflash)

Directory of flash:/ipsstore/
    4  ...      5693  ...
    5  ...     21285  ...
    6  ...    172587  ...

These files are stored in a Cisco proprietary compression format and are not editable or viewable directly. The contents of each file are described below:

training-sigdef-typedef.xml: Contains all the signature parameter definitions
training-sigdef-category.xml: Contains all the signature category information, such as the categories ios_ips basic and advanced
training-sigdef-default.xml: Contains all the factory default signature definitions
6 Enable/Disable Signatures
You can use the Cisco IOS Software command-line interface (CLI) to enable or disable one signature or a group of signatures based on signature categories. Following are example CLI commands to disable signature 6130/10.

training#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
training(config)#ip ips signature-definition
training(config-sigdef)#signature 6130 10
training(config-sigdef-sig)#status
training(config-sigdef-sig-status)#enabled false
training(config-sigdef-sig-status)#exit
training(config-sigdef-sig)#exit
training(config-sigdef)#exit
Do you want to accept these changes? [confirm]y
training(config)#
Here is another example, to enable all signatures belonging to the Cisco IOS IPS basic category.

training#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
training(config)#ip ips signature-category
training(config-ips-category)#category ios_ips basic
training(config-ips-category-action)#enabled true
training(config-ips-category-action)#exit
training(config-ips-category)#exit
Do you want to accept these changes? [confirm]y

Additional Commands and References

Cisco IOS IPS Configuration Guide: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html
7 Retire/Unretire Signatures
You can use the Cisco IOS Software CLI to retire or unretire one signature or a group of signatures based on signature categories. Retiring a signature means Cisco IOS IPS will not compile that signature into memory for scanning. Unretiring a signature instructs Cisco IOS IPS to compile the signature into memory and use the signature to scan traffic. Following are sample CLI commands to retire signature 6130/10.

training#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
training(config)#ip ips signature-definition
training(config-sigdef)#signature 6130 10
training(config-sigdef-sig)#status
training(config-sigdef-sig-status)#retired true
training(config-sigdef-sig-status)#exit
training(config-sigdef-sig)#exit
training(config-sigdef)#exit
Do you want to accept these changes? [confirm]y
training(config)#
Here is another example, to unretire all signatures belonging to the ios_ips basic category.

training#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
training(config)#ip ips signature-category
training(config-ips-category)#category ios_ips basic
training(config-ips-category-action)#retired false
training(config-ips-category-action)#exit
training(config-ips-category)#exit
Do you want to accept these changes? [confirm]y

Additional Commands and References

Cisco IOS IPS Configuration Guide: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html
8 Change Signature Actions

Here is an example to change the event actions for all signatures belonging to the Cisco IOS IPS basic category.

training#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
training(config)#ip ips signature-category
training(config-ips-category)#category ios_ips basic
training(config-ips-category-action)#event-action produce-alert
training(config-ips-category-action)#event-action deny-packet-inline
training(config-ips-category-action)#event-action reset-tcp-connection
training(config-ips-category-action)#exit
training(config-ips-category)#exit
Do you want to accept these changes? [confirm]y
training(config)#

Additional Commands and References

Cisco IOS IPS Configuration Guide: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html
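The three tuning operations in this section (enable/disable, retire/unretire, and event actions) share the same two command structures, per signature under `ip ips signature-definition` and per category under `ip ips signature-category`. The following Python script is an added example (not part of the Cisco guide) that generates that CLI from a small tuning plan, so the same change can be pasted identically on many routers, and validates event-action names before anything reaches the router. The plan and the `EVENT_ACTIONS` set are assumptions: the set contains the three actions used in this guide plus the other IOS IPS 5.x inline actions as I know them, and the plan is constructed to reproduce the changes shown above.

```python
"""Generate the signature tuning CLI from this section (enable/disable,
retire/unretire, event actions) from a small plan. Added example, not part
of the Cisco guide; EVENT_ACTIONS and SAMPLE_PLAN are assumptions."""

# Event actions accepted by `event-action` in IOS IPS 5.x format: the three
# used in this guide plus the other inline actions (assumed complete set).
EVENT_ACTIONS = {
    "produce-alert", "produce-verbose-alert", "deny-packet-inline",
    "deny-connection-inline", "deny-attacker-inline", "reset-tcp-connection",
}


def _bool(value):
    return "true" if value else "false"


def signature_tuning(sig_id, sub_id, enabled=None, retired=None):
    """CLI lines that set the status of one signature (sig_id/sub_id), as in
    the `ip ips signature-definition` examples above. Pass None to leave an
    attribute unchanged."""
    if enabled is None and retired is None:
        raise ValueError("nothing to change for %s/%s" % (sig_id, sub_id))
    if not (isinstance(sig_id, int) and isinstance(sub_id, int)):
        raise TypeError("signature id and sub-id must be integers")
    lines = ["ip ips signature-definition",
             " signature %d %d" % (sig_id, sub_id),
             "  status"]
    if enabled is not None:
        lines.append("   enabled %s" % _bool(enabled))
    if retired is not None:
        lines.append("   retired %s" % _bool(retired))
    lines += ["  exit", " exit", "exit"]
    return lines


def category_tuning(category, enabled=None, retired=None, actions=()):
    """CLI lines that change a whole category (for example 'ios_ips basic'),
    as in the `ip ips signature-category` examples above. Actions are checked
    against EVENT_ACTIONS so a misspelled action is rejected locally instead
    of failing on the router."""
    bad = [a for a in actions if a not in EVENT_ACTIONS]
    if bad:
        raise ValueError("unknown event-action(s): %s" % ", ".join(bad))
    if enabled is None and retired is None and not actions:
        raise ValueError("nothing to change for category %r" % category)
    lines = ["ip ips signature-category", " category %s" % category]
    if enabled is not None:
        lines.append("  enabled %s" % _bool(enabled))
    if retired is not None:
        lines.append("  retired %s" % _bool(retired))
    lines += ["  event-action %s" % a for a in actions]
    lines += [" exit", "exit"]
    return lines


def render_plan(plan):
    """Join the CLI for ('signature', id, sub, kwargs) and ('category', name,
    kwargs) entries into one text block. The router asks 'Do you want to
    accept these changes? [confirm]' after each final exit; an automation
    session must answer y, otherwise the change is discarded."""
    out = []
    for entry in plan:
        if entry[0] == "signature":
            out += signature_tuning(entry[1], entry[2], **entry[3])
        elif entry[0] == "category":
            out += category_tuning(entry[1], **entry[2])
        else:
            raise ValueError("unknown plan entry: %r" % (entry,))
    return "\n".join(out) + "\n"


# Constructed plan: disable 6130/10 and keep ios_ips basic active with alert
# plus the inline actions, the configuration this guide builds up to.
SAMPLE_PLAN = [
    ("signature", 6130, 10, {"enabled": False}),
    ("category", "ios_ips basic",
     {"retired": False,
      "actions": ("produce-alert", "deny-packet-inline", "reset-tcp-connection")}),
]

if __name__ == "__main__":
    print(render_plan(SAMPLE_PLAN))
```

After pasting the generated lines and accepting the changes, verify them with `show run` as in the earlier sections; the generator does not talk to the router, it only produces text you can review before applying.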
Printed in USA
C11-390389-00 1/07