GettingStart Ios IPS

White Paper
Getting Started with Cisco IOS IPS with 5.x Format Signatures: A Step-by-Step Guide
This guide is divided into two sections: Getting Started with Cisco IOS IPS and Signature Tuning.
The first section of the guide provides a detailed step-by-step process using the Cisco IOS Software command-line interface (CLI) to get started in using the Cisco IOS IPS 5.x format signatures. It contains the following five steps: Step 1: Downloading Cisco IOS IPS Files Step 2: Creating Directory on Flash Step 3: Configuring Cisco IOS IPS Crypto Key Step 4: Enabling Cisco IOS IPS Step 5: Loading Signatures to Cisco IOS IPS Each step and specific commands are described. The Additional Commands and References section under each step provides additional information. Example configurations are displayed in a box below each command. The second section of the guide provides instructions and examples on advanced options for signature tuning. Topics include: Enable/Disable Signatures Retire/Unretire Signatures Change Signature Actions
Prerequisites
Before getting started with the above steps, ensure that you have the following: A Cisco 870, 1800, 2800, or 3800 Series Integrated Services Router 128 MB or more DRAM and at least 2 MB free flash memory Console or Telnet connectivity to the router Cisco IOS Software Release 12.4(11)T or later A valid Cisco.com login username and password A current Cisco Services for IPS Contract for licensed signature update services You should be familiar with basic router commands for: Exec mode Configure mode Exit configure mode Backup and restore configuration
All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 12
White Paper
References
Cisco IOS Basic Skills: http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_guide_chapter091 86a0080118cd0.html Cabling and Setup Quick Start Guide for Cisco 800 Series Access Routers: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/85x87x/857qsg/index.htm
1 Downloading Cisco IOS IPS Files

The first step is to download IOS IPS signature package files and public crypto key from Cisco.com. These files are required in later steps of configuration. Step 1.1 Download the required signature files from Cisco.com to your PC. Ensure that you have a valid Cisco.com username and password. Cisco.com location: http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup Files to download: IOS-Sxxx-CLI.pkg: Latest signature package; pick the signature package with largest number in xxx realm-cisco.pub.key.txt: Public crypto key Additional Commands and References Cisco IOS IPS Website: http://www.cisco.com/go/iosips
2 Creating Directory on Flash

The second step is to create a directory on your routers flash where you can store the required signature files and signature configurations. Step 2.1 To create a directory, enter the following command at the router prompt: mkdir <directory name> training#mkdir ipsstore Create directory filename [ipsstore]? Created dir flash:ipsstore
Page 2 of 12
White Paper
Additional Commands and References To verify the contents of the flash, enter the following command at the router prompt: show flash: training#show flash: 24576K bytes of processor board System flash (Intel Strataflash) Directory of flash:/ 2 rwx 17198508 --- -- ---- --:--:-- ----- c870advipservicesk9-mz.12.4-11.T1 3 drwx 0 Aug 11 2006 23:16:18 -08:00 ipsstore 23482368 bytes total (6279168 bytes free)
To rename the directory name, use the Rename Directory Command example or the combination of the Remove Directory Command and Create Directory Command at the router prompt. Rename the directory (Rename Directory Command): rename <current name> <new name> training#rename ipsstore ips Destination filename [ips]?
OR First remove the directory (Remove Directory Command): rmdir <current directory name> Create the directory again (Create Directory Command): mkdir <new directory name> training#rmdir ips Remove directory filename [ips]? Delete flash:ips? [confirm] Removed dir flash:ips training#mkdir ipsstore Create directory filename [ipsstore]? Created dir flash:ipsstore
Page 3 of 12
White Paper
3 Configuring Cisco IOS IPS Crypto Key

The third step is to configure the crypto key used by Cisco IOS IPS. This key is located in the realm-cisco.pub.key.txt file that was downloaded to the PC from Cisco.com. Step 3.1 Open the text file and copy the contents of the file Step 3.2 Enter configure terminal to enter Router Configure Mode Step 3.3 Paste the text file content at the <hostname>(config)# prompt Step 3.4 Enter the show run command at the router prompt to confirm that the crypto key is configured: show run (only the crypto key portion of the configuration is shown below) crypto key pubkey-chain rsa named-key realm-cisco.pub signature key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 F3020301 0001
Quit Step 3.5 Compare the crypto key configuration with the text file to make sure that the key is correctly configured. Step 3.6 Save the configuration: copy running-configure startup-configure
Page 4 of 12
White Paper
Additional Commands and References If the key is configured incorrectly, you need to remove the crypto key first and then reconfigure it. To remove the key, enter the following commands in order in Router Configure Mode: training#configure terminal training(config)#no crypto key pubkey-chain rsa training(config-pubkey-chain)#no named-key realm-cisco.pub signature training(config-pubkey-chain)#exit training(config)#exit
Verify that the key is removed from the configuration using the following command at the router prompt: show run Configure the key again by following Steps 3.1 through 3.5.
4 Enabling Cisco IOS IPS

The fourth step is to configure Cisco IOS IPS using the following sequence of steps: Step 4.1 Create a rule name (this will be used on an interface to enable IPS) ip ips name <rule name> training#configure terminal training(config)# ip ips name myips Step 4.2 Configure IPS signature storage location; the directory name is the directory ipsstore created in Step 2: ip ips config location flash:<directory name> training#configure terminal training(config)#ip ips config location flash:ipsstore Step 4.3 Enable IPS SDEE event notification: ip ips notify sdee training(config)#ip ips notify sdee
Page 5 of 12
White Paper
Step 4.4 Configure Cisco IOS IPS to use the default basic signature set: training(config)#ip ips signature-category training(config-ips-category)# category all training (config-ips-category-action)# retired true training (config-ips-category-action)# exit training(config-ips-category)# category ios_ips basic training (config-ips-category-action)# retired false training (config-ips-category-action)# exit training(config-ips-category)# exit Do you want to accept these changes? [confirm]y training(config)# Step 4.5 Enable IPS rule on the desired interface and direction: interface <interface name> ip ips <rule name> <in | out> training(config)#interface vlan 1 training(config-if)#ip ips myips in training(config-if)#exit training(config)#exit training# Additional Commands and References Cisco IOS IPS Configuration Guide: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html
5 Loading Signatures to Cisco IOS IPS

The last step is to load the signatures into Cisco IOS IPS. In the following example, we start a TFTP server on the PC and put the Cisco IOS IPS signature package under the TFTP directory. Please refer to the Additional Commands and References section for more about TFTP servers and alternative methods of loading Cisco IOS IPS signatures. If using a Telnet session, turn on the terminal monitor to view the console output.
training#terminal monitor Step 5.1 Save your router configuration. training#copy running-config startup-config Destination filename [startup-config]? Building configuration... [OK]
Page 6 of 12
White Paper
Step 5.2 Copy the downloaded package (IOS-S259-CLI.pkg) to the TFTP server and load the signatures from TFTP server to Cisco IOS IPS: copy tftp://<Server IP address>/IOS-S259-CLI.pkg idconf training#copy tftp://10.10.10.2/IOS-S259-CLI.pkg idconf Loading IOS-S259-CLI.pkg from 10.10.10.2 (via Vlan1): !!! Step 5.3 Verify the version, signatures were loaded, and the active signature count using the following command: show ip ips signature count training#show ip ips signature count Cisco SDF release version S259.0 Signature package version Trend SDF release version V0.0
Signature Micro-Engine: multi-string Total Signatures: 3 Enabled: 3 Retired: 3 Skipped Signature Micro-Engine: normalizer Total Signatures: 9 Enabled: 8 Retired: 1 Compiled: 8
Total Signatures: 1964 Total Enabled Signatures: 736 Total Retired Signatures: 1625 Total Compiled Signatures: 338 Total active compiled signatures Total Signatures with invalid parameters: 1 training# Additional Commands and References After Cisco IOS IPS loads the signature package into memory, it starts reading signatures and attempts to build them according to the configuration. An error message such as: %IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (key not found) means the public crypto key is invalid. Refer to Configuring Cisco IOS IPS Crypto Key (Step 3) to reconfigure the public crypto key.
Page 7 of 12
White Paper
If there is no access to a TFTP server, a USB flash drive could be an alternate way to load the signature package into Cisco IOS IPS. First, copy the signature package into the USB drive, then insert the USB flash drive into one of the USB ports on the router. The following message will show up in the router console: *Aug 18 06:46:49.554 PST: %USBFLASH-5-CHANGE: usbflash1 has been inserted!
Now use the copy command to load the signature package from usbflash to Cisco IOS IPS: training#copy usbflash1:IOS-S261-CLI.pkg idconf
All signatures are by default configured to Alarm action only. If you want to configure additional actions, the following CLI commands are available to change the signature configurations. training(config)#ip ips signature-category training(config-ips-category)#category ios_ips basic training(config-ips-category-action)#event-action deny-packet-inline training(config-ips-category-action)#event-action reset-tcpconnection training(config-ips-category-action)#exit training(config-ips-category)#exit Do you want to accept these changes? [confirm]y 000114: *Aug 11 23:53:26.945 PST: Applying Category configuration to signatures ...
IMPORTANT: Make sure that you accept the changes when prompted. Otherwise, they will not be saved. Use the show run command at the router prompt to verify the signature category configuration: show run ip ips signature-category category all retired true category ios_ips basic retired false event-action deny-packet-inline event-action reset-tcp-connection
Page 8 of 12
White Paper
In the configured Cisco IOS IPS storage directory, you may find the following files. These files have a name format of <routername>-sigdef-xxx.xml. training#cd ipsstore training#show flash: 24576K bytes of processor board System flash (Intel Strataflash)
Directory of flash:/ipsstore/
4 5 6
-rwx -rwx -rwx
5693 21285
Aug 11 2006 23:41:32 -08:00 Aug 11 2006 23:41:35 -08:00
training-sigdef-typedef.xml training-sigdef-category.xml training-sigdef-default.xml
172587
Aug 11 2006 23:43:29 -08:00
23482368 bytes total (6076416 bytes free) training#
These files are stored in a Cisco proprietary compression format and are not editable or viewable directly. The contents of each file are described below: training-sigdef-typedef.xml: A file that has all the signature parameter definitions training-sigdef-category.xml: Has all the signature category information, such as category ios_ips basic and advanced training-sigdef-default.xml: Contains all the factory default signature definitions
6 Enable/Disable Signatures
You can use the Cisco IOS Software command-line interface (CLI) to enable or disable one signature or a group of signatures based on signature categories. Following are example CLI commands to disable signature 6130/10. training#configure terminal Enter configuration commands, one per line. training(config)#ip ips signature-definition training(config-sigdef)#signature 6130 10 training(config-sigdef-sig)#status training(config-sigdef-sig-status)#enabled false training(config-sigdef-sig-status)#exit training(config-sigdef-sig)#exit training(config-sigdef)#exit Do you want to accept these changes? [confirm]y training(config)# End with CNTL/Z.
Page 9 of 12
White Paper
Here is another example to enable all signatures belonging to signature Cisco IOS IPS basic category. training#configure terminal Enter configuration commands, one per line. training(config)#ip ips signature-category training(config-ips-category)# category ios_ips basic training(config-ips-category-action)#enabled true training(config-ips-category-action)#exit training(config-ips-category)#exit Do you want to accept these changes? [confirm]y Additional Commands and References Cisco IOS IPS Configuration Guide: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html End with CNTL/Z
7 Retire/Unretire Signatures
You can use the Cisco IOS Software CLI to retire or unretire one signature or a group of signatures based on signature categories. Retiring a signature means Cisco IOS IPS will not compile that signature into memory for scanning. Unretiring a signature instructs Cisco IOS IPS to compile the signature into memory and use the signature to scan traffic. Following are sample CLI commands to retire signature 6130/10. training#configure terminal Enter configuration commands, one per line. training(config)#ip ips signature-definition training(config-sigdef)#signature 6130 10 training(config-sigdef-sig)#status training(config-sigdef-sig-status)#retired true training(config-sigdef-sig-status)#exit training(config-sigdef-sig)#exit training(config-sigdef)#exit Do you want to accept these changes? [confirm]y training(config)# End with CNTL/Z.
Page 10 of 12
White Paper
Here is another example to unretire all signatures belonging to the ios_ips basic category. training#configure terminal Enter configuration commands, one per line. training(config)#ip ips signature-category training(config-ips-category)# category ios_ips basic training(config-ips-category-action)#retired false training(config-ips-category-action)#exit training(config-ips-category)#exit Do you want to accept these changes? [confirm]y Additional Commands and References Cisco IOS IPS Configuration Guide: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html End with CNTL/Z
8 Change Signature Actions

You can use the Cisco IOS Software CLI to change signature actions for one signature or a group of signatures based on signature categories. Following are example CLI commands to change signature action to alert, drop, and reset for signature 6130/10. training#configure terminal Enter configuration commands, one per line. training(config)#ip ips signature-definition training(config-sigdef)#signature 6130 10 training(config-sigdef-sig)#engine training(config-sigdef-sig-engine)#event-action produce-alert training(config-sigdef-sig-engine)#event-action deny-packet-inline training(config-sigdef-sig-engine)#event-action reset-tcp-connection training(config-sigdef-sig-engine)#exit training(config-sigdef-sig)#exit training(config-sigdef)#exit Do you want to accept these changes? [confirm]y training(config)# End with CNTL/Z.
Page 11 of 12
White Paper
Here is another example to change event actions for all signatures belonging to signature Cisco IOS IPS basic category. training#configure terminal Enter configuration commands, one per line. training(config)#ip ips signature-category training(config-ips-category)# category ios_ips basic training(config-ips-category-action)#event-action produce-alert training(config-ips-category-action)#event-action deny-packet-inline training(config-ips-category-action)#event-action reset-tcpconnection training(config-ips-category-action)#exit training(config-ips-category)#exit Do you want to accept these changes? [confirm]y training(config)# Additional Commands and References Cisco IOS IPS Configuration Guide: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html End with CNTL/Z
Printed in USA
C11-390389-00 1/07
Page 12 of 12

GettingStart Ios IPS

Загружено:

Сведения о документе

Исходное описание:

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

GettingStart Ios IPS

Загружено:

Авторское право:

Доступные форматы

White Paper

1 Downloading Cisco IOS IPS Files

2 Creating Directory on Flash

3 Configuring Cisco IOS IPS Crypto Key

4 Enabling Cisco IOS IPS

5 Loading Signatures to Cisco IOS IPS

-rwx -rwx -rwx

Aug 11 2006 23:41:32 -08:00 Aug 11 2006 23:41:35 -08:00

training-sigdef-typedef.xml training-sigdef-category.xml training-sigdef-default.xml

Aug 11 2006 23:43:29 -08:00

23482368 bytes total (6076416 bytes free) training#

8 Change Signature Actions

Вам также может понравиться