The new IPS is very memory intensive. If you do not retire all signatures first, it seems the router will fail to compile the signatures and you will only see the 2 or 3 signatures active. If you only enable the ios_ips basic category, this will load around 250 signatures onto the router. In my tests, this seems to be acceptable if you have 256 MB of RAM. So before you load the signatures into idconf, make sure to retire all signatures except for the ones you require:

router(config)#ip ips signature-category
router(config-ips-category)# category all
router(config-ips-category-action)# retired true
router(config-ips-category-action)# exit
router(config-ips-category)# category ios_ips basic
router(config-ips-category-action)# retired false
router(config-ips-category-action)# exit
router(config-ips-category)# exit

From Cisco documentation:

Router memory and resource constraints prevent a router from loading all Cisco IOS IPS signatures. Thus, it is recommended that you load only a selected set of signatures that are defined by the categories. Because the categories are applied in a "top-down" order, you should first retire all signatures, followed by "unretiring" specific categories. Retiring signatures enables the router to load information for all signatures, but the router will not build the parallel scanning data structure. Retired signatures are not scanned by Cisco IOS IPS, so they will not fire alarms. If a signature is irrelevant to your network or if you want to save router memory, you should retire signatures, as appropriate.

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue.html#wp1064428

_____

From: [email protected] [mailto:[email protected]] On Behalf Of Stuart Hare
Sent: Saturday, May 30, 2009 1:00 PM
To: Willians Barboza
Cc: Cisco certification; OSL Security
Subject: Re: [OSL | CCIE_Security] IOS IPS

Yup, it's already on there, not the latest one but it should do the trick. Hence:

R5#copy flash:IOS-S376-CLI.pkg idconf

stu

On Sat, May 30, 2009 at 7:57 PM, Willians Barboza <[email protected]> wrote:

Dude, you have to download the signature file from the Cisco web page and transfer it to the flash... When I was studying IOS IPS, I got the IOS-S391-CLI.pkg file. You can check the latest signatures at this link:

http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup

You must have a CCO with a valid service contract to be able to download.

Regards,
Willians

2009/5/30 Stuart Hare <[email protected]>

I'm concerned about the IOS IPS that is now in v12.4. It seems to have gone from a very easily implemented feature to one that is now extremely cumbersome, and what seems on the surface error prone. When I enable it I can never get any more than 3 signatures and 1 sig engine active for starters.

I then go through the process of installing the key chain for the encrypted package, creating the directory etc. etc. When I try to compile the sig pkg it not only takes 5 mins or so to compile, it also fails to enable a large portion of the engines/sigs with MALLOC failures and unsupported engines etc. (Output below.)

Then, to my annoyance, I reboot the router to see if this will resolve the issue, to find that I am back to only 3 sigs active in my IPS config, and all the rest missing. I can only have bad feelings about how such an issue will kill your time in the lab.

I then tried this on a different device just in case it was a hardware issue, to find that as soon as I entered the copy flash idconf cmd the router reloaded (deep joy).

Hopefully this is something I am doing wrong, or a device issue.

Stu

R5#copy flash:IOS-S376-CLI.pkg idconf
*May 31 17:24:31.787: %IPS-6-ENGINE_BUILDS_STARTED: 17:24:31 UTC May 31 2009
*May 31 17:24:31.787: %IPS-6-ENGINE_BUILDING: multi-string - 12 signatures - 1 of 13 engines
*May 31 17:24:32.375: %IPS-6-ENGINE_READY: multi-string - build time 588 ms - packets for this engine will be scanned
*May 31 17:24:32.395: %IPS-6-ENGINE_BUILDING: service-http - 667 signatures - 2 of 13 engines
*May 31 17:24:33.067: %IPS-4-META_ENGINE_UNSUPPORTED: service-http 5903:1 - this signature is a component of the unsupported META engine
*May 31 17:26:34.859: %SYS-2-MALLOCFAIL: Memory allocation of 1059916 bytes failed from 0x42F03704, alignment 0
Pool: Processor  Free: 12190324  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
-Process= "Exec", ipl= 0, pid= 122,
-Traceback= 0x41920FEC 0x40083D80 0x40089EF8 0x4008A62C 0x441D93C0 0x42F0370C 0x42F03E6C 0x42F03F44 0x43896FDC 0x43897A54 0x438B0B6C 0x438B0FC4 0x438E9888
*May 31 17:26:34.859: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5413:0 - compilation of regular expression failed
*May 31 17:27:15.395: %SYS-2-MALLOCFAIL: Memory allocation of 1530912 bytes failed from 0x42F03704, alignment 0
Pool: Processor  Free: 8335160  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
-Process= "Exec", ipl= 0, pid= 122,
-Traceback= 0x41920FEC 0x40083D80 0x40089EF8 0x4008A62C 0x441D93C0 0x42F0370C 0x42F03E6C 0x42F03F44 0x43896FDC 0x43897A54 0x438B0B6C 0x438B0FC4 0x438E9888
*May 31 17:27:15.399: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5460:0 - compilation of regular expression failed
*May 31 17:27:15.403: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5460:0 - compilation of regular expression failed
*May 31 17:27:18.147: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5427:0 - compiles discontinued for this engine
*May 31 17:27:18.147: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5316:0 - compiles discontinued for this engine

--
Stuart Hare
[email protected]
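The symptom in the thread (only a handful of signatures active after a compile that logged MALLOCFAIL) is easy to miss when the syslog scrolls past. The following is an added example, not code from the thread or from Cisco: a small Python parser that reads the %IPS and %SYS-2-MALLOCFAIL lines Stu posted and reports which engines never reached ENGINE_READY, which signature IDs failed to compile, and whether the box was memory starved, which is the case the retire-first configuration above is meant to prevent. The sample log is constructed from the thread's own lines, with the MALLOCFAIL lines cut after "alignment 0".

```python
import re

# Constructed sample: the syslog lines from Stu's post above, one per line.
SAMPLE_LOG = """\
*May 31 17:24:31.787: %IPS-6-ENGINE_BUILDS_STARTED: 17:24:31 UTC May 31 2009
*May 31 17:24:31.787: %IPS-6-ENGINE_BUILDING: multi-string - 12 signatures - 1 of 13 engines
*May 31 17:24:32.375: %IPS-6-ENGINE_READY: multi-string - build time 588 ms - packets for this engine will be scanned
*May 31 17:24:32.395: %IPS-6-ENGINE_BUILDING: service-http - 667 signatures - 2 of 13 engines
*May 31 17:24:33.067: %IPS-4-META_ENGINE_UNSUPPORTED: service-http 5903:1 - this signature is a component of the unsupported META engine
*May 31 17:26:34.859: %SYS-2-MALLOCFAIL: Memory allocation of 1059916 bytes failed from 0x42F03704, alignment 0
*May 31 17:26:34.859: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5413:0 - compilation of regular expression failed
*May 31 17:27:15.395: %SYS-2-MALLOCFAIL: Memory allocation of 1530912 bytes failed from 0x42F03704, alignment 0
*May 31 17:27:15.399: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5460:0 - compilation of regular expression failed
*May 31 17:27:15.403: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5460:0 - compilation of regular expression failed
*May 31 17:27:18.147: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5427:0 - compiles discontinued for this engine
*May 31 17:27:18.147: %IPS-4-SIGNATURE_COMPILE_FAILURE: service-http 5316:0 - compiles discontinued for this engine
"""

BUILDING = re.compile(r"%IPS-6-ENGINE_BUILDING: (\S+) - (\d+) signatures - \d+ of (\d+) engines")
READY = re.compile(r"%IPS-6-ENGINE_READY: (\S+) - build time")
COMPILE_FAIL = re.compile(r"%IPS-4-SIGNATURE_COMPILE_FAILURE: (\S+) (\d+:\d+) - ")
MALLOCFAIL = re.compile(r"%SYS-2-MALLOCFAIL: Memory allocation of (\d+) bytes failed")

def summarize_ips_log(text):
    """Parse IOS IPS engine-build syslog and report engines that never became READY."""
    engines, ready, failed, malloc = {}, set(), {}, []
    total_engines = 0
    for line in text.splitlines():
        if m := BUILDING.search(line):
            engines[m.group(1)] = int(m.group(2))      # signatures the engine tried to load
            total_engines = int(m.group(3))
        elif m := READY.search(line):
            ready.add(m.group(1))
        elif m := COMPILE_FAIL.search(line):
            failed.setdefault(m.group(1), set()).add(m.group(2))   # engine -> failed sig ids
        elif m := MALLOCFAIL.search(line):
            malloc.append(int(m.group(1)))
    return {
        "engines_total": total_engines,                    # 13 in Stu's output
        "signatures_per_engine": engines,
        "engines_ready": sorted(ready),
        "engines_not_ready": sorted(set(engines) - ready),
        "failed_signatures": {e: sorted(s) for e, s in failed.items()},
        "mallocfail_bytes": malloc,
        "memory_starved": bool(malloc),                    # true here: retire signatures first
    }
```

Run it against `show logging` output after `copy flash:... idconf`; an "engines_not_ready" list that is not empty, or "memory_starved" being true, means the active signature set is not what you configured.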
