Thanks Kings, that was the same I was thinking and now it's confirmed with your response.. :) by the way... I think I can delete those files with **sidef**.xml and then restart again..?

Rack40R2#sh fla
-#- --length-- -----date/time------ path
 1        32 Sep 30 2010 09:46:08 +00:00 IOS-CA.ser
 2       168 Oct 29 2010 09:50:48 +00:00 IOS-CA.crl
 3      2679 Jan 14 2011 19:29:34 +00:00 ip.phdf
 4      2748 Sep 25 2008 23:19:34 +00:00 sdmconfig-2811.cfg
 5    334531 Feb 6 2011 21:46:18 +00:00 R2-sigdef-default.xml
 6       704 Jan 2 2011 20:13:54 +00:00 Rack1R2-sigdef-default.xml
 7      1038 Sep 25 2008 23:21:12 +00:00 home.shtml
 8       266 Jan 2 2011 21:01:54 +00:00 Rack1R2-sigdef-delta.xml
 9      1195 Sep 28 2010 22:51:18 +00:00 IOS-CA_00001.p12
10        32 Jan 26 2011 10:10:06 +00:00 IOSCA.ser
11    415956 Sep 25 2008 23:22:40 +00:00 sslclient-win-1.1.4.176.pkg
12  53131032 Sep 1 2010 23:09:54 +00:00 c2800nm-adventerprisek9-mz.124-15.T12.bin
13      8509 Jan 2 2011 20:48:56 +00:00 Rack1R2-sigdef-typedef.xml
14     38523 Jan 2 2011 20:49:00 +00:00 Rack1R2-sigdef-category.xml
15       304 Jan 2 2011 20:13:54 +00:00 Rack1R2-seap-delta.xml
16       491 Jan 2 2011 20:13:54 +00:00 Rack1R2-seap-typedef.xml
17       255 Feb 6 2011 21:30:20 +00:00 R2-sigdef-delta.xml
18      8509 Feb 6 2011 21:44:30 +00:00 R2-sigdef-typedef.xml
19     38523 Feb 6 2011 21:44:34 +00:00 R2-sigdef-category.xml
20       257 Feb 6 2011 21:30:20 +00:00 R2-seap-delta.xml
21       491 Feb 6 2011 21:30:20 +00:00 R2-seap-typedef.xml
22    189627 Jan 14 2011 17:52:36 +00:00 crashinfo_20110114-175237
23      2447 Jan 14 2011 18:59:12 +00:00 tcp.phdf
24      1115 Jan 14 2011 18:59:34 +00:00 udp.phdf
25      1115 Jan 14 2011 18:59:44 +00:00 n
26       949 Jan 14 2011 19:29:48 +00:00 icmp.phdf
27    206179 Jan 14 2011 19:53:00 +00:00 crashinfo_20110114-195301
28    178283 Jan 14 2011 20:01:40 +00:00 crashinfo_20110114-200141
29       241 Jan 27 2011 09:00:28 +00:00 IOSCA.crl
30      1699 Jan 26 2011 08:49:46 +00:00 IOSCA_00001.p12
31      1667 Jan 26 2011 09:00:28 +00:00 IOSCA_00002.p12

9355264 bytes available (54661120 bytes used)

Rack40R2#

On Sat, Feb 26, 2011 at 6:16 AM, Kingsley Charles <[email protected]> wrote:

> That's because the config location that you configured would have already
> had a sig file stored when the router was previously configured for IPS.
>
> With regards
> Kings
>
> On Sat, Feb 26, 2011 at 12:07 AM, Pemasiri Devanarayana <
> [email protected]> wrote:
>
>> Hi,
>>
>> When I was configuring IOS IPS, I could see that before I download the
>> signature package file, all the signatures were enabled, I'm wondering how
>> this can be.. , however I have used the same router some time back to do the
>> same lab, but that time it was as expected. Here are the steps I did when
>> configuring IOS IPS.
>>
>> 1) load the cisco public rsa key
>> 2) retired all signature and enabled only the required category
>> 3) configure IOS IPS parameters such as IPS name, config location, notify
>> SDEE etc
>> 4) apply the IOS IPS name to interface (both in and out)
>>
>> then immediately I was able to see the below messages:
>>
>>
>> R2(config)#ip ips no
>> R2(config)#ip ips notify S
>> R2(config)#ip ips notify SDEE
>> R2(config)#ip is
>> R2(config)#ip ip
>> R2(config)#ip ips na
>> R2(config)#ip ips name iosips
>> R2(config)#int fa0/0
>> R2(config-if)#ip ips
>> R2(config-if)#ip ips n
>> R2(config-if)#ip ips n
>> R2(config-if)#ip ips na
>> R2(config-if)#ip ips iosips in
>> R2(config-if)#ip ips iosips in
>> R2(config-if)#ip ips iosips out
>> R2(config-if)#
>> R2(config-if)#exit
>> R2(config)#do sh ip ips sig count
>> Another IPS operation is accessing the signatures.
>> R2(config)#
>> Feb 25 12:41:30.743: %IPS-3-IPS_CONCURRENT_ACCESS: Another IPS operation is accessing the signatures.
>> R2(config)#
>> Feb 25 12:41:47.047: %IPS-6-ENGINE_BUILDS_STARTED: 12:41:47 UTC Feb 25 2011
>> Feb 25 12:41:47.051: %IPS-6-ENGINE_BUILDING: multi-string - 17 signatures - 1 of 13 engines
>> Feb 25 12:41:47.091: %IPS-6-ENGINE_READY: multi-string - build time 40 ms - packets for this engine will be scanned
>> Feb 25 12:41:47.235: %IPS-6-ENGINE_BUILDING: service-http - 721 signatures - 2 of 13 engines
>> Feb 25 12:41:47.983: %IPS-6-ENGINE_READY: service-http - build time 748 ms - packets for this engine will be scanned
>> Feb 25 12:41:48.407: %IPS-6-ENGINE_BUILDING: string-tcp - 1658 signatures - 3 of 13 engines
>> R2(config)#
>> Feb 25 12:41:59.007: %IPS-6-ENGINE_READY: string-tcp - build time 10600 ms - packets for this engine will be scanned
>> Feb 25 12:41:59.271: %IPS-6-ENGINE_BUILDING: string-udp - 78 signatures - 4 of 13 engines
>> Feb 25 12:41:59.351: %IPS-6-ENGINE_READY: string-udp - build time 80 ms - packets for this engine will be scanned
>> Feb 25 12:41:59.367: %IPS-6-ENGINE_BUILDING: state - 34 signatures - 5 of 13 engines
>> Feb 25 12:41:59.387: %IPS-6-ENGINE_READY: state - build time 20 ms - packets for this engine will be scanned
>> Feb 25 12:41:59.451: %IPS-6-ENGINE_BUILDING: atomic-ip - 342 signatures - 6 of 13 engines
>> R2(config)#
>> Feb 25 12:42:00.607: %IPS-6-ENGINE_READY: atomic-ip - build time 1156 ms - packets for this engine will be scanned
>> Feb 25 12:42:00.647: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures - 7 of 13 engines
>> Feb 25 12:42:00.647: %IPS-6-ENGINE_READY: string-icmp - build time 0 ms - packets for this engine will be scanned
>> Feb 25 12:42:00.651: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures - 8 of 13 engines
>>
>>
>> then I gave the below commands and noticed all the signatures are loaded
>> before downloading IOS-S416-CLI.pkg to idconf..
>>
>> R2(config)#do sh ip ips sig count
>>
>> Cisco SDF release version S416.0
>> Trend SDF release version V0.0
>>
>> Signature Micro-Engine: multi-string: Total Signatures 17
>>      multi-string enabled signatures: 13
>>      multi-string retired signatures: 17
>>
>> Signature Micro-Engine: service-http: Total Signatures 721
>>      service-http enabled signatures: 145
>>      service-http retired signatures: 715
>>      service-http compiled signatures: 6
>>      service-http obsoleted signatures: 2
>>
>> Signature Micro-Engine: string-tcp: Total Signatures 1658
>>      string-tcp enabled signatures: 650
>>      string-tcp retired signatures: 1620
>>      string-tcp compiled signatures: 38
>>      string-tcp obsoleted signatures: 22
>>
>> Signature Micro-Engine: string-udp: Total Signatures 78
>>      string-udp enabled signatures: 2
>>      string-udp retired signatures: 75
>>      string-udp compiled signatures: 3
>>      string-udp obsoleted signatures: 1
>>
>> Signature Micro-Engine: state: Total Signatures 34
>>      state enabled signatures: 17
>>      state retired signatures: 34
>>
>> Signature Micro-Engine: atomic-ip: Total Signatures 342
>>      atomic-ip enabled signatures: 90
>>      atomic-ip retired signatures: 338
>>      atomic-ip compiled signatures: 4
>>
>> Signature Micro-Engine: string-icmp: Total Signatures 3
>>      string-icmp enabled signatures: 0
>>      string-icmp retired signatures: 3
>>
>> Signature Micro-Engine: service-ftp: Total Signatures 3
>>      service-ftp enabled signatures: 1
>>      service-ftp retired signatures: 3
>>
>> Signature Micro-Engine: service-rpc: Total Signatures 76
>>      service-rpc enabled signatures: 44
>>      service-rpc retired signatures: 76
>>
>> Signature Micro-Engine: service-dns: Total Signatures 39
>>      service-dns enabled signatures: 27
>>      service-dns retired signatures: 39
>>      service-dns obsoleted signatures: 1
>>
>> Signature Micro-Engine: normalizer: Total Signatures 9
>>      normalizer enabled signatures: 8
>>      normalizer retired signatures: 9
>>
>> Signature Micro-Engine: service-smb-advanced: Total Signatures 49
>>      service-smb-advanced enabled signatures: 42
>>      service-smb-advanced retired signatures: 49
>>
>> Signature Micro-Engine: service-msrpc: Total Signatures 33
>>      service-msrpc enabled signatures: 22
>>      service-msrpc retired signatures: 33
>>      service-msrpc obsoleted signatures: 1
>>
>> Total Signatures: 3062
>>      Total Enabled Signatures: 1061
>>      Total Retired Signatures: 3011
>>      Total Compiled Signatures: 51
>>      Total Obsoleted Signatures: 27
>>
>> My question is how come router load those signatures before loading package
>> file to idconf..??? (however the same lab I did on the same router some
>> time back,,,)
>>
>> Thanks
>>
>>
>
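An added example, not part of the original thread: a small Python check for the situation Kings describes, parsing a `show flash` listing for IPS definition files that are already in place before IPS is enabled. The sample listing is a subset of the one quoted above; the file-name pattern is inferred from that listing, and the `min_bytes` threshold is an assumed heuristic.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the `sh fla` listing quoted in the thread.
SAMPLE_LISTING = """\
-#- --length-- -----date/time------ path
5       334531 Feb 6 2011 21:46:18 +00:00 R2-sigdef-default.xml
6          704 Jan 2 2011 20:13:54 +00:00 Rack1R2-sigdef-default.xml
8          266 Jan 2 2011 21:01:54 +00:00 Rack1R2-sigdef-delta.xml
12    53131032 Sep 1 2010 23:09:54 +00:00 c2800nm-adventerprisek9-mz.124-15.T12.bin
17         255 Feb 6 2011 21:30:20 +00:00 R2-sigdef-delta.xml
20         257 Feb 6 2011 21:30:20 +00:00 R2-seap-delta.xml
22      189627 Jan 14 2011 17:52:36 +00:00 crashinfo_20110114-175237
"""

# Columns: index, length, date/time with UTC offset, path
ENTRY = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\w{3}\s+\d+\s+\d{4}\s+[\d:]+\s+[+-]\d\d:\d\d)\s+(\S+)\s*$")
# <prefix>-sigdef-<kind>.xml or <prefix>-seap-<kind>.xml, as seen in the listing
IPS_FILE = re.compile(
    r"^(?P<prefix>.+)-(?P<family>sigdef|seap)-"
    r"(?P<kind>default|delta|typedef|category)\.xml$")

def ips_file_sets(listing):
    """Group IPS definition files by name prefix: {prefix: {"sigdef-default": size}}."""
    sets = defaultdict(dict)
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, prompt or "bytes available" line
        size, path = int(m.group(2)), m.group(4)
        f = IPS_FILE.match(path)
        if f:
            sets[f["prefix"]][f"{f['family']}-{f['kind']}"] = size
    return dict(sets)

def populated_prefixes(sets, min_bytes=10_000):
    """Prefixes whose sigdef-default.xml looks like it already holds signatures.
    min_bytes is an assumed heuristic, not a Cisco-documented value."""
    return sorted(p for p, files in sets.items()
                  if files.get("sigdef-default", 0) >= min_bytes)

if __name__ == "__main__":
    found = ips_file_sets(SAMPLE_LISTING)
    for prefix, files in sorted(found.items()):
        print(prefix, files)
    print("already populated:", populated_prefixes(found))
```
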
