Has anyone else on here ever tested a stateful signature on the IOS IPS? Is it supported? I am not sure. FPM doesn't support stateful packet inspection. I am not sure about IOS IPS.

Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected] On Behalf Of Eugene Pefti
Sent: Friday, March 04, 2011 1:57 AM
To: Kingsley Charles
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig / string TCP

There you go: see "FA", Fire All, under "SM", Summary mode. No luck so far, the IPS is as silent as the Dead Sea. Maybe I'm testing it the wrong way? I'm telnetting to the router to the interface where this IPS is applied in both directions:

interface FastEthernet0/0
 ip address 192.168.1.101 255.255.255.0
 ip ips IPS in
 ip ips IPS out
 zone-member security TELUS-WAN-ZONE
 duplex auto
 speed auto

R3#show ip ips signature sigid 60001 subid 0
SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
60001:0     Y  Y    A      MED 0     1  0  0   0  FA N  75  custom
   sig-name: Test Telnet
   sig-string-info: My Sig Info
   sig-comment: Sig Comment
   sig-type: Other
   Engine string-tcp params:
    min-match-length: 0
    regex-string: [cC][oO][nN][fF]
    service-ports: 23
    direction: to-service
    exact-match-offset: 0
    max-match-offset: 0
    min-match-offset: 0
R3#

From: Kingsley Charles
Sent: Thursday, March 03, 2011 10:45 PM
To: Eugene Pefti
Cc: Jerome Dolphin; OSL Security
Subject: Re: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig / string TCP

Can you configure "fireall" and let me know if you are still facing the issue.

With regards
Kings

On Fri, Mar 4, 2011 at 11:03 AM, Eugene Pefti <[email protected]> wrote:

Summary Mode: Summarize
Summary Interval: 15
Summary Key: Attacker Address
Specify Global Summary Threshold: No

What does it have to do with it, Kings? The signature didn't fire once.

From: Kingsley Charles <[email protected]>
Date: Fri, 4 Mar 2011 10:47:17 +0530
To: Ivan Lopuhov <[email protected]>
Cc: Jerome Dolphin <[email protected]>, OSL Security <[email protected]>
Subject: Re: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig / string TCP

What is the summary mode configured for the signature?

With regards
Kings

On Fri, Mar 4, 2011 at 2:45 AM, Eugene Pefti <[email protected]> wrote:

Hi guys,

I'm back to my CCIE studies after a lot of lengthy projects. I was able to reproduce/re-create this custom signature but had to use the IPS module inside an ASA firewall, and it worked for me. The signature 60003 looks like this:

signatures 60003 0
 sig-description
  sig-name Test Telnet
  exit
 engine string-tcp
  regex-string GET
  service-ports 80
  exit
 exit
exit

Basically it fires every time any browser makes a connection to a web server and sends a GET request to fetch the web page.

I have another problem with IPS, and it is IOS IPS. I know it doesn't fall into the CCIE blueprint, but just out of curiosity and for the sake of knowledge. I'm trying to show the value of IOS IPS to the client and created almost the same custom signature:

R3#sh ip ips signature sigid 60001 subid 0
En - possible values are Y, Y*, N, or N*
  Y: signature is enabled
  N: enabled=false in the signature definition file
  *: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
  Y: signature is compiled
  Ni: signature not compiled due to invalid or missing parameters
  Nr: signature not compiled because it is retired
  Nf: signature compile failed
  No: signature is obsoleted
  Nd: signature is disallowed
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits   EC=event-count   AI=alert-interval
GST=global-summary-threshold   SI=summary-interval   SM=summary-mode
SW=swap-attacker-victim   SFR=sig-fidelity-rating   Rel=release
SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
60001:0     Y  Y    A      MED 0     1  0  0   0  FA N  75  custom
   sig-name: Test Telnet
   sig-string-info: My Sig Info
   sig-comment: Sig Comment
   sig-type: Other
   Engine string-tcp params:
    min-match-length: 0
    regex-string: [cC][oO][nN][fF]
    service-ports: 23
    direction: to-service
    exact-match-offset: 0
    max-match-offset: 0
    min-match-offset: 0

The signature is supposed to fire every time someone connects over Telnet to the router and then issues the "conf" command. I do see signatures 2000 and 2004 for ICMP firing when enabled, but nothing works for me with the custom signature.

Eugene

From: [email protected] On Behalf Of Jerome Dolphin
Sent: 02 March 2011 22:20
To: Kingsley Charles
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig / string TCP

Sorry Kings, too late now, the rack rental session has ended - should have taken a copy of the IPS config before it wrapped up.

On Thu, Mar 3, 2011 at 5:05 PM, Kingsley Charles <[email protected]> wrote:

Can you post your sig config.

With regards
Kings

On Thu, Mar 3, 2011 at 10:03 AM, Vybhav Ramachandran <[email protected]> wrote:

Grr too! Too bad IPS is too expensive to have in one's home lab :)
Can anyone shed light on this?

Cheers,
TacACK

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
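Added example (Python, written for this page and not taken from the thread or from Cisco IOS) illustrating the stateful question raised at the top of the thread: the same string-tcp style regex check run once per packet versus over the reassembled client-to-server byte stream, with the signature's to-service direction applied as a destination-port filter. It assumes the regex and port from signature 60001 above, a constructed Telnet trace in which each keystroke travels in its own segment (character mode), and hypothetical names for the Segment model and the two matcher functions.

```python
import re
from dataclasses import dataclass

# Regex and service port taken from custom signature 60001 in the thread.
SIG_REGEX = re.compile(rb"[cC][oO][nN][fF]")
SERVICE_PORT = 23  # service-ports 23, direction to-service (client -> server)


@dataclass
class Segment:
    """One TCP segment, reduced to the fields the check needs (constructed model)."""
    src_port: int
    dst_port: int
    payload: bytes


def to_service(seg: Segment) -> bool:
    """direction to-service: only segments heading to the service port are inspected."""
    return seg.dst_port == SERVICE_PORT


def match_per_packet(segments) -> bool:
    """Stateless check: the regex has to match inside a single segment payload."""
    return any(to_service(s) and SIG_REGEX.search(s.payload) for s in segments)


def match_reassembled(segments) -> bool:
    """Stateful check: concatenate the client->server stream first, then match."""
    stream = b"".join(s.payload for s in segments if to_service(s))
    return SIG_REGEX.search(stream) is not None


# Constructed traces. In character mode Telnet sends each keystroke as its own
# segment and the server echoes it back; in line mode the whole line goes at once.
CHARACTER_MODE = [
    Segment(40000, 23, b"c"), Segment(23, 40000, b"c"),
    Segment(40000, 23, b"o"), Segment(23, 40000, b"o"),
    Segment(40000, 23, b"n"), Segment(23, 40000, b"n"),
    Segment(40000, 23, b"f"), Segment(23, 40000, b"f"),
    Segment(40000, 23, b" t\r\n"),
]
LINE_MODE = [Segment(40000, 23, b"conf t\r\n")]
# Keyword appears only in the server's reply (from-service): must not fire for to-service.
ECHO_ONLY = [Segment(23, 40000, b"R3(config)#")]

if __name__ == "__main__":
    for name, trace in (("character mode", CHARACTER_MODE), ("line mode", LINE_MODE)):
        print(f"{name}: per-packet={match_per_packet(trace)} "
              f"reassembled={match_reassembled(trace)}")
```

The character-mode trace is the case that separates the two checks: only the reassembled matcher sees "conf", while both agree on the line-mode and echo-only traces.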
