That's what got me confused, I mean stateful and stateless IPS. I followed
the official Cisco guide on IOS IPS; it is actually a technical review document:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps7264/ps6634/IOS_IPS_Technical_Review.pdf
It mentions both stateless and stateful IPS in different phases of the packet
flow. Unfortunately I failed to find a proper explanation of the stateful and
stateless IPS terms and assumed that stateful IPS is available in IOS IPS.
Asking the IPS on the router to show me the available engines produces the
following output, which includes the string-tcp engine:
R3#sh ip ips signat engine
Available engines are:
atomic-ip
normalizer
service-http-v2
service-http
service-smb-advanced
service-msrpc
service-smtp-v1
state
service-ftp-v2
service-ftp
string-tcp
service-rpc
service-dns
string-udp
multi-string
string-icmp
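The stateful-versus-stateless distinction the thread keeps circling, as an added illustration that is not code from the thread, from Cisco IOS IPS or from the IPS sensor module: a toy Python matcher applies the two custom string-tcp signatures quoted later in the thread (60001, `[cC][oO][nN][fF]` towards port 23, and 60003, `GET` towards port 80) to constructed client-to-server TCP segments, once per packet and once over the reassembled per-flow stream. The traffic is constructed; the assumption that a telnet client in character-at-a-time mode delivers each keystroke of "conf" in its own segment is the example's own, not an observation from the lab, and the toy engine is not a model of how the IOS IPS string-tcp engine is actually implemented.

```python
"""Added example, not code from the OSL thread, Cisco IOS IPS or the IPS sensor.
Applies two string-tcp style signatures to constructed TCP segments, first per
packet (stateless) and then over the reassembled to-service byte stream
(stateful), to show which hits each approach can and cannot produce."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One client-to-server TCP segment (constructed, not captured)."""
    src: str
    dst: str
    dport: int
    payload: bytes


# The two custom signatures from the thread, reduced to the fields the toy
# engine needs.  'direction to-service' is implied: only client->server
# payload is inspected, which is all the constructed segment list contains.
SIGNATURES = (
    {"sigid": 60001, "regex": re.compile(rb"[cC][oO][nN][fF]"), "ports": {23}},
    {"sigid": 60003, "regex": re.compile(rb"GET"), "ports": {80}},
)

# Constructed traffic (assumption): client 10.0.0.5 is a telnet client in
# character-at-a-time mode and sends each keystroke of "conf t" as its own
# segment; 10.0.0.6 sends the whole line at once; 10.0.0.7 is a browser.
# The router address is the one from the thread's interface config.
TRAFFIC = [
    Segment("10.0.0.5", "192.168.1.101", 23, b"c"),
    Segment("10.0.0.5", "192.168.1.101", 23, b"o"),
    Segment("10.0.0.5", "192.168.1.101", 23, b"n"),
    Segment("10.0.0.5", "192.168.1.101", 23, b"f"),
    Segment("10.0.0.5", "192.168.1.101", 23, b" t\r\n"),
    Segment("10.0.0.6", "192.168.1.101", 23, b"conf t\r\n"),
    Segment("10.0.0.7", "192.168.1.101", 80, b"GET / HTTP/1.1\r\nHost: r3\r\n\r\n"),
    # "conf" towards port 80: service-ports keeps 60001 from ever looking at it.
    Segment("10.0.0.7", "192.168.1.101", 80, b"GET /conf HTTP/1.1\r\n\r\n"),
]


def stateless_inspect(segments):
    """Per-packet matching: each segment is searched on its own, so a string
    whose characters arrive in separate segments can never match.
    Returns [(sigid, attacker), ...] in firing order."""
    alerts = []
    for seg in segments:
        for sig in SIGNATURES:
            if seg.dport in sig["ports"] and sig["regex"].search(seg.payload):
                alerts.append((sig["sigid"], seg.src))
    return alerts


def stateful_inspect(segments):
    """Stream matching: to-service bytes are reassembled per flow and the regex
    runs over the accumulated stream, resuming after the last hit so that one
    occurrence of the string produces exactly one alert."""
    streams = {}  # flow -> (reassembled buffer, {sigid: offset to resume from})
    alerts = []
    for seg in segments:
        flow = (seg.src, seg.dst, seg.dport)
        buf, offsets = streams.setdefault(flow, (bytearray(), {}))
        buf += seg.payload  # in-place extend; the dict holds the same object
        for sig in SIGNATURES:
            if seg.dport not in sig["ports"]:
                continue
            start = offsets.get(sig["sigid"], 0)
            match = sig["regex"].search(buf, start)
            while match:
                alerts.append((sig["sigid"], seg.src))
                start = match.end()
                match = sig["regex"].search(buf, start)
            # Unmatched bytes stay in the window so a later segment can
            # complete a string that straddles the segment boundary.
            offsets[sig["sigid"]] = start
    return alerts


if __name__ == "__main__":
    print("stateless:", stateless_inspect(TRAFFIC))
    print("stateful: ", stateful_inspect(TRAFFIC))
```

Run stand-alone, the per-packet pass reports 60001 only for the client that sent "conf t" in one segment and 60003 for both HTTP requests, while the stream pass additionally reports 60001 for the keystroke-at-a-time client. Whether a given product's string-tcp engine reassembles the stream before matching is the question Tyson raises below; the toy only makes visible what is at stake in the answer.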
From: Tyson Scott [mailto:[email protected]]
Sent: 04 March 2011 06:21
To: Eugene Pefti; 'Kingsley Charles'
Cc: 'OSL Security'
Subject: RE: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig / string TCP
Has anyone else on here ever tested a stateful signature on the IOS IPS? Is it
supported? I am not sure. FPM doesn't support stateful packet inspection. I
am not sure about IOS IPS.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit:
www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio
Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S,
Voice, Security & Service Provider) certification(s) with training locations
throughout the United States, Europe, South Asia and Australia. Be sure to
visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
From: [email protected]
[mailto:[email protected]] On Behalf Of Eugene Pefti
Sent: Friday, March 04, 2011 1:57 AM
To: Kingsley Charles
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig / string TCP
There you go:
See "FA", Fire All, under "SM", Summary Mode. No luck so far, the IPS is as silent
as the Dead Sea. Maybe I'm testing it the wrong way?
I'm telnetting to the router on the interface where this IPS is applied in both
directions:
interface FastEthernet0/0
 ip address 192.168.1.101 255.255.255.0
 ip ips IPS in
 ip ips IPS out
 zone-member security TELUS-WAN-ZONE
 duplex auto
 speed auto
R3#show ip ips signature sigid 60001 subid 0
SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
60001:0 Y Y A MED 0 1 0 0 0 FA N 75 custom
sig-name: Test Telnet
sig-string-info: My Sig Info
sig-comment: Sig Comment
sig-type: Other
Engine string-tcp params:
min-match-length: 0
regex-string: [cC][oO][nN][fF]
service-ports: 23
direction: to-service
exact-match-offset: 0
max-match-offset: 0
min-match-offset: 0
R3#
From: Kingsley Charles [mailto:[email protected]]
Sent: Thursday, March 03, 2011 10:45 PM
To: Eugene Pefti
Cc: Jerome Dolphin; OSL Security
Subject: Re: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig / string TCP
Can you configure "fireall" and let me know, if you are still facing the issue.
With regards
Kings
On Fri, Mar 4, 2011 at 11:03 AM, Eugene Pefti
<[email protected]> wrote:
Summary Mode: Summarize
Summary Interval: 15
Summary Key: Attacker Address
Specify Global Summary Threshold: No
What does it have to do with it, Kings? The signature didn't fire once.
From: Kingsley Charles <[email protected]>
Date: Fri, 4 Mar 2011 10:47:17 +0530
To: Ivan Lopuhov <[email protected]>
Cc: Jerome Dolphin <[email protected]>, OSL Security <[email protected]>
Subject: Re: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig / string TCP
What is the summary mode configured for the signature?
With regards
Kings
On Fri, Mar 4, 2011 at 2:45 AM, Eugene Pefti
<[email protected]> wrote:
Hi guys,
I'm back to my CCIE studies after a lot of lengthy projects.
I was able to reproduce/re-create this custom signature but had to use IPS
module inside ASA firewall and it worked for me. The signature 60003 looks like
this:
signatures 60003 0
  sig-description
    sig-name Test Telnet
    exit
  engine string-tcp
    regex-string GET
    service-ports 80
    exit
  exit
exit
Basically it fires every time any browser connects to a web server and sends a
GET request to fetch the web page.
I have another problem with IPS, and it is IOS IPS. I know it doesn't fall within
the CCIE blueprint, but just out of curiosity and for the sake of knowledge. I'm
trying to show the value of IOS IPS to the client and created almost the same
custom signature:
R3#sh ip ips signature sigid 60001 subid 0
En - possible values are Y, Y*, N, or N*
Y: signature is enabled
N: enabled=false in the signature definition file
*: retired=true in the signature definition file
Cmp - possible values are Y, Ni, Nr, Nf, or No
Y: signature is compiled
Ni: signature not compiled due to invalid or missing parameters
Nr: signature not compiled because it is retired
Nf: signature compile failed
No: signature is obsoleted
Nd: signature is disallowed
Action=(A)lert, (D)eny, (R)eset, Deny-(H)ost, Deny-(F)low
Trait=alert-traits EC=event-count AI=alert-interval
GST=global-summary-threshold SI=summary-interval SM=summary-mode
SW=swap-attacker-victim SFR=sig-fidelity-rating Rel=release
SigID:SubID En Cmp Action Sev Trait EC AI GST SI SM SW SFR Rel
----------- -- ---- ------ --- ----- ---- ---- ----- --- -- -- --- ---
60001:0 Y Y A MED 0 1 0 0 0 FA N 75 custom
sig-name: Test Telnet
sig-string-info: My Sig Info
sig-comment: Sig Comment
sig-type: Other
Engine string-tcp params:
min-match-length: 0
regex-string: [cC][oO][nN][fF]
service-ports: 23
direction: to-service
exact-match-offset: 0
max-match-offset: 0
min-match-offset: 0
The signature is supposed to fire every time someone connects over Telnet to
the router and then issues "conf" command. I do see signatures 2000 and 2004
for ICMP firing when enabled but nothing works for me with the custom signature.
Eugene
From: [email protected] [mailto:[email protected]] On Behalf Of Jerome Dolphin
Sent: 02 March 2011 22:20
To: Kingsley Charles
Cc: OSL Security
Subject: Re: [OSL | CCIE_Security] Lab 16 task 3.1 / IPS custom sig / string TCP
Sorry Kings, too late now, the rack rental session has ended - should have
taken a copy of the IPS config before it wrapped up.
On Thu, Mar 3, 2011 at 5:05 PM, Kingsley Charles
<[email protected]> wrote:
Can you post your sig config.
With regards
Kings
On Thu, Mar 3, 2011 at 10:03 AM, Vybhav Ramachandran
<[email protected]> wrote:
Grr too! Too bad IPS is too expensive to have in one's home lab :)
Can anyone shed light on this?
Cheers,
TacACK
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com