Configuring IOS Intrusion Prevention System (IPS) using CLI

Cisco IOS IPS requires a specific sequence of actions to download and install a signature package on a staging router, tune and configure the signature set and distribute (copy) the resulting signature database files to a production router community

Creating a directory in flash:

R1#mkdir MyDir Create directory filename [MyDir]? Created dir flash:ipsdir


R1#mkdir flash: Create directory filename []?MyDir Created dir flash:MyDir

to configure the IPS signature storage location to be this directory

R1(config)#ip ips ? config Location of IPS configuration files fail Specify what to do during any failures name Specify an IPS rule notify Specify the notification mechanisms (SDEE or log) for the alarms signature-category Signature Category signature-definition Signature Definition R1(config)#ip ips config ? location Location of IPS configuration files R1(config)#ip ips config location R1(config)#ip ips config location flash:MyDir

Create an IPS rule an name it

R1(config)# ip ips name MyRule

Syslog notification is enabled by default. If logging console is enabled, you see IPS syslog messages

R1(config)# R1(config)#ip ips notify ? log Send events as syslog messages R1(config)#ip ips notify log R1(config)#logging on

Enable the timestamp service for logging, set clock, include stamestampa in logs and configure syslog server

R1#clock set 14:48:00 MAR 03 2011 R1(config)# service timestamps log datetime ? msec Include milliseconds in timestamp R1(config)# service timestamps log datetime msec R1(config)# logging host

IPS database file packaging and distribution
The signature loading and tuning populates the IOS IPS signature database, which is contained in the router's IPS configuration directory as four `.xml' or `.xmz' files that represent the signatures. These files describe the signatures, which categories they belong to, their retirement and enabled/disabled settings, and fidelity value:
On routers running IOS Releases prior to 15.0M Release:

• routername-sigdef-category.xml

• routername-sigdef-default.xml

• routername-sigdef-typedef.xml

• routername-sigdef-delta.xml
On routers running 15.0M/15,1T or later IOS Releases:

• iosips-sigdef-category.xmz

• iosips-sigdef-default.xmz

• iosips-sigdef-typedef.xmz

• iosips-sigdef-delta.xmz
The .xmz file extension has replaced the .xml extension in those releases due to IPS signature update license enforcement and indicates that the file contents are compressed. However, the purpose and function of the file is exactly the same regardless of the extension.
Additionally, the signature database holds two additional files that describe the SEAP configuration, in the event that you have adjusted the Signature Event Action Override values.

Retire the all signature category with the retired true command (all signatures within the signature release). Unretire the IOS_IPS Basic category with the retired false command.

R1(config-ips-category)#category ? all All Categories ios_ips IOS IPS (more sub-categories R1(config-ips-category)#category all R1(config-ips-category-action)# R1(config-ips-category-action)# retired true R1(config-ips-category-action)# exit R1(config-ips-category)#cate ios_ips ? basic Basic R1(config-ips-category)# category ios_ips basic R1(config-ips-category-action)# retired false R1(config-ips-category-action)# exit R1(config-ips-cateogry)# exit Do you want to accept these changes? [confirm] Applying Category configuration to signatures ... %IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines %IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned

IPS inspects only traffic going in or out of the specified interfaces

R1(config)#in f0/0 R1(config-if)#ip ips ? WORD Name of define IPS rule R1(config-if)#ip ips iosips % Incomplete command. R1(config-if)#ip ips MyRule out *??? 03, 15:30:53.3030: %IPS-6-ENGINE_BUILDS_STARTED: 15:30:53 UTC ??? 03 2011 *??? 03, 15:30:53.3030: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines *??? 03, 15:30:53.3030: %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned *??? 03, 15:30:53.3030: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 msR1

R1(config)#ip ips signature-definition R1(config-sigdef)#? exit Exit from Signature Definition Mode signature Signature keyword R1(config-sigdef)#signature ? <1-65535> Signature ID value R1(config-sigdef)#signature 2004 ? <0-65535> Signature SubID value R1(config-sigdef)#signature 2004 0 R1(config-sigdef-sig)#status R1(config-sigdef-sig-status)#? enabled Enable Category Signatures exit Exit from status submode no Negate or set default values of a command retired Retire Category Signatures R1(config-sigdef-sig-status)#retired false R1(config-sigdef-sig-status)#enabled true R1(config-sigdef-sig-status)#exi R1(config-sigdef-sig)#? engine Engine exit Exit from Signature Definition Mode status Status R1(config-sigdef-sig)#engine R1(config-sigdef-sig-engine)#? event-action Action exit Exit from engine submode no Negate or set default values of a command R1(config-sigdef-sig-engine)#event-a ? deny-packet-inline Deny Packet produce-alert Produce Alert R1(config-sigdef-sig-engine)#event-a prod R1(config-sigdef-sig-engine)#event-a produce-alert R1(config-sigdef-sig-engine)#event-a R1(config-sigdef-sig-engine)#event-a R1(config-sigdef-sig-engine)#event-action deny R1(config-sigdef-sig-engine)#event-action deny-packet-inline R1(config-sigdef-sig-engine)#exi R1(config-sigdef-sig)#exi R1(config-sigdef)#exi Do you want to accept these changes? [confirm] %IPS-6-ENGINE_BUILDS_STARTED: %IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines %IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms

show ip ips all - to see IPS configuration status summary

R1(config)#do show ip ips all IPS Signature File Configuration Status Configured Config Locations: flash:MyDir Last signature default load time: Last signature delta load time: Last event action (SEAP) load time: -none- General SEAP Config: Global Deny Timeout: 3600 seconds Global Overrides Status: Enabled Global Filters Status: Enabled IPS Auto Update is not currently configured IPS Syslog and SDEE Notification Status Event notification through syslog is enabled Event notification through SDEE is enabled IPS Signature Status Total Active Signatures: 1 Total Inactive Signatures: 0 IPS Packet Scanning and Interface Status IPS Rule Configuration IPS name MyRule IPS fail closed is disabled IPS deny-action ips-interface is false Fastpath ips is enabled Quick run mode is enabled Interface Configuration Interface FastEthernet0/0 Inbound IPS rule is not set Outgoing IPS rule is iosips IPS Category CLI Configuration: Category all Retire: True Category ios_ips basic Retire: False R1(config)#

mkdir ipsdir
ip ips config location flash:ipsdir
ip ips name iosips
ip ips notify log
clock set 01:20:00 6 january 2009
service timestamps log datetime msec
logging host
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
interface fa0/0
ip ips iosips out
ip ips signature-definition
signature 2004 0
retired false
enabled true
event-action produce-alert
event-action deny-packet-inline