Configuring IOS Intrusion Prevention System (IPS) using CLI

Cisco IOS IPS requires a specific sequence of actions: download and install a signature package on a staging router, tune and configure the signature set, and then distribute (copy) the resulting signature database files to the production router community.

Create a directory in flash to hold the signature files:

R1#mkdir MyDir
Create directory filename [MyDir]?
Created dir flash:ipsdir

or

R1#mkdir flash:
Create directory filename []?MyDir
Created dir flash:MyDir

Configure the IPS signature storage location to be this directory:

R1(config)#ip ips ?
  config                Location of IPS configuration files
  fail                  Specify what to do during any failures
  name                  Specify an IPS rule
  notify                Specify the notification mechanisms (SDEE or log) for the alarms
  signature-category    Signature Category
  signature-definition  Signature Definition
R1(config)#ip ips config ?
  location  Location of IPS configuration files
R1(config)#ip ips config location
R1(config)#ip ips config location flash:MyDir

Create an IPS rule and name it:

R1(config)# ip ips name MyRule

Syslog notification is enabled by default. If console logging is enabled, IPS syslog messages appear on the console:

R1(config)#
R1(config)#ip ips notify ?
  log  Send events as syslog messages
R1(config)#ip ips notify log
R1(config)#logging on

Set the clock, enable timestamps (including milliseconds) on log messages, and configure a syslog server so that IPS events are recorded off-box:

R1#clock set 14:48:00 MAR 03 2011
R1(config)# service timestamps log datetime ?
  msec  Include milliseconds in timestamp
R1(config)# service timestamps log datetime msec
R1(config)# logging host 192.168.1.50

IPS database file packaging and distribution
Signature loading and tuning populates the IOS IPS signature database, which is stored in the router's IPS configuration directory as four .xml or .xmz files. These files describe the signatures, the categories they belong to, their retired and enabled/disabled settings, and their fidelity values:
On routers running IOS Releases prior to 15.0M Release:

• routername-sigdef-category.xml

• routername-sigdef-default.xml

• routername-sigdef-typedef.xml

• routername-sigdef-delta.xml
On routers running 15.0M/15.1T or later IOS Releases:

• iosips-sigdef-category.xmz

• iosips-sigdef-default.xmz

• iosips-sigdef-typedef.xmz

• iosips-sigdef-delta.xmz
The .xmz file extension replaced the .xml extension in those releases as part of IPS signature update license enforcement, and indicates that the file contents are compressed. The purpose and function of each file is exactly the same regardless of the extension.
The signature database also holds two further files that describe the SEAP configuration, in the event that you have adjusted the Signature Event Action Override values.

Enter signature-category configuration mode (ip ips signature-category). Retire the all category with the retired true command, which retires every signature in the signature release, then unretire the ios_ips basic category with the retired false command:

R1(config-ips-category)#category ?
  all      All Categories
  ios_ips  IOS IPS (more sub-categories)
R1(config-ips-category)#category all
R1(config-ips-category-action)#
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)#cate ios_ips ?
  basic  Basic
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm]
Applying Category configuration to signatures ...
%IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned

Apply the rule to an interface in a direction. IPS inspects only traffic entering or leaving the interfaces to which a rule is applied; the rule name and direction are both required:

R1(config)#in f0/0
R1(config-if)#ip ips ?
  WORD  Name of define IPS rule
R1(config-if)#ip ips iosips
% Incomplete command.
R1(config-if)#ip ips MyRule out
*??? 03, 15:30:53.3030: %IPS-6-ENGINE_BUILDS_STARTED: 15:30:53 UTC ??? 03 2011
*??? 03, 15:30:53.3030: %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*??? 03, 15:30:53.3030: %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*??? 03, 15:30:53.3030: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms

Tune an individual signature (here signature 2004, subsignature 0): unretire and enable it, then set its event actions so that it both produces an alert and drops the packet inline:

R1(config)#ip ips signature-definition
R1(config-sigdef)#?
  exit       Exit from Signature Definition Mode
  signature  Signature keyword
R1(config-sigdef)#signature ?
  <1-65535>  Signature ID value
R1(config-sigdef)#signature 2004 ?
  <0-65535>  Signature SubID value
R1(config-sigdef)#signature 2004 0
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#?
  enabled  Enable Category Signatures
  exit     Exit from status submode
  no       Negate or set default values of a command
  retired  Retire Category Signatures
R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#enabled true
R1(config-sigdef-sig-status)#exi
R1(config-sigdef-sig)#?
  engine  Engine
  exit    Exit from Signature Definition Mode
  status  Status
R1(config-sigdef-sig)#engine
R1(config-sigdef-sig-engine)#?
  event-action  Action
  exit          Exit from engine submode
  no            Negate or set default values of a command
R1(config-sigdef-sig-engine)#event-a ?
  deny-packet-inline  Deny Packet
  produce-alert       Produce Alert
R1(config-sigdef-sig-engine)#event-a prod
R1(config-sigdef-sig-engine)#event-a produce-alert
R1(config-sigdef-sig-engine)#event-a
R1(config-sigdef-sig-engine)#event-a
R1(config-sigdef-sig-engine)#event-action deny
R1(config-sigdef-sig-engine)#event-action deny-packet-inline
R1(config-sigdef-sig-engine)#exi
R1(config-sigdef-sig)#exi
R1(config-sigdef)#exi
Do you want to accept these changes? [confirm]
%IPS-6-ENGINE_BUILDS_STARTED:
%IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms

Use show ip ips all to see a summary of the IPS configuration status:

R1(config)#do show ip ips all

IPS Signature File Configuration Status
  Configured Config Locations: flash:MyDir
  Last signature default load time:
  Last signature delta load time:
  Last event action (SEAP) load time: -none-

General SEAP Config:
  Global Deny Timeout: 3600 seconds
  Global Overrides Status: Enabled
  Global Filters Status: Enabled

IPS Auto Update is not currently configured

IPS Syslog and SDEE Notification Status
  Event notification through syslog is enabled
  Event notification through SDEE is enabled

IPS Signature Status
  Total Active Signatures: 1
  Total Inactive Signatures: 0

IPS Packet Scanning and Interface Status
  IPS Rule Configuration
    IPS name MyRule
  IPS fail closed is disabled
  IPS deny-action ips-interface is false
  Fastpath ips is enabled
  Quick run mode is enabled
  Interface Configuration
    Interface FastEthernet0/0
      Inbound IPS rule is not set
      Outgoing IPS rule is iosips

IPS Category CLI Configuration:
  Category all
    Retire: True
  Category ios_ips basic
    Retire: False
R1(config)#
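The show ip ips all output is the place to verify that what was typed is what the router is actually enforcing. As an added example (not part of the original page or of any Cisco tooling), the following Python script parses that output and reports deviations from the intended state: missing storage location or signature load, zero active signatures, fail-closed disabled, and a rule bound to the interface that differs from the one intended. The sample output is constructed from the page's own show output; the function name and finding texts are assumptions.

```python
import re

# Constructed sample: the `show ip ips all` output quoted on this page, one field per line
SHOW_IP_IPS_ALL = """\
IPS Signature File Configuration Status
  Configured Config Locations: flash:MyDir
  Last signature default load time:
  Last signature delta load time:
  Last event action (SEAP) load time: -none-
IPS Signature Status
  Total Active Signatures: 1
  Total Inactive Signatures: 0
IPS Rule Configuration
  IPS name MyRule
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
Interface Configuration
  Interface FastEthernet0/0
    Inbound IPS rule is not set
    Outgoing IPS rule is iosips
"""


def audit_ips_status(output, expected_rule, interface, directions=("Inbound", "Outgoing")):
    """Return a list of findings; an empty list means the router state matches the intent."""
    findings = []

    def field(pattern):  # first capture group of a line-anchored regex, or None if absent
        m = re.search(pattern, output, re.M)
        return m.group(1).strip() if m else None

    if field(r"^\s*Configured Config Locations:[ \t]*(\S+)") is None:
        findings.append("no signature storage location configured (ip ips config location)")
    if field(r"^\s*Last signature default load time:[ \t]*(\S.*)$") is None:
        findings.append("no signature package load recorded in the storage location")
    if int(field(r"Total Active Signatures:[ \t]*(\d+)") or 0) == 0:
        findings.append("zero active signatures: the rule inspects nothing")
    if field(r"IPS fail closed is (\w+)") == "disabled":
        findings.append("fail closed is disabled: traffic bypasses inspection if engines fail")
    # Compare the rule actually bound in each requested direction against the intended one
    block = re.search(rf"Interface {re.escape(interface)}\n((?:[ \t]+.*\n)+)", output)
    bound = dict(re.findall(r"(Inbound|Outgoing) IPS rule is (.+)", block.group(1))) if block else {}
    for direction in directions:
        rule = bound.get(direction, "not set")
        if rule != expected_rule:
            findings.append(f"{interface} {direction.lower()}: rule is '{rule}', expected '{expected_rule}'")
    return findings


if __name__ == "__main__":
    for finding in audit_ips_status(SHOW_IP_IPS_ALL, "MyRule", "FastEthernet0/0", ("Outgoing",)):
        print("FINDING:", finding)
```

Run against the page's output with the intended rule MyRule, the check flags that the outgoing rule on FastEthernet0/0 is iosips, exactly the kind of staging/production mismatch this verification step exists to catch.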

The complete configuration as a consolidated listing (this listing uses the directory name ipsdir and rule name iosips in place of MyDir and MyRule used above):

mkdir ipsdir
ip ips config location flash:ipsdir
ip ips name iosips
ip ips notify log
clock set 01:20:00 6 january 2009
service timestamps log datetime msec
logging host 192.168.1.50
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
exit
interface fa0/0
ip ips iosips out
ip ips signature-definition
signature 2004 0
status
retired false
enabled true
exit
engine
event-action produce-alert
event-action deny-packet-inline
exit