Cisco IPS dropping packets

 
 
BarrySDCA@gmail.com
 
      04-13-2008
I am trying to setup the cisco IPS on the front facing interface of a
3845 router. Every time I enable the IPS, no packets are allowed to
pass through the router. w/out IPS, everything works fine (except
there is no IPS). The moment I enable it, nothing can get through.

I have:

ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://256MB.sdf autosave
ip ips name sdm_ips_rule_IPS list IPS

..
..
interface GigabitEthernet0/0
ip address 127.2.2.3 255.255.255.248 <--- edited for the example
ip access-group gigabitethernet0/0_in in
ip access-group sdm_gigabitethernet0/0_out out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip ips sdm_ips_rule_IPS in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
media-type sfp
no mop enabled
crypto map SDM_CMAP_1
crypto ipsec df-bit clear

..
..
..
..
ip access-list extended IPS
remark SDM_ACL Category=1
permit tcp any host 125.2.4.2 eq www <--- just a test host on our
network. www packets are being blocked



If I change the ACL to deny, then everything passes just fine. It's
only when I change the ACL to send packets through the IPS that it
stops cold.

Does anyone have an idea what the problem might be?

thank you,

Barry

 
Merv
      04-13-2008
On Apr 12, 9:17 pm, (E-Mail Removed) wrote:
> I am trying to setup the cisco IPS on the front facing interface of a
> 3845 router. Every time I enable the IPS, no packets are allowed to
> pass through the router. w/out IPS, everything works fine (except
> there is no IPS). The moment I enable it, nothing can get through.



Do not know the cause of your issue, however, you should be aware that
Cisco issued a security advisory regarding the IPS feature

see http://www.cisco.com/warp/public/707...sips.shtml#@ID
 
BarrySDCA
      04-13-2008
On Apr 13, 3:59 am, Merv <(E-Mail Removed)> wrote:
> On Apr 12, 9:17 pm, (E-Mail Removed) wrote:
>
> > I am trying to setup the cisco IPS on the front facing interface of a
> > 3845 router. Every time I enable the IPS, no packets are allowed to
> > pass through the router. w/out IPS, everything works fine (except
> > there is no IPS). The moment I enable it, nothing can get through.
>
> Do not know the cause of your issue, however, you should be aware that
> Cisco
> issued a security advisory regarding the IPS feature
>
> see http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml#@ID


might be why IPS is crashed...thank you for this info.
 
Merv
      04-13-2008
On Apr 13, 11:24 am, BarrySDCA <(E-Mail Removed)> wrote:
> On Apr 13, 3:59 am, Merv <(E-Mail Removed)> wrote:
>
> > On Apr 12, 9:17 pm, (E-Mail Removed) wrote:
> >
> > > I am trying to setup the cisco IPS on the front facing interface of a
> > > 3845 router. Every time I enable the IPS, no packets are allowed to
> > > pass through the router. w/out IPS, everything works fine (except
> > > there is no IPS). The moment I enable it, nothing can get through.
> >
> > Do not know the cause of your issue, however, you should be aware that
> > Cisco
> > issued a security advisory regarding the IPS feature
> >
> > see http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml#@ID
>
> might be why IPS is crashed...thank you for this info.



For security vulnerabilities, I believe you can get a newer image from
the Cisco TAC if you do not have a Smartnet support agreement for the
unit under test

 
News Reader
      04-13-2008
(E-Mail Removed) wrote:
> I am trying to setup the cisco IPS on the front facing interface of a
> 3845 router. Every time I enable the IPS, no packets are allowed to
> pass through the router. w/out IPS, everything works fine (except
> there is no IPS). The moment I enable it, nothing can get through.
>
> I have:
>
> ip ips sdf location flash://sdmips.sdf
> ip ips sdf location flash://256MB.sdf autosave


Are you allowed to define multiple sdf locations?
How would the router know which to load?

Have you verified your IPS config, and that the signatures have actually
loaded?

sh ip ips configuration
sh ip ips signatures

> ip ips name sdm_ips_rule_IPS list IPS
>
> .
> .
> interface GigabitEthernet0/0
> ip address 127.2.2.3 255.255.255.248 <--- edited for the example
> ip access-group gigabitethernet0/0_in in
> ip access-group sdm_gigabitethernet0/0_out out
> ip verify unicast reverse-path
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip ips sdm_ips_rule_IPS in
> ip virtual-reassembly
> ip route-cache flow
> duplex auto
> speed auto
> media-type sfp
> no mop enabled
> crypto map SDM_CMAP_1
> crypto ipsec df-bit clear
>
> .
> .
> .
> .
> ip access-list extended IPS
> remark SDM_ACL Category=1
> permit tcp any host 125.2.4.2 eq www <--- just a test host on our
> network. www packets are being blocked
>
>
>
> If I change the ACL to deny, then everything passes just fine. It's
> only when I change the ACL to send packets through the IPS that it
> stops cold.
>
> Does anyone have an idea what the problem might be?
>
> thank you,
>
> Barry
>


Best Regards,
News Reader
 
BarrySDCA
      04-14-2008
I configured it w/out the location, so it will load signatures from
the built-in. I know they are loading from the syslog generated. Here
are the outputs. Thank you for your help. I continue to go in
circles on this...

C3845#sh ip ips config
Configured SDF Locations: none
Builtin signatures are enabled and loaded
Last successful SDF load time: 20:38:21 Pacific Apr 13 2008
IPS fail closed is disabled
IPS deny-action ips-interface is false
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is disabled
Total Active Signatures: 132
Total Inactive Signatures: 0
Signature 1107:0 disable
IPS Rule Configuration
IPS name sdm_ips_rule_IPS
acl list IPS
Interface Configuration
Interface GigabitEthernet0/0
Inbound IPS rule is sdm_ips_rule_IPS
acl list IPS
Outgoing IPS rule is not set

C3845#sh ip ips signatures
Builtin signatures are configured
Builtin signatures are loaded

Cisco SDF release version S46.0

Trend SDF release version V0.0

Action=(A)larm,(D)rop,(R)eset,Deny-(H)ost,Deny-(F)low
*=Marked for Deletion WF=WantFrag
Trait=AlarmTraits
MH=MinHits AI=AlarmInterval
CT=ChokeThreshold
TI=ThrottleInterval AT=AlarmThrottle FA=FlipAddr


Signature Micro-Engine: OTHER (3 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
1202:0 Y A HIGH 0 0 0 100 15 FA N Y
S37
1206:0 Y A INFO 0 0 0 100 15 FA N Y
S37
3050:0 Y A HIGH 0 0 0 100 15 FA N
S37

Signature Micro-Engine: STRING.UDP (1 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
4100:0 Y A HIGH 0 0 0 100 15 FA N
S37

Signature Micro-Engine: STRING.TCP (3 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
3150:0 Y A INFO 0 1 0 100 15 FA N
S37
3151:0 Y A INFO 0 1 0 100 15 FA N
S37
3152:0 Y A MED 0 1 0 100 15 FA N
S37

Signature Micro-Engine: SERVICE.FTP (2 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
3153:0 Y A MED 0 0 0 100 15 FA N
S37
3154:0 Y A MED 0 0 0 100 15 FA N
S37

Signature Micro-Engine: SERVICE.SMTP (10 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
3100:0 Y A MED 0 0 0 100 15 FA N
S37
3101:0 Y A MED 0 0 0 100 15 FA N
S37
3102:0 Y A MED 0 0 0 100 15 FA N
S37
3103:0 Y A INFO 0 0 0 100 15 FA N
S37
3103:1 Y A INFO 0 0 0 100 15 FA N
S37
3104:0 Y A INFO 0 0 0 100 15 FA N
S37
3104:1 Y A INFO 0 0 0 100 15 FA N
S37
3105:0 Y A LOW 0 0 0 100 15 FA N
S37
3106:0 Y A LOW 0 250 0 100 15 FA N
S37
3107:0 Y A HIGH 0 0 0 100 15 FA N
S37

Signature Micro-Engine: SERVICE.RPC (26 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
6100:0 Y A HIGH 0 0 0 100 30 FA N
S37
6100:1 Y A HIGH 0 0 0 100 30 FA N
S37
6101:0 Y A HIGH 0 0 0 100 30 FA N
S37
6101:1 Y A HIGH 0 0 0 100 30 FA N
S37
6102:0 Y A MED 0 0 0 100 30 FA N
S37
6102:1 Y A MED 0 0 0 100 30 FA N
S37
6103:0 Y A INFO 0 0 0 100 30 FA N
S37
6103:1 Y A INFO 0 0 0 100 30 FA N
S37
6150:0 Y A INFO 0 0 0 100 30 FA N
S37
6150:1 Y A INFO 0 0 0 100 30 FA N
S37
6151:0 Y A INFO 0 0 0 100 30 FA N
S37
6151:1 Y A INFO 0 0 0 100 30 FA N
S37
6152:0 Y A INFO 0 0 0 100 30 FA N
S37
6152:1 Y A INFO 0 0 0 100 30 FA N
S37
6153:0 Y A INFO 0 0 0 100 30 FA N
S37
6153:1 Y A INFO 0 0 0 100 30 FA N
S37
6154:0 Y A INFO 0 0 0 100 30 FA N
S37
6154:1 Y A INFO 0 0 0 100 30 FA N
S37
6155:0 Y A LOW 0 0 0 100 30 FA N
S37
6155:1 Y A LOW 0 0 0 100 30 FA N
S37
6175:0 Y A LOW 0 0 0 100 30 FA N
S37
6175:1 Y A LOW 0 0 0 100 30 FA N
S37
6180:0 Y A MED 0 0 0 100 30 FA N
S37
6180:1 Y A MED 0 0 0 100 30 FA N
S37
6190:0 Y A HIGH 0 0 0 100 30 FA N
S37
6190:1 Y A HIGH 0 0 0 100 30 FA N
S37

Signature Micro-Engine: SERVICE.DNS (23 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
6050:0 Y A LOW 0 0 0 100 30 FA N
S37
6050:1 Y A LOW 0 0 0 100 30 FA N
S37
6051:0 Y A INFO 0 0 0 100 30 FA N
S37
6051:1 Y A INFO 0 0 0 100 30 FA N
S37
6052:0 Y A MED 0 0 0 100 30 FA N
S37
6052:1 Y A MED 0 0 0 100 30 FA N
S37
6053:0 Y A INFO 0 0 0 100 30 FA N
S37
6053:1 Y A INFO 0 0 0 100 30 FA N
S37
6054:0 Y A LOW 0 0 0 100 30 FA N
S37
6054:1 Y A LOW 0 0 0 100 30 FA N
S37
6055:0 Y A HIGH 0 0 0 100 30 FA N
S37
6055:1 Y A HIGH 0 0 0 100 30 FA N
S37
6055:2 Y A HIGH 0 0 0 100 30 FA N
S37
6056:0 Y A HIGH 0 0 0 100 30 FA N
S37
6056:1 Y A HIGH 0 0 0 100 30 FA N
S37
6056:2 Y A HIGH 0 0 0 100 30 FA N
S37
6057:0 Y A HIGH 0 0 0 100 30 FA N
S37
6057:1 Y A HIGH 0 0 0 100 30 FA N
S37
6057:2 Y A HIGH 0 0 0 100 30 FA N
S37
6062:0 Y A LOW 0 0 0 100 30 FA N
S37
6062:1 Y A LOW 0 0 0 100 30 FA N
S37
6063:0 Y A INFO 0 0 0 100 30 FA N
S37
6063:1 Y A INFO 0 0 0 100 30 FA N
S37

Signature Micro-Engine: SERVICE.HTTP (24 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
3215:0 Y A MED 0 1 0 100 15 FA N
S37
3229:0 Y A HIGH 0 1 0 100 15 FA N
S37
3233:0 Y A HIGH 0 1 0 100 15 FA N
S37
5034:0 Y A HIGH 0 1 0 100 15 FA N
S37
5035:0 Y A HIGH 0 1 0 100 15 FA N
S37
5041:0 Y A HIGH 0 1 0 100 15 FA N
S37
5043:1 Y A HIGH 0 1 0 100 15 FA N
S37
5043:2 Y A HIGH 0 1 0 100 15 FA N
S37
5043:3 Y A HIGH 0 1 0 100 15 FA N
S37
5044:0 Y A HIGH 0 1 0 100 15 FA N
S37
5045:0 Y A HIGH 0 1 0 100 15 FA N
S37
5050:0 Y A HIGH 0 1 0 100 15 FA N
S37
5055:0 Y A HIGH 0 1 0 100 15 FA N
S37
5071:0 Y A HIGH 0 1 0 100 15 FA N
S37
5081:0 Y A MED 0 1 0 100 15 FA N
S37
5090:0 Y A LOW 0 1 0 100 15 FA N
S37
5114:0 Y A MED 0 1 0 100 15 FA N
S37
5114:1 Y A MED 0 1 0 100 15 FA N
S37
5114:2 Y A MED 0 1 0 100 15 FA N
S37
5116:0 Y A HIGH 0 1 0 100 15 FA N
S37
5117:0 Y A HIGH 0 1 0 100 15 FA N
S37
5118:0 Y A HIGH 0 1 0 100 15 FA N
S37
5123:0 Y A HIGH 0 1 0 100 15 FA N
S37
5123:1 Y A HIGH 0 1 0 100 15 FA N
S37

Signature Micro-Engine: ATOMIC.TCP (6 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
3038:0 Y A HIGH 0 0 0 100 30 FA N Y
S37
3039:0 Y A HIGH 0 0 0 100 30 FA N Y
S37
3040:0 Y A HIGH 0 0 0 100 30 FA N N
S37
3041:0 Y A HIGH 0 0 0 100 30 FA N N
S37
3042:0 Y A HIGH 0 0 0 100 30 FA N N
S37
3043:0 Y A HIGH 0 0 0 100 30 FA N Y
S37

Signature Micro-Engine: ATOMIC.UDP (7 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
4050:0 Y A LOW 0 0 0 100 30 FA N
S37
4051:1 Y A LOW 0 0 0 100 30 FA N
S37
4051:2 Y A LOW 0 0 0 100 30 FA N
S37
4051:3 Y A LOW 0 0 0 100 30 FA N
S37
4052:1 Y A LOW 0 0 0 100 30 FA N
S37
4052:2 Y A LOW 0 0 0 100 30 FA N
S37
4600:0 Y A MED 0 0 0 100 30 FA N
S37

Signature Micro-Engine: ATOMIC.ICMP (14 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
2000:0 Y A INFO 0 0 0 100 30 FA N
S37
2001:0 Y A INFO 0 0 0 100 30 FA N
S37
2002:0 Y A INFO 0 0 0 100 30 FA N
S37
2003:0 Y A INFO 0 0 0 100 30 FA N
S37
2004:0 Y A INFO 0 0 0 100 30 FA N
S37
2005:0 Y A INFO 0 0 0 100 30 FA N
S37
2006:0 Y A INFO 0 0 0 100 30 FA N
S37
2007:0 Y A INFO 0 0 0 100 30 FA N
S37
2008:0 Y A INFO 0 0 0 100 30 FA N
S37
2009:0 Y A INFO 0 0 0 100 30 FA N
S37
2010:0 Y A INFO 0 0 0 100 30 FA N
S37
2011:0 Y A INFO 0 0 0 100 30 FA N
S37
2012:0 Y A INFO 0 0 0 100 30 FA N
S37
2150:0 Y A INFO 0 0 0 100 30 FA N Y
S37

Signature Micro-Engine: ATOMIC.IPOPTIONS (7 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
1000:0 Y A INFO 0 0 0 100 30 FA N
S37
1001:0 Y A INFO 0 0 0 100 30 FA N
S37
1002:0 Y A INFO 0 0 0 100 30 FA N
S37
1003:0 Y A INFO 0 0 0 100 30 FA N
S37
1004:0 Y A HIGH 0 0 0 100 30 FA N
S37
1005:0 Y A INFO 0 0 0 100 30 FA N
S37
1006:0 Y A HIGH 0 0 0 100 30 FA N
S37

Signature Micro-Engine: ATOMIC.L3.IP (6 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
1101:0 Y A INFO 0 0 0 100 30 FA N
S37
1102:0 Y A HIGH 0 0 0 100 30 FA N
S37
1104:0 Y A HIGH 0 0 0 100 30 FA N
S37
1107:0 N A INFO 0 0 0 100 30 FA N
S37
2151:0 Y A INFO 0 0 0 100 30 FA N
S37
2154:0 Y A HIGH 0 0 0 100 30 FA N Y
S37
Total Active Signatures: 132
Total Inactive Signatures: 0

C3845#





 
Reply With Quote
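An added example, not part of any post in this thread: a small Python audit of pasted `sh ip ips config` / `sh ip ips signatures` output in the wrapped layout shown above. It lists enabled signatures whose action goes beyond alarm (using the legend printed in the output), reports the fail-closed flag, and flags engines whose parsed row count falls short of the header's "(N sigs)", as happens when a paste stops at --More--. The sample input is constructed; signature 9999:0 and the way its two-letter action is printed are hypothetical.

```python
import re
from collections import Counter

# Legend as printed in the output in the thread; only "A" is alarm-only.
ACTIONS = {"A": "alarm", "D": "drop", "R": "reset",
           "H": "deny-host", "F": "deny-flow"}

ENGINE_RE = re.compile(r"^Signature Micro-Engine: (\S+) \((\d+) sigs\)")
ROW_RE = re.compile(
    r"^(\d+:\d+)\s+([YN])\s+([ADRHF ]+?)\s+(HIGH|MED|LOW|INFO)\b(.*)$")
VERSION_RE = re.compile(r"^S\d+$")

# Constructed sample in the layout seen in the thread.
SAMPLE_CONFIG = """\
Configured SDF Locations: none
Builtin signatures are enabled and loaded
IPS fail closed is disabled
Signature 1107:0 disable
"""

# Constructed sample: Version wrapped onto its own line, paste cut at --More--.
# Row 9999:0 is hypothetical; how IOS prints more than one action letter is an
# assumption, so the parser accepts both "AD" and "A D".
SAMPLE_SIGNATURES = """\
Signature Micro-Engine: OTHER (3 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
1202:0 Y A HIGH 0 0 0 100 15 FA N Y
S37
1206:0 Y A INFO 0 0 0 100 15 FA N Y
S37
3050:0 Y A HIGH 0 0 0 100 15 FA N
S37

Signature Micro-Engine: ATOMIC.L3.IP (6 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
1107:0 N A INFO 0 0 0 100 30 FA N
S37
9999:0 Y AD HIGH 0 0 0 100 30 FA N
S37
--More--
"""


def parse_config(text):
    """Extract the packet-handling fields from 'sh ip ips config' output."""
    cfg = {"fail_closed": None, "sdf_locations": None, "disabled": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"IPS fail closed is (enabled|disabled)", line)
        if m:
            cfg["fail_closed"] = m.group(1) == "enabled"
        m = re.match(r"Configured SDF Locations: (.+)", line)
        if m:
            cfg["sdf_locations"] = m.group(1)
        m = re.match(r"Signature (\d+:\d+) disable", line)
        if m:
            cfg["disabled"].append(m.group(1))
    return cfg


def parse_signatures(text):
    """Return (rows, declared) from 'sh ip ips signatures' output.

    Handles rows whose Version value wrapped onto the following line as
    well as rows that carry it on the same line.
    """
    rows, declared, engine = [], {}, None
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        m = ENGINE_RE.match(line)
        if m:
            engine = m.group(1)
            declared[engine] = int(m.group(2))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        tail = m.group(5).split()
        version = tail[-1] if tail and VERSION_RE.match(tail[-1]) else None
        if version is None and i + 1 < len(lines) and VERSION_RE.match(lines[i + 1]):
            version = lines[i + 1]
        rows.append({"engine": engine, "sig": m.group(1),
                     "enabled": m.group(2) == "Y",
                     "actions": set(m.group(3).replace(" ", "")),
                     "severity": m.group(4), "version": version})
    return rows, declared


def audit(config_text, sig_text):
    """Summarise what in the pasted output could affect forwarded packets."""
    cfg = parse_config(config_text)
    rows, declared = parse_signatures(sig_text)
    seen = Counter(r["engine"] for r in rows)
    return {
        "fail_closed": cfg["fail_closed"],
        "disabled_in_config": cfg["disabled"],
        # Enabled signatures with any action other than alarm.
        "blocking": [(r["sig"], sorted(ACTIONS[a] for a in r["actions"] - {"A"}))
                     for r in rows if r["enabled"] and r["actions"] - {"A"}],
        # engine -> (rows parsed, rows declared) where the paste is short.
        "incomplete_engines": {e: (seen[e], n)
                               for e, n in declared.items() if seen[e] != n},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, SAMPLE_SIGNATURES).items():
        print(f"{key}: {value}")
```
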
 
BarrySDCA
 
      04-14-2008
I tried that too... I actually deleted the location lines and let it
load from the built-in signatures. Still going in circles on
this... Here are the outputs. Thank you!

C3845#sh ip ips config
Configured SDF Locations: none
Builtin signatures are enabled and loaded
Last successful SDF load time: 20:38:21 Pacific Apr 13 2008
IPS fail closed is disabled
IPS deny-action ips-interface is false
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is disabled
Total Active Signatures: 132
Total Inactive Signatures: 0
Signature 1107:0 disable
IPS Rule Configuration
IPS name sdm_ips_rule_IPS
acl list IPS
Interface Configuration
Interface GigabitEthernet0/0
Inbound IPS rule is sdm_ips_rule_IPS
acl list IPS
Outgoing IPS rule is not set
Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!

User Access Verification

Username: Ali
Password:
C3845#config t
Enter configuration commands, one per line. End with CNTL/Z.
C3845(config)#ip ips name sdm_ips_rule_IPS list IPS
C3845(config)#int gigabitethernet0/0
C3845(config-if)# ip ips sdm_ips_rule_IPS in
C3845(config-if)# ip virtual-reassembly
C3845(config-if)#^Z
C3845#sh ips config
^
% Invalid input detected at '^' marker.

C3845#sh ip ips config
Configured SDF Locations: none
Builtin signatures are enabled and loaded
Last successful SDF load time: 20:38:21 Pacific Apr 13 2008
IPS fail closed is disabled
IPS deny-action ips-interface is false
Fastpath ips is enabled
Quick run mode is enabled
Event notification through syslog is enabled
Event notification through SDEE is disabled
Total Active Signatures: 132
Total Inactive Signatures: 0
Signature 1107:0 disable
IPS Rule Configuration
IPS name sdm_ips_rule_IPS
acl list IPS
Interface Configuration
Interface GigabitEthernet0/0
Inbound IPS rule is sdm_ips_rule_IPS
acl list IPS
Outgoing IPS rule is not set
S37
3041:0 Y A HIGH 0 0 0 100 30 FA N N
S37
3042:0 Y A HIGH 0 0 0 100 30 FA N N
S37
3043:0 Y A HIGH 0 0 0 100 30 FA N Y
S37

Signature Micro-Engine: ATOMIC.UDP (7 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
4050:0 Y A LOW 0 0 0 100 30 FA N
S37
4051:1 Y A LOW 0 0 0 100 30 FA N
S37
4051:2 Y A LOW 0 0 0 100 30 FA N
S37
4051:3 Y A LOW 0 0 0 100 30 FA N
S37
4052:1 Y A LOW 0 0 0 100 30 FA N
S37
4052:2 Y A LOW 0 0 0 100 30 FA N
S37
4600:0 Y A MED 0 0 0 100 30 FA N
S37

Signature Micro-Engine: ATOMIC.ICMP (14 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
2000:0 Y A INFO 0 0 0 100 30 FA N
S37
2001:0 Y A INFO 0 0 0 100 30 FA N
S37
2002:0 Y A INFO 0 0 0 100 30 FA N
S37
2003:0 Y A INFO 0 0 0 100 30 FA N
S37
2004:0 Y A INFO 0 0 0 100 30 FA N
S37
2005:0 Y A INFO 0 0 0 100 30 FA N
S37
2006:0 Y A INFO 0 0 0 100 30 FA N
S37
2007:0 Y A INFO 0 0 0 100 30 FA N
S37
2008:0 Y A INFO 0 0 0 100 30 FA N
S37
2009:0 Y A INFO 0 0 0 100 30 FA N
S37
2010:0 Y A INFO 0 0 0 100 30 FA N
S37
2011:0 Y A INFO 0 0 0 100 30 FA N
S37
2012:0 Y A INFO 0 0 0 100 30 FA N
S37
2150:0 Y A INFO 0 0 0 100 30 FA N Y
S37

Signature Micro-Engine: ATOMIC.IPOPTIONS (7 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
1000:0 Y A INFO 0 0 0 100 30 FA N
S37
1001:0 Y A INFO 0 0 0 100 30 FA N
S37
1002:0 Y A INFO 0 0 0 100 30 FA N
S37
1003:0 Y A INFO 0 0 0 100 30 FA N
S37
1004:0 Y A HIGH 0 0 0 100 30 FA N
S37
1005:0 Y A INFO 0 0 0 100 30 FA N
S37
1006:0 Y A HIGH 0 0 0 100 30 FA N
S37

Signature Micro-Engine: ATOMIC.L3.IP (6 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
1101:0 Y A INFO 0 0 0 100 30 FA N
S37
1102:0 Y A HIGH 0 0 0 100 30 FA N
S37
1104:0 Y A HIGH 0 0 0 100 30 FA N
S37
1107:0 N A INFO 0 0 0 100 30 FA N
S37
2151:0 Y A INFO 0 0 0 100 30 FA N
S37
2154:0 Y A HIGH 0 0 0 100 30 FA N Y
S37
Total Active Signatures: 132
Total Inactive Signatures: 0

C3845#

On Apr 13, 9:52 am, News Reader <(E-Mail Removed)> wrote:
> (E-Mail Removed) wrote:
> > I am trying to setup the cisco IPS on the front facing interface of a
> > 3845 router. Every time I enable the IPS, no packets are allowed to
> > pass through the router. w/out IPS, everything works fine (except
> > there is no IPS). The moment I enable it, nothing can get through.
>
> > I have:
>
> > ip ips sdf location flash://sdmips.sdf
> > ip ips sdf location flash://256MB.sdf autosave
>
> Are you allowed to define multiple sdf locations?
> How would the router know which to load?
>
> Have you verified your IPS config, and that the signatures have actually
> loaded?
>
> sh ip ips configuration
> sh ip ips signatures
>
> > ip ips name sdm_ips_rule_IPS list IPS
>
> > .
> > .
> > interface GigabitEthernet0/0
> >  ip address 127.2.2.3 255.255.255.248 <--- edited for the example
> >  ip access-group gigabitethernet0/0_in in
> >  ip access-group sdm_gigabitethernet0/0_out out
> >  ip verify unicast reverse-path
> >  no ip redirects
> >  no ip unreachables
> >  no ip proxy-arp
> >  ip ips sdm_ips_rule_IPS in
> >  ip virtual-reassembly
> >  ip route-cache flow
> >  duplex auto
> >  speed auto
> >  media-type sfp
> >  no mop enabled
> >  crypto map SDM_CMAP_1
> >  crypto ipsec df-bit clear
>
> > .
> > .
> > .
> > .
> > ip access-list extended IPS
> >  remark SDM_ACL Category=1
> >  permit tcp any host 125.2.4.2 eq www <--- just a test host on our
> > network. www packets are being blocked
>
> > If I change the ACL to deny, then everything passes just fine. It's
> > only when I change the ACL to send packets through the IPS that it
> > stops cold.
>
> > Does anyone have an idea what the problem might be?
>
> > thank you,
>
> > Barry
>
> Best Regards,
> News Reader


 
 
BarrySDCA
Guest
Posts: n/a
 
      04-14-2008
The problem was that tcpintercept and IPS are not compatible. I disabled
tcpintercept and IPS is working again. Thank you for your help!

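A configuration check for the conflict reported in the post above, as an added example that is not part of the original thread: it scans an IOS config for interfaces that apply an `ip ips` rule while `ip tcp intercept` is enabled globally, the combination the poster found stopped traffic. The sample config is constructed; its `ip tcp intercept` line and the ACL name `INTERCEPT` are assumptions, and `parse_config` and `audit_ips_vs_intercept` are hypothetical helper names.

```python
import re

# Constructed sample. The IPS and interface lines follow the thread's config;
# the "ip tcp intercept" line and the ACL name INTERCEPT are assumptions,
# because the thread never shows how TCP intercept was configured.
SAMPLE_CONFIG = """\
ip ips name sdm_ips_rule_IPS list IPS
ip tcp intercept list INTERCEPT
!
interface GigabitEthernet0/0
 ip access-group gigabitethernet0/0_in in
 ip ips sdm_ips_rule_IPS in
!
ip access-list extended IPS
 permit tcp any host 125.2.4.2 eq www
"""

def parse_config(text):
    """Split an IOS config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for line in map(str.rstrip, text.splitlines()):
        if not line or line.strip() == "!":
            current = None                      # separator ends any block
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line[0].isspace():
            if current is not None:             # sub-command of an interface
                current.append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit_ips_vs_intercept(text):
    """List interfaces where IOS IPS is applied while TCP intercept is on."""
    global_lines, interfaces = parse_config(text)
    intercept_acls = [m.group(1) for l in global_lines
                      if (m := re.match(r"ip tcp intercept list (\S+)", l))]
    rule_acl = {m.group(1): m.group(2) for l in global_lines
                if (m := re.match(r"ip ips name (\S+)(?: list (\S+))?", l))}
    findings = []
    for name, lines in interfaces.items():
        for l in lines:
            m = re.match(r"ip ips (\S+) (in|out)$", l)
            if m and intercept_acls:
                findings.append({"interface": name, "rule": m.group(1),
                                 "ips_acl": rule_acl.get(m.group(1)),
                                 "intercept_acls": intercept_acls})
    return findings
```

Each finding names the interface, the IPS rule and its ACL, and the TCP intercept ACLs, so the two ACLs can be compared before IPS is enabled.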


 