Cisco IPS dropping packets

Discussion in 'Cisco' started by BarrySDCA@gmail.com, Apr 13, 2008.

  1. Guest

    I am trying to set up the Cisco IPS on the front-facing interface of a
    3845 router. Every time I enable the IPS, no packets are allowed to
    pass through the router. w/out IPS, everything works fine (except
    there is no IPS). The moment I enable it, nothing can get through.

    I have:

    ip ips sdf location flash://sdmips.sdf
    ip ips sdf location flash://256MB.sdf autosave
    ip ips name sdm_ips_rule_IPS list IPS

    ..
    ..
    interface GigabitEthernet0/0
    ip address 127.2.2.3 255.255.255.248 <--- edited for the example
    ip access-group gigabitethernet0/0_in in
    ip access-group sdm_gigabitethernet0/0_out out
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip ips sdm_ips_rule_IPS in
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    media-type sfp
    no mop enabled
    crypto map SDM_CMAP_1
    crypto ipsec df-bit clear

    ..
    ..
    ..
    ..
    ip access-list extended IPS
    remark SDM_ACL Category=1
    permit tcp any host 125.2.4.2 eq www <--- just a test host on our
    network. www packets are being blocked



    If I change the ACL to deny, then everything passes just fine. It's
    only when I change the ACL to send packets through the IPS that it
    stops cold.

    Does anyone have an idea what the problem might be?

    thank you,

    Barry
     
    , Apr 13, 2008
    #1

  2. Merv Guest

    On Apr 12, 9:17 pm, wrote:
    > I am trying to setup the cisco IPS on the front facing interface of a
    > 3845 router. Every time I enable the IPS, no packets are allowed to
    > pass through the router. w/out IPS, everything works fine (except
    > there is no IPS). The moment I enable it, nothing can get through.



    Do not know the cause of your issue; however, you should be aware that
    Cisco issued a security advisory regarding the IPS feature.

    See http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml#@ID
     
    Merv, Apr 13, 2008
    #2

  3. BarrySDCA Guest

    On Apr 13, 3:59 am, Merv <> wrote:
    > On Apr 12, 9:17 pm, wrote:
    >
    > > I am trying to setup the cisco IPS on the front facing interface of a
    > > 3845 router.  Every time I enable the IPS, no packets are allowed to
    > > pass through the router.  w/out IPS, everything works fine (except
    > > there is no IPS).  The moment I enable it, nothing can get through.

    >
    > Do not know the cause of your issue, however, you should be aware that
    > Cisco
    > issued a security advisory regarding the IPS feature
    >
    > see http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml#@ID


    might be why IPS is crashed...thank you for this info.
     
    BarrySDCA, Apr 13, 2008
    #3
  4. Merv Guest

    On Apr 13, 11:24 am, BarrySDCA <> wrote:
    > On Apr 13, 3:59 am, Merv <> wrote:
    >
    > > On Apr 12, 9:17 pm, wrote:

    >
    > > > I am trying to setup the cisco IPS on the front facing interface of a
    > > > 3845 router. Every time I enable the IPS, no packets are allowed to
    > > > pass through the router. w/out IPS, everything works fine (except
    > > > there is no IPS). The moment I enable it, nothing can get through.

    >
    > > Do not know the cause of your issue, however, you should be aware that
    > > Cisco
    > > issued a security advisory regarding the IPS feature

    >
    > > see http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml#@ID

    >
    > might be why IPS is crashed...thank you for this info.



    For security vulnerabilities, I believe you can get a newer image from
    the Cisco TAC if you do not have a Smartnet support agreement for the
    unit under test.
     
    Merv, Apr 13, 2008
    #4
  5. News Reader Guest

    wrote:
    > I am trying to setup the cisco IPS on the front facing interface of a
    > 3845 router. Every time I enable the IPS, no packets are allowed to
    > pass through the router. w/out IPS, everything works fine (except
    > there is no IPS). The moment I enable it, nothing can get through.
    >
    > I have:
    >
    > ip ips sdf location flash://sdmips.sdf
    > ip ips sdf location flash://256MB.sdf autosave


    Are you allowed to define multiple sdf locations?
    How would the router know which to load?

    Have you verified your IPS config, and that the signatures have actually
    loaded?

    sh ip ips configuration
    sh ip ips signatures

    > ip ips name sdm_ips_rule_IPS list IPS
    >
    > .
    > .
    > interface GigabitEthernet0/0
    > ip address 127.2.2.3 255.255.255.248 <--- edited for the example
    > ip access-group gigabitethernet0/0_in in
    > ip access-group sdm_gigabitethernet0/0_out out
    > ip verify unicast reverse-path
    > no ip redirects
    > no ip unreachables
    > no ip proxy-arp
    > ip ips sdm_ips_rule_IPS in
    > ip virtual-reassembly
    > ip route-cache flow
    > duplex auto
    > speed auto
    > media-type sfp
    > no mop enabled
    > crypto map SDM_CMAP_1
    > crypto ipsec df-bit clear
    >
    > .
    > .
    > .
    > .
    > ip access-list extended IPS
    > remark SDM_ACL Category=1
    > permit tcp any host 125.2.4.2 eq www <--- just a test host on our
    > network. www packets are being blocked
    >
    >
    >
    > If I change the ACL to deny, then everything passes just fine. It's
    > only when I change the ACL to send packets through the IPS that it
    > stops cold.
    >
    > Does anyone have an idea what the problem might be?
    >
    > thank you,
    >
    > Barry
    >


    Best Regards,
    News Reader
     
    News Reader, Apr 13, 2008
    #5
  6. BarrySDCA Guest

    I configured it w/out the location, so it will load signatures from
    the builtin. I know they are loading from the syslog generated. Here
    are the outputs. Thank you for your help. I continue to go in
    circles on this...

    C3845#sh ip ips config
    Configured SDF Locations: none
    Builtin signatures are enabled and loaded
    Last successful SDF load time: 20:38:21 Pacific Apr 13 2008
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Fastpath ips is enabled
    Quick run mode is enabled
    Event notification through syslog is enabled
    Event notification through SDEE is disabled
    Total Active Signatures: 132
    Total Inactive Signatures: 0
    Signature 1107:0 disable
    IPS Rule Configuration
    IPS name sdm_ips_rule_IPS
    acl list IPS
    Interface Configuration
    Interface GigabitEthernet0/0
    Inbound IPS rule is sdm_ips_rule_IPS
    acl list IPS
    Outgoing IPS rule is not set

    C3845#sh ip ips signatures
    Builtin signatures are configured
    Builtin signatures are loaded

    Cisco SDF release version S46.0

    Trend SDF release version V0.0

    Action=(A)larm,(D)rop,(R)eset,Deny-(H)ost,Deny-(F)low
    *=Marked for Deletion WF=WantFrag
    Trait=AlarmTraits
    MH=MinHits AI=AlarmInterval
    CT=ChokeThreshold
    TI=ThrottleInterval AT=AlarmThrottle FA=FlipAddr


    Signature Micro-Engine: OTHER (3 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    1202:0 Y A HIGH 0 0 0 100 15 FA N Y
    S37
    1206:0 Y A INFO 0 0 0 100 15 FA N Y
    S37
    3050:0 Y A HIGH 0 0 0 100 15 FA N
    S37

    Signature Micro-Engine: STRING.UDP (1 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    4100:0 Y A HIGH 0 0 0 100 15 FA N
    S37

    Signature Micro-Engine: STRING.TCP (3 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    3150:0 Y A INFO 0 1 0 100 15 FA N
    S37
    3151:0 Y A INFO 0 1 0 100 15 FA N
    S37
    3152:0 Y A MED 0 1 0 100 15 FA N
    S37

    Signature Micro-Engine: SERVICE.FTP (2 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    3153:0 Y A MED 0 0 0 100 15 FA N
    S37
    3154:0 Y A MED 0 0 0 100 15 FA N
    S37

    Signature Micro-Engine: SERVICE.SMTP (10 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    3100:0 Y A MED 0 0 0 100 15 FA N
    S37
    3101:0 Y A MED 0 0 0 100 15 FA N
    S37
    3102:0 Y A MED 0 0 0 100 15 FA N
    S37
    3103:0 Y A INFO 0 0 0 100 15 FA N
    S37
    3103:1 Y A INFO 0 0 0 100 15 FA N
    S37
    3104:0 Y A INFO 0 0 0 100 15 FA N
    S37
    3104:1 Y A INFO 0 0 0 100 15 FA N
    S37
    3105:0 Y A LOW 0 0 0 100 15 FA N
    S37
    3106:0 Y A LOW 0 250 0 100 15 FA N
    S37
    3107:0 Y A HIGH 0 0 0 100 15 FA N
    S37

    Signature Micro-Engine: SERVICE.RPC (26 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    6100:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    6100:1 Y A HIGH 0 0 0 100 30 FA N
    S37
    6101:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    6101:1 Y A HIGH 0 0 0 100 30 FA N
    S37
    6102:0 Y A MED 0 0 0 100 30 FA N
    S37
    6102:1 Y A MED 0 0 0 100 30 FA N
    S37
    6103:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6103:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6150:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6150:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6151:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6151:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6152:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6152:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6153:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6153:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6154:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6154:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6155:0 Y A LOW 0 0 0 100 30 FA N
    S37
    6155:1 Y A LOW 0 0 0 100 30 FA N
    S37
    6175:0 Y A LOW 0 0 0 100 30 FA N
    S37
    6175:1 Y A LOW 0 0 0 100 30 FA N
    S37
    6180:0 Y A MED 0 0 0 100 30 FA N
    S37
    6180:1 Y A MED 0 0 0 100 30 FA N
    S37
    6190:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    6190:1 Y A HIGH 0 0 0 100 30 FA N
    S37

    Signature Micro-Engine: SERVICE.DNS (23 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    6050:0 Y A LOW 0 0 0 100 30 FA N
    S37
    6050:1 Y A LOW 0 0 0 100 30 FA N
    S37
    6051:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6051:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6052:0 Y A MED 0 0 0 100 30 FA N
    S37
    6052:1 Y A MED 0 0 0 100 30 FA N
    S37
    6053:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6053:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6054:0 Y A LOW 0 0 0 100 30 FA N
    S37
    6054:1 Y A LOW 0 0 0 100 30 FA N
    S37
    6055:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    6055:1 Y A HIGH 0 0 0 100 30 FA N
    S37
    6055:2 Y A HIGH 0 0 0 100 30 FA N
    S37
    6056:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    6056:1 Y A HIGH 0 0 0 100 30 FA N
    S37
    6056:2 Y A HIGH 0 0 0 100 30 FA N
    S37
    6057:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    6057:1 Y A HIGH 0 0 0 100 30 FA N
    S37
    6057:2 Y A HIGH 0 0 0 100 30 FA N
    S37
    6062:0 Y A LOW 0 0 0 100 30 FA N
    S37
    6062:1 Y A LOW 0 0 0 100 30 FA N
    S37
    6063:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6063:1 Y A INFO 0 0 0 100 30 FA N
    S37

    Signature Micro-Engine: SERVICE.HTTP (24 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    3215:0 Y A MED 0 1 0 100 15 FA N
    S37
    3229:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    3233:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5034:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5035:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5041:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5043:1 Y A HIGH 0 1 0 100 15 FA N
    S37
    5043:2 Y A HIGH 0 1 0 100 15 FA N
    S37
    5043:3 Y A HIGH 0 1 0 100 15 FA N
    S37
    5044:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5045:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5050:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5055:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5071:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5081:0 Y A MED 0 1 0 100 15 FA N
    S37
    5090:0 Y A LOW 0 1 0 100 15 FA N
    S37
    5114:0 Y A MED 0 1 0 100 15 FA N
    S37
    5114:1 Y A MED 0 1 0 100 15 FA N
    S37
    5114:2 Y A MED 0 1 0 100 15 FA N
    S37
    5116:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5117:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5118:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5123:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5123:1 Y A HIGH 0 1 0 100 15 FA N
    S37

    Signature Micro-Engine: ATOMIC.TCP (6 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    3038:0 Y A HIGH 0 0 0 100 30 FA N Y
    S37
    3039:0 Y A HIGH 0 0 0 100 30 FA N Y
    S37
    3040:0 Y A HIGH 0 0 0 100 30 FA N N
    S37
    3041:0 Y A HIGH 0 0 0 100 30 FA N N
    S37
    3042:0 Y A HIGH 0 0 0 100 30 FA N N
    S37
    3043:0 Y A HIGH 0 0 0 100 30 FA N Y
    S37

    Signature Micro-Engine: ATOMIC.UDP (7 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    4050:0 Y A LOW 0 0 0 100 30 FA N
    S37
    4051:1 Y A LOW 0 0 0 100 30 FA N
    S37
    4051:2 Y A LOW 0 0 0 100 30 FA N
    S37
    4051:3 Y A LOW 0 0 0 100 30 FA N
    S37
    4052:1 Y A LOW 0 0 0 100 30 FA N
    S37
    4052:2 Y A LOW 0 0 0 100 30 FA N
    S37
    4600:0 Y A MED 0 0 0 100 30 FA N
    S37

    Signature Micro-Engine: ATOMIC.ICMP (14 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    2000:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2001:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2002:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2003:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2004:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2005:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2006:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2007:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2008:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2009:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2010:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2011:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2012:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2150:0 Y A INFO 0 0 0 100 30 FA N Y
    S37

    Signature Micro-Engine: ATOMIC.IPOPTIONS (7 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    1000:0 Y A INFO 0 0 0 100 30 FA N
    S37
    1001:0 Y A INFO 0 0 0 100 30 FA N
    S37
    1002:0 Y A INFO 0 0 0 100 30 FA N
    S37
    1003:0 Y A INFO 0 0 0 100 30 FA N
    S37
    1004:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    1005:0 Y A INFO 0 0 0 100 30 FA N
    S37
    1006:0 Y A HIGH 0 0 0 100 30 FA N
    S37

    Signature Micro-Engine: ATOMIC.L3.IP (6 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    1101:0 Y A INFO 0 0 0 100 30 FA N
    S37
    1102:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    1104:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    1107:0 N A INFO 0 0 0 100 30 FA N
    S37
    2151:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2154:0 Y A HIGH 0 0 0 100 30 FA N Y
    S37
    Total Active Signatures: 132
    Total Inactive Signatures: 0

    C3845#



    On Apr 13, 9:52 am, News Reader <> wrote:
    > wrote:
    > > I am trying to setup the cisco IPS on the front facing interface of a
    > > 3845 router.  Every time I enable the IPS, no packets are allowed to
    > > pass through the router.  w/out IPS, everything works fine (except
    > > there is no IPS).  The moment I enable it, nothing can get through.

    >
    > > I have:

    >
    > > ip ips sdf location flash://sdmips.sdf
    > > ip ips sdf location flash://256MB.sdf autosave

    >
    > Are you allowed to define multiple sdf locations?
    > How would the router know which to load?
    >
    > Have you verified your IPS config, and that the signatures have actually
    > loaded?
    >
    > sh ip ips configuration
    > sh ip ips signatures
    >
    >
    >
    >
    >
    > > ip ips name sdm_ips_rule_IPS list IPS

    >
    > > .
    > > .
    > > interface GigabitEthernet0/0
    > >  ip address 127.2.2.3 255.255.255.248  <--- edited for the example
    > >  ip access-group gigabitethernet0/0_in in
    > >  ip access-group sdm_gigabitethernet0/0_out out
    > >  ip verify unicast reverse-path
    > >  no ip redirects
    > >  no ip unreachables
    > >  no ip proxy-arp
    > >  ip ips sdm_ips_rule_IPS in
    > >  ip virtual-reassembly
    > >  ip route-cache flow
    > >  duplex auto
    > >  speed auto
    > >  media-type sfp
    > >  no mop enabled
    > >  crypto map SDM_CMAP_1
    > >  crypto ipsec df-bit clear

    >
    > > .
    > > .
    > > .
    > > .
    > > ip access-list extended IPS
    > >  remark SDM_ACL Category=1
    > >  permit tcp any host 125.2.4.2 eq www  <--- just a test host on our
    > > network.  www packets are being blocked

    >
    > > If I change the ACL to deny, then everything passes just fine.  It's
    > > only when I change the ACL to send packets through the IPS that it
    > > stops cold.

    >
    > > Does anyone have an idea what the problem might be?

    >
    > > thank you,

    >
    > > Barry

    >
    > Best Regards,
    > News Reader
     
    BarrySDCA, Apr 14, 2008
    #6
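
An added example, not part of the thread and not Cisco tooling: one way to audit pasted `sh ip ips config` / `sh ip ips signatures` output like the above for settings or signature actions that can block traffic, and for a truncated paste. The sample input is an excerpt of the post's output plus a constructed `CONSTRUCTED.DEMO` engine; the concatenated `AD` action format and the `enabled` wording of the fail-closed line are assumptions.

```python
import re

# Excerpt of the output pasted in the post above, in the same wrapped form
# (Version on its own line). The CONSTRUCTED.DEMO engine and signature 9999:0
# are constructed for this example and did not come from the router.
SAMPLE = """\
Builtin signatures are enabled and loaded
IPS fail closed is disabled
Total Active Signatures: 132
Total Inactive Signatures: 0
Signature 1107:0 disable
Action=(A)larm,(D)rop,(R)eset,Deny-(H)ost,Deny-(F)low

Signature Micro-Engine: STRING.UDP (1 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
4100:0 Y A HIGH 0 0 0 100 15 FA N
S37

Signature Micro-Engine: ATOMIC.L3.IP (6 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
-------
1101:0 Y A INFO 0 0 0 100 30 FA N
S37
1102:0 Y A HIGH 0 0 0 100 30 FA N
S37
1104:0 Y A HIGH 0 0 0 100 30 FA N
S37
1107:0 N A INFO 0 0 0 100 30 FA N
S37
2151:0 Y A INFO 0 0 0 100 30 FA N
S37
2154:0 Y A HIGH 0 0 0 100 30 FA N Y
S37

Signature Micro-Engine: CONSTRUCTED.DEMO (2 sigs)
9999:0 Y AD HIGH 0 0 0 100 30 FA N
S37
"""

ENGINE_RE = re.compile(r"^Signature Micro-Engine:\s+(\S+)\s+\((\d+) sigs\)")
# SigID:SubID, On (Y/N), Action letters, Sev. Assumption: several actions are
# shown as concatenated letters from the legend, e.g. "AD".
ROW_RE = re.compile(r"^(\d+:\d+)\s+([YN])\s+([ADRHF]+)\s+(\S+)\s")
BLOCKING = set("DRHF")  # Drop, Reset, Deny-Host, Deny-Flow per the legend


def parse_show_ips(text):
    """Parse pasted 'sh ip ips config' and 'sh ip ips signatures' output."""
    report = {"fail_closed": None, "active": None, "engines": {}, "sigs": []}
    engine = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"IPS fail closed is (\w+)", line):
            # Assumption: the enabled state is printed as "enabled".
            report["fail_closed"] = m.group(1) == "enabled"
        elif m := re.match(r"Total Active Signatures:\s+(\d+)", line):
            report["active"] = int(m.group(1))
        elif m := ENGINE_RE.match(line):
            engine = m.group(1)
            report["engines"][engine] = {"declared": int(m.group(2)), "parsed": 0}
        elif engine and (m := ROW_RE.match(line)):
            report["engines"][engine]["parsed"] += 1
            report["sigs"].append({"id": m.group(1), "engine": engine,
                                   "enabled": m.group(2) == "Y",
                                   "actions": m.group(3), "sev": m.group(4)})
    return report


def findings(report):
    """List items that can block traffic or that indicate a truncated paste."""
    out = []
    if report["fail_closed"]:
        out.append("IPS fail closed is enabled")
    for s in report["sigs"]:
        if s["enabled"] and BLOCKING & set(s["actions"]):
            out.append(f"{s['id']} ({s['engine']}) has a blocking action: {s['actions']}")
    for name, e in report["engines"].items():
        if e["declared"] != e["parsed"]:
            out.append(f"{name}: header says {e['declared']} sigs, paste has {e['parsed']}")
    return out


if __name__ == "__main__":
    for item in findings(parse_show_ips(SAMPLE)):
        print(item)
```

In the output pasted in the post above, every signature row shows action `A` (alarm) only and fail closed is reported as disabled, so the only findings for this sample come from the constructed engine.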
  7. BarrySDCA Guest

    I tried that too...I actually deleted the location lines and let it
    load from the built in signatures. Still going in circles on
    this....Here are the outputs. Thank you!

    C3845#sh ip ips config
    Configured SDF Locations: none
    Builtin signatures are enabled and loaded
    Last successful SDF load time: 20:38:21 Pacific Apr 13 2008
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Fastpath ips is enabled
    Quick run mode is enabled
    Event notification through syslog is enabled
    Event notification through SDEE is disabled
    Total Active Signatures: 132
    Total Inactive Signatures: 0
    Signature 1107:0 disable
    IPS Rule Configuration
    IPS name sdm_ips_rule_IPS
    acl list IPS
    Interface Configuration
    Interface GigabitEthernet0/0
    Inbound IPS rule is sdm_ips_rule_IPS
    acl list IPS
    Outgoing IPS rule is not set
    Authorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!

    User Access Verification

    Username: Ali
    Password:
    C3845#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    C3845(config)#ip ips name sdm_ips_rule_IPS list IPS
    C3845(config)#int gigabitethernet0/0
    C3845(config-if)# ip ips sdm_ips_rule_IPS in
    C3845(config-if)# ip virtual-reassembly
    C3845(config-if)#^Z
    C3845#sh ips config
    ^
    % Invalid input detected at '^' marker.

    C3845#sh ip ips config
    Configured SDF Locations: none
    Builtin signatures are enabled and loaded
    Last successful SDF load time: 20:38:21 Pacific Apr 13 2008
    IPS fail closed is disabled
    IPS deny-action ips-interface is false
    Fastpath ips is enabled
    Quick run mode is enabled
    Event notification through syslog is enabled
    Event notification through SDEE is disabled
    Total Active Signatures: 132
    Total Inactive Signatures: 0
    Signature 1107:0 disable
    IPS Rule Configuration
    IPS name sdm_ips_rule_IPS
    acl list IPS
    Interface Configuration
    Interface GigabitEthernet0/0
    Inbound IPS rule is sdm_ips_rule_IPS
    acl list IPS
    Outgoing IPS rule is not set
    3153:0 Y A MED 0 0 0 100 15 FA N
    S37
    3154:0 Y A MED 0 0 0 100 15 FA N
    S37

    Signature Micro-Engine: SERVICE.SMTP (10 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    3100:0 Y A MED 0 0 0 100 15 FA N
    S37
    3101:0 Y A MED 0 0 0 100 15 FA N
    S37
    3102:0 Y A MED 0 0 0 100 15 FA N
    S37
    3103:0 Y A INFO 0 0 0 100 15 FA N
    S37
    3103:1 Y A INFO 0 0 0 100 15 FA N
    S37
    3104:0 Y A INFO 0 0 0 100 15 FA N
    S37
    3104:1 Y A INFO 0 0 0 100 15 FA N
    S37
    3105:0 Y A LOW 0 0 0 100 15 FA N
    S37
    3106:0 Y A LOW 0 250 0 100 15 FA N
    S37
    3107:0 Y A HIGH 0 0 0 100 15 FA N
    S37

    Signature Micro-Engine: SERVICE.RPC (26 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    6100:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    6100:1 Y A HIGH 0 0 0 100 30 FA N
    S37
    6101:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    6101:1 Y A HIGH 0 0 0 100 30 FA N
    S37
    6102:0 Y A MED 0 0 0 100 30 FA N
    S37
    6102:1 Y A MED 0 0 0 100 30 FA N
    S37
    6103:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6103:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6150:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6150:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6151:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6151:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6152:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6152:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6153:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6153:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6154:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6154:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6155:0 Y A LOW 0 0 0 100 30 FA N
    S37
    6155:1 Y A LOW 0 0 0 100 30 FA N
    S37
    6175:0 Y A LOW 0 0 0 100 30 FA N
    S37
    6175:1 Y A LOW 0 0 0 100 30 FA N
    S37
    6180:0 Y A MED 0 0 0 100 30 FA N
    S37
    6180:1 Y A MED 0 0 0 100 30 FA N
    S37
    6190:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    6190:1 Y A HIGH 0 0 0 100 30 FA N
    S37

    Signature Micro-Engine: SERVICE.DNS (23 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    6050:0 Y A LOW 0 0 0 100 30 FA N
    S37
    6050:1 Y A LOW 0 0 0 100 30 FA N
    S37
    6051:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6051:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6052:0 Y A MED 0 0 0 100 30 FA N
    S37
    6052:1 Y A MED 0 0 0 100 30 FA N
    S37
    6053:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6053:1 Y A INFO 0 0 0 100 30 FA N
    S37
    6054:0 Y A LOW 0 0 0 100 30 FA N
    S37
    6054:1 Y A LOW 0 0 0 100 30 FA N
    S37
    6055:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    6055:1 Y A HIGH 0 0 0 100 30 FA N
    S37
    6055:2 Y A HIGH 0 0 0 100 30 FA N
    S37
    6056:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    6056:1 Y A HIGH 0 0 0 100 30 FA N
    S37
    6056:2 Y A HIGH 0 0 0 100 30 FA N
    S37
    6057:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    6057:1 Y A HIGH 0 0 0 100 30 FA N
    S37
    6057:2 Y A HIGH 0 0 0 100 30 FA N
    S37
    6062:0 Y A LOW 0 0 0 100 30 FA N
    S37
    6062:1 Y A LOW 0 0 0 100 30 FA N
    S37
    6063:0 Y A INFO 0 0 0 100 30 FA N
    S37
    6063:1 Y A INFO 0 0 0 100 30 FA N
    S37

    Signature Micro-Engine: SERVICE.HTTP (24 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    3215:0 Y A MED 0 1 0 100 15 FA N
    S37
    3229:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    3233:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5034:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5035:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5041:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5043:1 Y A HIGH 0 1 0 100 15 FA N
    S37
    5043:2 Y A HIGH 0 1 0 100 15 FA N
    S37
    5043:3 Y A HIGH 0 1 0 100 15 FA N
    S37
    5044:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5045:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5050:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5055:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5071:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5081:0 Y A MED 0 1 0 100 15 FA N
    S37
    5090:0 Y A LOW 0 1 0 100 15 FA N
    S37
    5114:0 Y A MED 0 1 0 100 15 FA N
    S37
    5114:1 Y A MED 0 1 0 100 15 FA N
    S37
    5114:2 Y A MED 0 1 0 100 15 FA N
    S37
    5116:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5117:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5118:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5123:0 Y A HIGH 0 1 0 100 15 FA N
    S37
    5123:1 Y A HIGH 0 1 0 100 15 FA N
    S37

    Signature Micro-Engine: ATOMIC.TCP (6 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    3038:0 Y A HIGH 0 0 0 100 30 FA N Y
    S37
    3039:0 Y A HIGH 0 0 0 100 30 FA N Y
    S37
    3040:0 Y A HIGH 0 0 0 100 30 FA N N
    S37
    3041:0 Y A HIGH 0 0 0 100 30 FA N N
    S37
    3042:0 Y A HIGH 0 0 0 100 30 FA N N
    S37
    3043:0 Y A HIGH 0 0 0 100 30 FA N Y
    S37

    Signature Micro-Engine: ATOMIC.UDP (7 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    4050:0 Y A LOW 0 0 0 100 30 FA N
    S37
    4051:1 Y A LOW 0 0 0 100 30 FA N
    S37
    4051:2 Y A LOW 0 0 0 100 30 FA N
    S37
    4051:3 Y A LOW 0 0 0 100 30 FA N
    S37
    4052:1 Y A LOW 0 0 0 100 30 FA N
    S37
    4052:2 Y A LOW 0 0 0 100 30 FA N
    S37
    4600:0 Y A MED 0 0 0 100 30 FA N
    S37

    Signature Micro-Engine: ATOMIC.ICMP (14 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    2000:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2001:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2002:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2003:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2004:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2005:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2006:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2007:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2008:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2009:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2010:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2011:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2012:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2150:0 Y A INFO 0 0 0 100 30 FA N Y
    S37

    Signature Micro-Engine: ATOMIC.IPOPTIONS (7 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    1000:0 Y A INFO 0 0 0 100 30 FA N
    S37
    1001:0 Y A INFO 0 0 0 100 30 FA N
    S37
    1002:0 Y A INFO 0 0 0 100 30 FA N
    S37
    1003:0 Y A INFO 0 0 0 100 30 FA N
    S37
    1004:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    1005:0 Y A INFO 0 0 0 100 30 FA N
    S37
    1006:0 Y A HIGH 0 0 0 100 30 FA N
    S37

    Signature Micro-Engine: ATOMIC.L3.IP (6 sigs)
    SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF
    Version
    ----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- --
    -------
    1101:0 Y A INFO 0 0 0 100 30 FA N
    S37
    1102:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    1104:0 Y A HIGH 0 0 0 100 30 FA N
    S37
    1107:0 N A INFO 0 0 0 100 30 FA N
    S37
    2151:0 Y A INFO 0 0 0 100 30 FA N
    S37
    2154:0 Y A HIGH 0 0 0 100 30 FA N Y
    S37
    Total Active Signatures: 132
    Total Inactive Signatures: 0

    C3845#

    On Apr 13, 9:52 am, News Reader <> wrote:
    > wrote:
    > > I am trying to setup the cisco IPS on the front facing interface of a
    > > 3845 router.  Every time I enable the IPS, no packets are allowed to
    > > pass through the router.  w/out IPS, everything works fine (except
    > > there is no IPS).  The moment I enable it, nothing can get through.
    >
    > > I have:
    >
    > > ip ips sdf location flash://sdmips.sdf
    > > ip ips sdf location flash://256MB.sdf autosave
    >
    > Are you allowed to define multiple sdf locations?
    > How would the router know which to load?
    >
    > Have you verified your IPS config, and that the signatures have actually
    > loaded?
    >
    > sh ip ips configuration
    > sh ip ips signatures
    >
    > > ip ips name sdm_ips_rule_IPS list IPS
    >
    > > .
    > > .
    > > interface GigabitEthernet0/0
    > >  ip address 127.2.2.3 255.255.255.248  <--- edited for the example
    > >  ip access-group gigabitethernet0/0_in in
    > >  ip access-group sdm_gigabitethernet0/0_out out
    > >  ip verify unicast reverse-path
    > >  no ip redirects
    > >  no ip unreachables
    > >  no ip proxy-arp
    > >  ip ips sdm_ips_rule_IPS in
    > >  ip virtual-reassembly
    > >  ip route-cache flow
    > >  duplex auto
    > >  speed auto
    > >  media-type sfp
    > >  no mop enabled
    > >  crypto map SDM_CMAP_1
    > >  crypto ipsec df-bit clear
    >
    > > .
    > > .
    > > .
    > > .
    > > ip access-list extended IPS
    > >  remark SDM_ACL Category=1
    > >  permit tcp any host 125.2.4.2 eq www  <--- just a test host on our
    > > network.  www packets are being blocked
    >
    > > If I change the ACL to deny, then everything passes just fine.  It's
    > > only when I change the ACL to send packets through the IPS that it
    > > stops cold.
    >
    > > Does anyone have an idea what the problem might be?
    >
    > > thank you,
    >
    > > Barry
    >
    > Best Regards,
    > News Reader
     
    BarrySDCA, Apr 14, 2008
    #7
  8. BarrySDCA Guest

    The problem was that tcpintercept and IPS are not compatible. I disabled
    tcpintercept and IPS is working again. Thank you for your help!

    BarrySDCA, Apr 14, 2008
    #8
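
The conflict reported in post #8, turned into a pre-change check (an added example, not part of the original thread): the script scans a saved running-config for `ip tcp intercept` alongside any interface carrying an `ip ips <rule> in|out` line. The sample config is constructed, and its `ip tcp intercept` lines and access-list number 110 are assumptions, since the thread never shows the poster's TCP Intercept configuration.

```python
import re

# Constructed sample: the IPS rule and interface lines mirror the thread's
# config; the "ip tcp intercept" lines and ACL 110 are assumed for illustration.
SAMPLE_CONFIG = """\
ip ips name sdm_ips_rule_IPS list IPS
ip tcp intercept list 110
ip tcp intercept mode intercept
!
interface GigabitEthernet0/0
 ip access-group gigabitethernet0/0_in in
 ip ips sdm_ips_rule_IPS in
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
ip access-list extended IPS
 permit tcp any host 125.2.4.2 eq www
"""

def parse(config):
    """Return (intercept_lines, {interface: [(rule, direction), ...]})."""
    intercept, ips_ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line and not line[0].isspace():
            # Any top-level line closes the previous interface block.
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            # Anchored at line start, so "no ip tcp intercept ..." is ignored.
            if re.match(r"ip tcp intercept\b", line):
                intercept.append(line)
        elif current:
            m = re.match(r"\s+ip ips (\S+) (in|out)$", line)
            if m:
                ips_ifaces.setdefault(current, []).append(m.groups())
    return intercept, ips_ifaces

def audit(config):
    """List findings where TCP Intercept and an interface IPS rule coexist."""
    intercept, ips_ifaces = parse(config)
    if not intercept or not ips_ifaces:
        return []
    return [f"{iface}: IPS rule {rule} ({direction}) applied while "
            f"'{intercept[0]}' is configured"
            for iface, rules in sorted(ips_ifaces.items())
            for rule, direction in rules]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("CONFLICT", finding)
```
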