Page 1
White Paper
Getting Started with Cisco IOS IPS with 5.x Format
Signatures: A Step-by-Step Guide
This guide is divided into two sections: Getting Started with Cisco IOS® IPS and Signature
Tuning.
The first section of the guide provides a detailed step-by-step process using the Cisco IOS
Software command-line interface (CLI) to get started in using the Cisco IOS IPS 5.x format
signatures. It contains the following five steps:
Step 1: Downloading Cisco IOS IPS Files
Step 2: Creating Directory on Flash
Step 3: Configuring Cisco IOS IPS Crypto Key
Step 4: Enabling Cisco IOS IPS
Step 5: Loading Signatures to Cisco IOS IPS
Each step and specific commands are described. The Additional Commands and References
section under each step provides additional information. Example configurations are displayed in a
box below each command.
The second section of the guide provides instructions and examples on advanced options for
signature tuning. Topics include:
Enable/Disable Signatures
Retire/Unretire Signatures
Change Signature Actions
Prerequisites
Before getting started with the above steps, ensure that you have the following:
A Cisco 870, 1800, 2800, or 3800 Series Integrated Services Router
128 MB or more DRAM and at least 2 MB free flash memory
Console or Telnet connectivity to the router
Cisco IOS Software Release 12.4(11)T or later
A valid Cisco.com login username and password
A current Cisco Services for IPS Contract for licensed signature update services
You should be familiar with basic router commands for:
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 12
Exec mode
Configure mode
Exit configure mode
Backup and restore configuration
Page 2
White Paper
References
Cisco IOS Basic Skills:
http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_guide_chapter091
86a0080118cd0.html
Cabling and Setup Quick Start Guide for Cisco 800 Series Access Routers:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/85x87x/857qsg/index.htm
1 Downloading Cisco IOS IPS Files
The first step is to download IOS IPS signature package files and public crypto key from
Cisco.com. These files are required in later steps of configuration.
Step 1.1 Download the required signature files from Cisco.com to your PC.
Ensure that you have a valid Cisco.com username and password.
Cisco.com location:
Files to download:
http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup
IOS-Sxxx-CLI.pkg: Latest signature package; pick the signature package with largest
number in xxx
realm-cisco.pub.key.txt: Public crypto key
Additional Commands and References
Cisco IOS IPS Website:
http://www.cisco.com/go/iosips
2 Creating Directory on Flash
The second step is to create a directory on your router’s flash where you can store the required
signature files and signature configurations.
Step 2.1 To create a directory, enter the following command at the router prompt:
mkdir <directory name>
training#mkdir ipsstore
Create directory filename [ipsstore]?
Created dir flash:ipsstore
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 12
Page 3
White Paper
Additional Commands and References
To verify the contents of the flash, enter the following command at the router prompt:
show flash:
training#show flash:
24576K bytes of processor board System flash (Intel Strataflash)
Directory of flash:/
2 –rwx 17198508 --- -- ---- --:--:-- ----- c870-
advipservicesk9-mz.12.4-11.T1
3 drwx 0 Aug 11 2006 23:16:18 -08:00 ipsstore
23482368 bytes total (6279168 bytes free)
To rename the directory name, use the Rename Directory Command example or the combination
of the Remove Directory Command and Create Directory Command at the router prompt.
Rename the directory (Rename Directory Command):
rename <current name> <new name>
training#rename ipsstore ips
Destination filename [ips]?
OR
First remove the directory (Remove Directory Command):
rmdir <current directory name>
Create the directory again (Create Directory Command):
mkdir <new directory name>
training#rmdir ips
Remove directory filename [ips]?
Delete flash:ips? [confirm]
Removed dir flash:ips
training#mkdir ipsstore
Create directory filename [ipsstore]?
Created dir flash:ipsstore
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 12
Page 4
White Paper
3 Configuring Cisco IOS IPS Crypto Key
The third step is to configure the crypto key used by Cisco IOS IPS. This key is located in the
realm-cisco.pub.key.txt file that was downloaded to the PC from Cisco.com.
Step 3.1 Open the text file and copy the contents of the file
Step 3.2 Enter ‘configure terminal’ to enter Router Configure Mode
Step 3.3 Paste the text file content at the ‘<hostname>(config)#’ prompt
Step 3.4 Enter the show run command at the router prompt to confirm that the crypto key is
configured:
show run (only the crypto key portion of the configuration is shown below)
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
Quit
Step 3.5 Compare the crypto key configuration with the text file to make sure that the key is
correctly configured.
Step 3.6 Save the configuration:
copy running-configure startup-configure
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 12
Page 5
White Paper
Additional Commands and References
If the key is configured incorrectly, you need to remove the crypto key first and then reconfigure it.
To remove the key, enter the following commands in order in Router Configure Mode:
training#configure terminal
training(config)#no crypto key pubkey-chain rsa
training(config-pubkey-chain)#no named-key realm-cisco.pub signature
training(config-pubkey-chain)#exit
training(config)#exit
Verify that the key is removed from the configuration using the following command at the router
prompt:
show run
Configure the key again by following Steps 3.1 through 3.5.
4 Enabling Cisco IOS IPS
The fourth step is to configure Cisco IOS IPS using the following sequence of steps:
Step 4.1 Create a rule name (this will be used on an interface to enable IPS)
ip ips name <rule name>
training#configure terminal
training(config)# ip ips name myips
Step 4.2 Configure IPS signature storage location; the directory name is the directory
“ipsstore” created in Step 2:
ip ips config location flash:<directory name>
training#configure terminal
training(config)#ip ips config location flash:ipsstore
Step 4.3 Enable IPS SDEE event notification:
ip ips notify sdee
training(config)#ip ips notify sdee
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 12
Page 6
Step 4.4 Configure Cisco IOS IPS to use the default basic signature set:
training(config)#ip ips signature-category
training(config-ips-category)# category all
training (config-ips-category-action)# retired true
training (config-ips-category-action)# exit
training(config-ips-category)# category ios_ips basic
training (config-ips-category-action)# retired false
training (config-ips-category-action)# exit
training(config-ips-category)# exit
Do you want to accept these changes? [confirm]y
training(config)#
Step 4.5 Enable IPS rule on the desired interface and direction:
interface <interface name>
White Paper
ip ips <rule name> <in | out>
training(config)#interface vlan 1
training(config-if)#ip ips myips in
training(config-if)#exit
training(config)#exit
training#
Additional Commands and References
Cisco IOS IPS Configuration Guide:
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html
5 Loading Signatures to Cisco IOS IPS
The last step is to load the signatures into Cisco IOS IPS. In the following example, we start a
TFTP server on the PC and put the Cisco IOS IPS signature package under the TFTP directory.
Please refer to the Additional Commands and References section for more about TFTP servers
and alternative methods of loading Cisco IOS IPS signatures.
If using a Telnet session, turn on the terminal monitor to view the console output.
training#terminal monitor
Step 5.1 Save your router configuration.
training#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 6 of 12
Page 7
White Paper
Step 5.2 Copy the downloaded package (IOS-S259-CLI.pkg) to the TFTP server and load the
signatures from TFTP server to Cisco IOS IPS:
copy tftp://<Server IP address>/IOS-S259-CLI.pkg idconf
training#copy tftp://10.10.10.2/IOS-S259-CLI.pkg idconf
Loading IOS-S259-CLI.pkg from 10.10.10.2 (via Vlan1): !!!
Step 5.3 Verify the version, signatures were loaded, and the active signature count using
the following command:
show ip ips signature count
training#show ip ips signature count
Cisco SDF release version S259.0 —Signature package version
Trend SDF release version V0.0
Signature Micro-Engine: multi-string
Total Signatures: 3
Enabled: 3
Retired: 3
—Skipped
Signature Micro-Engine: normalizer
Total Signatures: 9
Enabled: 8
Retired: 1
Compiled: 8
Total Signatures: 1964
Total Enabled Signatures: 736
Total Retired Signatures: 1625
Total Compiled Signatures: 338 —Total active compiled signatures
Total Signatures with invalid parameters: 1
training#
Additional Commands and References
After Cisco IOS IPS loads the signature package into memory, it starts reading signatures and
attempts to build them according to the configuration. An error message such as:
%IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (key not found)
means the public crypto key is invalid. Refer to “Configuring Cisco IOS IPS Crypto Key” (Step 3) to
reconfigure the public crypto key.
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 7 of 12
Page 8
White Paper
If there is no access to a TFTP server, a USB flash drive could be an alternate way to load the
signature package into Cisco IOS IPS. First, copy the signature package into the USB drive, then
insert the USB flash drive into one of the USB ports on the router. The following message will
show up in the router console:
*Aug 18 06:46:49.554 PST: %USBFLASH-5-CHANGE: usbflash1 has been
inserted!
Now use the copy command to load the signature package from usbflash to Cisco IOS IPS:
training#copy usbflash1:IOS-S261-CLI.pkg idconf
All signatures are by default configured to ‘Alarm’ action only. If you want to configure additional
actions, the following CLI commands are available to change the signature configurations.
training(config)#ip ips signature-category
training(config-ips-category)#category ios_ips basic
training(config-ips-category-action)#event-action deny-packet-inline
training(config-ips-category-action)#event-action reset-tcp-
connection
training(config-ips-category-action)#exit
training(config-ips-category)#exit
Do you want to accept these changes? [confirm]y
000114: *Aug 11 23:53:26.945 PST: Applying Category configuration to
signatures
...
IMPORTANT: Make sure that you accept the changes when prompted. Otherwise, they will not be
saved.
Use the show run command at the router prompt to verify the signature category configuration:
show run
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
event-action deny-packet-inline
event-action reset-tcp-connection
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 8 of 12
Page 9
White Paper
In the configured Cisco IOS IPS storage directory, you may find the following files. These files
have a name format of <routername>-sigdef-xxx.xml.
training#cd ipsstore
training#show flash:
24576K bytes of processor board System flash (Intel Strataflash)
Directory of flash:/ipsstore/
4 -rwx 5693 Aug 11 2006 23:41:32 -08:00 training-sigdef-typedef.xml
5 -rwx 21285 Aug 11 2006 23:41:35 -08:00 training-sigdef-category.xml
6 -rwx 172587 Aug 11 2006 23:43:29 -08:00 training-sigdef-default.xml
23482368 bytes total (6076416 bytes free)
training#
These files are stored in a Cisco proprietary compression format and are not editable or viewable
directly. The contents of each file are described below:
training-sigdef-typedef.xml: A file that has all the signature parameter definitions
training-sigdef-category.xml: Has all the signature category information, such as category ios_ips
basic and advanced
training-sigdef-default.xml: Contains all the factory default signature definitions
6 Enable/Disable Signatures
You can use the Cisco IOS Software command-line interface (CLI) to enable or disable one
signature or a group of signatures based on signature categories.
Following are example CLI commands to disable signature 6130/10.
training#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
training(config)#ip ips signature-definition
training(config-sigdef)#signature 6130 10
training(config-sigdef-sig)#status
training(config-sigdef-sig-status)#enabled false
training(config-sigdef-sig-status)#exit
training(config-sigdef-sig)#exit
training(config-sigdef)#exit
Do you want to accept these changes? [confirm]y
training(config)#
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 9 of 12
Page 10
White Paper
Here is another example to enable all signatures belonging to signature Cisco IOS IPS basic
category.
training#configure terminal
Enter configuration commands, one per line. End with CNTL/Z
training(config)#ip ips signature-category
training(config-ips-category)# category ios_ips basic
training(config-ips-category-action)#enabled true
training(config-ips-category-action)#exit
training(config-ips-category)#exit
Do you want to accept these changes? [confirm]y
Additional Commands and References
Cisco IOS IPS Configuration Guide:
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html
7 Retire/Unretire Signatures
You can use the Cisco IOS Software CLI to retire or unretire one signature or a group of
signatures based on signature categories.
Retiring a signature means Cisco IOS IPS will not compile that signature into memory for
scanning. Unretiring a signature instructs Cisco IOS IPS to compile the signature into memory and
use the signature to scan traffic.
Following are sample CLI commands to retire signature 6130/10.
training#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
training(config)#ip ips signature-definition
training(config-sigdef)#signature 6130 10
training(config-sigdef-sig)#status
training(config-sigdef-sig-status)#retired true
training(config-sigdef-sig-status)#exit
training(config-sigdef-sig)#exit
training(config-sigdef)#exit
Do you want to accept these changes? [confirm]y
training(config)#
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 10 of 12
Page 11
White Paper
Here is another example to unretire all signatures belonging to the ios_ips basic category.
training#configure terminal
Enter configuration commands, one per line. End with CNTL/Z
training(config)#ip ips signature-category
training(config-ips-category)# category ios_ips basic
training(config-ips-category-action)#retired false
training(config-ips-category-action)#exit
training(config-ips-category)#exit
Do you want to accept these changes? [confirm]y
Additional Commands and References
Cisco IOS IPS Configuration Guide:
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html
8 Change Signature Actions
You can use the Cisco IOS Software CLI to change signature actions for one signature or a
group of signatures based on signature categories.
Following are example CLI commands to change signature action to alert, drop, and reset for
signature 6130/10.
training#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
training(config)#ip ips signature-definition
training(config-sigdef)#signature 6130 10
training(config-sigdef-sig)#engine
training(config-sigdef-sig-engine)#event-action produce-alert
training(config-sigdef-sig-engine)#event-action deny-packet-inline
training(config-sigdef-sig-engine)#event-action reset-tcp-connection
training(config-sigdef-sig-engine)#exit
training(config-sigdef-sig)#exit
training(config-sigdef)#exit
Do you want to accept these changes? [confirm]y
training(config)#
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 11 of 12
Page 12
White Paper
Here is another example to change event actions for all signatures belonging to signature Cisco
IOS IPS basic category.
training#configure terminal
Enter configuration commands, one per line. End with CNTL/Z
training(config)#ip ips signature-category
training(config-ips-category)# category ios_ips basic
training(config-ips-category-action)#event-action produce-alert
training(config-ips-category-action)#event-action deny-packet-inline
training(config-ips-category-action)#event-action reset-tcp-
connection
training(config-ips-category-action)#exit
training(config-ips-category)#exit
Do you want to accept these changes? [confirm]y
training(config)#
Additional Commands and References
Cisco IOS IPS Configuration Guide:
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html
Printed in USA C11-390389-00 1/07
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 12 of 12
Loading...