
White Paper

All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 12

Getting Started with Cisco IOS IPS with 5.x Format Signatures: A Step-by-Step Guide

This guide is divided into two sections: Getting Started with Cisco IOS® IPS and Signature Tuning.

The first section of the guide provides a detailed step-by-step process using the Cisco IOS Software command-line interface (CLI) to get started in using the Cisco IOS IPS 5.x format signatures. It contains the following five steps:

Step 1: Downloading Cisco IOS IPS Files

Step 2: Creating Directory on Flash

Step 3: Configuring Cisco IOS IPS Crypto Key

Step 4: Enabling Cisco IOS IPS

Step 5: Loading Signatures to Cisco IOS IPS

Each step and its specific commands are described. The Additional Commands and References section under each step provides additional information. Example configurations are displayed in a box below each command.

The second section of the guide provides instructions and examples on advanced options for signature tuning. Topics include:

• Enable/Disable Signatures

• Retire/Unretire Signatures

• Change Signature Actions

Prerequisites

Before getting started with the above steps, ensure that you have the following:

• A Cisco 870, 1800, 2800, or 3800 Series Integrated Services Router

• 128 MB or more DRAM and at least 2 MB free flash memory

• Console or Telnet connectivity to the router

• Cisco IOS Software Release 12.4(11)T or later

• A valid Cisco.com login username and password

• A current Cisco Services for IPS Contract for licensed signature update services

You should be familiar with basic router commands for:

• Exec mode

• Configure mode

• Exit configure mode

• Backup and restore configuration

References

Cisco IOS Basic Skills:

http://www.cisco.com/en/US/products/hw/routers/ps380/products_configuration_guide_chapter09186a0080118cd0.html

Cabling and Setup Quick Start Guide for Cisco 800 Series Access Routers:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/85x87x/857qsg/index.htm

1 Downloading Cisco IOS IPS Files

The first step is to download the Cisco IOS IPS signature package files and the public crypto key from Cisco.com. These files are required in later steps of the configuration.

Step 1.1 Download the required signature files from Cisco.com to your PC.

Note: Ensure that you have a valid Cisco.com username and password.

• Cisco.com location: http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup

• Files to download:

  IOS-Sxxx-CLI.pkg: Latest signature package; pick the signature package with the largest number in xxx

  realm-cisco.pub.key.txt: Public crypto key

Additional Commands and References

Cisco IOS IPS Website: http://www.cisco.com/go/iosips

2 Creating Directory on Flash

The second step is to create a directory on your router's flash where you can store the required signature files and signature configurations.

Step 2.1 To create a directory, enter the following command at the router prompt:

mkdir <directory name>

training#mkdir ipsstore

Create directory filename [ipsstore]?

Created dir flash:ipsstore


Additional Commands and References

To verify the contents of the flash, enter the following command at the router prompt:

show flash:

training#show flash:

24576K bytes of processor board System flash (Intel Strataflash)

Directory of flash:/

2 -rwx 17198508 --- -- ---- --:--:-- ----- c870-advipservicesk9-mz.12.4-11.T1

3 drwx 0 Aug 11 2006 23:16:18 -08:00 ipsstore

23482368 bytes total (6279168 bytes free)

To rename the directory, use the Rename Directory Command, or the combination of the Remove Directory Command and the Create Directory Command, at the router prompt.

Rename the directory (Rename Directory Command):

rename <current name> <new name>

training#rename ipsstore ips

Destination filename [ips]?

OR

First remove the directory (Remove Directory Command):

rmdir <current directory name>

Create the directory again (Create Directory Command):

mkdir <new directory name>

training#rmdir ips

Remove directory filename [ips]?

Delete flash:ips? [confirm]

Removed dir flash:ips

training#mkdir ipsstore

Create directory filename [ipsstore]?

Created dir flash:ipsstore


3 Configuring Cisco IOS IPS Crypto Key

The third step is to configure the crypto key used by Cisco IOS IPS. This key is located in the realm-cisco.pub.key.txt file that was downloaded to the PC from Cisco.com. Cisco IOS IPS uses this public key to verify the digital signature of each signature package before loading it, so the key must be entered exactly as distributed.

Step 3.1 Open the text file and copy the contents of the file.

Step 3.2 Enter 'configure terminal' to enter Router Configure Mode.

Step 3.3 Paste the text file content at the '<hostname>(config)#' prompt.

Step 3.4 Enter the show run command at the router prompt to confirm that the crypto key is configured:

show run (only the crypto key portion of the configuration is shown below)

crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
   F3020301 0001
  quit

Step 3.5 Compare the crypto key configuration with the text file to make sure that the key is correctly configured. A single wrong or missing hex group will cause every signature package load to fail verification.

Step 3.6 Save the configuration:

copy running-config startup-config
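The Step 3.5 comparison can be done mechanically rather than by eye. The script below is an added example and not part of the Cisco guide: it pulls the key-string for a named key out of a running-config and out of the downloaded key file, normalizes both to one hex string, and reports the first offset at which they differ. Both inputs are constructed, shortened samples, not the real realm-cisco.pub key.

```python
"""Mechanical version of the Step 3.5 comparison: check that the RSA public
key in the running-config matches realm-cisco.pub.key.txt. Added example,
not code from the Cisco guide. Both inputs below are constructed samples."""
import re

# Constructed stand-in for realm-cisco.pub.key.txt (shortened, not the real key).
KEY_FILE_TEXT = """\
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   F3020301 0001
  quit
"""

# Constructed 'show run' fragment in which the paste lost the last group of line 1.
SHOW_RUN_TEXT = """\
hostname training
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A
   F3020301 0001
  quit
end
"""

def extract_key_hex(text, key_name="realm-cisco.pub"):
    """Return the key-string of key_name as one upper-case hex string, or None."""
    in_key = in_string = False
    parts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("named-key "):
            in_key = line.split()[1] == key_name  # 'named-key <name> signature'
            in_string = False
        elif in_key and line == "key-string":
            in_string = True
        elif in_key and line == "quit":
            break
        elif in_string:
            parts.append(line)
    if not parts:
        return None
    return re.sub(r"\s+", "", "".join(parts)).upper()

def compare_keys(config_text, file_text, key_name="realm-cisco.pub"):
    """Return (ok, message); ok is True only for two valid, identical keys."""
    ref = extract_key_hex(file_text, key_name)
    cfg = extract_key_hex(config_text, key_name)
    if ref is None:
        return False, "key %s not found in the downloaded key file" % key_name
    if cfg is None:
        return False, "key %s is not present in the running-config" % key_name
    for label, value in (("config", cfg), ("file", ref)):
        if len(value) % 2 or not re.fullmatch(r"[0-9A-F]+", value):
            return False, "%s key-string is not valid hex" % label
    if cfg == ref:
        return True, "key matches (%d bytes)" % (len(ref) // 2)
    # Report where the strings diverge so the operator knows which line to re-paste.
    pos = next((i for i, (a, b) in enumerate(zip(cfg, ref)) if a != b),
               min(len(cfg), len(ref)))
    return False, "mismatch at hex offset %d (config %d bytes, file %d bytes)" % (
        pos, len(cfg) // 2, len(ref) // 2)
```

Feed it the output of show run and the downloaded file; a False result means Step 3 must be repeated with the key removed and re-pasted.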


Additional Commands and References

If the key is configured incorrectly, you need to remove the crypto key first and then reconfigure it.

To remove the key, enter the following commands in order in Router Configure Mode:

training#configure terminal

training(config)#no crypto key pubkey-chain rsa

training(config-pubkey-chain)#no named-key realm-cisco.pub signature

training(config-pubkey-chain)#exit

training(config)#exit

Verify that the key is removed from the configuration using the following command at the router prompt:

show run

Configure the key again by following Steps 3.1 through 3.5.

4 Enabling Cisco IOS IPS

The fourth step is to configure Cisco IOS IPS using the following sequence of steps:

Step 4.1 Create a rule name (this will be used on an interface to enable IPS):

ip ips name <rule name>

training#configure terminal

training(config)# ip ips name myips

Step 4.2 Configure the IPS signature storage location; the directory name is the directory "ipsstore" created in Step 2:

ip ips config location flash:<directory name>

training#configure terminal

training(config)#ip ips config location flash:ipsstore

Step 4.3 Enable IPS SDEE event notification:

ip ips notify sdee

training(config)#ip ips notify sdee


Step 4.4 Configure Cisco IOS IPS to use the default basic signature set. This retires every signature in the category "all" and then unretires only the ios_ips basic category, so that only the basic set is compiled into memory:

training(config)#ip ips signature-category

training(config-ips-category)# category all

training(config-ips-category-action)# retired true

training(config-ips-category-action)# exit

training(config-ips-category)# category ios_ips basic

training(config-ips-category-action)# retired false

training(config-ips-category-action)# exit

training(config-ips-category)# exit

Do you want to accept these changes? [confirm]y

training(config)#

Step 4.5 Enable the IPS rule on the desired interface and direction:

interface <interface name>

ip ips <rule name> <in | out>

training(config)#interface vlan 1

training(config-if)#ip ips myips in

training(config-if)#exit

training(config)#exit

training#

Additional Commands and References

Cisco IOS IPS Configuration Guide:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html

5 Loading Signatures to Cisco IOS IPS

The last step is to load the signatures into Cisco IOS IPS. In the following example, we start a TFTP server on the PC and put the Cisco IOS IPS signature package under the TFTP directory. Please refer to the Additional Commands and References section for more about TFTP servers and alternative methods of loading Cisco IOS IPS signatures.

Note: If using a Telnet session, turn on the terminal monitor to view the console output.

training#terminal monitor

Step 5.1 Save your router configuration.

training#copy running-config startup-config

Destination filename [startup-config]?

Building configuration...

[OK]


Step 5.2 Copy the downloaded package (IOS-S259-CLI.pkg) to the TFTP server and load the signatures from the TFTP server to Cisco IOS IPS:

copy tftp://<Server IP address>/IOS-S259-CLI.pkg idconf

training#copy tftp://10.10.10.2/IOS-S259-CLI.pkg idconf

Loading IOS-S259-CLI.pkg from 10.10.10.2 (via Vlan1): !!!

Step 5.3 Verify the version, that the signatures were loaded, and the active signature count using the following command:

show ip ips signature count

training#show ip ips signature count

Cisco SDF release version S259.0   (signature package version)

Trend SDF release version V0.0

Signature Micro-Engine: multi-string

Total Signatures: 3

Enabled: 3

Retired: 3

... (output for the remaining micro-engines omitted)

Signature Micro-Engine: normalizer

Total Signatures: 9

Enabled: 8

Retired: 1

Compiled: 8

Total Signatures: 1964

Total Enabled Signatures: 736

Total Retired Signatures: 1625

Total Compiled Signatures: 338   (total active compiled signatures)

Total Signatures with invalid parameters: 1

training#

Additional Commands and References

After Cisco IOS IPS loads the signature package into memory, it starts reading signatures and attempts to build them according to the configuration. An error message such as:

%IPS-3-INVALID_DIGITAL_SIGNATURE: Invalid Digital Signature found (key not found)

means the public crypto key is invalid or missing, so the package's digital signature could not be verified and no signatures from it are compiled. Refer to "Configuring Cisco IOS IPS Crypto Key" (Step 3) to reconfigure the public crypto key.
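The Step 5.3 output and the crypto-key error above are the two places where a failed load shows itself. The following added example (not code from the Cisco guide) parses the show ip ips signature count output into per-engine and total counts and flags the conditions an operator should act on: no package loaded, an unexpected release, zero compiled signatures (the symptom of the key error above), and signatures with invalid parameters. SAMPLE_OUTPUT is a constructed abbreviation of the output shown in Step 5.3, in the same layout.

```python
"""Parse 'show ip ips signature count' (Step 5.3) and judge whether the signature
package loaded usably. Added example, not code from the Cisco guide; SAMPLE_OUTPUT
is a constructed abbreviation of the output shown on the page."""
import re

SAMPLE_OUTPUT = """\
Cisco SDF release version S259.0
Signature Micro-Engine: multi-string
    Total Signatures: 3
    Enabled: 3
    Retired: 3
Signature Micro-Engine: normalizer
    Total Signatures: 9
    Enabled: 8
    Retired: 1
    Compiled: 8
Total Signatures: 1964
    Total Enabled Signatures: 736
    Total Retired Signatures: 1625
    Total Compiled Signatures: 338
    Total Signatures with invalid parameters: 1
"""

def parse_signature_count(text):
    """Return {'release': str|None, 'engines': {name: counts}, 'totals': counts}."""
    info = {"release": None, "engines": {}, "totals": {}}
    engine = None  # micro-engine block we are inside; None once the grand totals start
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Cisco SDF release version "):
            info["release"] = line.split()[-1]
        elif line.startswith("Signature Micro-Engine: "):
            engine = line.split(": ", 1)[1]
            info["engines"][engine] = {}
        elif line.startswith("Total Signatures with invalid parameters: "):
            info["totals"]["invalid"] = int(line.split()[-1])
        elif re.match(r"Total (Enabled |Retired |Compiled )?Signatures: \d+$", line):
            key = line.split()[1].lower().rstrip(":")  # 'signatures', 'enabled', ...
            key = "total" if key == "signatures" else key
            counts = info["engines"].get(engine, {})
            # 'Total Signatures:' opens each engine block and also the grand totals: the
            # first one after an engine header is the engine's, every later one is global.
            if key == "total" and engine and "total" not in counts:
                counts["total"] = int(line.split()[-1])
            else:
                engine = None
                info["totals"][key] = int(line.split()[-1])
        elif engine and line.split(":")[0] in ("Enabled", "Retired", "Compiled"):
            info["engines"][engine][line.split(":")[0].lower()] = int(line.split()[-1])
    return info

def check_signature_load(text, expected_release):
    """Return a list of findings; an empty list means the load looks healthy."""
    info = parse_signature_count(text)
    if info["release"] is None:
        return ["no 'Cisco SDF release version' line: no signature package is loaded"]
    findings = []
    if not info["release"].startswith(expected_release):
        findings.append("loaded release %s, expected %s" % (info["release"], expected_release))
    if info["totals"].get("compiled", 0) == 0:
        findings.append("no compiled signatures; check the crypto key (Step 3) and the console")
    if info["totals"].get("invalid", 0):
        findings.append("%d signature(s) with invalid parameters" % info["totals"]["invalid"])
    return findings
```

Run against the real command output captured from the router, passing the Sxxx number of the package you copied in Step 5.2 as expected_release.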


If there is no access to a TFTP server, a USB flash drive can be an alternate way to load the signature package into Cisco IOS IPS. First, copy the signature package onto the USB drive, then insert the USB flash drive into one of the USB ports on the router. The following message will show up in the router console:

*Aug 18 06:46:49.554 PST: %USBFLASH-5-CHANGE: usbflash1 has been inserted!

Now use the copy command to load the signature package from usbflash to Cisco IOS IPS:

training#copy usbflash1:IOS-S261-CLI.pkg idconf

All signatures are by default configured to the 'Alarm' action only, so a freshly loaded package detects and reports but does not block anything. If you want to configure additional actions, the following CLI commands are available to change the signature configurations.

training(config)#ip ips signature-category

training(config-ips-category)#category ios_ips basic

training(config-ips-category-action)#event-action deny-packet-inline

training(config-ips-category-action)#event-action reset-tcp-connection

training(config-ips-category-action)#exit

training(config-ips-category)#exit

Do you want to accept these changes? [confirm]y

000114: *Aug 11 23:53:26.945 PST: Applying Category configuration to signatures

...

IMPORTANT: Make sure that you accept the changes when prompted. Otherwise, they will not be saved.

Use the show run command at the router prompt to verify the signature category configuration:

show run

ip ips signature-category

category all

retired true

category ios_ips basic

retired false

event-action deny-packet-inline

event-action reset-tcp-connection

In the configured Cisco IOS IPS storage directory, you may find the following files. These files have a name format of <routername>-sigdef-xxx.xml.

training#cd ipsstore

training#show flash:

24576K bytes of processor board System flash (Intel Strataflash)

Directory of flash:/ipsstore/

4 -rwx 5693 Aug 11 2006 23:41:32 -08:00 training-sigdef-typedef.xml

5 -rwx 21285 Aug 11 2006 23:41:35 -08:00 training-sigdef-category.xml

6 -rwx 172587 Aug 11 2006 23:43:29 -08:00 training-sigdef-default.xml

23482368 bytes total (6076416 bytes free)

training#

These files are stored in a Cisco proprietary compression format and are not editable or viewable directly. The contents of each file are described below:

training-sigdef-typedef.xml: A file that has all the signature parameter definitions

training-sigdef-category.xml: Has all the signature category information, such as category ios_ips basic and advanced

training-sigdef-default.xml: Contains all the factory default signature definitions

6 Enable/Disable Signatures

You can use the Cisco IOS Software command-line interface (CLI) to enable or disable one signature or a group of signatures based on signature categories.

Following are example CLI commands to disable signature 6130/10 (signature ID 6130, subsignature ID 10).

training#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

training(config)#ip ips signature-definition

training(config-sigdef)#signature 6130 10

training(config-sigdef-sig)#status

training(config-sigdef-sig-status)# enabled false

training(config-sigdef-sig-status)#exit

training(config-sigdef-sig)#exit

training(config-sigdef)#exit

Do you want to accept these changes? [confirm]y

training(config)#

Here is another example to enable all signatures belonging to the Cisco IOS IPS basic category.

training#configure terminal

Enter configuration commands, one per line. End with CNTL/Z

training(config)#ip ips signature-category

training(config-ips-category)# category ios_ips basic

training(config-ips-category-action)# enabled true

training(config-ips-category-action)#exit

training(config-ips-category)#exit

Do you want to accept these changes? [confirm]y

Additional Commands and References

Cisco IOS IPS Configuration Guide:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html

7 Retire/Unretire Signatures

You can use the Cisco IOS Software CLI to retire or unretire one signature or a group of signatures based on signature categories.

Retiring a signature means Cisco IOS IPS will not compile that signature into memory for scanning. Unretiring a signature instructs Cisco IOS IPS to compile the signature into memory and use the signature to scan traffic.

Following are sample CLI commands to retire signature 6130/10.

training#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

training(config)#ip ips signature-definition

training(config-sigdef)#signature 6130 10

training(config-sigdef-sig)#status

training(config-sigdef-sig-status)# retired true

training(config-sigdef-sig-status)#exit

training(config-sigdef-sig)#exit

training(config-sigdef)#exit

Do you want to accept these changes? [confirm]y

training(config)#


Here is another example to unretire all signatures belonging to the ios_ips basic category.

training#configure terminal

Enter configuration commands, one per line. End with CNTL/Z

training(config)#ip ips signature-category

training(config-ips-category)# category ios_ips basic

training(config-ips-category-action)# retired false

training(config-ips-category-action)#exit

training(config-ips-category)#exit

Do you want to accept these changes? [confirm]y

Additional Commands and References

Cisco IOS IPS Configuration Guide:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html

8 Change Signature Actions

You can use the Cisco IOS Software CLI to change signature actions for one signature or a group of signatures based on signature categories.

Following are example CLI commands to change the signature actions to alert, drop, and reset for signature 6130/10.

training#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

training(config)#ip ips signature-definition

training(config-sigdef)#signature 6130 10

training(config-sigdef-sig)#engine

training(config-sigdef-sig-engine)#event-action produce-alert

training(config-sigdef-sig-engine)#event-action deny-packet-inline

training(config-sigdef-sig-engine)#event-action reset-tcp-connection

training(config-sigdef-sig-engine)#exit

training(config-sigdef-sig)#exit

training(config-sigdef)#exit

Do you want to accept these changes? [confirm]y

training(config)#

Here is another example to change event actions for all signatures belonging to the Cisco IOS IPS basic category.

training#configure terminal

Enter configuration commands, one per line. End with CNTL/Z

training(config)#ip ips signature-category

training(config-ips-category)# category ios_ips basic

training(config-ips-category-action)#event-action produce-alert

training(config-ips-category-action)#event-action deny-packet-inline

training(config-ips-category-action)#event-action reset-tcp-connection

training(config-ips-category-action)#exit

training(config-ips-category)#exit

Do you want to accept these changes? [confirm]y

training(config)#

Additional Commands and References

Cisco IOS IPS Configuration Guide:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a0080747eb0.html

Printed in USA C11-390389-00 1/07