Does outbound ACL work for router generated traffic?
I think this is a similar case. That's why you see only the Echo Request
triggered by the inbound sensor, but don't see any signatures triggered by the
outbound sensor.
HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
blog: www.ccie1.com

If you can't explain it simply, you don't understand it well enough -
Albert Einstein

2010/5/16 Sadiq Yakasai <sadiqtanko_at_gmail.com>

> More information, if it helps:
>
> R6#sh run int f0/0
> Building configuration...
>
> Current configuration : 168 bytes
> !
> interface FastEthernet0/0
>  ip address 204.12.1.6 255.255.255.0
>  ip ips IPS in
>  ip ips IPS out
>  no ip route-cache cef
>  no ip route-cache
>  duplex auto
>  speed auto
> end
>
> R6#
> R6#
> !
> !
> ip cef
> !
> !
> no ip domain lookup
> ip domain name ccie.com
> ip ips config location flash:/IPS/ retries 1
> ip ips deny-action ips-interface
> ip ips name IPS
> !
> ip ips signature-category
>  category ios_ips basic
>   retired false
>   enabled true
>  category all
>   retired true
> !
>
> R6#debug ip icmp
> ICMP packet debugging is on
> R6#!!!!!!!!!!!!!!!!!!!!!!!!!!!! for terminal traffic !!!!!!!!!!!!!!!!!!!
> R6#
> R6#
> May 16 11:16:07.719: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [204.12.1.3:8 -> 204.12.1.6:0] VRF:NONE RiskRating:100
> R6#
> May 16 11:16:07.719: ICMP: echo reply sent, src 204.12.1.6, dst 204.12.1.3
> R6#
> R6#
> R6#
> R6#
> R6#!!!!!!!!!!!!!!!!!!! now for transit traffic!!!!!!!!!!!!!!!!!!!!
> R6#
> R6#
> May 16 11:16:50.257: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [204.12.1.3:8 -> 54.1.2.254:0] VRF:NONE RiskRating:100
> May 16 11:16:50.285: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:100 ICMP Echo Reply [54.1.2.254:0 -> 204.12.1.3:8] VRF:NONE RiskRating:100
> R6#
>
>
> On Sun, May 16, 2010 at 11:37 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
>> One interesting point:
>>
>> So I enabled my echo and echo-reply signatures fine (inbound *and/or* outbound
>> on an interface). And I tested by sending a ping to the box in question. Only
>> my echo-request signature got triggered.
>>
>> So I thought maybe I am being fast-switched (or process switched) and hence
>> not hitting the engine (for the echo-reply) on the way in/out. I disabled
>> process and cef switching on the interface but it still did not work.
>>
>> End of the day, only transit traffic (not terminating on the box itself) was
>> hitting my echo-reply signature.
>>
>> Anybody know why? Or has better ideas? I don't seem to see what's up here.
>>
>> Thanks as usual.
>>
>> Sadiq
>>
>>
>> On Sun, May 16, 2010 at 11:21 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>>
>>> Thanks Adrian and Piotr!
>>>
>>> That's a well written white paper. I am all sorted now. Although the
>>> documentation of 12.4.T still makes reference to that CLI, which AFAICS,
>>> does not exist on the code :-)
>>>
>>> Sadiq
>>>
>>>
>>> On Sun, May 16, 2010 at 7:19 AM, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>>
>>>> Hi Sadiq,
>>>>
>>>> You're looking at the wrong document (it's for 12.4). Take a look at:
>>>>
>>>> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.pdf
>>>>
>>>> HTH,
>>>> --
>>>> Piotr Matusiak
>>>> CCIE #19860 (R&S, Security)
>>>> Technical Instructor
>>>> website: www.MicronicsTraining.com
>>>> blog: www.ccie1.com
>>>>
>>>> If you can't explain it simply, you don't understand it well enough -
>>>> Albert Einstein
>>>>
>>>>
>>>> 2010/5/16 Sadiq Yakasai <sadiqtanko_at_gmail.com>
>>>>
>>>>> Hi guys,
>>>>>
>>>>> It seems to me like the documentation says we can load the signature
>>>>> definition file via the command "ip ips sdf location ..", as reported
>>>>> by [1] below, but this seems to be not supported on the box.
>>>>>
>>>>> Well, I went ahead and configured my IPS policy on the router, but as
>>>>> it were, I could not enable the icmp echo and echo-reply signatures
>>>>> (2000 and 2004).
>>>>>
>>>>> Any help/pointers would be very helpful.
>>>>>
>>>>> Thanks,
>>>>> Sadiq
>>>>>
>>>>> [1]
>>>>> http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_ips_external_docbase_0900e4b180de56d7_4container_external_docbase_0900e4b180e076b5.html#wp1175461
>>>>>
>>>>> R6(config)#ip ips ?
>>>>>   auto-update           Auto Update
>>>>>   config                Location of IPS configuration files
>>>>>   deny-action           Specify Deny action
>>>>>   event-action-rules    Event Action Rules (SEAP)
>>>>>   fail                  Specify what to do during any failures
>>>>>   name                  Specify an IPS rule
>>>>>   notify                Specify the notification mechanisms (SDEE or log) for the alarms
>>>>>   signature-category    Signature Category
>>>>>   signature-definition  Signature Definition
>>>>>
>>>>> R6#
>>>>> R6#conf t
>>>>> Enter configuration commands, one per line.  End with CNTL/Z.
>>>>> R6(config)#ip ips si
>>>>> R6(config)#ip ips signature-de
>>>>> R6(config)#ip ips signature-definition
>>>>> R6(config-sigdef)#si
>>>>> R6(config-sigdef)#signature 2000 0
>>>>> Unable to locate sig 2000:0
>>>>> R6(config-sigdef)#si
>>>>> R6(config-sigdef)#signature ?
>>>>>   <1-65535>  Signature ID value
>>>>>
>>>>> R6(config-sigdef)#signature
>>>>> % Incomplete command.
>>>>>
>>>>> R6(config-sigdef)#
>>>>> R6(config-sigdef)#
>>>>> R6(config-sigdef)#end
>>>>> R6#
>>>>> R6#
>>>>> R6#dir
>>>>> May 15 22:57:44.932: %SYS-5-CONFIG_I: Configured from console by console
>>>>> R6#dir
>>>>> Directory of flash:/
>>>>>
>>>>>     1  -rw-        5650   May 8 2010 16:40:48 +00:00  -0
>>>>>     2  -rw-        5650   May 8 2010 17:10:14 +00:00  -1
>>>>>     3  -rw-        5834   May 8 2010 23:02:20 +00:00  -2
>>>>>     4  -rw-        5834   May 8 2010 23:10:14 +00:00  -3
>>>>>     5  -rw-        1823   Feb 22 2007 09:09:30 +00:00  sdmconfig-2811.cfg
>>>>>    13  drw-           0   May 15 2010 22:32:30 +00:00  IPS
>>>>>     6  -rw-      833024   Feb 22 2007 09:10:16 +00:00  es.tar
>>>>>     7  -rw-     1052160   Feb 22 2007 09:10:34 +00:00  common.tar
>>>>>     8  -rw-        1038   Feb 22 2007 09:10:50 +00:00  home.shtml
>>>>>     9  -rw-      102400   Feb 22 2007 09:11:04 +00:00  home.tar
>>>>>   *10  -rw-      491213   Feb 22 2007 09:11:22 +00:00  128MB.sdf*
>>>>>    11  -rw-      398305   Feb 22 2007 09:12:04 +00:00  sslclient-win-1.1.0.154.pkg
>>>>>    12  -rw-    60324084   Mar 19 2010 11:03:00 +00:00  c2800nm-adventerprisek9_sna-mz.124-24.T1.bin
>>>>>
>>>>> 64016384 bytes total (733184 bytes free)
>>>>> R6#
>>>>> R6#sh ver | i IOS
>>>>> Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9_SNA-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
>>>>> R6#
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
>>>
>>> --
>>> CCIE #19963
>>>
>> --
>> CCIE #19963
>>
> --
> CCIE #19963

Received on Sun May 16 2010 - 13:35:42 ART
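As an added example (not from the thread, Cisco, or GroupStudy), here is a small Python parser for the %IPS-4-SIGNATURE syslog lines quoted above. It classifies each alert relative to the router's own addresses and lists Echo Requests to the router that never produced an Echo Reply alert, which is exactly the blind spot Sadiq observed: the outbound sensor does not inspect router-generated traffic. The router address set and the sample log are constructed from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three IPS alerts and the one ICMP debug line from the thread.
SAMPLE_LOG = """\
May 16 11:16:07.719: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [204.12.1.3:8 -> 204.12.1.6:0] VRF:NONE RiskRating:100
May 16 11:16:07.719: ICMP: echo reply sent, src 204.12.1.6, dst 204.12.1.3
May 16 11:16:50.257: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:100 ICMP Echo Request [204.12.1.3:8 -> 54.1.2.254:0] VRF:NONE RiskRating:100
May 16 11:16:50.285: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:100 ICMP Echo Reply [54.1.2.254:0 -> 204.12.1.3:8] VRF:NONE RiskRating:100
"""

# Addresses owned by the router itself (R6's FastEthernet0/0 from the thread).
ROUTER_IPS = {"204.12.1.6"}

# Field layout of an IOS IPS alert; for ICMP the "port" fields carry the ICMP type.
ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<rr>\d+)"
)

@dataclass(frozen=True)
class Alert:
    sig: int
    name: str
    src: str
    dst: str

def parse_alerts(log):
    """Return only the IPS signature alerts; other syslog/debug lines are skipped."""
    alerts = []
    for line in log.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(int(m["sig"]), m["name"], m["src"], m["dst"]))
    return alerts

def classify(alert, router_ips):
    """Where the flow sits relative to the router: it never appears as 'router-generated'
    in the thread's output because the outbound sensor does not see locally sourced packets."""
    if alert.src in router_ips:
        return "router-generated"
    if alert.dst in router_ips:
        return "to-router"
    return "transit"

def unanswered_requests(alerts, router_ips):
    """Echo Requests (Sig 2004) with no Echo Reply alert (Sig 2000) on the reverse flow."""
    replies = {(a.src, a.dst) for a in alerts if a.sig == 2000}
    return [a for a in alerts if a.sig == 2004 and (a.dst, a.src) not in replies]

if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    for a in found:
        print(f"{a.sig} {a.name}: {a.src} -> {a.dst} [{classify(a, ROUTER_IPS)}]")
    for a in unanswered_requests(found, ROUTER_IPS):
        print(f"no reply alert for request {a.src} -> {a.dst} (reply sent by the router itself)")
```

Run against a longer capture, every unanswered request whose destination is a router address points at traffic the IPS never inspected, so coverage for locally terminated flows has to come from elsewhere (for example a control-plane ACL), not from the outbound sensor.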