Thanks Kings, that was the same thing I was thinking, and now it's confirmed with
your response.. :)
By the way... I think I can delete those files with **sigdef**.xml and then
restart again..?
Rack40R2#sh fla
-#- --length-- -----date/time------ path
1           32 Sep 30 2010 09:46:08 +00:00 IOS-CA.ser
2          168 Oct 29 2010 09:50:48 +00:00 IOS-CA.crl
3         2679 Jan 14 2011 19:29:34 +00:00 ip.phdf
4         2748 Sep 25 2008 23:19:34 +00:00 sdmconfig-2811.cfg
5       334531 Feb 6 2011 21:46:18 +00:00 R2-sigdef-default.xml
6          704 Jan 2 2011 20:13:54 +00:00 Rack1R2-sigdef-default.xml
7         1038 Sep 25 2008 23:21:12 +00:00 home.shtml
8          266 Jan 2 2011 21:01:54 +00:00 Rack1R2-sigdef-delta.xml
9         1195 Sep 28 2010 22:51:18 +00:00 IOS-CA_00001.p12
10          32 Jan 26 2011 10:10:06 +00:00 IOSCA.ser
11      415956 Sep 25 2008 23:22:40 +00:00 sslclient-win-1.1.4.176.pkg
12    53131032 Sep 1 2010 23:09:54 +00:00 c2800nm-adventerprisek9-mz.124-15.T12.bin
13        8509 Jan 2 2011 20:48:56 +00:00 Rack1R2-sigdef-typedef.xml
14       38523 Jan 2 2011 20:49:00 +00:00 Rack1R2-sigdef-category.xml
15         304 Jan 2 2011 20:13:54 +00:00 Rack1R2-seap-delta.xml
16         491 Jan 2 2011 20:13:54 +00:00 Rack1R2-seap-typedef.xml
17         255 Feb 6 2011 21:30:20 +00:00 R2-sigdef-delta.xml
18        8509 Feb 6 2011 21:44:30 +00:00 R2-sigdef-typedef.xml
19       38523 Feb 6 2011 21:44:34 +00:00 R2-sigdef-category.xml
20         257 Feb 6 2011 21:30:20 +00:00 R2-seap-delta.xml
21         491 Feb 6 2011 21:30:20 +00:00 R2-seap-typedef.xml
22      189627 Jan 14 2011 17:52:36 +00:00 crashinfo_20110114-175237
23        2447 Jan 14 2011 18:59:12 +00:00 tcp.phdf
24        1115 Jan 14 2011 18:59:34 +00:00 udp.phdf
25        1115 Jan 14 2011 18:59:44 +00:00 n
26         949 Jan 14 2011 19:29:48 +00:00 icmp.phdf
27      206179 Jan 14 2011 19:53:00 +00:00 crashinfo_20110114-195301
28      178283 Jan 14 2011 20:01:40 +00:00 crashinfo_20110114-200141
29         241 Jan 27 2011 09:00:28 +00:00 IOSCA.crl
30        1699 Jan 26 2011 08:49:46 +00:00 IOSCA_00001.p12
31        1667 Jan 26 2011 09:00:28 +00:00 IOSCA_00002.p12
9355264 bytes available (54661120 bytes used)
Rack40R2#
On Sat, Feb 26, 2011 at 6:16 AM, Kingsley Charles <
kingsley.charles_at_gmail.com> wrote:
> That's because the config location that you configured would have already
> had a sig file stored when the router was previously configured for IPS.
>
> With regards
> Kings
>
> On Sat, Feb 26, 2011 at 12:07 AM, Pemasiri Devanarayana <
> pemasiri_at_gmail.com> wrote:
>
>> Hi,
>>
>> When I was configuring IOS IPS, I could see that before I downloaded the
>> signature package file, all the signatures were enabled. I'm wondering how
>> this can be. However, I have used the same router some time back to do the
>> same lab, but that time it was as expected. Here are the steps I did when
>> configuring IOS IPS.
>>
>> 1) load the Cisco public RSA key
>> 2) retired all signatures and enabled only the required category
>> 3) configure IOS IPS parameters such as IPS name, config location, notify
>> SDEE etc
>> 4) apply the IOS IPS name to interface (both in and out)
>>
>> Then immediately I was able to see the below messages:
>>
>>
>> R2(config)#ip ips no
>> R2(config)#ip ips notify S
>> R2(config)#ip ips notify SDEE
>> R2(config)#ip is
>> R2(config)#ip ip
>> R2(config)#ip ips na
>> R2(config)#ip ips name iosips
>> R2(config)#int fa0/0
>> R2(config-if)#ip ips
>> R2(config-if)#ip ips n
>> R2(config-if)#ip ips n
>> R2(config-if)#ip ips na
>> R2(config-if)#ip ips iosips in
>> R2(config-if)#ip ips iosips in
>> R2(config-if)#ip ips iosips out
>> R2(config-if)#
>> R2(config-if)#exit
>> R2(config)#do sh ip ips sig count
>> Another IPS operation is accessing the signatures.
>> R2(config)#
>> Feb 25 12:41:30.743: %IPS-3-IPS_CONCURRENT_ACCESS: Another IPS operation
>> is accessing the signatures.
>> R2(config)#
>> Feb 25 12:41:47.047: %IPS-6-ENGINE_BUILDS_STARTED:  12:41:47 UTC Feb 25
>> 2011
>> Feb 25 12:41:47.051: %IPS-6-ENGINE_BUILDING: multi-string - 17 signatures
>> - 1 of 13 engines
>> Feb 25 12:41:47.091: %IPS-6-ENGINE_READY: multi-string - build time 40 ms
>> - packets for this engine will be scanned
>> Feb 25 12:41:47.235: %IPS-6-ENGINE_BUILDING: service-http - 721 signatures
>> - 2 of 13 engines
>> Feb 25 12:41:47.983: %IPS-6-ENGINE_READY: service-http - build time 748 ms
>> - packets for this engine will be scanned
>> Feb 25 12:41:48.407: %IPS-6-ENGINE_BUILDING: string-tcp - 1658 signatures
>> - 3 of 13 engines
>> R2(config)#
>> Feb 25 12:41:59.007: %IPS-6-ENGINE_READY: string-tcp - build time 10600 ms
>> - packets for this engine will be scanned
>> Feb 25 12:41:59.271: %IPS-6-ENGINE_BUILDING: string-udp - 78 signatures -
>> 4 of 13 engines
>> Feb 25 12:41:59.351: %IPS-6-ENGINE_READY: string-udp - build time 80 ms -
>> packets for this engine will be scanned
>> Feb 25 12:41:59.367: %IPS-6-ENGINE_BUILDING: state - 34 signatures - 5 of
>> 13 engines
>> Feb 25 12:41:59.387: %IPS-6-ENGINE_READY: state - build time 20 ms -
>> packets for this engine will be scanned
>> Feb 25 12:41:59.451: %IPS-6-ENGINE_BUILDING: atomic-ip - 342 signatures -
>> 6 of 13 engines
>> R2(config)#
>> Feb 25 12:42:00.607: %IPS-6-ENGINE_READY: atomic-ip - build time 1156 ms -
>> packets for this engine will be scanned
>> Feb 25 12:42:00.647: %IPS-6-ENGINE_BUILDING: string-icmp - 3 signatures -
>> 7 of 13 engines
>> Feb 25 12:42:00.647: %IPS-6-ENGINE_READY: string-icmp - build time 0 ms -
>> packets for this engine will be scanned
>> Feb 25 12:42:00.651: %IPS-6-ENGINE_BUILDING: service-ftp - 3 signatures -
>> 8 of 13 engines
>>
>>
>> Then I gave the below commands and noticed all the signatures are loaded
>> before downloading IOS-S416-CLI.pkg to idconf..
>>
>> R2(config)#do sh ip ips sig count
>>
>> Cisco SDF release version S416.0
>> Trend SDF release version V0.0
>>
>> Signature Micro-Engine: multi-string: Total Signatures 17
>>       multi-string enabled signatures: 13
>>       multi-string retired signatures: 17
>>
>> Signature Micro-Engine: service-http: Total Signatures 721
>>       service-http enabled signatures: 145
>>       service-http retired signatures: 715
>>       service-http compiled signatures: 6
>>       service-http obsoleted signatures: 2
>>
>> Signature Micro-Engine: string-tcp: Total Signatures 1658
>>       string-tcp enabled signatures: 650
>>       string-tcp retired signatures: 1620
>>       string-tcp compiled signatures: 38
>>       string-tcp obsoleted signatures: 22
>>
>> Signature Micro-Engine: string-udp: Total Signatures 78
>>       string-udp enabled signatures: 2
>>       string-udp retired signatures: 75
>>       string-udp compiled signatures: 3
>>       string-udp obsoleted signatures: 1
>>
>> Signature Micro-Engine: state: Total Signatures 34
>>       state enabled signatures: 17
>>       state retired signatures: 34
>>
>> Signature Micro-Engine: atomic-ip: Total Signatures 342
>>       atomic-ip enabled signatures: 90
>>        atomic-ip retired signatures: 338
>>       atomic-ip compiled signatures: 4
>>
>> Signature Micro-Engine: string-icmp: Total Signatures 3
>>       string-icmp enabled signatures: 0
>>       string-icmp retired signatures: 3
>>
>> Signature Micro-Engine: service-ftp: Total Signatures 3
>>       service-ftp enabled signatures: 1
>>       service-ftp retired signatures: 3
>>
>> Signature Micro-Engine: service-rpc: Total Signatures 76
>>       service-rpc enabled signatures: 44
>>       service-rpc retired signatures: 76
>>
>> Signature Micro-Engine: service-dns: Total Signatures 39
>>       service-dns enabled signatures: 27
>>       service-dns retired signatures: 39
>>       service-dns obsoleted signatures: 1
>>
>> Signature Micro-Engine: normalizer: Total Signatures 9
>>       normalizer enabled signatures: 8
>>       normalizer retired signatures: 9
>>
>> Signature Micro-Engine: service-smb-advanced: Total Signatures 49
>>       service-smb-advanced enabled signatures: 42
>>       service-smb-advanced retired signatures: 49
>>
>> Signature Micro-Engine: service-msrpc: Total Signatures 33
>>       service-msrpc enabled signatures: 22
>>       service-msrpc retired signatures: 33
>>       service-msrpc obsoleted signatures: 1
>>
>> Total Signatures: 3062
>>    Total Enabled Signatures: 1061
>>    Total Retired Signatures: 3011
>>    Total Compiled Signatures: 51
>>    Total Obsoleted Signatures: 27
>>
>> My question is: how come the router loads those signatures before loading
>> the package file to idconf? (However, I did the same lab on the same router
>> some time back.)
>>
>> Thanks
Received on Sat Feb 26 2011 - 11:53:35 ART
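
Added example (not part of the original thread): a Python sketch that parses a `show flash` listing like the one above and groups the IOS IPS files (`*-sigdef-*.xml`, `*-seap-*.xml`) by filename prefix, so definition files already sitting in the config location from an earlier IPS setup stand out. Treating the prefix as the hostname in use when the files were written is an assumption drawn from the listing, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Subset of the flash listing quoted in the thread, including the entry whose
# path was wrapped onto the next line by the mail client.
SAMPLE = """\
-#- --length-- -----date/time------ path
3         2679 Jan 14 2011 19:29:34 +00:00 ip.phdf
5       334531 Feb 6 2011 21:46:18 +00:00 R2-sigdef-default.xml
6          704 Jan 2 2011 20:13:54 +00:00 Rack1R2-sigdef-default.xml
8          266 Jan 2 2011 21:01:54 +00:00 Rack1R2-sigdef-delta.xml
12    53131032 Sep 1 2010 23:09:54 +00:00
c2800nm-adventerprisek9-mz.124-15.T12.bin
15         304 Jan 2 2011 20:13:54 +00:00 Rack1R2-seap-delta.xml
17         255 Feb 6 2011 21:30:20 +00:00 R2-sigdef-delta.xml
9355264 bytes available (54661120 bytes used)
"""

# index, length, date/time with UTC offset, optional path
ROW = re.compile(r"^\s*\d+\s+(\d+)\s+\w{3}\s+\d+\s+\d{4}\s+[\d:]+\s+[+-]\d\d:\d\d(?:\s+(\S+))?\s*$")
# <prefix>-sigdef-*.xml / <prefix>-seap-*.xml, as seen in the listing
IPS = re.compile(r"^(.+)-(sigdef|seap)-(default|delta|typedef|category)\.xml$")

def parse_flash(listing):
    """Return [(length, path)], rejoining paths wrapped onto the next line."""
    entries, pending = [], None
    for line in listing.splitlines():
        m, text = ROW.match(line), line.strip()
        if m and m.group(2):
            entries.append((int(m.group(1)), m.group(2)))
            pending = None
        elif m:
            pending = int(m.group(1))          # path follows on the next line
        elif pending is not None and text and " " not in text:
            entries.append((pending, text))
            pending = None
        else:
            pending = None
    return entries

def ips_sets(listing):
    """Group IPS files by prefix: {prefix: {"files": [...], "bytes": n}}."""
    sets = defaultdict(lambda: {"files": [], "bytes": 0})
    for length, path in parse_flash(listing):
        m = IPS.match(path)
        if m:
            sets[m.group(1)]["files"].append(path)
            sets[m.group(1)]["bytes"] += length
    return dict(sets)

def other_prefixes(listing, hostname):
    """Prefixes of IPS file sets that do not match the given hostname."""
    return sorted(p for p in ips_sets(listing) if p != hostname)
```

Run against the full listing, any prefix that already has a `sigdef-default.xml` in the config location is a set to review before IPS is re-enabled.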