Configuring IPS Using the Cisco IOS CLI

Prepare the Router and TFTP Server

Verify the availability of Cisco IOS IPS files

Verify or create the IPS directory in router flash

R1# show flash
R1# mkdir ipsdir
R1# delete flash:ipsdir/*
R1# dir flash:
R1# dir flash:ipsdir

Configure the IPS Crypto Key

Copy and paste the crypto key file into R1. Apply the contents of the text file to the router.

R1(config)# crypto key pubkey-chain rsa
R1(config-pubkey-chain)# named-key realm-cisco.pub signature
R1(config-pubkey-key)# key-string
R1(config-pubkey)#$2A864886 F70D0101 01050003 82010F00 3082010A 02820101
R1(config-pubkey)#$D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R1(config-pubkey)#$912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R1(config-pubkey)#$085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R1(config-pubkey)#$0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R1(config-pubkey)#$994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R1(config-pubkey)#$5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R1(config-pubkey)#$A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R1(config-pubkey)#$80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R1(config-pubkey)# F3020301 0001
R1(config-pubkey)# quit

Configure IPS

Create an IPS rule

R1(config)# ip ips name iosips

Configure the IPS signature storage location in router flash memory

R1(config)# ip ips config location flash:ipsdir

Enable IPS SDEE event notification

R1(config)# ip http server
R1(config)# ip ips notify sdee

Enable IPS syslog support

R1(config)# ip ips notify log
R1# clock set 01:20:00 8 march 2015
R1(config)# service timestamps log datetime msec
R1(config)# logging 192.168.1.3

Configure IOS IPS to use one of the pre-defined signature categories

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm]

Apply the IPS rule to an interface

R1(config)# interface serial0/0/0
R1(config-if)# ip ips iosips in
R1(config)# interface g0/1
R1(config-if)# ip ips iosips in

Load the IOS IPS Signature Package to the Router

Download the TFTP server

Start the TFTP server on PC-A and verify the IPS file directory

Copy the signature package from the TFTP server to the router

R1# copy tftp://192.168.1.3/IOS-S855-CLI.pkg idconf
R1# dir flash:ipsdir
R1# dir usbflash0:
R1# show ip ips signature count
R1# show ip ips all

Modify the signature

R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# event-action reset-tcp-connection
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm]

Simulate an Attack

nmap -T4 -A -v 10.1.1.2

Observe the syslog messages on R1
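
An offline check that saved configuration text contains every step of the procedure above. This is an added example, not part of the original page or any Cisco tool; audit_ips_config is a hypothetical helper, and it assumes the config text uses the command forms shown on this page.

```python
import re

# Constructed sample: the commands from this page as plain config text.
SAMPLE = """
ip ips name iosips
ip ips config location flash:ipsdir
ip ips notify sdee
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
interface Serial0/0/0
 ip ips iosips in
"""

def audit_ips_config(text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip().lower() for l in text.splitlines() if l.strip()]
    findings, rules, applied, retired, category = [], set(), set(), {}, None
    for line in lines:
        if m := re.fullmatch(r"ip ips name (\S+)", line):
            rules.add(m.group(1))
        elif m := re.fullmatch(r"ip ips (\S+) (in|out)", line):
            applied.add(m.group(1))
        elif m := re.fullmatch(r"category (.+)", line):
            category = m.group(1)
        elif (m := re.fullmatch(r"retired (true|false)", line)) and category:
            retired[category] = m.group(1) == "true"
        else:
            category = None  # left the category block
    if not rules:
        findings.append("no IPS rule defined")
    for rule in sorted(rules - applied):
        findings.append(f"rule {rule} is not applied to any interface")
    for rule in sorted(applied - rules):
        findings.append(f"interface references undefined rule {rule}")
    if not any(l.startswith("ip ips config location ") for l in lines):
        findings.append("no signature storage location")
    if not any(l.startswith("ip ips notify ") for l in lines):
        findings.append("no event notification (sdee or log)")
    if retired.get("all") is not True:
        findings.append("category all is not retired")
    if not any(c.startswith("ios_ips") and not r for c, r in retired.items()):
        findings.append("no ios_ips category is unretired")
    return findings

if __name__ == "__main__":
    print(audit_ips_config(SAMPLE) or "all checks passed")
```

Actual show running-config output may render some of these commands differently, so adjust the patterns to the text your router produces.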