Configuring IPS Using the Cisco IOS CLI
Prepare the Router and TFTP Server
Verify the availability of Cisco IOS IPS files
Verify or create the IPS directory in router flash
R1# show flash
R1# mkdir ipsdir
R1# delete flash:ipsdir/*
R1# dir flash:
R1# dir flash:ipsdir
Configure the IPS Crypto Key
Copy and paste the crypto key file into R1
Apply the contents of the text file to the router.
R1(config)# crypto key pubkey-chain rsa
R1(config-pubkey-chain)# named-key realm-cisco.pub signature
R1(config-pubkey-key)# key-string
R1(config-pubkey)#$2A864886 F70D0101 01050003 82010F00 3082010A 02820101
R1(config-pubkey)#$D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
R1(config-pubkey)#$912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
R1(config-pubkey)#$085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
R1(config-pubkey)#$0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
R1(config-pubkey)#$994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
R1(config-pubkey)#$5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
R1(config-pubkey)#$A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
R1(config-pubkey)#$80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
R1(config-pubkey)# F3020301 0001
R1(config-pubkey)# quit
Configure IPS
Create an IPS rule
R1(config)# ip ips name iosips
Configure the IPS Signature storage location in router flash memory.
R1(config)# ip ips config location flash:ipsdir
Enable IPS SDEE event notification
R1(config)# ip http server
R1(config)# ip ips notify sdee
Enable IPS syslog support
R1(config)# ip ips notify log
R1# clock set 01:20:00 8 march 2015
R1(config)# service timestamps log datetime msec
R1(config)# logging 192.168.1.3
Configure IOS IPS to use one of the pre-defined signature categories.
R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired true
R1(config-ips-category-action)# exit
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false
R1(config-ips-category-action)# exit
R1(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Enter>
Apply the IPS rule to an interface
R1(config)# interface serial0/0/0
R1(config-if)# ip ips iosips in
R1(config)# interface g0/1
R1(config-if)# ip ips iosips in
Load the IOS IPS Signature Package to the Router
Download the TFTP server
Start the TFTP server on PC-A and verify the IPS file directory
Copy the signature package from the TFTP server to the router
R1# copy tftp://192.168.1.3/IOS-S855-CLI.pkg idconf
R1# dir flash:ipsdir
R1# dir usbflash0:
R1# show ip ips signature count
R1# show ip ips all
Modify the signature
R1(config)# ip ips signature-definition
R1(config-sigdef)# signature 2004 0
R1(config-sigdef-sig)# status
R1(config-sigdef-sig-status)# retired false
R1(config-sigdef-sig-status)# enabled true
R1(config-sigdef-sig-status)# engine
R1(config-sigdef-sig-engine)# event-action produce-alert
R1(config-sigdef-sig-engine)# event-action deny-packet-inline
R1(config-sigdef-sig-engine)# event-action reset-tcp-connection
R1(config-sigdef-sig-engine)# exit
R1(config-sigdef-sig)# exit
R1(config-sigdef)# exit
Do you want to accept these changes? [confirm] <Enter>
Simulate an Attack
nmap -T4 -A -v 10.1.1.2
Observe the syslog messages on R1
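Added example, not part of the original lab notes: a Python check that reads a saved running-config and confirms the IPS steps above took effect (rule defined, signature location set, syslog host present, category all retired with another category unretired, rule applied to an interface). The sample configuration is constructed and its layout is an assumption; audit_ips is a hypothetical helper name.

```python
import re

# Constructed sample: IPS-related lines as they might appear in R1's running-config.
SAMPLE_CONFIG = """\
ip ips config location flash:ipsdir retries 1
ip ips name iosips
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
interface GigabitEthernet0/1
 ip ips iosips in
interface Serial0/0/0
 ip ips iosips in
logging 192.168.1.3
"""

def audit_ips(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l for l in config.splitlines() if l.strip() and l.strip() != "!"]
    rules = {l.split()[3] for l in lines if re.match(r"ip ips name \S+", l)}
    findings = [msg for pat, msg in (
        (r"ip ips name \S+", "no IPS rule defined"),
        (r"ip ips config location \S+", "no signature storage location"),
        (r"logging (host )?\d", "no syslog host configured"),
    ) if not any(re.match(pat, l) for l in lines)]
    section, category, applied, retired = "", None, {}, {}
    for l in lines:
        s = l.strip()
        if not l.startswith(" "):          # top-level command opens a new section
            section, category = s, None
        elif section.startswith("interface "):
            m = re.match(r"ip ips (\S+) (in|out)$", s)
            if m:                          # record which rule each interface uses
                applied[section.split()[1]] = m.group(1)
        elif section == "ip ips signature-category":
            if s.startswith("category "):
                category = s[len("category "):]
            elif s.startswith("retired ") and category:
                retired[category] = (s.split()[1] == "true")
    if retired.get("all") is not True:
        findings.append("category all is not retired")
    if not any(v is False for c, v in retired.items() if c != "all"):
        findings.append("no signature category is unretired")
    if not applied:
        findings.append("IPS rule not applied to any interface")
    findings += [f"{i}: undefined IPS rule {r}" for i, r in applied.items() if r not in rules]
    return findings
```

Call audit_ips() on the text of a saved show running-config; each returned string names one step that did not take effect.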