ch20lev1sec16.html

Configuring Custom Signature and IPS Blocking

Based on Figure 20-12 , and building on the previous Example 20-4, Example 20-8 shows a sample configuration for creating a custom signature and IPS blocking function, thereby enabling a dynamic block request when an intrusion is detected.

A custom signature SIGID 65000 has been created in the STRING.TCP engine that defines traffic for TCP port 23 (Telnet), with an event-action request-block-connection to shun the offending TCP-based session.

The example shows a profile named "myprof" created to provide parameters for the managed device, where blocking is going to be enforced. Basic details such as the IP address, username, password, and communication protocol being used are defined in this profile, and the profile is associated in the managed device list.

The example also shows the exclude list, which defines the sensor IP address to be excluded from the blocking function.

Note that the inline interface parameters have been omitted in this sample output. Refer to Example 20-4 to complete this task.

Example 20-8. Configuring Custom Signature and IPS Blocking

Code View:
IPS# show configuration ! ------------------------------ ! Current configuration last modified Mon Jul 09 12:48:55 2007 ! ------------------------------ ! Version 6.0(1) ! Host: ! Realm Keys key1.0 ! Signature Definition: ! Signature Update S263.0 2006-12-18 ! Virus Update V1.2 2005-11-24 ! ------------------------------ <..> ! ------------------------------ service host network-settings host-ip 172.16.10.1/24,172.16.10.254 host-name IPS telnet-option disabled access-list 172.16.10.0/24 exit exit ! ------------------------------ <..> ! ------------------------------ service network-access general never-block-hosts 172.16.10.1 exit user-profiles myprof enable-password cisco password cisco username cisco exit router-devices 172.16.1.1 communication telnet profile-name myprof block-interfaces Ethernet0/0 in exit response-capabilities block exit exit ! ------------------------------ <..> ! ------------------------------ service signature-definition sig0 signatures 65000 0 sig-description sig-name testing123 exit engine string-tcp event-action request-block-connection regex-string attack service-ports 23 direction to-service exit status enabled true <..>

Tip

For a complete set of IPS Sensor software configuration guides, refer to the following Cisco documentation URLs:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a0080751759.html

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a00807a8a2a.html