
Configuring Custom Signature and IPS Blocking

Based on Figure 20-12, and building on the previous Example 20-4, Example 20-8 shows a sample configuration that creates a custom signature and enables the IPS blocking function, so that the sensor issues a dynamic block request when the signature fires.

A custom signature, SIGID 65000, has been created in the STRING.TCP engine. It matches the string "attack" in traffic sent to TCP port 23 (Telnet), and its event action request-block-connection asks the managed device to shun the offending TCP session. Note that this shuns only that connection (source, destination, and ports); blocking every connection from the attacking host would require the request-block-host action instead.

The example shows a user profile named "myprof", which supplies the credentials the sensor uses to log in to the managed device where blocking is enforced: the username, password, and enable password. The managed device itself is defined in the router-devices entry, which holds the device's IP address, the communication protocol (telnet here), the interface and direction on which the blocking ACL is applied (Ethernet0/0 in), and a reference to the profile. Because communication telnet carries the login and every ACL push in cleartext, and the example uses the default-looking password "cisco", a production deployment should use ssh-3des and a strong, unique password for the blocking account.

The example also shows the exclude list, never-block-hosts, which defines the sensor's own IP address as an address that must never be blocked. Without it, an attack sourced from (or spoofed as) that address could cause the sensor to shun its own management traffic to the router.

Note that the inline interface parameters have been omitted in this sample output. Refer to Example 20-4 to complete that part of the configuration.

Example 20-8. Configuring Custom Signature and IPS Blocking

IPS# show configuration
! ------------------------------
! Current configuration last modified Mon Jul 09 12:48:55 2007
! ------------------------------
! Version 6.0(1)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S263.0   2006-12-18
!     Virus Update        V1.2     2005-11-24
! ------------------------------
<..>
! ------------------------------
service host
network-settings
host-ip 172.16.10.1/24,172.16.10.254
host-name IPS
telnet-option disabled
access-list 172.16.10.0/24
exit
exit
! ------------------------------
<..>
! ------------------------------
service network-access
general
never-block-hosts 172.16.10.1
exit
user-profiles myprof
enable-password cisco
password cisco
username cisco
exit
router-devices 172.16.1.1
communication telnet
profile-name myprof
block-interfaces Ethernet0/0 in
exit
response-capabilities block
exit
exit
! ------------------------------
<..>
! ------------------------------
service signature-definition sig0
signatures 65000 0
sig-description
sig-name testing123
exit
engine string-tcp
event-action request-block-connection
regex-string attack
service-ports 23
direction to-service
exit
status
enabled true
<..>
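To make the interaction between these settings concrete, the following Python script (an added example, not Cisco tooling and not output from the book) parses the blocking-related lines of an Example 20-8 style show configuration and models the sensor's decision chain for a Telnet segment: does signature 65000 match, does it carry request-block-connection, is response-capabilities set to block, and does never-block-hosts exempt either endpoint. Python's re stands in for the sensor's own regex dialect (identical for a literal such as "attack"), exempting a connection when either endpoint is on the never-block list is a modelling assumption, and the embedded configuration is a constructed abridgement of Example 20-8.

```python
"""Decide which Telnet flows an Example 20-8 style IPS policy would shun. Added
example, not Cisco tooling: it parses only the keywords the example shows and
models the chain signature -> event-action -> response-capabilities -> never-block."""
import re

# Constructed input: Example 20-8 trimmed to the lines the parser reads.
SAMPLE_CONFIG = """\
service host
host-ip 172.16.10.1/24,172.16.10.254
service network-access
never-block-hosts 172.16.10.1
router-devices 172.16.1.1
communication telnet
response-capabilities block
service signature-definition sig0
signatures 65000 0
engine string-tcp
event-action request-block-connection
regex-string attack
service-ports 23
direction to-service
enabled true
"""

def parse_config(text):
    """Flat keyword scan; 'signatures N 0' opens a record the following keys fill."""
    cfg = {"sensor_ip": "", "never_block": set(), "communication": "",
           "response_capabilities": "", "signatures": {}}
    sig = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!<":   # banner comments and <..> elisions
            continue
        key, *args = line.split()
        if key == "host-ip":
            cfg["sensor_ip"] = args[0].split("/")[0]
        elif key == "never-block-hosts":
            cfg["never_block"].update(args[0].split(","))
        elif key in ("communication", "response-capabilities"):
            cfg[key.replace("-", "_")] = args[0]
        elif key == "signatures":
            sig = {"id": int(args[0]), "engine": "", "actions": set(), "regex": "",
                   "ports": set(), "direction": "", "enabled": False}
            cfg["signatures"][sig["id"]] = sig
        elif sig is not None:
            if key == "engine":
                sig["engine"] = args[0]
            elif key == "event-action":      # several actions are joined with '|'
                sig["actions"] = set(args[0].split("|"))
            elif key == "regex-string":
                sig["regex"] = " ".join(args)
            elif key == "service-ports":     # "23" or "23,2323"; ranges not modelled
                sig["ports"] = {int(p) for p in args[0].split(",")}
            elif key == "direction":
                sig["direction"] = args[0]
            elif key == "enabled":
                sig["enabled"] = args[0] == "true"
    return cfg

def signature_matches(sig, dst_port, payload, to_service=True):
    """STRING.TCP check: enabled, port listed, direction, regex over the stream.
    Python re stands in for the sensor's regex dialect; identical for a literal."""
    if not (sig["enabled"] and sig["engine"] == "string-tcp"):
        return False
    if dst_port not in sig["ports"]:
        return False
    if sig["direction"] == "to-service" and not to_service:
        return False
    return re.search(sig["regex"].encode(), payload) is not None

def block_decision(cfg, src, dst, dst_port, payload):
    """What the sensor would do with a client->server TCP segment."""
    for sig in cfg["signatures"].values():
        if not signature_matches(sig, dst_port, payload):
            continue
        if "request-block-connection" not in sig["actions"]:
            return "alert-only"
        if cfg["response_capabilities"] != "block":
            return "alert-only (blocking not enabled)"
        # Assumption of this model: a connection touching an excluded host is not shunned.
        if {src, dst} & cfg["never_block"]:
            return "alert-only (never-block-hosts)"
        return "request-block-connection"
    return "no-match"

def audit(cfg):
    """Checks worth running before the block response goes live."""
    findings = []
    if cfg["communication"] == "telnet":
        findings.append("device reached over telnet: login and ACL pushes are cleartext; use ssh-3des")
    if cfg["sensor_ip"] and cfg["sensor_ip"] not in cfg["never_block"]:
        findings.append("sensor address missing from never-block-hosts")
    return findings

if __name__ == "__main__":
    policy = parse_config(SAMPLE_CONFIG)
    print(block_decision(policy, "10.0.0.5", "172.16.1.10", 23, b"login: attack\r\n"))
    print(*audit(policy), sep="\n")
```

Run against the embedded configuration, a Telnet client sending "attack" yields request-block-connection, the same string on port 80 yields no-match, and a source equal to the sensor's own address yields alert-only (never-block-hosts); the audit flags the cleartext Telnet management channel, which is the first thing to change before enabling blocking on a real sensor.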


