Verifying the IOS-IDS Configuration
A working and well-tested IDS can be very important for the continuity of your business. It ensures that all attacks IOS has a signature for are actually detected and that alerts are sent to the appropriate place. In this section, we discuss how you can verify and test an IOS-based IDS configuration. We will see examples of commands you can use to verify the operation of your IDS. In addition, we look at how to troubleshoot an IDS configuration. The commands and items we will discuss include:
show ip audit interfaces
show ip audit configuration
show ip audit statistics
show ip audit sessions
show ip audit debug
clear ip audit statistics
clear ip audit configuration
debug commands
show ip audit interfaces
The show ip audit interfaces EXEC command is used to display the interface configuration. Figure 11.5 shows an example of the output of this command.
Router#show ip audit interfaces
Interface Configuration
Interface Ethernet1/0
Inbound IDS audit rule is idstest
info actions alarm
attack actions alarm drop reset
Outgoing IDS audit rule is not set
Figure 11.5: The show ip audit interfaces Command
In Figure 11.5, the audit rule idstest is applied to interface Ethernet1/0 in the inbound direction. When an informational signature is triggered by certain activity, the router sends an alarm to the configured Syslog server or Director. When an attack signature is triggered, an alarm is sent, the packet is dropped, and in the case of a TCP session, the session is reset. No audit rule is applied in the outbound direction.
show ip audit configuration
The show ip audit configuration EXEC command is used to display an overview of the configuration information. It includes information not shown by the show running-config command, such as the default values of certain parameters. Figure 11.6 shows an example of the output of this command.
Router#show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is disabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 250
PostOffice:HostID:0 OrgID:0 Msg dropped:0
:Curr Event Buf Size:0 Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
Audit name idstest
info actions alarm
attack actions alarm drop reset
Figure 11.6: The show ip audit configuration Command
Figure 11.6 is an example of how the output of the show ip audit configuration command looks when only the log notification type is used and no PostOffice parameters are configured. As you can see, event notification through the Director is disabled, and PostOffice communication is not enabled.
Figure 11.7 shows the command output of another IOS-IDS sensor.
Router#show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 300
Signature 1107 disable
PostOffice:HostID:1 OrgID:100 Msg dropped:0
:Curr Event Buf Size:100 Configured:100
Host ID:2, Organization ID:100, SYN pkts sent:1,
ACK pkts sent:2, Heartbeat pkts sent:82, Heartbeat ACK pkts sent:49,
Duplicate ACK pkts received:0, Retransmission:0, Queued pkts:0
ID:1 Dest:172.16.20.2:45000 Loc:172.16.20.1:45000 T:5 S:ESTAB *
Audit Rule Configuration
Audit name idstest
info actions alarm
attack actions alarm drop reset
Figure 11.7: The show ip audit configuration Command
The first thing we see when looking at Figure 11.7 is that event notification through Syslog and through the Director are both enabled. This means that each time a signature is triggered, an alarm is sent to both locations. The default actions for informational and attack signatures are set, and the threshold of recipients for the spam signature has been set to 300. We also see that signature 1107 has been disabled.
In the next part of the output, we find the PostOffice settings, the current and configured notification queue size, and statistics on packets sent between the IOS-IDS sensor and the Director. Using this data, you can verify the communication between the IOS-IDS sensor and the Director. The line ending with ESTAB * tells you that a session between the IOS-IDS sensor and the Director has been established. If you find SYN SENT at the end of this line, it means the IOS-IDS sensor tried to set up a session but the Director is not answering, or that the setup of the session has not yet been completed. Figure 11.8 shows an example of the output of the show ip audit configuration command in this situation.
Router#show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 300
Signature 1107 disable
PostOffice:HostID:1 OrgID:20 Msg dropped:0
:Curr Event Buf Size:100 Configured:100
Host ID:2, Organization ID:100, SYN pkts sent:573,
ACK pkts sent:0, Heartbeat pkts sent:0, Heartbeat ACK pkts sent:0,
Duplicate ACK pkts received:0, Retransmission:0, Queued pkts:0
ID:1 Dest:172.16.20.2:45000 Loc:172.16.20.1:45000 T:5 S:SYN SENT
Audit Rule Configuration
Audit name idstest
info actions alarm
attack actions alarm drop reset
Figure 11.8: The show ip audit configuration Command
The output of the show ip audit configuration command ends with the audit rule configuration on the router. In Figures 11.6 through 11.8, we see that an audit rule named idstest has been configured on this router, plus which actions have been configured for the info and attack signatures under that rule.
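The PostOffice check described above is worth automating when several sensors report to one Director. The following Python script is an added example, not part of the original text or of Cisco IOS: it parses the show ip audit configuration output of Figures 11.6 through 11.8 (reproduced without the router prompt and without the two "Default action(s)" lines, which it does not use), classifies the sensor-to-Director link as not enabled, established, or stuck in SYN SENT, and lists the conditions an operator would want flagged. The dictionary keys, the status strings, and the wording of the notes are the example's own choices.

```python
import re

# Sample input: the "show ip audit configuration" captures from Figures 11.6
# and 11.7 of this section, reproduced as test data (router prompt omitted).
FIG_11_6 = """Event notification through syslog is enabled
Event notification through Net Director is disabled
Default threshold of recipients for spam signature is 250
PostOffice:HostID:0 OrgID:0 Msg dropped:0
:Curr Event Buf Size:0 Configured:100
Post Office is not enabled - No connections are active
Audit Rule Configuration
Audit name idstest
info actions alarm
attack actions alarm drop reset"""

FIG_11_7 = """Event notification through syslog is enabled
Event notification through Net Director is enabled
Default threshold of recipients for spam signature is 300
Signature 1107 disable
PostOffice:HostID:1 OrgID:100 Msg dropped:0
:Curr Event Buf Size:100 Configured:100
Host ID:2, Organization ID:100, SYN pkts sent:1,
ACK pkts sent:2, Heartbeat pkts sent:82, Heartbeat ACK pkts sent:49,
Duplicate ACK pkts received:0, Retransmission:0, Queued pkts:0
ID:1 Dest:172.16.20.2:45000 Loc:172.16.20.1:45000 T:5 S:ESTAB *
Audit Rule Configuration
Audit name idstest
info actions alarm
attack actions alarm drop reset"""

# Figure 11.8 differs from 11.7 only in its PostOffice lines: SYNs go out,
# nothing comes back, and the session stays in SYN SENT.
FIG_11_8 = (FIG_11_7.replace("OrgID:100", "OrgID:20")
            .replace("SYN pkts sent:1,", "SYN pkts sent:573,")
            .replace("ACK pkts sent:2, Heartbeat pkts sent:82, Heartbeat ACK pkts sent:49,",
                     "ACK pkts sent:0, Heartbeat pkts sent:0, Heartbeat ACK pkts sent:0,")
            .replace("S:ESTAB *", "S:SYN SENT"))

CONN_RE = re.compile(r"^ID:(\d+) Dest:(\S+) Loc:(\S+) T:(\d+) S:(.*)$")
# PostOffice packet counters span two lines; "^ACK" is anchored so that the
# "Heartbeat ACK pkts sent" field is not mistaken for it.
COUNTERS = (("syn_sent", r"SYN pkts sent:(\d+)"), ("ack_sent", r"^ACK pkts sent:(\d+)"),
            ("heartbeat_sent", r"Heartbeat pkts sent:(\d+)"))

def parse_audit_configuration(output):
    # Turn the CLI text into a dict that a monitoring script can test.
    cfg = {"notification": {}, "spam_threshold": None, "disabled_signatures": [],
           "postoffice_enabled": True, "connections": [], "syn_sent": 0,
           "ack_sent": 0, "heartbeat_sent": 0, "audit_rules": {}}
    rule = None
    for line in (raw.strip() for raw in output.splitlines()):
        if m := re.match(r"Event notification through (.+?) is (enabled|disabled)$", line):
            cfg["notification"][m.group(1)] = m.group(2) == "enabled"
        elif m := re.match(r"Default threshold of recipients for spam signature is (\d+)$", line):
            cfg["spam_threshold"] = int(m.group(1))
        elif m := re.match(r"Signature (\d+) disable", line):
            cfg["disabled_signatures"].append(int(m.group(1)))
        elif line.startswith("Post Office is not enabled"):
            cfg["postoffice_enabled"] = False
        elif m := CONN_RE.match(line):
            # "ESTAB *" carries a trailing marker; keep only the state words.
            cfg["connections"].append({"id": int(m.group(1)), "dest": m.group(2),
                                       "loc": m.group(3), "state": m.group(5).rstrip(" *")})
        elif m := re.match(r"Audit name (\S+)$", line):
            rule = m.group(1)
            cfg["audit_rules"][rule] = {}
        elif rule and (m := re.match(r"(info|attack) actions (.+)$", line)):
            cfg["audit_rules"][rule][m.group(1)] = m.group(2).split()
        else:
            for key, pattern in COUNTERS:
                if m := re.search(pattern, line):
                    cfg[key] = int(m.group(1))
    return cfg

def director_status(cfg):
    # Read the sensor-to-Director link the way Figures 11.6 to 11.8 are read in the text.
    if not cfg["postoffice_enabled"]:
        return "postoffice-disabled"
    states = {c["state"] for c in cfg["connections"]}
    if "ESTAB" in states:
        return "established"
    if "SYN SENT" in states:
        return "syn-sent"
    return "unknown"

def findings(output):
    # Conditions an operator wants flagged; returns (status, list of notes).
    cfg = parse_audit_configuration(output)
    status = director_status(cfg)
    notes = []
    if cfg["notification"].get("Net Director") and status != "established":
        notes.append("Director notification is enabled but no PostOffice session is established")
    if status == "syn-sent":
        notes.append("sensor sent %d SYN and %d ACK packets: Director not answering or "
                     "session setup not completed" % (cfg["syn_sent"], cfg["ack_sent"]))
    notes += ["signature %d is disabled" % sig for sig in cfg["disabled_signatures"]]
    if not cfg["audit_rules"]:
        notes.append("no audit rule is configured")
    return status, notes
```

Run against Figure 11.6 the script reports postoffice-disabled with no notes, against Figure 11.7 an established link with signature 1107 flagged as disabled, and against Figure 11.8 a link stuck in SYN SENT after 573 SYNs and no ACKs, which is exactly the condition the text tells you to look for.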
show ip audit statistics
The show ip audit statistics EXEC command displays the number of packets audited plus the number of alarms sent. Figure 11.9 shows an example of the output of this command.
Router#show ip audit statistics
Signature audit statistics [process switch:fast switch]
signature 1101 packets audited: [0:98]
signature 2004 packets audited: [0:11]
signature 3050 packets audited: [145:0]
signature 4050 packets audited: [0:720]
Interfaces configured for audit 1
Session creations since subsystem startup or last reset 2729
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:4:0]
Last session created 00:09:39
Last statistic reset never
Host ID:2, Organization ID:100, SYN pkts sent:218,
ACK pkts sent:3, Heartbeat pkts sent:14085, Heartbeat ACK pkts sent:7114,
Duplicate ACK pkts received:0, Retransmission:0, Queued pkts:0
Figure 11.9: The show ip audit statistics Command
Figure 11.9 shows a number of intrusions detected by IOS-IDS. For instance, signature 3050 has been triggered several times, meaning a half-open SYN attack has been detected. Further, there are some session counters and statistics on PostOffice communication.
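Because these counters accumulate from the last reset, the practical way to verify that a signature fires is to take a snapshot before and after sending known test traffic and compare the two. The following Python is an added example, not part of the original text or of Cisco IOS: it parses the show ip audit statistics output of Figure 11.9, sums the process-switched and fast-switched columns per signature, and reports which signatures incremented relative to a baseline snapshot. The baseline values are constructed for the example, and the SIG_NAMES table carries only the label the text gives for signature 3050.

```python
import re

# Sample input: the "show ip audit statistics" capture from Figure 11.9 of this
# section (router prompt omitted).
FIG_11_9 = """Signature audit statistics [process switch:fast switch]
signature 1101 packets audited: [0:98]
signature 2004 packets audited: [0:11]
signature 3050 packets audited: [145:0]
signature 4050 packets audited: [0:720]
Interfaces configured for audit 1
Session creations since subsystem startup or last reset 2729
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:4:0]
Last session created 00:09:39
Last statistic reset never
Host ID:2, Organization ID:100, SYN pkts sent:218,
ACK pkts sent:3, Heartbeat pkts sent:14085, Heartbeat ACK pkts sent:7114,
Duplicate ACK pkts received:0, Retransmission:0, Queued pkts:0"""

# Constructed for this example: the same counters as they might have looked
# before the test traffic was sent.
BASELINE = """Signature audit statistics [process switch:fast switch]
signature 1101 packets audited: [0:98]
signature 2004 packets audited: [0:11]
signature 3050 packets audited: [140:0]
signature 4050 packets audited: [0:720]
Interfaces configured for audit 1
Session creations since subsystem startup or last reset 2610
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:4:0]"""

# Only the signature the text names is labelled; others fall back to "unnamed".
SIG_NAMES = {3050: "half-open SYN attack"}

SIG_RE = re.compile(r"^signature (\d+) packets audited: \[(\d+):(\d+)\]$")
COUNTS_RE = re.compile(r"^(Current|Maxever) session counts "
                       r"\(estab/half-open/terminating\) \[(\d+):(\d+):(\d+)\]$")
CREATED_RE = re.compile(r"^Session creations since subsystem startup or last reset (\d+)$")
IFACES_RE = re.compile(r"^Interfaces configured for audit (\d+)$")

def parse_audit_statistics(output):
    stats = {"signatures": {}, "sessions": {}, "session_creations": None, "interfaces": None}
    for line in (raw.strip() for raw in output.splitlines()):
        if m := SIG_RE.match(line):
            sig, process, fast = (int(g) for g in m.groups())
            # The router keeps process-switched and fast-switched hits apart; total them.
            stats["signatures"][sig] = {"process": process, "fast": fast, "total": process + fast}
        elif m := COUNTS_RE.match(line):
            stats["sessions"][m.group(1).lower()] = {"estab": int(m.group(2)),
                                                     "half_open": int(m.group(3)),
                                                     "terminating": int(m.group(4))}
        elif m := CREATED_RE.match(line):
            stats["session_creations"] = int(m.group(1))
        elif m := IFACES_RE.match(line):
            stats["interfaces"] = int(m.group(1))
    return stats

def signature_delta(before, after):
    # Signatures whose audited-packet count rose between two snapshots, for
    # instance across a test run. Clearing the statistics first (clear ip audit
    # statistics) gives the same answer with an all-zero baseline.
    delta = {}
    for sig, cur in after["signatures"].items():
        prev = before["signatures"].get(sig, {"total": 0})["total"]
        if cur["total"] > prev:
            delta[sig] = cur["total"] - prev
    return delta

def describe_delta(delta):
    return ["%s (signature %d) fired %d time(s)" % (SIG_NAMES.get(sig, "unnamed"), sig, n)
            for sig, n in sorted(delta.items())]

def sanity_checks(stats):
    # Conditions that mean the statistics cannot be trusted as evidence of coverage.
    notes = []
    if not stats["interfaces"]:
        notes.append("no interface has an audit rule applied; nothing is being inspected")
    if not stats["signatures"]:
        notes.append("no signature counters present")
    return notes
```

Comparing the constructed baseline with Figure 11.9, only signature 3050 moved (by 5), which is what you would expect to see after a deliberate half-open SYN test against a host behind the router; an unchanged counter after such a test points at the audit rule, the interface binding, or the traffic path rather than at the signature.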
show ip audit sessions
The show ip audit sessions EXEC command is used to display the current sessions on the IOS-IDS sensor. This command can be useful when troubleshooting or checking the operation of the IDS. Figure 11.10 shows the output of the command at the moment a user is checking some POP3 e-mail accounts.
Router#show ip audit sessions
Established Sessions
Session 813635E4 (172.16.20.2:4071)=>(192.6.6.40:110) tcp SIS_OPEN
Terminating Sessions
Session 81363CC8 (172.16.20.2:4070)=>(192.6.196.44:110) tcp SIS_CLOSING
Router#show ip audit sessions
Terminating Sessions
Session 81363CC8 (172.16.20.2:4070)=>(192.6.196.44:110) tcp SIS_CLOSING
Session 813635E4 (172.16.20.2:4071)=>(192.6.6.40:110) tcp SIS_CLOSING
Figure 11.10: The show ip audit sessions Command
show ip audit debug
The show ip audit debug EXEC command is used to display the debug commands that have been enabled on the router. An example of the output of this command is shown in Figure 11.11.
Router#show ip audit debug
IDS Detailed Debug debugging is on
IDS TCP Inspection debugging is on
Figure 11.11: The show ip audit debug Command
The same result can be achieved with the show debug command, but that command shows all debug commands enabled on the router, while the show ip audit debug command displays only the ip audit debug commands that are enabled. An example of the show debug command output is shown in Figure 11.12.
Router#show debug
Generic IP:
IP packet debugging is on for access list 101
IDS Audit:
IDS Detailed Debug debugging is on
IDS TCP Inspection debugging is on
Figure 11.12: The show debug Command
clear ip audit statistics
The clear ip audit statistics EXEC command is used to reset the statistics on packets that have been audited and the number of alarms sent. To do this, type the command at the router prompt as follows:
Router#clear ip audit statistics
This command is useful when troubleshooting an IDS configuration and you want to start with fresh statistics.
clear ip audit configuration
The clear ip audit configuration EXEC command can be used to disable the IOS-based IDS. The command removes all IDS configuration entries and releases the dynamic resources IDS has in use. To clear the entire IP audit configuration, type the command at the router prompt as follows:
Router#clear ip audit configuration
Debug Commands
A number of debug commands are available to troubleshoot and test your IDS configuration. A combination of the alarms sent by the sensor and certain debug commands is very useful in testing the quality of your IDS configuration. We saw an example of this earlier in the section "Responses from the IOS-Based IDS," where we combined alarms with the debug ip audit detailed command. The following list shows the available ip audit debug commands in Cisco IOS; the last two commands are new in IOS 12.2.
debug ip audit detailed The debug ip audit detailed command enables IDS detailed debugging. Using this command, we see how IDS handles a packet: does it forward or drop the packet? In the previous section, we saw an example of this command in action. It can also be used in combination with other debug ip audit commands to get more information.
debug ip audit ftp-cmd This command enables IDS FTP command and response debugging. The output of this command shows messages about IDS-audited FTP command and response events.
debug ip audit ftp-token This command enables IDS FTP token debugging and is best used in combination with the debug ip audit ftp-cmd command. It enables tracing of the FTP tokens parsed.
debug ip audit function-trace Using this command enables IDS function trace debugging, and creates a lot of output. The messages displayed relate to software functions called by IDS.
debug ip audit icmp The debug ip audit icmp command enables IDS ICMP packet debugging. The output of the command shows ICMP echo requests and replies.
debug ip audit ip This command enables IDS IP packet debugging.
debug ip audit object-creation Using this command enables IDS Object Creations debugging. The command's output shows messages about software objects created by IDS. Object creation refers to the start of an IDS-audited session.
debug ip audit object-deletion The debug ip audit object-deletion command enables IDS Object Deletions debugging. The command's output shows messages about software objects deleted by IDS. Object deletion refers to the closing of IDS-audited sessions.
debug ip audit rpc This command enables IDS RPC Inspection debugging. The command's output shows messages about IDS-audited RPC events, including details about RPC packets.
debug ip audit smtp Using this command enables IDS SMTP Inspection debugging, and the output shows messages about IDS-audited SMTP events. One of these events is the check for the spam signature, where IDS counts the number of recipients and then permits or denies the message.
debug ip audit tcp The debug ip audit tcp command enables IDS TCP Inspection debugging. The command's output displays messages about IDS-audited TCP events, including details about TCP packets. It shows every ACK and SYN that passes through.
debug ip audit tftp This command enables IDS TFTP Inspection debugging. The output of this command displays messages about IDS-audited TFTP events.
debug ip audit timers The debug ip audit timers command enables the debugging of IDS timer events.
debug ip audit udp This command enables IDS UDP Inspection debugging. The output of this command shows messages about IDS-audited UDP events, including details about UDP packets.
debug ip audit dns Using this command enables IDS DNS Inspection debugging. The output of this command displays messages about IDS-audited DNS events.
debug ip audit http The debug ip audit http command enables IDS HTTP Inspection debugging. The output of this command shows messages about IDS-audited HTTP events.
Warning Use these debug commands with caution on a production system. Some of the commands generate a lot of output and consume available CPU cycles, possibly causing the router to hang.