I. Lab Environment

Lab topology
[Figure: lab topology diagram]

Address plan
[Figure: addressing table]

Lab objectives

· Enable IOS IPS.
· Configure logging.
· Modify an IPS signature.
· Verify IPS.

II. Configuration Procedure

1. On R1, create a directory in flash using the mkdir command. Name the directory ipsdir.

R1#mkdir ipsdir
Create directory filename [ipsdir]?
Created dir flash:ipsdir

2. On R1, configure the IPS signature storage location to be the directory you just created.

R1(config)#ip ips config location flash:ipsdir

3. On R1, create an IPS rule name using the ip ips name name command in global configuration mode. Name the IPS rule iosips.

R1(config)#ip ips name iosips

4. Enable syslog if it is not enabled.
Enable the timestamp service if it is not enabled.
Send log messages to the Syslog server at IP address 192.168.1.50.

R1(config)#ip ips notify log
R1(config)#service timestamps log datetime msec
R1(config)#logging host 192.168.1.50

5. Retire the all signature category with the retired true command (all signatures within the signature release).
Unretire the IOS_IPS Basic category with the retired false command.

R1(config)#ip ips signature-category 
R1(config-ips-category)#category all
R1(config-ips-category-action)#retired true
R1(config-ips-category-action)#category ios_ips basic
R1(config-ips-category-action)#retired false
R1(config-ips-category-action)#exit
R1(config-ips-category)#exit
Do you want to accept these changes? [confirm]
Applying Category configuration to signatures ...
%IPS-6-ENGINE_BUILDING: atomic-ip - 288 signatures - 6 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 30 ms - packets for this engine will be scanned

6. Apply the IPS rule to an interface with the ip ips name direction command in interface configuration mode. Apply the rule outbound on the Fa0/0 interface of R1.

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ips iosips out 
*3? 01, 00:56:27.5656:  %IPS-6-ENGINE_BUILDS_STARTED:  00:56:27 UTC 3? 01 1993
*3? 01, 00:56:27.5656:  %IPS-6-ENGINE_BUILDING: atomic-ip - 3 signatures - 1 of 13 engines
*3? 01, 00:56:27.5656:  %IPS-6-ENGINE_READY: atomic-ip - build time 8 ms - packets for this engine will be scanned
*3? 01, 00:56:27.5656:  %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 8 ms

7. Un-retire the echo request signature (signature 2004, subsig ID 0), enable it, and change the signature action to alert and drop.

R1(config)#ip ips signature-definition
R1(config-sigdef)#signature 2004 0
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#retired false 
R1(config-sigdef-sig-status)#enabled true 
R1(config-sigdef-sig-status)#exit
R1(config-sigdef-sig)#engine 
R1(config-sigdef-sig-engine)#event-action produce-alert 
R1(config-sigdef-sig-engine)#event-action deny-packet-inline 
R1(config-sigdef-sig-engine)#exit
R1(config-sigdef-sig)#exit
R1(config-sigdef)#exit
Do you want to accept these changes? [confirm]
%IPS-6-ENGINE_BUILDS_STARTED:  
%IPS-6-ENGINE_BUILDING: atomic-ip - 303 signatures - 3 of 13 engines
%IPS-6-ENGINE_READY: atomic-ip - build time 480 ms - packets for this engine will be scanned
%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 648 ms

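III. Verification

At this point PCC can no longer ping PCA.
[Figure: failed ping from PCC to PCA]

View the logs recorded on the syslog server.
[Figure: syslog server log entries]

Complete lab configuration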


R1 running-config
Building configuration…

Current configuration : 1125 bytes
!
version 12.4
service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
ip ips config location flash:ipsdir retries 1
ip ips name iosips
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip ips iosips out
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.0
!
interface Serial0/0/1
no ip address
clock rate 2000000
shutdown
!
interface Vlan1
no ip address
shutdown
!
router eigrp 101
network 10.0.0.0
network 192.168.1.0
no auto-summary
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
logging trap debugging
logging 192.168.1.50
line con 0
password ciscoconpa55
!
line aux 0
!
line vty 0 4
password ciscovtypa55
login
!
!
!
end
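
The following Python check is an added example, not part of the original lab. It reads a saved running-config and reports the IPS settings from steps 2 to 6, including any rule applied to an interface but never defined. The function name audit_ips and the SAMPLE excerpt are assumptions made for illustration. The running-config shown above does not list ip ips notify log or the signature 2004 changes, so the script does not check them.

```python
import re

# Constructed excerpt of the R1 running-config shown above (no indentation, as printed there).
SAMPLE = """\
service timestamps log datetime msec
ip ips config location flash:ipsdir retries 1
ip ips name iosips
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
interface FastEthernet0/0
ip ips iosips out
!
interface Serial0/0/0
!
logging 192.168.1.50
"""

def audit_ips(config):
    """Return the IPS-related facts found in an IOS running-config."""
    found = {"location": None, "rules": set(), "applied": {}, "retired": {},
             "log_timestamps": False, "syslog_hosts": []}
    iface = category = None
    for line in (l.strip() for l in config.splitlines()):
        if line == "!":                      # '!' closes the current block
            iface = category = None
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface = m[1]
        elif m := re.fullmatch(r"ip ips config location (\S+).*", line):
            found["location"] = m[1]
        elif m := re.fullmatch(r"ip ips name (\S+)", line):
            found["rules"].add(m[1])
        elif iface and (m := re.fullmatch(r"ip ips (\S+) (in|out)", line)):
            found["applied"][iface] = (m[1], m[2])
        elif m := re.fullmatch(r"category (.+)", line):
            category = m[1]
        elif category and (m := re.fullmatch(r"retired (true|false)", line)):
            found["retired"][category] = m[1] == "true"
        elif line.startswith("service timestamps log datetime"):
            found["log_timestamps"] = True
        elif m := re.fullmatch(r"logging (?:host )?(\d+\.\d+\.\d+\.\d+)", line):
            found["syslog_hosts"].append(m[1])
    # A rule applied to an interface but never defined inspects nothing.
    found["undefined"] = {r for r, _ in found["applied"].values()} - found["rules"]
    return found
```

A non-empty "undefined" set, an empty "applied" map, or "retired" showing ios_ips basic as True each mean the interface is not being inspected as the lab intends.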