My 2620XM has the built-in IPS signatures configured, and a syslog server is running on my computer. I am logging down to debugging (level 7) messages, so it tells me everything. I was getting ICMP Echo Req messages, like 5 in a row, every 5 seconds or so. This is just my next hop at the ISP, so it's normal. If a problem actually occurs, I don't want to have to weed through millions of these messages, nor do I want them filling up my hard drive. So I disabled the signature by first looking at the signature ID and sub-signature ID---my syslog server daemon tells me in the messages, though to get the specific one, you can do this...for ICMP Echo Req...
Edge#sh ip ips signature detail | incl ICMP
Edge#sh ip ips sig det | incl ICMP
Signature Micro-Engine: ATOMIC.ICMP (14 sigs)
Name: ICMP Echo Rply
Name: ICMP Unreachable
Name: ICMP Src Quench
Name: ICMP Redirect
Name: ICMP Echo Req
Name: ICMP Time Exceed
Name: ICMP Param Prob
Name: ICMP Time Req
Name: ICMP Time Rply
Name: ICMP Info Req
Name: ICMP Info Rply
Name: ICMP Addr Msk Req
Name: ICMP Addr Msk Rply
Name: Fragmented ICMP
SigStringInfo: OPACL ICMP Signature
Name: Large ICMP
Edge#sh ip ips signature
<output omitted>
Signature Micro-Engine: ATOMIC.ICMP (14 sigs)
SigID:SubID On Action Sev  Trait MH    AI    CT    TI    AT FA WF Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- -------
2000:0      Y  A      INFO 0     0     0     100   30    FA N     S37
2001:0      Y  A      INFO 0     0     0     100   30    FA N     S37
2002:0      Y  A      INFO 0     0     0     100   30    FA N     S37
2003:0      Y  A      INFO 0     0     0     100   30    FA N     S37
2004:0      N  A      INFO 0     0     0     100   30    FA N     S37
2005:0      Y  A      INFO 0     0     0     100   30    FA N     S37
2006:0      Y  A      INFO 0     0     0     100   30    FA N     S37
2007:0      Y  A      INFO 0     0     0     100   30    FA N     S37
2008:0      Y  A      INFO 0     0     0     100   30    FA N     S37
2009:0      Y  A      INFO 0     0     0     100   30    FA N     S37
2010:0      Y  A      INFO 0     0     0     100   30    FA N     S37
2011:0      Y  A      INFO 0     0     0     100   30    FA N     S37
2012:0      Y  A      INFO 0     0     0     100   30    FA N     S37
2150:0      Y  A      INFO 0     0     0     100   30    FA N  Y  S37
You see that from the first command, it's the 5th one down I want to disable, and the second command shows that it is IPS sig ID 2004, sub sig ID 0. Now to disable it...
Edge#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Edge(config)#ip ips sig 2004 0 disable
And the messages stop.
Burt
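Added example, not part of Burt's post and not a Cisco tool: a small Python script that tallies IOS IPS syslog alerts per signature and per source address, then checks the `show ip ips signature` table from the post to see whether each noisy signature is still enabled. It assumes the router logs IPS events in the form `%IPS-4-SIGNATURE: Sig:<id> Subsig:<sub> Sev:<n> <name> [<src>:<port> -> <dst>:<port>]` (an assumption about the message format); the syslog lines are constructed, with 203.0.113.1 standing in for the ISP next hop. Ranking hits by source separates one chatty neighbour from the same signature firing across many sources, which is the check worth making before turning a signature off.

```python
import re
from collections import Counter, defaultdict

# "show ip ips signature" rows for the ATOMIC.ICMP engine, copied from the post.
SHOW_IPS_SIG = """\
Signature Micro-Engine: ATOMIC.ICMP (14 sigs)
SigID:SubID On Action Sev Trait MH AI CT TI AT FA WF Version
2000:0 Y A INFO 0 0 0 100 30 FA N S37
2001:0 Y A INFO 0 0 0 100 30 FA N S37
2002:0 Y A INFO 0 0 0 100 30 FA N S37
2003:0 Y A INFO 0 0 0 100 30 FA N S37
2004:0 N A INFO 0 0 0 100 30 FA N S37
2005:0 Y A INFO 0 0 0 100 30 FA N S37
2006:0 Y A INFO 0 0 0 100 30 FA N S37
2007:0 Y A INFO 0 0 0 100 30 FA N S37
2008:0 Y A INFO 0 0 0 100 30 FA N S37
2009:0 Y A INFO 0 0 0 100 30 FA N S37
2010:0 Y A INFO 0 0 0 100 30 FA N S37
2011:0 Y A INFO 0 0 0 100 30 FA N S37
2012:0 Y A INFO 0 0 0 100 30 FA N S37
2150:0 Y A INFO 0 0 0 100 30 FA N Y S37
"""

# Constructed syslog lines (assumed IOS IPS message format): ten echo requests
# from the "next hop" 203.0.113.1, one from elsewhere, one echo reply, one unrelated line.
SAMPLE_SYSLOG = [
    f"Jan  5 10:00:{5 * i:02d} Edge: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 "
    f"ICMP Echo Req [203.0.113.1:0 -> 203.0.113.2:0]"
    for i in range(10)
] + [
    "Jan  5 10:01:03 Edge: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 "
    "ICMP Echo Req [198.51.100.7:0 -> 203.0.113.2:0]",
    "Jan  5 10:01:05 Edge: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:25 "
    "ICMP Echo Rply [203.0.113.2:0 -> 203.0.113.1:0]",
    "Jan  5 10:01:09 Edge: %SYS-5-CONFIG_I: Configured from console by console",
]

# Assumed IPS alert layout; anything that does not match is ignored.
IPS_MSG = re.compile(
    r"%IPS-\d-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<sub>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\]"
)
# A table row starts with "<sig>:<sub>" followed by the On column (Y/N).
SIG_ROW = re.compile(r"^(?P<sig>\d+):(?P<sub>\d+)\s+(?P<on>[YN])\s")


def parse_signature_table(text):
    """Map (sig, subsig) -> enabled? from 'show ip ips signature' output."""
    table = {}
    for line in text.splitlines():
        m = SIG_ROW.match(line.strip())
        if m:
            table[(int(m["sig"]), int(m["sub"]))] = m["on"] == "Y"
    return table


def summarize_ips_log(lines):
    """Count alerts per (sig, subsig, name) and, within each, per source address."""
    per_sig = Counter()
    per_src = defaultdict(Counter)
    for line in lines:
        m = IPS_MSG.search(line)
        if not m:
            continue
        key = (int(m["sig"]), int(m["sub"]), m["name"])
        per_sig[key] += 1
        per_src[key][m["src"]] += 1
    return per_sig, per_src


def noisy_single_source(per_sig, per_src, min_hits=5, share=0.9):
    """Signatures where one source produces >= share of all hits: tuning candidates.

    Returns (key, top_source, top_hits, total_hits) tuples. A signature whose
    hits are spread over many sources is deliberately left out of the list.
    """
    out = []
    for key, total in per_sig.items():
        if total < min_hits:
            continue
        src, n = per_src[key].most_common(1)[0]
        if n / total >= share:
            out.append((key, src, n, total))
    return out


def report(table, per_sig, per_src):
    """One line per signature seen in the log, with its enabled state from the table."""
    lines = []
    for (sig, sub, name), total in per_sig.most_common():
        state = "enabled" if table.get((sig, sub), True) else "DISABLED"
        top_src, top_n = per_src[(sig, sub, name)].most_common(1)[0]
        lines.append(f"{sig}:{sub} {name:<16} {total:>4} hits  top src {top_src} ({top_n})  [{state}]")
    return lines


if __name__ == "__main__":
    table = parse_signature_table(SHOW_IPS_SIG)
    per_sig, per_src = summarize_ips_log(SAMPLE_SYSLOG)
    print("\n".join(report(table, per_sig, per_src)))
    for (sig, sub, name), src, n, total in noisy_single_source(per_sig, per_src):
        print(f"sig {sig}:{sub} ({name}): {n}/{total} hits from {src}; consider tuning rather than deleting visibility")
```

Run it against a real syslog file by replacing `SAMPLE_SYSLOG` with the file's lines; if a signature's hits come from many sources rather than one, it stays off the tuning list, which is the case where disabling it would cost real visibility.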