Cisco IPS - ICMP messages

At some point in the past I switched on logging for every ICMP packet through the IPS (every echo request, reply, time-exceeded :eek: ), and now I can't remember how the hell you switch it off :o

I could disable the subsig with ip ips signature 2004, but that's a bit like cracking a nut with a nuke. I managed to kill it off last night, but since then I've bumped back to defaults and managed to start it again. :(

Suggestions?
 
None of my access lists have anything ICMP related, and I've tried no debug ip icmp - it's set to off already.
As soon as I enable ip ips internet-out out on Dialer1, I get bombarded with
*Mar 1 00:59:29.407 UTC: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [80.249.110.123:0 -> [router]:0]

At a rate of at least one a second.
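
To see which signature and which sources account for a flood like this before choosing between disabling one signature and turning off all IPS logging, the alert lines can be tallied offline. This is an added example, not part of the original thread; the sample lines are constructed in the format of the alert quoted above, and the names `ALERT_RE` and `summarize` are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the alert quoted above
# (documentation-range addresses; the Sig:2000 line and its name are made up).
SAMPLE = """\
*Mar 1 00:59:29.407 UTC: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.0.2.10:0 -> 198.51.100.1:0]
*Mar 1 00:59:30.407 UTC: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.0.2.10:0 -> 198.51.100.1:0]
*Mar 1 00:59:31.407 UTC: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:2 ICMP Echo Req [192.0.2.44:0 -> 198.51.100.1:0]
*Mar 1 00:59:33.000 UTC: %IPS-4-SIGNATURE: Sig:2000 Subsig:0 Sev:2 ICMP Echo Rply [198.51.100.1:0 -> 192.0.2.10:0]
*Mar 1 00:59:40.000 UTC: %SYS-5-CONFIG_I: Configured from console by console
"""

ALERT_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+)\s+\w+:\s+"
    r"%IPS-\d-SIGNATURE:\s+Sig:(?P<sig>\d+)\s+Subsig:(?P<sub>\d+)\s+Sev:(?P<sev>\d+)\s+"
    r"(?P<name>.+?)\s+\[(?P<src>\S+):\d+\s+->\s+(?P<dst>\S+):\d+\]\s*$"
)

def summarize(text):
    """Group IPS alerts by (sig, subsig): count, distinct sources, alerts per second."""
    groups = defaultdict(lambda: {"name": "", "sources": set(), "times": []})
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # some other syslog message
        g = groups[(int(m["sig"]), int(m["sub"]))]
        g["name"] = m["name"]
        g["sources"].add(m["src"])
        # The router timestamp has no year; a fixed leap year is assumed for parsing.
        g["times"].append(datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f"))
    report = {}
    for key, g in groups.items():
        span = (max(g["times"]) - min(g["times"])).total_seconds()
        count = len(g["times"])
        report[key] = {
            "name": g["name"],
            "count": count,
            "sources": sorted(g["sources"]),
            # Rate over the observed window; undefined for a single alert.
            "per_sec": round((count - 1) / span, 2) if span > 0 else None,
        }
    return report

if __name__ == "__main__":
    for key, row in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        print(key, row)
```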
 
The only thing I can think of is
Code:
no ip ips notify log
but that will turn all your logging off. Are you using any sdf files as well as your ACLs?
 
I could be wrong, and I probably am! But would this line in your ACL log any ICMP messages?
deny ip 0.0.0.0 0.255.255.255 any log

Feel free to correct, because it's handy for me to know, but it almost looks like a deny any statement - also because ICMP would be flagged by the IP rather than TCP / UDP.

Kev
 
No, you're wrong. If the line were 'deny icmp any any log' (or whatever) then it would, but the router doesn't class ICMP as IP traffic.
 