IOS IDS Signatures

adeelasher
Level 1

Dear All

I am new to this IOS IDS thing. First of all, I want to know about some document which can tell me details about IOS IDS features and implementation.

Secondly, what is the difference between ip audit info and attack signatures, and why can these both not be used together?

Third, is there any web-based utility to manage IOS IDS?

Fourth, is there any way to download the latest signatures for IOS IDS?

Fifth, following is my configuration, and it is blocking all ICMP traffic, which is not supposed to be an attack.

I will be really grateful if somebody can tell me whether this configuration includes all the signatures.

interface Ethernet0/0

ip address 172.1.1.1 255.0.0.0

ip audit first in

ip audit first out

------------------------------------------------

IDS#sh ip audit name first

Audit name first

attack actions alarm drop reset

-------------------------------------------------

Thank you very much in anticipation for your reply.

Regards


ywadhavk
Cisco Employee

Hi Adeel,

1. This is a good URL that explains the entire IOS FW feature set. As you are specifically interested in IDS, choose the link "Configuring Cisco IOS Firewall Intrusion Detection System":

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/index.htm

2. The IOS IDS signatures (approx. 100 of them now implemented in 12.3) are categorized into "info" and "attack" based on their impact.

You can use the info and attack in the same audit rule e.g.

ip audit name audit-name info

ip audit name audit-name attack

This is explained at the URL above.

3. There isn't a management utility as such, but you can send the alarms/alerts to the VMS2.2 Security Monitor or to a syslog server.

4. The signature updates are NOT independent of the IOS itself. Thus the sig updates will be upgraded with the upgrade of the IOS.

5. Please refer to the URL above for a configuration sample, and you will get the idea as to how to build the rules.

Let me know if it doesn't work.

Thanks,

yatin

adeelasher
Level 1

Thanks buddy that was a great help.

Can you please tell me 2 things

1- The configuration I have, does that include all the available signatures?

2- Why this configuration blocks simple ping packets?

Hi Adeel,

Maybe the ICMP is matching one of these 'attack'-nature signatures for the traffic:

2150 Fragmented ICMP Traffic (Attack, Atomic)

Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 (ICMP) or there is an offset indicated in the offset field.

2151 Large ICMP Traffic (Attack, Atomic)

Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the IP length is greater than 1024.

2154 Ping of Death Attack (Attack, Atomic)

That's all I could think of without actually seeing the sniffer trace for the traffic that you are generating.

Thanks,

yatin
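To make the trigger conditions yatin quotes for signatures 2150 and 2151 concrete, here is an added Python example (not code from the thread or from Cisco) that evaluates those two conditions against raw IPv4 headers. The headers are constructed in the script for illustration; the helper names `build_ipv4_header` and `matched_signatures` are this example's own, the destination address 172.1.1.2 is hypothetical, and signature 2154 is left out because the thread gives no trigger description for it. A plain 64-byte echo request matches neither condition, so if such pings are being dropped the cause must be something a sniffer trace would reveal, such as large or fragmented echo payloads.

```python
import struct
from typing import List

IPPROTO_ICMP = 1
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4_header(total_length: int, protocol: int,
                      flags: int = 0, frag_offset: int = 0) -> bytes:
    """Build a minimal IPv4 header for a constructed sample packet.

    flags: 3-bit field, 0x1 = MF (more fragments), 0x2 = DF.
    frag_offset: 13-bit fragment offset in 8-byte units.
    """
    version_ihl = (4 << 4) | 5           # IPv4, IHL = 5 words
    tos = 0
    identification = 0x1234              # constructed value
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    ttl = 64
    checksum = 0                         # not validated by this example
    src = bytes([172, 1, 1, 1])          # address from the thread's config
    dst = bytes([172, 1, 1, 2])          # hypothetical destination
    return struct.pack(IPV4_HEADER_FMT, version_ihl, tos, total_length,
                       identification, flags_frag, ttl, protocol, checksum,
                       src, dst)


def matched_signatures(ip_header: bytes) -> List[int]:
    """Return the signature IDs from yatin's list whose stated trigger the
    header satisfies: 2150 (fragmented ICMP) and 2151 (ICMP, IP length > 1024).
    """
    if len(ip_header) < 20:
        raise ValueError("need at least 20 bytes of IPv4 header")
    (version_ihl, _tos, total_length, _ident, flags_frag,
     _ttl, protocol, _csum, _src, _dst) = struct.unpack(IPV4_HEADER_FMT,
                                                       ip_header[:20])
    if version_ihl >> 4 != 4:
        return []                        # not IPv4; these signatures do not apply
    if protocol != IPPROTO_ICMP:
        return []                        # both signatures require protocol 1

    hits: List[int] = []
    more_fragments = bool((flags_frag >> 13) & 0x1)
    frag_offset = flags_frag & 0x1FFF
    # 2150: MF flag set, or a non-zero fragment offset (a later fragment)
    if more_fragments or frag_offset != 0:
        hits.append(2150)
    # 2151: total IP length greater than 1024 bytes
    if total_length > 1024:
        hits.append(2151)
    return hits


# Constructed sample headers (not captured traffic)
NORMAL_PING = build_ipv4_header(84, IPPROTO_ICMP)              # 20 IP + 8 ICMP + 56 data
LARGE_PING = build_ipv4_header(1500, IPPROTO_ICMP)             # e.g. a 1472-byte echo payload
FIRST_FRAGMENT = build_ipv4_header(1500, IPPROTO_ICMP, flags=0x1)
TAIL_FRAGMENT = build_ipv4_header(100, IPPROTO_ICMP, frag_offset=185)
LARGE_TCP = build_ipv4_header(1500, protocol=6)                 # not ICMP, never matches

if __name__ == "__main__":
    samples = {
        "normal ping": NORMAL_PING,
        "large ping": LARGE_PING,
        "first fragment": FIRST_FRAGMENT,
        "tail fragment": TAIL_FRAGMENT,
        "large TCP": LARGE_TCP,
    }
    for label, hdr in samples.items():
        print(f"{label:15s} -> matched signatures {matched_signatures(hdr)}")
```

With the sample rule in the original post applying `attack actions alarm drop reset`, any packet that returns a non-empty list here would be dropped, while a normal echo request returns an empty list and should pass on these two signatures alone.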

Thank U