07-08-2003 03:57 AM - edited 03-09-2019 03:56 AM
Dear All
I am new to this IOS IDS thing. First of all, I want to know of some document which can tell me details about IOS IDS features and implementation.
Secondly, what is the difference between ip audit info and attack signatures, and why can these both not be used together?
Third, is there any web-based utility to manage IOS IDS?
Fourth, is there any way to download the latest signatures for IOS IDS?
Fifth, following is my configuration, and it is blocking all ICMP traffic, which is not supposed to be an attack.
I will be really grateful if somebody can tell me whether this configuration includes all the signatures.
interface Ethernet0/0
ip address 172.1.1.1 255.0.0.0
ip audit first in
ip audit first out
------------------------------------------------
IDS#sh ip audit name first
Audit name first
attack actions alarm drop reset
-------------------------------------------------
Thank you very much in anticipation of your reply.
Regards
07-08-2003 06:02 AM
Hi Adeel,
1. This is a good URL that explains the entire IOS FW feature set. As you are specifically interested in IDS, choose the link "Configuring Cisco IOS Firewall Intrusion Detection System".
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/index.htm
2. The IOS IDS signatures (approx. 100 of them now implemented in 12.3) are categorized into "Info" and "Attack" based on their impact.
You can use info and attack in the same audit rule, e.g.
ip audit name audit-name info
ip audit name audit-name attack
This is explained on the url above.
3. There isn't a management utility as such, but you can send the alarms/alerts to the VMS 2.2 Security Monitor or to a syslog server.
4. The signature updates are NOT independent of the IOS itself. Thus the signatures are updated when the IOS itself is upgraded.
5. Please refer to the URL above for a configuration sample, and you will get the idea as to how to build the rules.
Let me know if it doesn't work.
Thanks,
yatin
07-08-2003 08:54 AM
Thanks buddy, that was a great help.
Can you please tell me 2 things:
1- Does the configuration I have include all the available signatures?
2- Why this configuration blocks simple ping packets?
07-08-2003 11:28 AM
Hi Adeel,
Maybe the ICMP is matching one of these 'attack'-nature signatures:
2150 Fragmented ICMP Traffic (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 or there is an offset indicated in the fragment offset field.
2151 Large ICMP Traffic (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the IP length is greater than 1024.
2154 Ping of Death Attack (Attack, Atomic)
That's all I could think of without actually seeing a sniffer trace of the traffic that you are generating.
Thanks,
yatin
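The two trigger conditions quoted above (2150 and 2151) are pure IPv4-header checks, so they can be re-implemented and run against sample packets to see which pings an 'attack' rule with alarm/drop/reset would actually hit. The following Python is an added example for this thread, not Cisco's code and not from the original posts; the packet headers are constructed inline (addresses from the poster's 172.1.1.0 range, checksum left zero), and 2154 (Ping of Death) is left out because the post gives no trigger condition for it. The point it shows: a default-size ping (60-byte Windows or 84-byte Linux datagram) matches neither signature, while a ping padded past 1024 bytes matches 2151, and a ping large enough to be fragmented matches 2150 on every fragment (and 2151 on the first).

```python
"""Re-implement the trigger conditions of IOS IDS signatures 2150 and 2151
on raw IPv4 headers.  Illustrative example only; not Cisco's implementation."""
import struct

SIG_2150 = 2150  # Fragmented ICMP Traffic: proto 1 and (MF set or non-zero offset)
SIG_2151 = 2151  # Large ICMP Traffic: proto 1 and IP total length > 1024
IPPROTO_ICMP = 1


def parse_ipv4(packet: bytes) -> dict:
    """Extract the fixed IPv4 header fields the two signatures look at."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000),   # MF flag, bit 13
        "frag_offset": (flags_frag & 0x1FFF) * 8,       # low 13 bits, 8-byte units
        "protocol": proto,
    }


def match_icmp_signatures(packet: bytes) -> list:
    """Return the list of signature IDs (2150/2151) this datagram would trigger."""
    hdr = parse_ipv4(packet)
    hits = []
    if hdr["protocol"] != IPPROTO_ICMP:
        return hits
    if hdr["more_fragments"] or hdr["frag_offset"] != 0:
        hits.append(SIG_2150)
    if hdr["total_len"] > 1024:
        hits.append(SIG_2151)
    return hits


def build_ipv4(total_len: int, protocol: int = IPPROTO_ICMP,
               more_fragments: bool = False, frag_offset: int = 0) -> bytes:
    """Constructed sample header (no payload, zero checksum); the signatures
    only inspect header fields, so that is all we need for the check."""
    if frag_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    src = bytes([172, 1, 1, 2])   # constructed, from the poster's 172.1.1.0 range
    dst = bytes([172, 1, 1, 1])
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, protocol, 0, src, dst)


def audit_samples() -> dict:
    """Run the checks over constructed pings of increasing size."""
    samples = {
        "windows default ping (32B payload)": build_ipv4(60),
        "linux default ping (56B payload)": build_ipv4(84),
        "ping -l 1472 (1500B, unfragmented)": build_ipv4(1500),
        "ping -l 2000, fragment 1": build_ipv4(1500, more_fragments=True),
        "ping -l 2000, fragment 2": build_ipv4(548, frag_offset=1480),
        "1500B TCP segment (not ICMP)": build_ipv4(1500, protocol=6),
    }
    return {name: match_icmp_signatures(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hits in audit_samples().items():
        print(f"{name:40s} -> {hits or 'no match'}")
```

If an ordinary ping is being dropped, comparing its IP total length and fragment flags against these two conditions (via a sniffer trace, as the reply suggests) tells you quickly whether 2150/2151 are the signatures firing or whether another one is involved.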
07-10-2003 03:36 AM
Thank you