09-18-2004 08:17 PM - edited 03-09-2019 08:49 AM
I am new to Cisco routers and have been trying to figure out some things in my config on a 2611. I recently tried to upgrade to a new version and had some problems - the TAC suggested that the different feature sets had something to do with it - this is when I became aware of the IDS in my version of IOS.
I am very familiar with Snort; how does what this is trying to do compare? The previous admin didn't have the router going to a log or anything. Is this IDS actually IPS? What does the router do with what it "detects" if it isn't logging? What is the best resource to find out how best to configure this? Is it useful? I think the TAC guy I was working with suggested these lines are for IDS:
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 udp
ip inspect name Ethernet_0_0 cuseeme
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 h323
ip inspect name Ethernet_0_0 rcmd
ip inspect name Ethernet_0_0 realaudio
ip inspect name Ethernet_0_0 smtp
ip inspect name Ethernet_0_0 streamworks
ip inspect name Ethernet_0_0 vdolive
ip inspect name Ethernet_0_0 sqlnet
ip inspect name Ethernet_0_0 tftp
ip audit notify log
ip audit po max-events 100
Are they defaults of some sort?
Some of this, like vdolive, tftp and cuseeme, seems like junk?
Can someone give me some clues?
Thanks.
09-18-2004 10:15 PM
The Cisco IOS Firewall IDS feature identifies 59 of the most common attacks using "signatures" to detect patterns of misuse in network traffic. Note that these signatures can NOT be modified. They come prebuilt in the IOS. IOS IDS is really nothing compared to a real IDS (e.g., Snort).
This will help:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm
The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets as they traverse the router's interfaces and acting upon them in a definable fashion. When a packet, or a number of packets in a session, match a signature, the Cisco IOS Firewall IDS may perform the following configurable actions:
Alarm - Sends an alarm to a syslog server or Cisco Secure IDS Director
Drop - Drops the packet
Reset - Resets the TCP connection
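To show how the pieces fit together, here is an added example configuration (not posted by either participant in this thread, and not taken from the Cisco document linked above) that puts the commands quoted in the first post to work. The "ip inspect" lines are CBAC (Context-Based Access Control) stateful inspection rules, and the "ip audit" lines are the IOS Firewall IDS; both are only definitions until they are applied to an interface, which is why a router can carry them and still never log or drop anything. The rule names, interface roles, addresses (192.0.2.10 for the syslog host, 192.168.1.0/24 inside, 198.51.100.0/30 outside) and the "low" watermark values are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread. All names and
! addresses below are assumptions for illustration.
!
! Alarms only go somewhere if a syslog destination exists.
logging host 192.0.2.10
logging trap informational
!
! --- CBAC stateful inspection (the "ip inspect" lines) ---
! Global half-open (embryonic) session thresholds. When the count
! rises above "high", CBAC deletes half-open sessions until it
! falls below "low". "low" must be set below "high"; 900 is an
! assumed value here.
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
!
! One inspection rule set. The name (INSIDE_OUT) is arbitrary;
! generic tcp/udp inspection covers most traffic, and the
! application-specific entries add protocol-aware handling
! (e.g. the FTP data channel).
ip inspect name INSIDE_OUT tcp
ip inspect name INSIDE_OUT udp
ip inspect name INSIDE_OUT ftp
ip inspect name INSIDE_OUT smtp
!
! --- IOS Firewall IDS (the "ip audit" lines) ---
! Send IDS events to syslog; "po" (Post Office) is the event
! queue used when a Cisco Secure IDS Director is the target.
ip audit notify log
ip audit po max-events 100
! An audit rule set. Informational signatures only raise an alarm;
! attack signatures alarm, drop the packet and reset the TCP session.
ip audit name IDS_RULE info action alarm
ip audit name IDS_RULE attack action alarm drop reset
!
! Inbound ACL on the outside interface. CBAC inserts temporary
! entries ahead of this for return traffic of inspected sessions,
! so unsolicited inbound traffic is denied and logged.
ip access-list extended OUTSIDE_IN
 deny ip any any log
!
! Nothing above takes effect until applied to an interface.
interface Ethernet0/0
 description inside LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip inspect INSIDE_OUT in
!
interface Ethernet0/1
 description outside / Internet (assumed)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE_IN in
 ip audit IDS_RULE in
```

To check that the rules are really active on a running router, use "show ip inspect config" and "show ip inspect interfaces" for CBAC, and "show ip audit configuration" and "show ip audit statistics" for the IDS; if "show ip audit configuration" lists no interfaces, the IDS is defined but not watching anything, which matches the symptom described in the first post.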
09-23-2004 07:34 AM
As of 12.2(16)T, IOS IDS supports 100 signatures and not just 59.
12.3(8)T introduced the IOS IPS feature, which allows signatures to be loaded dynamically.
More details on IOS IPS at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_8/gt_fwids.htm