IOS IDS?

dan.tesch
Level 1

I am new to Cisco routers and have been trying to figure out some things in my config on a 2611. I recently tried to upgrade to a new version and had some problems - the TAC suggested that the different feature sets had something to do with it - this is when I became aware of the IDS in my version of IOS.

I am very familiar with Snort. How does what this is trying to do compare? The previous admin didn't have the router going to a log or anything. Is this IDS actually IPS? What does the router do with what it "detects" if it isn't logging? What is the best resource to find out how best to configure this? Is it useful? I think the TAC guy I was working with suggested these lines are for IDS:

ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 udp
ip inspect name Ethernet_0_0 cuseeme
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 h323
ip inspect name Ethernet_0_0 rcmd
ip inspect name Ethernet_0_0 realaudio
ip inspect name Ethernet_0_0 smtp
ip inspect name Ethernet_0_0 streamworks
ip inspect name Ethernet_0_0 vdolive
ip inspect name Ethernet_0_0 sqlnet
ip inspect name Ethernet_0_0 tftp
ip audit notify log
ip audit po max-events 100

Are they defaults of some sort?

Some of this, like vdolive, tftp and cuseeme, seems like junk?

Can someone give me some clues?

Thanks.


jkanclirz
Level 1

The Cisco IOS Firewall IDS feature identifies 59 of the most common attacks using "signatures" to detect patterns of misuse in network traffic. Note that these signatures can NOT be modified. They come prebuilt in the IOS. IOS-IDS is really nothing compared to a real IDS (aka Snort).

This will help:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm

The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets as they traverse the router's interfaces and acting upon them in a definable fashion. When a packet, or a number of packets in a session, match a signature, the Cisco IOS Firewall IDS may perform the following configurable actions:

• Alarm—Sends an alarm to a syslog server or Cisco Secure IDS Director

• Drop—Drops the packet

• Reset—Resets the TCP connection

As of 12.2(16)T, IOS IDS supports 100 signatures and not just 59.

12.3(8)T introduced IOS IPS feature which allows being able to load signatures dynamically.

More details for IOS IPS at:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_8/gt_fwids.htm
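To tie the question's config lines to the actions listed above: only the two `ip audit` lines are the IOS Firewall IDS; the `ip inspect` lines are CBAC, the stateful-inspection half of the same firewall feature set. The following is an added example (not from this thread or from Cisco's documentation) of a complete `ip audit` setup on a 12.2-era router that actually sends alarms somewhere and applies alarm/drop/reset to attack signatures; the hostname, IP addresses, interface, rule name and the tuned signature ID are assumptions.

```cisco
! Constructed example: IOS Firewall IDS (ip audit) with alarms delivered
! to syslog and the rule applied inbound on the outside interface.
!
! "ip audit notify log" only makes alarms go to syslog; without a logging
! host they stay in the router's local buffer, which is why a router with
! IDS enabled but no logging target appears to do nothing.
logging buffered 16384 informational
logging host 192.0.2.10
logging trap informational
ip audit notify log
ip audit po max-events 100
!
! One audit rule, two classes of signatures: informational signatures
! alarm only; attack signatures alarm, drop the packet and reset the
! TCP session (the three actions described in the reply above).
ip audit name OUTSIDE_IDS info action alarm
ip audit name OUTSIDE_IDS attack action alarm drop reset
!
! Built-in signatures cannot be edited, but they can be disabled. The ID
! here is an assumed placeholder; take real IDs from the signature table in
! the linked scfids document before disabling anything.
ip audit signature 1000 disable
!
! Apply the IDS rule and the existing CBAC rule on the outside interface
! (Ethernet0/0 as outside is an assumption about this 2611).
interface Ethernet0/0
 description Outside (assumed)
 ip address 198.51.100.2 255.255.255.0
 ip audit OUTSIDE_IDS in
 ip inspect Ethernet_0_0 in
!
! Verification:
!   show ip audit configuration   - rule, actions, notify target
!   show ip audit interfaces      - where the rule is applied
!   show ip audit statistics      - per-signature hit counters
!   show logging                  - buffered alarms (%IDS-4-... messages)
```

Once a logging host is configured, each signature match produces a syslog entry that can be correlated with Snort alerts from the same segment.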