I am new to Cisco routers and have been trying to figure out some things in my config on a 2611. I recently tried to upgrade to a new version and had some problems - the TAC suggested that the different feature sets had something to do with it - this is when I became aware of the IDS in my version of IOS.
I am very familiar with Snort; how does what this is trying to do compare? The previous admin didn't have the router going to a log or anything. Is this IDS actually IPS? What does the router do with what it "detects" if it isn't logging? What is the best resource to find out how best to configure this? Is it useful? I think the TAC guy I was working with suggested these lines are for IDS:
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 udp
ip inspect name Ethernet_0_0 cuseeme
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 h323
ip inspect name Ethernet_0_0 rcmd
ip inspect name Ethernet_0_0 realaudio
ip inspect name Ethernet_0_0 smtp
ip inspect name Ethernet_0_0 streamworks
ip inspect name Ethernet_0_0 vdolive
ip inspect name Ethernet_0_0 sqlnet
ip inspect name Ethernet_0_0 tftp
ip audit notify log
ip audit po max-events 100
Are they defaults of some sort?
Some of these, like vdolive, tftp, and cuseeme, seem like junk?
Can someone give me some clues?
The Cisco IOS Firewall IDS feature identifies 59 of the most common attacks using "signatures" to detect patterns of misuse in network traffic. Note that these signatures can NOT be modified. They come prebuilt in the IOS. IOS-IDS is really nothing compared to a real IDS (aka Snort).
This will help:
The Cisco IOS Firewall IDS acts as an in-line intrusion detection sensor, watching packets as they traverse the router's interfaces and acting upon them in a definable fashion. When a packet, or a number of packets in a session, match a signature, the Cisco IOS Firewall IDS may perform the following configurable actions:
Alarm: Sends an alarm to a syslog server or Cisco Secure IDS Director
Drop: Drops the packet
Reset: Resets the TCP connection
As of 12.2(16)T, IOS IDS supports 100 signatures and not just 59.
12.3(8)T introduced the IOS IPS feature, which allows signatures to be loaded dynamically.
More details on IOS IPS at:
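As an added example, not taken from either poster's configuration: the fragment below shows how the three configurable actions described above (alarm, drop, reset) are expressed with the IOS Firewall IDS `ip audit` commands, reusing the `ip audit notify log` and `ip audit po max-events 100` lines from the original config. Note that the `ip inspect` lines in the question configure CBAC stateful inspection, not the IDS; only the `ip audit` lines belong to the IDS. The syslog host 192.0.2.10, the rule name OUTSIDE-IDS, the interface name Ethernet0/0 and the disabled signature ID are assumptions for illustration.

```cisco
! Added example (not from either post). 192.0.2.10 is a placeholder syslog
! host; OUTSIDE-IDS is an assumed rule name; Ethernet0/0 is assumed to be the
! outside interface of the 2611.
!
! Send IDS alarms somewhere they can be reviewed instead of dropping them.
logging 192.0.2.10
logging trap informational
!
! Lines from the original config: alarm via syslog, cap the event queue.
ip audit notify log
ip audit po max-events 100
!
! Informational signatures only raise an alarm; attack signatures alarm,
! drop the packet, and reset the TCP connection.
ip audit name OUTSIDE-IDS info action alarm
ip audit name OUTSIDE-IDS attack action alarm drop reset
!
! Signatures cannot be edited, but an individual one can be disabled if it
! is too noisy on this network (1000 is used here only as an example ID).
ip audit signature 1000 disable
!
! Apply the rule to inbound traffic on the outside interface.
interface Ethernet0/0
 ip audit OUTSIDE-IDS in
!
! Verification from enable mode:
!   show ip audit configuration
!   show ip audit interfaces
!   show ip audit statistics
```

Without `logging <host>` (or `ip audit notify nr-director` for a Director), alarms go only to the console or local buffer, which is why a router "detecting" traffic with no log destination effectively does nothing visible; check `show ip audit statistics` to see whether signatures are actually firing.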