If Flash is erased, the Attack-drop.sdf file might also be erased. Therefore, if you are copying a Cisco IOS image to Flash and are prompted to erase the contents of Flash before copying the new image, you risk erasing the Attack-drop.sdf file. If this occurs, the router will refer to the built-in signatures within the Cisco IOS image.

It is important to define normal traffic on the network and configure the signatures accordingly to ensure that the IDS reacts to traffic that is truly malicious. If the IPS reacts to normal traffic, the alert is referred to as false positive . A false negative occurs when the IPS incorrectly interprets malicious traffic as normal for the network. To further reduce the number of false positive alerts, it is important to correctly configure the signature thresholds and disable or exclude specific signatures. Disabling a signature turns the signature off completely. When a signature is excluded, it designates specific hosts on the networks that are not inspected for a signature. A signature number identifies all IPS signatures. You can find the signature numbers and explanations at .

Use the ip ips signature command in global configuration mode to attach a policy to a signature. The command syntax is as follows:

ip ips signature signature-id [: sub-signature-id] {delete | disable | list acl-list}

Table 13-6 describes this command syntax.

0 0

Post a comment