Working with Cisco IOS IPS Signatures and Rules

This section describes the steps required to load IPS signatures and create and apply IPS rules.

Loading IPS-Based Signatures

The Cisco IOS IPS has two main types of signature definition files:

• IPS SDF (default): The 132 built-in signatures inherited from Cisco IOS Software IDS technology, kept for backward compatibility. These signatures are hard-coded into Cisco IOS Software Release 12.3(8)T or later, and their default action is set to alarm only.

• Attack-drop.sdf: At the time of this writing, the Attack-drop.sdf file contains 118 high-fidelity IPS signatures. This file is available in Flash on all Cisco IOS IPS-enabled routers shipped with Cisco IOS Software 12.3(8)T or later and can be further modified by adding or deleting signatures based on the network requirements. For the exact count and list of signatures supported in this file, refer to the online documentation for the specific Cisco IOS version.

The command required to load the desired SDF file from a specific location is as follows:

ip ips sdf location url

This command must be used in global configuration mode. The url can point to local Flash, an FTP server, an RCP server, or a TFTP server.

If the router cannot find the file specified in the url, it attempts to load the built-in signature file. To prevent the router from falling back to the built-in signature file, execute the following command in global configuration mode:

no ip ips sdf built-in

Cisco recommends using the signatures provided in Flash for attack mitigation. If the built-in signatures do not provide adequate protection for a network, you can merge them with the signatures in Attack-drop.sdf. The copy [/erase] url ips-sdf command enables you to merge the two files. Table 13-5 briefly describes the command and its options.
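As an added example (not from this book), the following CLI sequence ties the commands above together: it loads Attack-drop.sdf from Flash, disables the fallback to the built-in signatures so a failed load is visible rather than silently replaced by the alarm-only set, binds a rule to an interface, and shows the alternative of merging Attack-drop.sdf into the built-in set with copy. The rule name MYIPS, the Flash path and the interface name are assumptions.

```cisco
! --- Variant A (the recommendation on this page): run only the Flash SDF ---
configure terminal
 ! Path and filename assumed; Attack-drop.sdf ships in Flash on 12.3(8)T+ routers.
 ip ips sdf location flash://attack-drop.sdf
 ! Do not fall back to the 132 alarm-only built-in signatures if the file
 ! cannot be loaded; a failed load should be noticed, not silently downgraded.
 no ip ips sdf built-in
 ! Rule name and interface assumed; inspect traffic arriving on the outside link.
 ip ips name MYIPS
 interface FastEthernet0/0
  ip ips MYIPS in
 end
!
! --- Variant B: the built-in set alone is not enough, so merge Attack-drop.sdf ---
! Leave the built-in SDF enabled (the default) and, from privileged EXEC mode,
! merge the Flash file into the running signature set. Without /erase the new
! signatures are added to those already loaded; /erase would replace them first.
copy flash://attack-drop.sdf ips-sdf
!
! Either way, confirm which SDF actually loaded and that the rule is bound
! to the interface before trusting the deployment.
show ip ips configuration
show ip ips signatures
```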

