Community Member

Difference between IPS ver4.x and version 5.x

Hi,

Can someone please tell me the advantage of IPS version 5.x over the 4.x version?

I assume it is still signature based just like 4.x, and that it is still difficult to see what the signature is looking for on the fly when you need to do so, just like with Snort.

The fact that I cannot see what the signature is looking for is bothering us, but maybe I don't know how it works.

Thx,

Masood

2 REPLIES
Cisco Employee

Re: Difference between IPS ver4.x and version 5.x

IPS version 5.X is signature based like IDS version 4.

Information about the IPS Version 5.1 Sensor Software can be found at http://www.cisco.com/go/ips.

The end of signature updates for IDS 4 version software has passed; please see here for more details.

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/prod_eol_notice0900aecd803b6598.html

So you should be using IPS 5.X now.

It would be easier for you to use IDM to check what the signatures look like. The documentation for that is here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/index.htm

In the same area, you would see more documentation about what the signature engine's capabilities are:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmsgeng.htm

If you are familiar with regular expressions, then you would understand what the signatures are looking for using IDM, for most signatures.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swappa.htm#wp787101

I hope this information helps you.

Gold

Re: Difference between IPS ver4.x and version 5.x

They are both signature based. IPS 4.x is no longer supported by Cisco (no more sig updates), so comparing the two is probably pointless.

You can look at the signatures pretty easily in 5.x. The Cisco documentation about the various settings is not very detailed and some (dare I say many) of the regular expressions are hidden. However, you can look at the signatures and you will probably find them much easier to understand than Snort (mostly because it is a GUI with drop-down boxes, etc).
