05-22-2006 12:59 AM - edited 03-10-2019 03:01 AM
Hello,
ip audit protected [ip address - ip address]
According to CCO, it defines a protected address space for IDS. This is from Cisco:
An attack signature detects attacks attempted into the protected network, such as denial-of-service attempts or the execution of illegal commands during an FTP session.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm
I tested IDS today with ICMP flooding, and I got alarms for ICMP attack SIG .2050 even without configuring this command.
Does anybody know what exactly this command does?
Regards,
Louis
05-26-2006 05:49 AM
05-28-2006 11:21 PM
Thanks, but unfortunately it's still not clear to me.
If no addresses are defined as protected, then all addresses are considered outside the protected network.
Maybe I should phrase my question a little bit differently:
If I am not configuring that command, what kind of attack would not be detected?
06-27-2007 03:23 AM
I assume the "flagged alert" in the command reference is a relic of the Postoffice protocol.
06-27-2007 09:40 AM
You must be using a very old version of IOS in which the IDS feature is configured with the 'ip audit...' command; in these versions of IOS, the IDS feature has a fixed number of hardcoded signatures.
The IOS IDS/IPS feature has evolved quite a bit: starting with 12.3(8)T, it supports dynamic signatures and is a true inline IPS system. Recently, from 12.4(11)T, it supports the 5.x signature format, which enables IPS to support signatures with encrypted parameter values and more functions (but this is not backward compatible with previous versions).
For more information, please check Cisco.com at http://www.cisco.com/en/US/products/ps6634/products_ios_protocol_group_home.html
Also please check the white paper and Q&A section.
Thanks,
-Chris