
IOS IDS question

lkrucker
Level 1

Hello,

ip audit protected [ip address - ip address]

According to CCO, it defines a protected address space for IDS. This is from Cisco:

An attack signature detects attacks attempted into the protected network, such as denial-of-service attempts or the execution of illegal commands during an FTP session.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm

I have tested IDS today with ICMP flooding. I got alarms for ICMP attack SIG .2050 even without configuring this command.

Does anybody know what exactly this command does?

Regards,

Louis

4 Replies

Thanks, but unfortunately it's still not clear to me.

If no addresses are defined as protected, then all addresses are considered outside the protected network.

Maybe I should phrase my question a little bit differently:

If I am not configuring that command, what kind of attack would not be detected?

I assume the "flagged alert" in the command reference means a relic of the Postoffice protocol.

ymzhang
Level 1

You must be using a very old version of IOS in which the IDS feature is configured with the 'ip audit...' command. In these versions of IOS, the IDS feature has a fixed number of hardcoded signatures.

The IOS IDS/IPS feature has evolved quite a bit. Starting with 12.3(8)T, it supports dynamic signatures and is a true inline IPS system. Recently, from 12.4(11)T, it supports the 5.x signature format, which enables IPS to support signatures with encrypted parameter values and more functions (but this is not backward compatible with previous versions).

For more information, please check Cisco.com at http://www.cisco.com/en/US/products/ps6634/products_ios_protocol_group_home.html

Also please check the white paper and Q&A section.

Thanks,

-Chris
