IDS Signatures on IOS-FW

cpalayoor
Level 1

Hi there,

I have some very basic questions on the IDS feature available with the Cisco IOS based firewall and would appreciate it if someone could help me out.

1) Is it possible to create your own signatures on the above feature set, and if so, could you direct me to the appropriate documentation?

2) I have read in a book that the IOS firewall comes with 59 signatures. Can I update this to include more signatures (from the Cisco site)?

Thanks in advance

CP

2 Replies

gfullage
Cisco Employee

IOS-based IDS is very limited in its features. You can't add your own signatures. The sigs are inbuilt within the IOS code, so no modifications can be made or new ones added.

Up till 12.2(15)T it only had 59 signatures; in this release we came out with an additional 42 sigs, making the current total 101. This is still far short of the 900-odd a true IDS sensor will look for, but basically the router CPU just isn't built to compare so many packets with so many signatures.

See http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122y/122yu11/ft_fwids.htm for the new sigs in 12.2(15)T.

See http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm for the IOS-IDS docs.

Hi,

Thanks for the input.

I guess I will have to look at setting up Snort on a Linux box instead, as the Cisco IDS solutions are way too expensive.

Regards

CP
