Use the ip audit command to override the IDS signature defaults. First create a policy with the ip audit name command, and then apply the policy to an interface with the ip audit interface command.
There are two variations of the ip audit name command: ip audit name info and ip audit name attack. The ip audit name info command is used to create policies for signatures classified as informational. All informational signatures, except those disabled or excluded by the ip audit signature command, become part of the policy. The ip audit name attack command performs the same function for signatures classified as attack signatures.
The ip audit name command also allows the administrator to specify actions to be taken when a signature is triggered. If a policy is defined without actions, the default actions take effect. The default action for both attack and info signatures is alarm.
The no ip audit name command can be used to remove an audit policy. The show ip audit name command displays audit policies. Use the no ip audit interface command to remove a policy from an interface. Use the show ip audit interface command to display the interface configuration.
The next step is to apply the policy to an interface with the ip audit interface command. In the example in Figure , the policy outside_policy is being applied to the outside interface.
To exclude a signature from auditing, use the ip audit signature disable command. The no ip audit signature command is used to re-enable a signature, and the show ip audit signature command displays disabled signatures.
Several show ip audit commands are provided to view the current configuration. The show ip audit count command is especially useful for viewing the signatures that have received a hit or match.
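
The full sequence described above, shown as an added example rather than a configuration from the original course material. The prompt hostname pixfirewall, the policy name outside_info, the actions chosen, and signature number 2000 are assumptions for illustration; outside_policy and the outside interface come from the text.

```cisco
pixfirewall(config)# ip audit name outside_info info action alarm
pixfirewall(config)# ip audit name outside_policy attack action alarm drop
pixfirewall(config)# ip audit interface outside outside_info
pixfirewall(config)# ip audit interface outside outside_policy
pixfirewall(config)# ip audit signature 2000 disable
pixfirewall(config)# show ip audit name
pixfirewall(config)# show ip audit interface
pixfirewall(config)# show ip audit signature
pixfirewall(config)# show ip audit count
```

Omitting the action keyword on either ip audit name line leaves that policy at the default action of alarm, and no ip audit signature 2000 re-enables the excluded signature.
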
Lab Exercise: Configure Intrusion Prevention on the PIX Security Appliance
In this lab exercise, students will configure the use of Cisco Intrusion Prevention System (IPS) information and attack signatures using both ASDM and CLI.