This topic describes the procedure used to install the Cisco IOS
IPS.
Use this procedure to install the latest Cisco IOS IPS signatures
on a router for the first time. This procedure allows the administrator to load
the default, built-in signatures or the attack-drop.sdf file, but not both.
To merge the
two signature files, the administrator must load the default, built-in
signatures as described in this procedure. Then, the default signatures can be
merged with the attack-drop.sdf file.
Step 1 Create a named IPS rule that will be applied to an interface later.
Step 2 Attach the policy to a given signature, if desired.
Step 3 Enter interface configuration mode for the interface where the
Cisco IOS IPS will be implemented.
router(config)# interface fastethernet 0/1
Step 4 The ip ips ips-name {in | out} command applies an IPS rule at an
interface. This command automatically loads the signatures and builds the
signature engines.
NOTE:
Whenever signatures are replaced or merged, the router prompt is
suspended while the signature engines for the newly added or merged signatures
are being built. The router prompt will be available again after the engines
are built. Depending on the platform and how many signatures are being loaded,
building the engine can take up to several seconds. It is recommended that
logging messages be enabled to monitor the engine building status.
Upgrade to the latest SDF
An important part of IPS is
keeping up with the latest attack signatures. The attack signatures in the
router should be kept up to date with the latest IPS signature file,
attack-drop.sdf.
Support for ip audit Commands
The
latest IPS image will read and convert all commands that begin with the words
ip audit to ip ips. For example, the
ip ips notify command replaces the ip audit
notify command. If the ip audit notify command
is part of an existing configuration, the IPS will interpret it as the
ip ips notify command. Although IPS will accept the
audit keyword, it will generate the ips
keyword when the configuration is shown. Also, if the help character
(?) is issued, the CLI will display the
ips keyword instead of the audit
keyword, and the Tab key used for command completion will not recognize the
audit keyword.
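
The following is an added example, not part of the original Cisco text: a Python check over a saved configuration that confirms each named IPS rule from Step 1 is actually applied to an interface as in Step 4, reading legacy ip audit lines as ip ips the way this section describes. The sample configuration and rule names are constructed, and the "ip ips name" form for Step 1 is an assumption, since the page does not show that command.

```python
import re

# Constructed sample configuration (not from the original page). It mixes the
# legacy "ip audit" keyword with "ip ips" and defines one rule never applied.
# Assumption: Step 1 uses the form "ip ips name <rule>"; the page omits it.
SAMPLE_CONFIG = """\
ip audit notify log
ip ips name MYIPS
ip audit name LEGACY
ip ips name UNUSED
!
interface FastEthernet0/0
 ip audit LEGACY in
!
interface FastEthernet0/1
 ip ips MYIPS in
 ip ips MYIPS out
!
"""

def normalize(line):
    """Rewrite a leading 'ip audit' to 'ip ips', as the page says the image does."""
    return re.sub(r"^(\s*)ip audit\b", r"\1ip ips", line)

def audit_ips(config):
    """Return (rules, applied, unapplied, legacy_lines) for a configuration text."""
    rules, applied, legacy, interface = [], {}, [], None
    for raw in config.splitlines():
        line = normalize(raw)
        if line != raw:
            legacy.append(raw.strip())          # still stored with the old keyword
        if not line.startswith(" "):            # global line or section header
            m = re.match(r"interface\s+(\S.*?)\s*$", line)
            interface = m.group(1) if m else None
            m = re.match(r"ip ips name (\S+)", line)
            if m and m.group(1) not in rules:
                rules.append(m.group(1))        # Step 1: rule defined
        elif interface:
            m = re.match(r"\s+ip ips (\S+) (in|out)\s*$", line)
            if m:                               # Step 4: rule applied in|out
                applied.setdefault(m.group(1), []).append((interface, m.group(2)))
    unapplied = [r for r in rules if r not in applied]
    return rules, applied, unapplied, legacy

if __name__ == "__main__":
    rules, applied, unapplied, legacy = audit_ips(SAMPLE_CONFIG)
    print("applied:", applied)
    print("defined but never applied:", unapplied)
    print("legacy ip audit lines:", legacy)
```

A rule listed as defined but never applied inspects no traffic, and the legacy lines are the ones that will appear with the ips keyword once the configuration is shown on the IPS image.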