Configure IDS policies

Use the ip audit command to override the IDS signature defaults. First create a policy with the ip audit name command, and then apply the policy to an interface with the ip audit interface command.

There are two variations of the ip audit name command: ip audit name info and ip audit name attack. The ip audit name info command creates policies for signatures classified as informational. All informational signatures, except those disabled or excluded by the ip audit signature command, become part of the policy. The ip audit name attack command performs the same function for signatures classified as attack signatures.

The ip audit name command also lets the administrator specify the actions to take when a signature is triggered. If a policy is defined without actions, the default actions take effect. The default action for both attack and info signatures is alarm.

The no ip audit name command can be used to remove an audit policy. The show ip audit name command displays audit policies. Use the no ip audit interface command to remove a policy from an interface. Use the show ip audit interface command to display the interface configuration.

The next step is to apply the policy to an interface with the ip audit interface command. In the example in Figure , the policy outside_policy is being applied to the outside interface.

To exclude a signature from auditing, use the ip audit signature disable command. The no ip audit signature command re-enables a signature, and the show ip audit signature command displays disabled signatures.

Several show ip audit commands are provided to view the current configuration. The show ip audit count command is especially useful for viewing which signatures have received a hit or match.
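The following configuration walks through the whole procedure described above on one PIX. It is an added example written for this page, not a configuration taken from the course or from Cisco documentation. The hostname pixfirewall, the policy names outside_info and outside_attack, and the use of signature number 2004 as the excluded signature are assumptions made for the example; lines beginning with ! are annotations, not commands. The attack policy is given the stronger drop and reset actions so that it does more than the default alarm-only behaviour, while the info policy keeps the default.

```text
! Step 1: create the policies. The info policy keeps the default
! action (alarm); the attack policy alarms, drops the packet and
! resets the connection.
pixfirewall(config)# ip audit name outside_info info action alarm
pixfirewall(config)# ip audit name outside_attack attack action alarm drop reset

! Step 2: apply one info policy and one attack policy to the outside interface.
pixfirewall(config)# ip audit interface outside outside_info
pixfirewall(config)# ip audit interface outside outside_attack

! Step 3: exclude a noisy informational signature from auditing.
! 2004 is assumed here to be the ICMP echo request signature.
pixfirewall(config)# ip audit signature 2004 disable

! Step 4: verify the configuration and see which signatures have matched.
pixfirewall(config)# show ip audit name
pixfirewall(config)# show ip audit interface
pixfirewall(config)# show ip audit signature
pixfirewall(config)# show ip audit count

! Backing out: detach the policy from the interface, delete it,
! and re-enable the excluded signature.
pixfirewall(config)# no ip audit interface outside outside_attack
pixfirewall(config)# no ip audit name outside_attack attack
pixfirewall(config)# no ip audit signature 2004
```

Check show ip audit count before and after changing the action keywords: if an attack signature that should now be dropped still increments without any effect on the session, the policy is most likely not attached to the interface the traffic actually enters on.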

Lab Activity

Lab Exercise: Configure Intrusion Prevention on the PIX Security Appliance

In this lab exercise, students will configure the use of Cisco Intrusion Prevention System (IPS) information and attack signatures using both ASDM and the CLI.

Lab Activity

e-Lab Activity: Configure PIX Security Appliance Message Output to a Syslog Server

In this activity, the student will demonstrate how to configure message output to a Syslog server.

Resources

Resource: Getting Started with the AIP-SSM