Cisco IOS Intrusion Prevention System
Cisco IOS IPS signatures

Cisco IOS IPS now identifies more than 700 of the most common attacks, using signatures to detect patterns of misuse in network traffic. The signatures were chosen from the broad Cisco intrusion detection signature set and represent severe breaches of security, the most common network attacks, and information-gathering scans.

Signatures
As of Release 12.3(8)T, Cisco IOS IPS has 132 built-in signatures in the Cisco IOS Software image. The built-in signatures are hard-coded into the image for backward compatibility. Each signature can be set to send an alarm, drop the packet, or reset the connection; each action is enabled on a per-signature basis, and every signature has a default action assigned according to its severity.

Additionally, Cisco IOS IPS can load new IPS signatures without a Cisco IOS Software image update. At the time of this writing, Cisco IOS IPS supports more than 740 signatures. New signatures are typically released every two weeks, with emergency signature updates posted as needed. The signatures are posted to Cisco.com at the web link below; a valid CCO login is required to access the site.

The Nimda virus, for example, can be detected by loading and enabling the signatures shown in the figure.

The Signature Definition File
The signature definition file (SDF) is integral to Cisco IOS IPS. The SDF is an Extensible Markup Language (XML) file that holds the definition of each signature along with its configurable actions. Cisco IOS IPS reads the SDF, parses the XML, and populates its internal tables with the information needed to detect each signature. Because the SDF carries both the signature definition and its configuration, actions such as alarm, drop, or reset can be selected for individual signatures within the SDF, and the SDF can be trimmed so that the router detects only specific signatures; it can therefore contain all or a subset of the signatures supported by Cisco IOS IPS. The administrator specifies the location of the SDF. The SDF can reside on the local Flash file system, which is the recommended option, or on a remote server accessed via TFTP, FTP, Secure Copy Protocol (SCP), or Remote Copy Protocol (RCP). Of these, only SCP authenticates the server and protects the file in transit; TFTP, FTP, and RCP move the SDF in the clear, so a remotely loaded SDF should come over SCP or be copied into flash and loaded from there. After signatures are loaded and compiled on a router running Cisco IOS IPS, the IPS begins detecting the new signatures immediately.
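The configuration below is an added example, not taken from the original page or from Cisco documentation, of how the SDF handling described above is wired up on a 12.3(8)T-era router: the SDF location, the fail-closed behaviour while signatures compile, a per-signature override, the IPS rule, and the commands used to verify the load. The rule name OUTSIDE-IPS, the interface FastEthernet0/0, the SCP server 192.0.2.10, the username ipsadmin, and signature 2004:0 are illustrative assumptions; substitute your own and confirm signature IDs against `show ip ips signatures`.

```cisco
! Added example configuration (assumed names and addresses, see lead-in).
! --- global configuration mode ---
!
! 1. Point IOS IPS at the SDF in local flash (the recommended location).
!    A remote SDF over SCP would be configured as, for instance:
!    ip ips sdf location scp://ipsadmin@192.0.2.10/attack-drop.sdf
ip ips sdf location flash:attack-drop.sdf
!
! 2. Drop traffic if the SDF fails to load or compile. Without this the
!    router passes traffic uninspected while signatures are unavailable.
ip ips fail closed
!
! 3. Override one signature from the CLI without editing the SDF XML.
!    The ID and sub-ID here (2004:0) are an assumed example.
ip ips signature 2004 0 disable
!
! 4. Name the IPS rule and apply it inbound on the untrusted interface.
ip ips name OUTSIDE-IPS
interface FastEthernet0/0
 ip ips OUTSIDE-IPS in
!
! --- privileged EXEC mode, after the rule is applied ---
! 5. Verify which SDF location is configured and that the signatures
!    compiled into their micro-engines before relying on the router.
show ip ips configuration
show ip ips signatures
```

Actions (alarm, drop, reset) are set per signature inside the SDF, as the section states; the CLI override above only disables a signature, which is the right tool for silencing a noisy signature without maintaining a modified copy of the SDF.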

Signature Micro-engines
Cisco IOS IPS uses signature micro-engines (SMEs) to load the SDF and scan for signatures. Each engine groups a category of signatures, and each signature detects a pattern of misuse in network traffic; for example, all HTTP signatures are grouped under the HTTP engine. The more than 740 signatures that Cisco IOS IPS currently supports belong to the common signature set used by Cisco IDS sensors, so all Cisco products draw on one shared resource, and they are available for download from Cisco.com.

Signatures contained in the SDF are handled by a variety of SMEs; an SDF typically contains signature definitions for several engines. An SME usually corresponds to the protocol in which the signature occurs and looks for malicious activity in that protocol. A single packet is processed by several SMEs. Each SME scans for the conditions that can lead to a signature match: it extracts certain values from the packet and searches them for patterns through the regular expression engine.

attack-drop.sdf
The attack-drop.sdf file is present in flash on all Cisco access routers that ship with Cisco IOS Release 12.3(8)T or later, and it can be loaded directly from flash into Cisco IOS IPS. If flash is erased, attack-drop.sdf may be erased with it; this commonly happens when the contents of flash memory are erased before a new Cisco IOS image is copied to flash. If this occurs, the router falls back to the built-in signatures within the Cisco IOS image, so the larger signature set is silently no longer in use until the file is restored. The attack-drop.sdf file can be downloaded onto the router again from the web link below.
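The sequence below is an added example, not part of the original page or of Cisco documentation, showing how to confirm whether attack-drop.sdf survived an image upgrade that erased flash, restore it, and reload it into a running IPS. The SCP server 192.0.2.10, the username ipsadmin, and the source path are assumptions.

```cisco
! Added example procedure (assumed server and credentials, see lead-in).
! --- privileged EXEC mode ---
!
! 1. Check whether the SDF is still in flash after the image upgrade.
!    If attack-drop.sdf is absent, the IPS has fallen back to the
!    built-in signatures, even though the running config still names
!    flash:attack-drop.sdf as the SDF location.
dir flash:
show ip ips configuration
!
! 2. Copy the file back. SCP is used here because it authenticates the
!    server and protects the file in transit; the TFTP equivalent,
!    copy tftp://192.0.2.10/attack-drop.sdf flash:attack-drop.sdf
!    moves the signatures unauthenticated and in the clear.
copy scp://ipsadmin@192.0.2.10/attack-drop.sdf flash:attack-drop.sdf
!
! 3. Load the restored SDF into the running IPS so that detection of the
!    full signature set resumes without a reload of the router. The
!    /erase keyword replaces the currently loaded signatures rather than
!    merging into them.
copy /erase flash:attack-drop.sdf ips-sdf
!
! 4. Confirm that the loaded signature count is no longer the 132
!    built-in signatures alone.
show ip ips signatures
```

Compare the number of signatures reported in step 4 against what the router showed before the upgrade; a count that matches the built-in set is the sign that the fallback described above is still in effect.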


Web Links