Cisco IOS Intrusion Prevention System
Install the Cisco IOS IPS

This topic describes the procedure used to install the Cisco IOS IPS.

Use this procedure to install the latest Cisco IOS IPS signatures on a router for the first time. The procedure lets the administrator load either the default, built-in signatures or the attack-drop.sdf file, but not both. To merge the two signature files, the administrator must first load the default, built-in signatures as described in this procedure. The default signatures can then be merged with the attack-drop.sdf file.

Step 1 Create a named IPS rule that will be applied to an interface later.
Step 2 Attach the policy to a given signature if desired.
Step 3 Enter interface configuration mode for the interface where the Cisco IOS IPS will be implemented.

router(config)# interface fastethernet 0/1

Step 4 The ip ips ips-name {in | out} command applies an IPS rule at an interface. This command automatically loads the signatures and builds the signature engines.

NOTE: Whenever signatures are replaced or merged, the router prompt is suspended while the signature engines for the newly added or merged signatures are being built. The router prompt will be available again after the engines are built. Depending on the platform and how many signatures are being loaded, building the engine can take up to several seconds. It is recommended that logging messages be enabled to monitor the engine building status.
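
The four steps above as a single configuration fragment. This is an added example, not part of the original page; the rule name MYIPS and the signature ID 1107 0 are assumed values chosen for illustration.

```cisco
! Send IPS events and engine-build messages to syslog so the build can be monitored
logging on
ip ips notify log
!
! Step 1: create a named IPS rule (the name MYIPS is an assumption)
ip ips name MYIPS
!
! Step 2 (optional): adjust a single signature; 1107 0 is an illustrative ID
ip ips signature 1107 0 disable
!
! Step 3: enter interface configuration mode
interface fastethernet 0/1
 ! Step 4: apply the rule to inbound traffic; this loads the signatures
 ! and builds the signature engines, suspending the prompt while it runs
 ip ips MYIPS in
```

Once the prompt returns, show ip ips configuration lists the rule, the interface and direction it is applied to, and the signature settings in effect.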

Upgrade to the latest SDF
An important part of IPS is keeping up with the latest attack signatures. The attack signatures in the router should be kept up to date with the latest IPS signature file, attack-drop.sdf.

Support for ip audit Commands
The latest IPS image will read and convert all commands that begin with the words ip audit to ip ips. For example, the ip ips notify command replaces the ip audit notify command. If the ip audit notify command is part of an existing configuration, the IPS will interpret it as the ip ips notify command. Although IPS will accept the audit keyword, it will generate the ips keyword when the configuration is shown. Also, if the help character (?) is issued, the CLI will display the ips keyword instead of the audit keyword, and the Tab key used for command completion will not recognize the audit keyword.