Hi,
in short, the "ip audit" command, available since IOS 12.0(5)T, was
based on Cisco IDS 3.x code (old!). IOS implemented a fixed
number of IDS signatures (initially 59, then enhanced by 42 more
signatures since 12.2T). The feature used Cisco's proprietary
Post Office Protocol for event communication with IDS Director. The
configuration only supported two signature categories:
attack and info. This is the same as the ip audit feature found
in PIX OS, though they support slightly different sets of signatures.
The feature itself is pretty much out of date and deprecated. You can
read about it here:
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfids.html
just to get a feeling of the history.
With IOS release 12.3(8)T Cisco introduced IDS 4.x code into IOS and
called this Cisco IPS, replacing the "ip audit" syntax with "ip ips".
The IPS now supported SDEE instead of the legacy POP and implemented
the 4.x signature engines. A total of 132 built-in signatures
were supported. In addition to the built-in sigs, you were able to load
an external SDF (Signature Definition File, an XML file in 4.x
format) with additional patterns, which were *dynamically* compiled.
The number of signatures available to IOS was much smaller compared
to the list available to hardware appliances. For more info, look here:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_fwids.html
Recently, with IOS release 12.4(11)T, Cisco IOS now supports IPS
5.x engines. There are no more hardcoded signatures
in IOS itself. New v5.x signature packages are now required
(different from the old SDF files). One remarkable feature
is that every package contains the SAME list of signatures as a
regular hardware IPS (big!). IOS is supposed to load and compile
all new signatures dynamically. Due to the huge number of sigs, you
have to retire most of them prior to starting the compilation
process. The configuration syntax has changed slightly, as now all IPS
configuration is stored in flash memory, and the process
becomes similar to configuring a hardware IPS (still pretty limited
in functionality). More about it here:
HTH
--
Petr Lapukhov, petr_at_INE.com
CCIE #16379 (R&S/Security/SP/Voice)
Internetwork Expert, Inc.
http://www.INE.com
Toll Free: 877-224-8987
Outside US: 775-826-4344

2009/5/3 Sadiq Yakasai <sadiqtanko_at_gmail.com>:
> HI Guys,
>
> Been trying to get my head around these 2 features. So what's the difference
> and limitations of either?
>
> Any information would be helpful.
>
> Thanks in advance,
> Sadiq
>
> --
> CCIE #19963

Received on Mon May 04 2009 - 01:03:30 ART
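An added example (not from Petr's message or from Cisco's documentation) of the 12.4(11)T-style "ip ips" setup described above: IPS state kept in flash, all signatures retired first and only a small category unretired before the v5.x package is compiled, alerts sent over SDEE. The flash directory, rule name, interface, TFTP server and package file name are assumed placeholders.

```text
! Directory in flash where IOS IPS keeps its compiled signature state
! (assumed name; any flash: directory works)
mkdir flash:ips
!
configure terminal
! Store all IPS configuration and signature state in flash
ip ips config location flash:ips
! Rule name that is later bound to an interface (assumed name)
ip ips name iosips
! Alerts via SDEE, which replaced the legacy Post Office Protocol;
! SDEE is pulled over HTTP, so the HTTP server must be enabled
ip ips notify sdee
ip http server
ip sdee events 200
!
! Retire everything first, then unretire only a small category.
! Without this step the router tries to compile the full
! hardware-IPS signature list and runs out of memory/CPU.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
 exit
!
! Inspect traffic entering the (assumed) outside interface
interface FastEthernet0/0
 ip ips iosips in
 exit
end
!
! Load the v5.x signature package (placeholder server and file name).
! Cisco's package-signing public key must already be installed with
! "crypto key pubkey-chain rsa", otherwise the load is rejected.
copy tftp://TFTP-SERVER/IOS-Sxxx-CLI.pkg idconf
!
! Verify how many signatures are active, retired and compiled
show ip ips signatures count
```

The retire/unretire block is the part most often skipped; checking the count output after the copy confirms that only the intended category was compiled.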
This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:41 ART