Re: IP audit vs IP IPS

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Sat, 9 May 2009 13:14:27 +0100

Thanks Petr! This is very informative!

Sadiq

On Sun, May 3, 2009 at 10:03 PM, Petr Lapukhov
<petr_at_internetworkexpert.com>wrote:

> Hi,
>
> in short, the "ip audit" command, available since IOS 12.0(5)T was
> based on Cisco IDS 3.x code (old!). IOS implemented a fixed
> number of IDS signatures (initially 59, then enhanced by 42 more
> signatures since 12.2T). The feature used cisco's proprietary
> Post Office Protocol for event communication with IDS Director. The
> configuration only supported two signature categories:
> attack and info. This stuff is the same as the ip audit feature found
> in PIX OS, though they support a bit different sets of signatures.
> The feature itself is pretty much out of date and deprecated. You can
> read about it here:
>
>
> http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfids.html
>
> just to get the feeling of history.
>
> With IOS release 12.3(8)T Cisco introduced IDS code 4.x into IOS and
> called this Cisco IPS, replacing "ip audit" with "ip ips" syntax.
> The IPS was now supporting SDEE instead of legacy POP and implemented
> 4.x signature engines as. A total of 132 built-in signatures
> were supported. In addition to the built-in sigs, you were able to load
> an external SDF (Sig. definition file, an XML file in 4.x
> format) with additional patterns that were *dynamically* compiled.
> The number of signatures available to IOS was much less compared
> to the list available to hardware appliances. For more info, look here:
>
>
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_fwids.html
>
> Recently, with the IOS release 12.4(11)T Cisco IOS now supports IPS
> 5.x engines. There are no more hardcoded signatures
> in the IOS itself. New v5.x signature packages are now required
> (different from the old SDF files). One remarkable feature
> is that every package contains the SAME list of signatures as a
> regular hardware IPS (big!). The IOS is supposed to load and compile
> all new signatures dynamically. Due to the huge number of sigs, you
> have to retire most of them, prior to starting the compilation
> process. The configuration syntax has changed slightly, as now all IPS
> configuration is stored in the flash memory, and the process
> becomes similar to configuring a hardware IPS (still, pretty limited
> in functionality). More about it here:
>
>
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.pdf
>
> HTH
> --
> Petr Lapukhov, petr_at_INE.com
> CCIE #16379 (R&S/Security/SP/Voice)
>
> Internetwork Expert, Inc.
> http://www.INE.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
>
> 2009/5/3 Sadiq Yakasai <sadiqtanko_at_gmail.com>:
> > Hi Guys,
> >
> > Been trying to get my head around these 2 features. So what's the
> > difference and limitations of either?
> >
> > Any information would be helpful.
> >
> > Thanks in advance,
> > Sadiq
> >
> > --
> > CCIE #19963
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

-- 
CCIE #19963
Received on Sat May 09 2009 - 13:14:27 ART
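The 5.x-package workflow Petr describes (IPS state kept in flash, most signatures retired before compilation, SDEE instead of the legacy Post Office Protocol), written out as an added IOS configuration example that is not part of this thread; the interface name, flash directory, rule name and package file name are assumed placeholders.

```cisco
! Added example, not from this thread. Cisco IOS IPS with 5.x format signatures.
! Interface, flash path, rule name and package file name are assumed values.
!
! 0. Cisco's public signing key must be installed before a package is loaded,
!    so the router can verify the package signature (key material omitted here,
!    it comes from Cisco's realm-cisco.pub file):
!    crypto key pubkey-chain rsa
!     named-key realm-cisco.pub signature
!      key-string
!       <key material>
!      quit
!
! 1. Directory on flash where compiled signature state is stored
ip ips config location flash:ips/ retries 1
!
! 2. IPS rule name and event delivery over SDEE (replaces the old POP)
ip ips name IOSIPS
ip ips notify sdee
!
! 3. Retire every signature first, then un-retire only the "basic"
!    category. Compiling the full package without this step is what
!    exhausts router memory, since the package carries the same list
!    of signatures as a hardware IPS.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! 4. Apply the rule inbound on the interface facing the untrusted network
interface GigabitEthernet0/0
 ip ips IOSIPS in
!
! 5. Exec-mode commands (not config mode): load the package, then check
!    how many signatures compiled versus how many are retired
! copy flash:IOS-Sxxx-CLI.pkg idconf
! show ip ips signatures count
```

Step 5's `show ip ips signatures count` is the check worth keeping an eye on: a large "failed" count after loading usually means too few signatures were retired in step 3.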
