Cisco IOS Intrusion Prevention System (IPS)

Cisco IOS Intrusion Prevention System FAQ

Q.    What is the difference between the Cisco IOS® Intrusion Prevention System (IPS) and Cisco® IPS sensors?
A.     Cisco IOS IPS acts as an inline intrusion prevention sensor that can be enabled in Cisco IOS Software router platforms with security feature images. Cisco IPS sensors are dedicated, standalone IPS platforms that run on the Cisco IPS 4200 Series Sensor appliances and the Advanced Inspection and Prevention Security Services Modules (AIP-SSM) on the Cisco ASA 5500 Series security appliances.
Q.    What is the IPS subsystem version? How can I find it?
A.     The IPS subsystem version is a number used to keep track of Cisco IOS IPS feature changes. You can use the command show subsys name ips to show the detailed Cisco IOS IPS subsystem version.
Q.    Where can I download Cisco IPS Sensor Software Versions 5.x and 6.x format signature files for Cisco IOS IPS in Cisco IOS Software Release 12.4(11)T and later?
A.     You can download Cisco IPS 5.x and 6.x format signature files for Cisco IOS IPS from at:.
Users can also access this link from the Cisco Software Download page by clicking Security > Network Security > Integrated Threat Control > Cisco IOS Intrusion Prevention System Feature Software.
Q.    What are the basic and advanced signature sets?
A.     Cisco IPS signature packages contain a file that classifies signatures into various categories like OS vulnerability signatures or Windows vulnerability signatures. A signature may belong to more than one category. Two of those categories are intended especially for IOS IPS use: ios_ips basic category and ios_ips advanced category. Those categories serve as a recommended set of signatures to use with IOS IPS features. Users can add signatures to, or remove them from, those sets after unretiring one of those IOS-specific category signatures as described in detail at Getting Started with Cisco IOS IPS.
Q.    How many events are stored in the Cisco Security Device Event Exchange (SDEE)?
A.     Cisco SDEE is an application-level communications protocol that is used to exchange IPS messages between IPS clients and IPS servers. Cisco SDEE is always running, but it does not receive and process events from the IPS unless Cisco SDEE notification is enabled. If it is not enabled and a client sends a request, Cisco SDEE responds with a fault response message, indicating that notification is not enabled. When Cisco SDEE notification is enabled (by using the ip ips notify sdee command), by default, 200 events can be stored in the event buffer, whose size can be increased to hold a maximum of 1000 events. When Cisco SDEE notification is disabled, all stored events are lost. A new buffer is allocated when the notifications are re-enabled.
Q.    Does Cisco IOS IPS have fail-open capability?
A.     Yes. By default, Cisco IOS IPS has fail-open capability. It can be turned off by using the command ip ips fail closed. "Fail closed" implies dropping the packet. If fail closed is not turned on, the packet passes unscanned.
Q.    What happens if a signature does not load?
A.     If a particular signature does not load, Cisco IOS IPS cannot scan for that signature, but it continues to scan for all other loaded signatures.
Q.    Should IPS be configured for incoming and outgoing directions?
A.     Cisco IOS IPS can be deployed in both the incoming and the outgoing directions on an interface. The direction depends on the needs of your individual network and the traffic you want to scan.
Q.    Do I see alarms on a console?
A.     When Cisco IOS IPS triggers a signature, you will be able to see alerts on the console if “logging console” has been configured. Additionally, if syslog has been turned on, you will see alerts on the syslog server. Cisco SDEE should be enabled if you wish to see alerts. They can be received on Cisco Configuration Professional and Cisco IPS Manager Express (IME).
Q.    How do I change an action on a signature in Cisco IOS IPS?
A.     Cisco IOS IPS in Cisco IOS Software Release 12.4(11)T2 or later supports signature action configuration using the command-line interface (CLI), Cisco Configuration Professional, or Cisco Security Manager management applications. For details on CLI use, please refer to the Cisco IOS IPS configuration guide.
Q.    Can I configure IOS IPS on Cisco IOS Software releases earlier than 12.4(11)T or on any Cisco IOS Mainline release?
A.     No more signature updates are posted in the signature format used by Cisco IOS Software releases prior to 12.4(11)T; any Cisco IOS 12.4 release; and releases earlier than Mainline releases. Cisco therefore strongly recommends against configuring and using IOS IPS on routers running those IOS Software releases. We recommend that customers upgrade their router software to IOS Software Release 12.4(15)T9 or 15.0(1)M or later before turning on and configuring the IOS IPS feature as described in Getting Started with Cisco IOS IPS.
Q.    Can I load and scan simultaneously for all the signatures supported by IOS IPS?
A.     No. Cisco IOS IPS can load only a user-configurable subset of the signatures it supports at any given time. Increasing the available memory will allow loading more signatures at the same time, but even with the maximum amount of memory supported on a particular router model, it is not possible to load all the signatures simultaneously due to the limited size of scanning tables per each signature engine. Warning: Attempting to load all supported IOS IPS signatures at the same time may result in high CPU and memory usage, degraded performance, and a system crash.
Q.    How do I see which signatures are loaded?
A.     The following command on the router will display the loaded signatures: show ip ips signatures. Loaded (unretired) signatures will show with a “Y” in the “Cmp” column of the command output. Additionally, the IPS Signatures GUI in Cisco Configuration Professional or Cisco Security Manager can show which signatures are loaded (unretired) on the router.
Q.    How do I see the signature release version that is loaded on the router?
A.     Use the following command: show ip ips signatures to display the signature release version on the first line of the command output. Example: Cisco SDF release version S379.0. The term “SDF” stands for signature definition file and refers to the IPS signature package loaded onto the router.
Q.    How can signatures be tuned?
A.     Starting from Cisco IOS Software Release 12.4(11)T2, you can tune signatures using Cisco IOS CLI commands, the Cisco Configuration Professional application (for a single router), or the Cisco Security Manager application (for multiple routers). Cisco does not recommend use of the IOS IPS feature with IOS releases earlier than 12.4(11)T2, any Cisco IOS 12.4 release, or any release earlier than Mainline releases.
Q.    Can I still use the Security Device Manager (SDM) application to configure IOS IPS and tune signatures on a router?
A.     The SDM application supports IOS releases up to 12.4(15)T2 only. For later releases, the Cisco Configuration Professional application needs to be used.
Q.    What is the difference between active (unretired) and enabled signatures?
A.     If a signature is active (unretired), it is loaded on the router memory, and packets are scanned against it. When an active (unretired) signature is enabled and then triggered by a matching packet (or packet flow), it takes an appropriate action. If an active (unretired) signature is disabled, no action is taken even if it is triggered.
Q.    What does “inactive” mean on an engine?
A.     An inactive (retired) signature is not scanned for. A disabled signature is scanned for, but no action is taken even if it is triggered by a matching packet or flow.
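The active (unretired) versus enabled distinction above can be checked mechanically from show ip ips signatures output. The following Python sketch is an added example, not Cisco code: it reads the release version from the first line and classifies each signature from the “Cmp” column and the “En” column (which this FAQ names in a later answer). The sample text is constructed and simplified; the “Action” column and all row values are assumptions.

```python
import re

# Constructed, simplified excerpt in the style of `show ip ips signatures`
# (not captured from a router). The first line and the "En"/"Cmp" column names
# come from the FAQ; the "Action" column and every row value are assumptions.
SAMPLE_OUTPUT = """\
Cisco SDF release version S379.0

SigID:SubID  En  Cmp  Action
3050:0       Y   Y    A
1201:0       N   Y    A
1208:0       Y   N    A
"""

SCANNED_ACTING = "active and enabled: scanned, action taken"
SCANNED_SILENT = "active but disabled: scanned, no action taken"
NOT_SCANNED = "retired: not scanned"

def parse_signatures(text):
    """Return (release_version, {"sigid:subid": state}) from the command text."""
    release, cols, states = None, None, {}
    for line in text.splitlines():
        m = re.match(r"\s*Cisco SDF release version (\S+)", line)
        if m:
            release = m.group(1)
            continue
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "SigID:SubID" and {"En", "Cmp"} <= set(fields):
            # Find columns by header name so extra columns do not matter.
            cols = {name: i for i, name in enumerate(fields)}
            continue
        if cols is None or not re.fullmatch(r"\d+:\d+", fields[0]):
            continue  # banner, legend or engine heading
        if len(fields) <= max(cols["En"], cols["Cmp"]):
            continue  # truncated row, cannot be classified
        if fields[cols["Cmp"]] != "Y":
            states[fields[0]] = NOT_SCANNED
        elif fields[cols["En"]] == "Y":
            states[fields[0]] = SCANNED_ACTING
        else:
            states[fields[0]] = SCANNED_SILENT
    return release, states

def coverage_gaps(states):
    """Signatures that will not act on matching traffic, sorted by ID."""
    return sorted(s for s, st in states.items() if st != SCANNED_ACTING)

if __name__ == "__main__":
    release, states = parse_signatures(SAMPLE_OUTPUT)
    print("signature package:", release)
    print("not acting:", coverage_gaps(states))
```

Any value other than “Y” in either column is treated as "not loaded" or "not enabled", which matches what the FAQ states and avoids assuming the other codes the router may print.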
Q.    Does Cisco offer any support for IPS Signature licensing?
A.     Yes. Subscriptions for signature updates require a license (contract) that you can include in the Cisco SMARTnet services contract for an additional cost. Starting with Cisco IOS 15.0(1)M, a valid IPS Subscription license on the router will be required to load newly released IPS signatures on the Cisco 88x, 89x, 19xx, 29xx and 39xx platforms. To obtain and install this license, you need to purchase the Cisco Services for IPS contract relevant to the router model as well as the type and level of the desired SMARTnet deliverables. For more information, visit the Cisco Services for IPS page.
Q.    How is Cisco Configuration Professional different from the Cisco Security Manager?
A.     Cisco Configuration Professional is a single-device management tool. Using it, one can configure IOS IPS or any other feature on one router at a time using the GUI provided by the application. Cisco Security Manager is a “network level” management application. Using it, you can deploy a single IPS policy or configuration, or multiple ones, across multiple Cisco IOS IPS devices. For more information, visit How to Use CCP to Configure IOS IPS and How to Use CSM 3.1 to Configure IOS IPS.
Q.    How can I load a new signature package onto my router?
A.     You can download the latest signature package created for IOS IPS use into a local FTP or TFTP server through CLI from at You can use any FTP or TFTP server application running on your PC. You can then use the copy <Signature-package-file-name> idconf CLI command on the router to load the signature package to the router.
Q.    What is the best way to configure Cisco IOS IPS with a firewall?
A.     When configuring Cisco IOS IPS with a Cisco IOS Firewall, tune the inspection threshold values to best suit your network use. These inspection threshold values are used by both the Cisco IOS IPS and Cisco IOS Firewall features. Refer to the Cisco IOS IPS Deployment Guide for information about how to understand and tune these threshold values.
Q.    What is the effect on performance?
A.     Signatures in the IOS Basic and Advanced categories are tested for performance impact, and those that increase CPU use significantly are not included in those sets. However, when additional signatures are loaded, one or more of those added signatures may cause CPU spikes and thus significantly drop packet throughput with IPS features. Adding a few signatures at a time and checking CPU use after each addition should help identify badly performing signatures that should not be loaded. There is no linear correlation between the number of signatures loaded and their relative performance impact, although as more signatures are loaded, the probability of loading one or more badly performing signatures increases.
Q.    How much memory is consumed when deploying Cisco IOS IPS?
A.     As soon as Cisco IOS IPS is deployed on the interface, the signatures are compiled. The compilation process is highly CPU-intensive while the signatures are being compiled. Compilation can last up to 2 minutes, depending on the number of signatures being compiled. The number of signatures that can be loaded on a router is dependent on available (free) memory.
Q.    What happens if the connections start dropping with no signature (firing) during TCP SYN flood protection?
A.     Signature 3050 prevents half-open TCP SYN attacks. If 3050 is disabled, TCP resets are sent.
Q.    How does fragmentation work with Cisco IOS IPS?
A.     Signatures with IDs 1201 to 1208 are set to detect fragmentation. They drop fragments for the IP address. Virtual Fragment Reassembly (VFR) and Cisco IOS IPS overlap in this capability.
Q.    Is Cisco IOS IPS supported on older platforms such as the Cisco 1700 and 2600 Series Routers?
A.     Cisco IOS IPS in Cisco IOS Software Release 12.4(11)T2 and later T-train releases requires at least 128 MB of memory installed on the router. Cisco does not recommend using IOS IPS on those older platforms even with 128 MB memory due to limited signature coverage and CPU constraints.
Q.    What are signature microengines and signature categories?
A.     A signature microengine (SME) is a component of Cisco IOS IPS that supports signatures in a certain category. Each engine is customized for the protocol and fields it is designed to inspect, and it defines a set of legal parameters that have allowable ranges or sets of values. The SMEs look for malicious activity in a specific protocol. Signatures can be defined for any of the supported SMEs using the parameters offered by that microengine. Packets are scanned by the microengines that understand the respective protocols contained in the packet.
Q.    Does each signature category have the same effect on performance?
A.     No. Each signature category defines a different set of signatures, and they are designed to search and examine different portions of the packets. The deeper a signature has to look into a packet, the more processing it needs. Generally, STRING.TCP engine signatures need more processing time than the other engines.
Q.    Does each signature, signature category, or engine consume a similar amount of memory?
A.     No. Different signatures and engines consume different amounts of memory. Memory consumed depends on the particular set (combination) of signatures loaded on the router at a given time. There is no linear or other type of mathematical relation between the number of signatures loaded and the amount of memory consumed by them. A set of 100 signatures may consume more memory than another set of 150 signatures that contain simpler signatures. There is no way to guess the exact memory consumption by a particular set of selected (unretired) signatures before they are loaded (compiled) on the router. Typically, STRING.TCP engine signatures are more memory intensive than the other engine signatures.
Q.    What tools can be used to update the signature files on routers?
A.     IPS signature packages can be updated with Cisco Configuration Professional 1.x or Cisco Security Manager 3.1 or later, or using the router CLI.
Q.    Are Cisco IOS IPS signature updates synchronized with the signature updates for Cisco IPS appliances or modules?
A.     Signature updates on Cisco IOS Software routers are not always synchronized with the updates for Cisco IPS sensors or modules. However, IOS signature update packages are usually posted within a few days after the posting of updates for IPS sensors and modules.
Q.    How do I know if a new signature is supported on the routers?
A.     The easiest way to find out if a new signature is supported on the routers is to load a signature package released at the same time as, or after, that signature was first released by the Cisco IPS Signature Team. To find out the release date for a Cisco signature, you can go to, choose the Signatures radio button, enter the signature ID in the Keyword(s) box and click the Search button below. Once the loading of the package containing the signature is completed, you can type the CLI command show ip ips signature sigid <signature-ID> subid <signature-subid> on the router. If any detailed information is displayed about the signature by that command, then the signature is supported by IOS IPS. Otherwise, the router will display “Unable to locate Sig<signature-ID>:<signature-subid>”. Note that the signature must be unretired (showing a “Y” in the “Cmp” column of the output) and enabled (showing a “Y” in the “En” column of the output) to scan for matching traffic and take an action when triggered. Note also that only a subset of those signatures can be loaded and scanned for at the same time, depending on the available memory. Cisco recommends that IPS customers subscribe to IPS Active Update bulletins to receive notifications of new Cisco IPS signature releases.
Q.    What are the differences between the Cisco IPS Advanced Integration Module (IPS AIM), Cisco IPS Network Module (IPS NM), and Cisco IOS IPS?
A.     The Cisco IPS AIM for the Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers (ISR) is an internal security service module that provides dedicated CPU and memory to offload inline and promiscuous intrusion prevention processing. The Cisco IPS NM for the Cisco 2811, 2821, 2851 and 38x5 ISR and the Cisco 2911, 2921, 2951 and 39x5 ISR - Generation 2 (ISR G2) is an external network module that serves the same purpose with higher performance. Both modules run the latest Cisco IPS 7.x (dedicated) sensor software to provide feature parity with Cisco IPS 4200 Series Sensors and Cisco ASA 5500 Series Adaptive Security Appliances. The main differences between Cisco IOS IPS and the Cisco IPS AIM/NM follow:

  • The Cisco IPS AIM/NM offloads IPS processing from the main router CPU and memory. Hence, it can support all Cisco IPS signatures unretired by default simultaneously. Cisco IOS IPS runs on the router’s own CPU and memory and can load only a user-configurable subset of supported signatures at a given time.

  • The Cisco IPS AIM/NM also provides advanced IPS features such as zero-day attack protection and meta event signatures (across multiple sessions) that are not available in Cisco IOS IPS.

Q.    Can Cisco IOS IPS and the Cisco IPS AIM/NM be used together?
A.     No. Cisco IOS IPS and the Cisco IPS AIM/NM cannot be used together. Cisco IOS IPS must be disabled when the AIM IPS or the Network Module Enhanced (NME) IPS is installed.
Q.    What platforms support Cisco IOS IPS?
A.     The Cisco 87x, 88x, 89x, 18xx, 28xx, 38x5, 72xx, and 7301 routers, and the Cisco SR 520 Secure Router support Cisco IOS IPS. Starting with IOS 15.0(1)M, the next-generation ISR G2, namely, the 1921, 1941, 1941W, 29xx, and 39x5 routers, also support IOS IPS when deployed with a Security Feature license.
Q.    Does IOS IPS support multicast traffic?
A.     No.

For More Information

For more information about Cisco IOS IPS, visit