In Cisco IOS® Software T-Train Releases prior to 12.4(11)T Release, and in all Cisco IOS Software 12.4 Mainline Releases, IPS signature selection is done by loading an XML file onto the router. This file, called a signature definition file (SDF), contains a detailed description of each "selected" signature in Cisco IPS Sensor Software 4.x signature format. The latest versions of the SDFs that contain complete sets of IPS signatures supported in Cisco IPS Sensor Software 4.x format, and of the SDFs that contain the Cisco-recommended Basic and Advanced protection signature sets (files 128MB.sdf and 256MB.sdf, respectively), can be downloaded from Cisco IOS IPS SDFs in Cisco IPS Sensor Software 4.x signature format (login required).
Note: Cisco will not provide any updates for signatures in Cisco IPS Sensor Software 4.x format after May 2008. Cisco IOS IPS users are strongly advised to upgrade their router image to Cisco IOS Software 12.4(11)T2 or a later release at their earliest convenience.
Provisioning, loading, customization, and deployment of attack signatures for Cisco IOS IPS in Cisco IOS® Software T-Train Releases prior to 12.4(11)T Release and in all 12.4 Mainline Releases may be done using Cisco Router and Security Device Manager (SDM) v2.3 for a small number of routers and Cisco Security Manager (CSM) 3.01 for deployments with 10 or more routers. For more information, refer to the Configuring Cisco IOS IPS Using SDM or CLI or Configuring Cisco IOS IPS Using IPSMC2.2 guides.
Upon detecting an attack signature, the Cisco IOS IPS feature can send a syslog message or an alarm in Secure Device Event Exchange (SDEE) format. Cisco SDM v2.3 may be used to monitor events generated by a single router, and Cisco IPS Event Monitor may be used to monitor IPS events generated by up to five routers.
For monitoring events from more than five routers, Cisco highly recommends the Cisco Security Monitoring, Analysis, and Response System (MARS) appliance for network-wide monitoring and correlation of IPS alarms, although any compatible monitoring application or device may be used. Cisco Security MARS also supports automated tuning of IPS signatures on Cisco IOS routers, based on correlation of those alarms and threat mitigation rules defined for this purpose.
More information on CLI-based configuration of Cisco IOS IPS in the releases discussed in this document can be found in the Configuration Guide for Cisco IOS IPS in 12.4(9)T or earlier Releases. For a list of signatures supported by Cisco IOS IPS in Cisco IOS Software Release 12.4(9)T or earlier T-Train releases and in all 12.4 Mainline releases, see the Cisco IPS Sensor Software 4.x Format Signatures Supported by Cisco IOS IPS white paper.
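The SDF loading and the syslog and SDEE alarm delivery described above, sketched as a CLI configuration for these releases. This is an added example, not taken from the Cisco guides referenced here; the rule name EDGE-IPS, the interface, the flash location of the SDF, the event buffer size and the choice of HTTPS for SDEE retrieval are assumptions.

```cisco
! Added example. Assumes 128MB.sdf (the Basic signature set) has already
! been copied to the router's flash.
ip ips sdf location flash:128MB.sdf
!
! Drop packets instead of forwarding them uninspected while the
! signature engines are not yet built.
ip ips fail closed
!
! Report signature matches both as syslog messages and as SDEE alarms.
ip ips notify log
ip ips notify sdee
!
! SDEE clients pull events from the router's web server; the HTTPS
! server is enabled here (assumption) so alarms are not sent in clear text.
ip http secure-server
! Number of SDEE events kept in the router's buffer (value is an assumption).
ip sdee events 500
!
! Create the IPS rule (hypothetical name) and inspect inbound traffic
! on the outside interface (hypothetical interface).
ip ips name EDGE-IPS
interface FastEthernet0/0
 ip ips EDGE-IPS in
```

After applying the rule, `show ip ips configuration` shows the SDF location, the notification settings, and the interfaces on which the rule is active.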
