44-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 44 Configuring IOS IPS Routers
Overview of Cisco IOS IPS Configuration
Step 3 Syslog is configured for IPS notifications by default. If you want to use SDEE for notifications, enable SDEE:
router# configure terminal
router(config)# ip ips notify sdee
Step 4 Select a signature category to compile. For detailed information, see Selecting a Signature Category for Cisco IOS IPS, page 44-6.
Selecting a Signature Category for Cisco IOS IPS
Cisco IPS appliances and Cisco IOS IPS with IPS 5.x format signatures operate with signature categories. All signatures are grouped into categories; the categories are hierarchical. An individual signature can belong to more than one category. Top-level categories help to define general types of signatures. Subcategories exist beneath each top-level signature category. (For a list of supported top-level categories, use your router CLI help (?) with the category command.)
Router memory and resource constraints prevent a router from loading all Cisco IOS IPS signatures. Thus, it is recommended that you load only a selected set of signatures that are defined by the categories. Because the categories are applied in a “top-down” order, you should first retire all signatures, followed by “unretiring” specific categories. Retiring signatures enables the router to load information for all signatures, but the router does not build the parallel scanning data structure.
Retired signatures are not scanned by Cisco IOS IPS, so they do not fire alarms. If a signature is irrelevant to your network or if you want to save router memory, you should retire signatures, as appropriate.
Security Manager does not manage the signature category command. You cannot configure it directly with a policy. However, you can configure the FlexConfig policy to include a FlexConfig object that configures the command. There is a predefined object, IOS_IPS_SIGNATURE_CATEGORY, that you can use. If you want to configure a different category than basic, make a copy of the object and edit it. For information on how to use FlexConfigs, see Chapter 7, “Managing FlexConfigs”.
Tip If you do not use the category command to select a subset of IPS signatures that the device will attempt to compile, Security Manager will configure the category command to enable the IOS IPS Basic category to prevent the device resources from being overloaded. You can change the category manually on the device to select another set of signatures to compile. We recommend that you configure the category before adding the device to Security Manager; however, this is not possible if you add the device through manual definition.
The following example shows how to first retire all signatures, then to configure the basic category and unretire the basic signatures:
Router> enable
Router# configure terminal
Router(config)# ip ips signature-category
Router(config-ips-category)# category all
Router(config-ips-category-action)# retired true
Router(config-ips-category-action)# exit
Router(config-ips-category)# category ios_ips basic
Router(config-ips-category-action)# retired false
Router(config-ips-category-action)# exit
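The “top-down” rule above is easy to get wrong when the category block is hand-edited in a FlexConfig object: if a specific category is unretired before category all is retired, the later retire-all entry is applied after it and the router ends up with nothing unretired. The following script is an added example and is not part of the Cisco guide or of Security Manager; the function names (build_category_block, parse_category_events, check_category_order) are hypothetical. It generates the block in the correct order for a list of categories and checks an existing block, with or without router prompts, for the ordering mistake and for a missing retire-all entry.

```python
# Added example (not from the Cisco Security Manager guide): build the
# `ip ips signature-category` block in the required top-down order and
# check an existing block for the ordering pitfall the guide describes.
import re
from typing import List, Optional, Sequence, Tuple

CATEGORY_RE = re.compile(r"^category\s+(.+?)\s*$")
RETIRED_RE = re.compile(r"^retired\s+(true|false)\s*$")


def build_category_block(keep: Sequence[Tuple[str, str]]) -> List[str]:
    """Return CLI lines that retire every signature and then unretire only
    the (family, category) pairs in `keep`, e.g. ("ios_ips", "basic")."""
    lines = [
        "ip ips signature-category",
        " category all",
        "  retired true",
        "  exit",
    ]
    for family, name in keep:
        lines += [f" category {family} {name}", "  retired false", "  exit"]
    lines.append(" exit")  # leave config-ips-category mode
    return lines


def parse_category_events(lines: Sequence[str]) -> List[Tuple[str, bool]]:
    """Walk a block (plain config or a transcript with 'Router(...)#' prompts)
    and return (category, retired) pairs in the order the router applies them."""
    events: List[Tuple[str, bool]] = []
    current: Optional[str] = None
    for raw in lines:
        # Drop a leading prompt such as "Router(config-ips-category)# ".
        text = raw.split("#", 1)[1] if "#" in raw else raw
        text = text.strip()
        m = CATEGORY_RE.match(text)
        if m:
            current = m.group(1)
            continue
        m = RETIRED_RE.match(text)
        if m and current is not None:
            events.append((current, m.group(1) == "true"))
    return events


def check_category_order(lines: Sequence[str]) -> List[str]:
    """Report entries that defeat the retire-all-then-unretire pattern."""
    problems: List[str] = []
    events = parse_category_events(lines)
    retire_all_at = next(
        (i for i, (cat, retired) in enumerate(events) if cat == "all" and retired),
        None,
    )
    if retire_all_at is None:
        problems.append(
            "no 'category all' with 'retired true': the router will try to "
            "compile every signature and may exhaust memory"
        )
        return problems
    for i, (cat, retired) in enumerate(events):
        if cat == "all" and not retired:
            problems.append("'category all' is unretired: every signature is compiled")
        elif not retired and i < retire_all_at:
            problems.append(
                f"'{cat}' is unretired before 'category all' is retired; the "
                "later retire-all entry is applied after it, so it stays retired"
            )
    return problems


if __name__ == "__main__":
    block = build_category_block([("ios_ips", "basic")])
    print("\n".join(block))
    print(check_category_order(block) or ["ok: retire-all precedes every unretire"])
```

The generated block can be pasted into a copy of the IOS_IPS_SIGNATURE_CATEGORY FlexConfig object; running check_category_order over a transcript like the one above returns an empty list, while a block that lists a specific category before category all returns one finding per misplaced category.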