The previous commands configured global parameters, but to configure an IDS policy you must create a named IDS policy. The named IDS policy is then applied to an interface, which activates both the global IDS settings and the named IDS policy that you have configured. The commands for creating a named IDS policy are similar to the commands that create the global policies for information signatures and attack signatures. The only difference with a named policy is that you supply a name, and it is that name that is later applied to an interface. The commands to create a named policy for information and attack signatures are

Router(config)# ip audit name audit-name info action [alarm] [drop] [reset]
Router(config)# ip audit name audit-name attack action [alarm] [drop] [reset]

To create an IDS policy named SECUR for information signatures with the actions of alarm and reset, use the following command:

Router(config)# ip audit name SECUR info action alarm reset

To create an IDS policy named SECUR for attack signatures with the actions of drop and reset, use the following command:

Router(config)# ip audit name SECUR attack action drop reset

Choose the actions with care: alarm only reports, whereas drop and reset act on live traffic, so a signature that fires on legitimate traffic will interrupt that traffic. Many deployments begin with alarm only and add drop or reset once the alarms have been reviewed.

Applying an IDS Inspection Rule

Once you create a named IDS policy, you must apply that policy to an interface to activate the IDS services. First enter interface configuration mode, and then use the following command, choosing whether the policy inspects traffic entering (in) or leaving (out) that interface:

Router(config-if)# ip audit audit-name {in | out}

To apply the SECUR policy to inbound traffic, issue the following command:

Router(config-if)# ip audit SECUR in

Figure 6.5 shows how to configure an IDS policy and how to apply the policy to an interface.

Figure 6.5. Creation of IDS policy.
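The steps above form one procedure: global settings, a named policy, an interface binding, then verification. The following is an added example, not code from the page or from the figure. The global commands ip audit notify log and ip audit po max-events are assumed to be the ones set in the earlier section; the interface Serial0/0 is illustrative, and the policy name SECUR is the one used in the text.

```cisco
! Added example (not from the page). Assumed global settings from the
! earlier section: send IDS alarms to syslog and cap queued events at 100.
Router(config)# ip audit notify log
Router(config)# ip audit po max-events 100
!
! Named policy SECUR: info signatures alarm and reset, attack signatures
! drop and reset. Both entries share the name, so a single
! "ip audit SECUR" on an interface activates both. If one signature type
! has no named entry, the global default action for that type
! (ip audit info action / ip audit attack action, alarm unless changed)
! applies when the policy is bound to an interface.
Router(config)# ip audit name SECUR info action alarm reset
Router(config)# ip audit name SECUR attack action drop reset
!
! Bind the policy to inbound traffic on the untrusted interface
! (interface name is illustrative). Nothing is inspected until this step;
! a named policy that is defined but not applied does no work.
Router(config)# interface Serial0/0
Router(config-if)# ip audit SECUR in
Router(config-if)# exit
!
! Verify: named policies with their actions, then the interface binding
! and its direction.
Router# show ip audit configuration
Router# show ip audit interfaces
! Packet and signature counters increase only once matching traffic
! actually crosses the bound interface.
Router# show ip audit statistics
```

To back the change out, remove the interface binding first (no ip audit SECUR in under the interface) and then delete the named policy with no ip audit name SECUR; removing the policy while it is still bound leaves the interface referencing a rule that no longer exists.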
Configuring Exclusions for IDS Inspection

As mentioned previously, you should disable signatures for protocols and applications that are not running on your network. Disabling signatures for unused protocols and applications enhances IDS performance and decreases the CPU utilization associated with IDS services.