a specific service.

Port scan: An attacker scans all ports or all well-known ports in an attempt to find services running.

TCP SYN flooding: An attacker tries to compromise the availability of a server to serve legitimate sessions. The aim is to make the server run out of resources.

These are examples of exploit signatures in the application layer:

When hackers attempt to penetrate a particular network, the hackers often need to learn as much information as possible about the network before launching attacks. An example of how an attacker learns information is a Domain Name System (DNS) query, which reveals information such as who owns a particular domain and what addresses have been assigned to that domain.
Malicious code that operates at the application layer including worms, viruses, Trojan horses, adware, and malware.

Figure presents the signature ID, name, and description of common signatures.

Content 6.5 Configuring Cisco IOS IPS 6.5.1 Cisco IOS IPS Signature Definition Files (SDF) The Cisco IOS IPS acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures. When the IPS detects suspicious activity, the IPS responds before network security can be compromised. It then logs the event through syslog or Security Device Event Exchange (SDEE) protocol. SDEE is an application level communication protocol that is used to exchange IPS messages between IPS clients and IPS servers. SDEE provides a secure communication path using Secure Socket Layer (SSL) (Secure HTTP [HTTPS]). SDEE replaced the Post Office Protocol (POP) on Cisco IOS routers. Cisco IOS IPS offers configuration flexibility by providing these two functions:

The administrator can load the built-in signature database (available in the Cisco IOS image itself), load a specific signature database file (sdf), or even merge different databases to extend the protection scope.
Individual signatures can be disabled or tuned in case of false positives.

Figure summarizes these points. Downloading Signatures from Cisco.com
Cisco SDFs are updated and posted to Cisco.com on a regular basis. Thus, customers can download signatures that help protect networks from the latest known network attacks. Figure shows examples of downloadable signature definition files. Multiple definition sources are available, such as the default, built-in signatures that are shipped with the routers, or the SDF files named 64MB.sdf, 128MB.sdf, and 256MB.sdf. The files differ in the number of configured signatures. The administrator should select the appropriate SDF file based on the amount of RAM memory in the router.

Content 6.5 Configuring Cisco IOS IPS 6.5.2 Cisco IOS IPS Alarms When a signature is matched, the IPS responds in real time, before network security can be compromised and then logs the event through Cisco IOS syslog messages or SDEE. You can configure IPS to choose the appropriate response to various threats. Figure describes the configurable actions that the Cisco IOS IPS Alarms feature provides. When packets in a session match a signature, IPS can take any of these actions, as appropriate:

Send an alarm to a syslog server or a centralized management interface. This action is typically combined with other preventive actions.
Drop the packet. This action is effective for all IP protocols and does not affect any legitimate user if the source IP address was spoofed.
Reset the connection. This action works only for TCP sessions.

Note
The sensor sends TCP restore (RST) to both communication endpoints and spoofs the source IP address in those TCP RST packets. For example, if Endpoint A and Endpoint B were communicating via TCP, the sensor sends RST to Endpoint A pretending to be Endpoint B, and to Endpoint B pretending to be Endpoint A.

Block traffic from the source IP address of the attacker for a specified amount of time. This action imposes a penalty on the attacker IP address.
Block traffic on the connection on which the signature was seen for a specified amount of time. This action imposes a penalty on the attacker session.

Cisco IOS IPS Alarm Considerations
You can configure a combination of actions when a signature is triggered. Typically, you combine an alert with some preventive action, such as packet drop. Figure describes the considerations when configuring the Cisco IOS IPS Alarm feature, one of the considerations when implementing signatures. Cisco IOS IPS can report IPS intrusion alerts either using syslog or SDEE. SDEE is more secure and therefore recommended, because SDEE uses HTTPS to exchange data. Cisco IOS routers use SDEE to report IPS events to the SDM. Note
Although SDM provides secure communications, SDM monitoring capabilities are limited in that SDM is not a real-time monitoring tool and does not offer advanced filtering and correlation features. For a fully functional monitoring solution, deploy other Cisco tools, such as Cisco Security Monitoring, Analysis, and Response system (CS-MARS) or CiscoWorks Monitoring Center for Security, which is a component of the VPN/Security Management Solution. When implementing a Cisco IOS-based IPS, you should consider the following:

With IP address blocking, you may block a legitimate user whose address was spoofed by an attacker. This method is recommended in environments where IP spoofing is unlikely.
With connection blocking, a potential connectivity disruption in case of address spoofing is less likely. This is the case because establishing a bidirectional session using a spoofed IP address is difficult because return traffic typically never reaches the attacker. The disadvantage of connection blocking is that the hacker can use other protocols or ports to attack the target.

Content 6.5 Configuring Cisco IOS IPS 6.5.3 Configuring Cisco IOS IPS Cisco IOS IPS Configuration Steps
To set up Cisco IOS IPS, you need to configure basic IPS settings and, optionally, use the enhanced settings. Figure describes the steps you use to configure the Cisco IOS IPS feature. There are four basic configuration steps:

Specify the SDF to load the signatures from.
Configure a failure parameter that defines whether to block or forward traffic if signature microengines (SMEs) are not operational.
Create an IPS rule and, optionally, combine the rule with an access control list (ACL) for traffic filtering purposes.
Apply the IPS rule to an interface.

These are the enhanced configuration steps:

Merge two or more SDFs to increase the signature coverage.
Delete, disable, or filter individual signatures.
Reapply the IPS rule to an interface for the changes to take effect.

When you are finished these steps, verify the IPS configuration and operations. Basic IOS IPS Configuration
Figure shows an example of a simple Cisco IOS IPS configuration. The default command ip ips sdf builtin does not appear in this IPS configuration example because the configuration specifies the default built-in SDF. This file contains 100 signatures, and with sub-signatures, the total number of signatures is 132. The keyword builtin is the default option of the ip ips sdf command. The command ip ips fail closed instructs the router to drop all traffic if any of the SMEs that should scan the data are not available. This command has no other parameters. If the SMEs are unavailable and you want to forward the packets without scanning, use the no ip ips fail closed command. The command ip ips name SECURIPS is used to create an IPS rule. The IPS rule can be combined with an ACL. In this example, SECURIPS is combined with ACL 100. This optional standard or extended ACL filters