help fine-tuning new signatures

Unanswered Question
Jul 23rd, 2008
User Badges:

Could anyone please help. I recently installed a PIX 5520 with AIP-SSM-10. I can manage the sensor just fine and am using "configuring Cisco IPS using CLI 6.0" as a reference. I recently downloaded new signatures as sig1 on my sensor. when I enable the sensors and put them in non-blocking mode after an hour they are blocking half of my users to the INternet. How do I fine-tune the 50K new signatures? Are there any really good examples and references you might know about?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
blasmoreno Wed, 07/23/2008 - 06:25
User Badges:

correction on my part. I installed a new ASA 5520 :-)

delawarecity Thu, 07/24/2008 - 10:18
User Badges:

You should be able to quickly locate which signatures are causing problems by using either the ASDM or IPS Express Manager. If you dont have either of these programs go to Cisco's site and download them.

You can use the event viewer in either program and look for signatues which have actions of blocking or dropping packets from your internal users. You should then be able to tune only the signatures causing problems.

Also, when you download the new signatues, look at the txt document that is released with it. It should list any new signatures as well as any changes to old signatures.

blasmoreno Thu, 07/24/2008 - 11:27
User Badges:

Thanks very much, I will give that a go. I also read that the sensor should be in learning mode for a few days. What is your opinion and have you had any luck with that?


This Discussion