help fine-tuning new signatures

blasmoreno
Level 1

Could anyone please help? I recently installed a PIX 5520 with AIP-SSM-10. I can manage the sensor just fine and am using "configuring Cisco IPS using CLI 6.0" as a reference. I recently downloaded new signatures as sig1 on my sensor. When I enable the sensors and put them in non-blocking mode, after an hour they are blocking half of my users to the Internet. How do I fine-tune the 50K new signatures? Are there any really good examples and references you might know about?

blasmoreno
Level 1

Correction on my part. I installed a new ASA 5520 :-)

delawarecity
Level 1

You should be able to quickly locate which signatures are causing problems by using either the ASDM or IPS Express Manager. If you don't have either of these programs, go to Cisco's site and download them.

You can use the event viewer in either program and look for signatures which have actions of blocking or dropping packets from your internal users. You should then be able to tune only the signatures causing problems.

Also, when you download the new signatures, look at the txt document that is released with it. It should list any new signatures as well as any changes to old signatures.

Thanks very much, I will give that a go. I also read that the sensor should be in learning mode for a few days. What is your opinion and have you had any luck with that?
