Is there a good guide on configuring the IPS?

Jul 23rd, 2008

1. I "denied" IDs 1109/0, 1109/1, 1109/2, 1109/3, all Cisco IOS Interface DOS. The above was configured in IDM>Configuration>Policies>Signature Definitions>sig0>Active Signatures. Denying the above denied all Internet activity. How do I know which signatures to deny without bringing down necessary services?


2. None of the Adware/Spyware signatures are marked as Deny in the default configuration. Will denying the above affect the network?

IDM>Configuration>Policies>Signature Definitions>sig>Adware/Spyware

3. Of the 3018 Viruses/Worms/Trojans signatures, only 3 have been configured by default to be denied. Common sense would dictate denying all packets matching the above signatures. Would denying the above packets affect the network or Internet connection?

Is there any good handbook/resource on configuring the IPS?

Thanks.

Said

mhellman Wed, 07/23/2008 - 14:34

I don't know of a good resource.


I think you will find that people use different approaches to this depending on their tolerance for false positives and denying legitimate traffic. I work at a largish financial company, and I wouldn't dare enable a drop/deny action unless I knew it had a zero false positive rate. My assumption is simple: all signatures have false positives unless I can prove otherwise ;-)
