AIP SSM and Virtual Sensors

Answered Question
Oct 8th, 2008

I am just setting up an AIP SSM module in an ASA 5520 with a single security context.

Do I need to configure virtual sensors in this instance? Or can I just use the default VS0? In the IPS documentation it says "You cannot change the signature definition, event action rules, or anomaly detection policies." for the default virtual sensor (VS0), which is the only virtual sensor I have.

Can anybody clarify what that means? Does it in any way restrict the usefulness of the IPS if I do not configure a separate VS?

Thanks very much.

Correct Answer by marcabal about 8 years 2 months ago

A single virtual sensor vs0 is fine, especially when monitoring only a single security context.

The statement about not changing signature definition, event actions rules, or anomaly detection policies can be a little misleading.

What it is trying to say is that you can't create whole new policies sig1, rules1, and ad1 and try to apply them to vs0. The default vs0 has to use sig0, rules0, and ad0.

If you created a new vs1, then you could apply new policies like sig1, rules1, and ad1 to that new vs1.

It does NOT mean that you can't make config changes within sig0, rules0, and ad0.

So feel free to make config changes to sig0, rules0 and ad0 to fine tune how your vs0 should handle the traffic.

It is just the Names of the policies that can't be changed when using vs0.

ricey Wed, 10/08/2008 - 05:35

Marcabal,

Thanks very much for clarifying that.
