Simple signatures question!!!

rodrigo.cisco
Level 4

Hi Cisco team,

I have a simple question for you. Why are most signatures disabled by default? Is there any explanation? Why are they obsolete? Which signatures should I enable and which should I disable?

Could you help me, please?

Regards,

Rodrigo Alves

Accepted Solutions

rmeans
Level 3

My thoughts in no order.

Signatures set to disabled by default

a. Some signatures are for vulnerabilities that are very old. The signatures would only be needed in rare instances. Setting the signature to default can save the IPS resources.

b. The quality of a signature may not be very high. If the signature is enabled, a lot of false positives might be generated, thus creating frustration for the admin.

I could continue but I think you get the idea.

Which signatures should be enabled?

The signatures that meet your environmental needs should be enabled. If you are an all-Windows shop, you don't need Unix-oriented signatures. In addition, you should enable signatures that match your organization's security policies.

I would start with the signatures Cisco has enabled by default. As you feel comfortable with the alerts, tune false positives, and correct problems, enable more signatures.

2 Replies

Thanks a lot for your answer!!! It helped so much.
