How to enable IDSM-2 Signature through GUI

Unanswered Question
Jul 22nd, 2009

Hi Guys,

We are using an IDSM-2 module in a Cisco 6509 chassis. I believe that only the default signatures were enabled on it at the time of implementation. Now when I monitor it (I use Cisco IDM as the GUI to access IDSM-2), like after 6 months, I could find that it has a bulk of signatures on it which are not enabled. Could you please guide me how to enable these signatures on IDSM without increasing the load on it?

rhermes Mon, 07/27/2009 - 08:05

Welcome to the world of tuning your sensor.

First thing you should know is that all signatures were not meant to be enabled simultaneously. Some signatures are appropriate for your environment and some are not (say you run a Linux only shop). Some signatures have such a high false positive rate that they are essentially useless. Some signatures are actionable (meaning you can do something about it), others are not (like scans and recon sigs). You need to define what your goals of having an IPS are:

To generate pretty reports for management?

To investigate all your high severity events to clean up your infected hosts?

To "set it and forget it"?

Your goals will drive you toward an appropriate set of signatures and actions you wish enabled. As always, watch your sensor load when you make changes; you don't want to overload that thing and start missing packets.
