How to deploy custom signatures to a group of IPS using CSM

Sep 20th, 2009

Hi folks,

I started scratching my head after realizing that I need to have a custom set of signatures trimmed to fit the client's requirement. Let's assume I disabled and retired unneeded signatures and tuned others, making one staging IPS trimmed and ready to fire only those relevant signatures. Now my question is about how to deploy these prepared signatures to other live IPS sensors. And the most important question: is there a mechanism that keeps those previously deployed signatures after a signature update from the Cisco site?


Eugene

rhermes Mon, 09/21/2009 - 08:14

Yes, CSM has this feature.

Edit the signatures on one sensor, including your custom sigs. Then make a Policy from that sensor's signature setting. This policy can be applied to any of your other sensors in CSM.

New and changed signature updates should not alter your custom (non-default) signature settings (but rarely they do when Cisco messes up, so keep track of your current settings somewhere safe).

zheka_pefti Wed, 10/21/2009 - 11:48

Hi Hermes,

I was away for some other assignments and projects and didn't have a chance to try what you suggested.


If you don't mind, can you please provide your comments and details on how to do it?


1) I'm editing signatures through CSM, changing their alert actions, number of counts and so on to suit the client's environment. By the way, I have to change the Source Policy from Default to Local to do it, haven't I?


2) How will I "make a Policy from that sensor's signature setting"? Should I right-click on the Signatures (see attached printscreen called Signatures tuning1.jpg) or go to Policy View and create a new signature policy similar to the printscreen Signatures tuning2.jpg?


3) When I assign the sensor to this newly created IPS Signatures Shared Policy I end up with a warning. How should I proceed? See Signatures tuning3.jpg



zheka_pefti Wed, 10/21/2009 - 12:04

And there's one more thing I'd like to clear up: it turns out there's no way to apply a license to the sensor from CSM. Should it only be done from IME or IDM? What's the purpose of CSM if there's no way to do such a routine task?

rhermes Wed, 10/21/2009 - 12:39

CSM can automatically push sensor licenses to sensors:

go to Tools > Administration > Licenses

(after you configure CSM with your CCO credentials) go to the IPS Tab and hit the "Update Selected via CCO" button.

zheka_pefti Wed, 10/21/2009 - 12:54

Hm...

Thanks a lot!!!

I'm under the impression that Cisco intentionally hid it. It's so far away from the eyes of the beholder ;)

And I actually was there but didn't see the tab with IPS.

zheka_pefti Wed, 10/21/2009 - 14:17

Any luck on my previous question regarding signatures customization?
