How to deploy custom signatures to a group of IPS using CSM

zheka_pefti
Level 2

Hi folks,

I started scratching my head after realizing that I need to have a custom set of signatures trimmed to fit the client's requirement. Let's assume I disabled and retired the signatures that aren't needed and tuned the others, making one staging IPS trimmed and ready to fire only the relevant signatures. Now my question is how to deploy these prepared signatures to other live IPS sensors. And the most important question: is there a mechanism that keeps those previously deployed signatures after a signature update from the Cisco site?

Eugene

6 Replies

rhermes
Level 7

Yes, CSM has this feature.

Edit the signatures on one sensor, including your custom sigs. Then make a Policy from that sensor's signature setting. This policy can be applied to any of your other sensors in CSM.

New and changed signature updates should not alter your custom (non-default) signature settings (but rarely they do when Cisco messes up, so keep track of your current settings somewhere safe).

Hi Hermes,

I was away for some other assignments and projects and didn't have a chance to try what you suggested.

If you don't mind, can you please provide your comments and details on how to do it?

1) I'm editing signatures through CSM, changing their alert actions, number of counts and so on to suit the client's environment. By the way, I have to change the Source Policy from Default to Local to do it, haven't I?

2) How will I "make a Policy from that sensor's signature setting"? Should I right-click on the Signatures (see attached printscreen called Signatures tuning1.jpg) or go to Policy View and create a new signature policy similar to the printscreen Signatures tuning2.jpg?

3) When I assign the sensor to this newly created IPS Signatures Shared Policy I end up with a warning. How should I proceed? See Signatures tuning3.jpg

And there's one more thing I'd like to clear up: it turns out there's no way to apply a license to the sensor from CSM. Should it only be done from IME or IDM? What's the purpose of CSM if there's no way to do such a routine task?

CSM can automatically push sensor licenses to sensors:

Go to Tools > Administration > Licenses

(after you configure CSM with your CCO credentials), go to the IPS tab and hit the "Update Selected via CCO" button.

Hm...

Thanks a lot!!!

I'm under the impression that Cisco intentionally hid it. It's so far away from the eyes of the beholder ;)

And I actually was there but didn't see the tab with IPS.

Any luck on my previous question regarding signatures customization?
