Preventing or stopping attack with no signature or disabled signature

Answered Question
Dec 9th, 2013
User Badges:

Hi IPS Expert,


Our IPS is still set as signature based and anomaly detection is not enabled.

Is there a guideline that you can recommend to address to stop/prevent attack with no signature or disabled signature.

I understand that if the signature is not enabled, it will not also create event or alert.

This means we will not have a clue when to stop.


Regards,

Jhun                

Correct Answer by rhermes about 3 years 8 months ago

Jhun -


There are several reasons why a signature may be disabled by default, but usually they are not active for good reason.


Signatures have a natural lifespan, they are created, tuned to detect variants of the initial attack/vulnerability. Later in their life, once the vulnerability has been mostly fixed or patched, they may be disabled. Finally once they become old enough to have little use at all they get retired.


Other reasons a signature may be disabled is that the signature results in a high false positive rate. If you have someone performing analysis on the events that your IPS generates, you will be wasting their time and talent with non-productive signature events. This is the most common reason a signature gets disabled in an active sensor.


The final reason you may want a signature (or family of signatures) disabled is they do not violate you security policy. If your organization allows peer to peer file sharing, they you would not need signatures to stop that activity.



- Bob

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
rhermes Wed, 12/11/2013 - 17:10
User Badges:
  • Gold, 750 points or more

Jhun -


There are several reasons why a signature may be disabled by default, but usually they are not active for good reason.


Signatures have a natural lifespan, they are created, tuned to detect variants of the initial attack/vulnerability. Later in their life, once the vulnerability has been mostly fixed or patched, they may be disabled. Finally once they become old enough to have little use at all they get retired.


Other reasons a signature may be disabled is that the signature results in a high false positive rate. If you have someone performing analysis on the events that your IPS generates, you will be wasting their time and talent with non-productive signature events. This is the most common reason a signature gets disabled in an active sensor.


The final reason you may want a signature (or family of signatures) disabled is they do not violate you security policy. If your organization allows peer to peer file sharing, they you would not need signatures to stop that activity.



- Bob

ebanzuel23 Wed, 12/11/2013 - 22:13
User Badges:

Thanks Bob,


This is very informative.

This means that I will need to rely on CISCO's evaluation of signature.


I am just worried that if there are attack without signature yet something like a zero day, we really want to know what will be the better approach.


Regards,

Jhun

Actions

This Discussion