Hi IPS Expert,
Our IPS is still set as signature based and anomaly detection is not enabled.
Is there a guideline that you can recommend to address to stop/prevent attack with no signature or disabled signature.
I understand that if the signature is not enabled, it will not also create event or alert.
This means we will not have a clue when to stop.
There are several reasons why a signature may be disabled by default, but usually they are not active for good reason.
Signatures have a natural lifespan, they are created, tuned to detect variants of the initial attack/vulnerability. Later in their life, once the vulnerability has been mostly fixed or patched, they may be disabled. Finally once they become old enough to have little use at all they get retired.
Other reasons a signature may be disabled is that the signature results in a high false positive rate. If you have someone performing analysis on the events that your IPS generates, you will be wasting their time and talent with non-productive signature events. This is the most common reason a signature gets disabled in an active sensor.
The final reason you may want a signature (or family of signatures) disabled is they do not violate you security policy. If your organization allows peer to peer file sharing, they you would not need signatures to stop that activity.