Which School of thought for sig defaults.

Sep 25th, 2006

Just wanted to get an idea of what others thought about signatures that are enabled by default with an action.

In our environment we've already seen a few false positives but we have all signatures set for "alert only" for now. We got hit by the ASA normalizer and the MSS Exceeded event so I wanted to make sure we didn't get hit when we enabled the AIP-SSMs.

Having signatures enabled with actions set in theory gives more immediate protection, but it stops us from being able to run auto updates effectively because we prefer to test signatures for false positives for a few days at least before configuring for drop/reset.

So in my case I'd like to see any drop/block/reset actions set on by default. That would allow me to update my signatures via SCP on a timely basis and not have to be here to turn off any actions.

Am I the lone minority on this and how do others handle sig updates? We are a small team and anything we can automate is a huge plus.

norriscr1 Wed, 10/04/2006 - 06:52

Yes that's what we're already doing. My question was more in terms of how others felt about the fact that some signatures come enabled with actions specified.

We use SCP to do the updates but then I have to go disable actions until we're comfortable that there won't be any false positives that interfere with valid traffic. Having to do that adds another manual step.

In essence the steps are

1. Manual download of updates from Cisco onto SCP/FTP server.

2. Automatic scheduled update to our 2 AIP-SSMs.

3. Manual retuning of signatures.

So in essence we don't gain much/anything from the scheduled auto updates. If we have a dozen IPS sensors then the auto update would be a time saver but for us there's little value.

Just wanted to know if others had the same view.
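The manual step 3 above (retuning newly delivered signatures back to alert-only for a test window) is what a small team would most want to script. The following is an added example, not code from this thread and not a Cisco tool or format: it assumes a constructed one-line-per-signature export (`<sigid>:<subsig> enabled=<true|false> actions=<comma-list>`), diffs the pre- and post-update sets, stages every newly blocking signature as alert-only, and records when each one is due to have its drop/block/reset actions restored. The signature IDs and action names in the sample are made up for the example.

```python
"""Stage newly updated IPS signatures as alert-only for a test window.

Added example, not part of the forum thread. The export format below is an
assumption for the demo, not the sensor's real configuration syntax.
"""
from datetime import date, timedelta

# The thread's "drop/block/reset" actions; anything else (plain "alert") is passive.
BLOCKING_ACTIONS = {"drop", "block", "reset"}

# Constructed sample exports: the signature set before and after an update.
BEFORE = """
# constructed export, one signature per line
90001:0 enabled=true  actions=alert
90002:0 enabled=true  actions=alert,reset
90003:0 enabled=false actions=alert,drop
"""

AFTER = """
90001:0 enabled=true  actions=alert
90002:0 enabled=true  actions=alert,reset
90003:0 enabled=true  actions=alert,drop
90004:0 enabled=true  actions=alert,block
90005:0 enabled=true  actions=alert
"""


def parse_sig_export(text):
    """Parse the constructed export into {sig_id: (enabled, frozenset(actions))}."""
    sigs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sig_id, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        enabled = kv.get("enabled", "false").lower() == "true"
        actions = frozenset(a for a in kv.get("actions", "").split(",") if a)
        sigs[sig_id] = (enabled, actions)
    return sigs


def newly_blocking(before, after):
    """IDs that are enabled with a blocking action after the update but were not
    before (absent, disabled, or alert-only). Signatures that were already
    blocking are left alone: the operator has already accepted those."""
    found = []
    for sig_id, (enabled, actions) in sorted(after.items()):
        if not enabled or not (actions & BLOCKING_ACTIONS):
            continue
        prev_enabled, prev_actions = before.get(sig_id, (False, frozenset()))
        if prev_enabled and (prev_actions & BLOCKING_ACTIONS):
            continue
        found.append(sig_id)
    return found


def stage_alert_only(after, sig_ids, staged_on, test_days=3):
    """Return an alert-only copy of the config for the listed signatures plus a
    staging record holding the original actions and the promotion date.
    staged_on is an ISO date string (YYYY-MM-DD)."""
    start = date.fromisoformat(staged_on)
    staged = dict(after)
    record = {}
    for sig_id in sig_ids:
        enabled, actions = after[sig_id]
        staged[sig_id] = (enabled, frozenset({"alert"}))
        record[sig_id] = {
            "actions": actions,
            "promote_after": start + timedelta(days=test_days),
        }
    return staged, record


def due_for_promotion(record, today):
    """IDs whose test window has elapsed and whose original actions may be
    restored, provided no false positives were seen. today is an ISO date."""
    now = date.fromisoformat(today)
    return sorted(s for s, r in record.items() if now >= r["promote_after"])


if __name__ == "__main__":
    before, after = parse_sig_export(BEFORE), parse_sig_export(AFTER)
    new_ids = newly_blocking(before, after)
    staged, record = stage_alert_only(after, new_ids, "2006-10-04")
    print("newly blocking, staged as alert-only:", new_ids)
    for sig_id, r in record.items():
        print(f"  {sig_id}: restore {sorted(r['actions'])} after {r['promote_after']}")
    print("due today:", due_for_promotion(record, "2006-10-07"))
```

In this sample 90003:0 (previously disabled) and 90004:0 (new) are staged, 90002:0 is skipped because it was already blocking before the update, and 90005:0 is skipped because it is alert-only. The staging record is what lets the last step be reversed automatically once the test window has passed without false positives.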