While working on tuning an IPS 4240 for one of my customers, he told me he'd heard of a Best Practices document on tuning the IPS. Rather than covering how to tune the appliance, the document talks about which signatures should be enabled and the best action to configure for them. I've searched for about two weeks now, but have had no luck.
Have you run across such a doc? Do you know of any other info source that can assist with "official" info about signatures/actions to enable on a sensor according to Cisco's experience?
Re: Best Practices document on tuning an IPS 4240
I have not seen a best practices document. We've been using Cisco IDS/IPS since we bought our first 4230 a few years back. We have found that the smart approach for us, when installing IDS into a new network or installing a new IDS into an existing network, is to leave signatures "on" and "produce alert" for the first few weeks, and verify after watching traffic.
Generally, if the bulk of traffic triggering a particular signature is obviously false positive, for whatever reason, we will disable that signature as it's unreliable. If only a small amount is false positive, and the bulk of it is legitimate bad-guy traffic, we will apply overrides as necessary, and block host / TCP reset on the rest.
We have actually written our own interface which works on the IDS Event Viewer software provided by Cisco. Cisco's software puts all the events into a MySQL database, and we've written our own PHP-based interface to that database, with hooks added for automated and semi-automated reporting to netblock owners. This interface helps the decision-making process.
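The triage rule described in the reply above (watch in produce-alert-only mode, disable signatures that are mostly false positive, override the few false-positive sources on otherwise reliable signatures and block/reset the rest) can be scripted over reviewed events. The following is an added example, not the poster's PHP interface and not anything shipped with Cisco IDS Event Viewer. The signature IDs, source addresses, analyst verdicts and the two ratio thresholds are all assumptions constructed for illustration; in practice the verdicts would come from the analyst's review of the alert database during the initial watching period.

```python
from collections import defaultdict

# Constructed sample, not a real IDS Event Viewer export. Each record is
# (signature id, source IP, analyst verdict) as decided by a human during the
# initial "produce alert only" period. Signature IDs are made up for the example.
SAMPLE_EVENTS = [
    # sig 3041: a vulnerability scanner at 10.1.1.5 trips it constantly
    *[(3041, "10.1.1.5", "false_positive")] * 9,
    (3041, "203.0.113.4", "true_positive"),
    # sig 5081: mostly real attacks, two internal hosts caused benign hits,
    # but 10.3.3.3 also produced a genuine hit so it must not be overridden
    (5081, "10.2.2.2", "false_positive"),
    (5081, "10.3.3.3", "false_positive"),
    (5081, "10.3.3.3", "true_positive"),
    *[(5081, "198.51.100.7", "true_positive")] * 6,
    *[(5081, "203.0.113.9", "true_positive")] * 2,
    # sig 6250: not enough signal yet, half and half
    *[(6250, "10.5.5.5", "false_positive")] * 2,
    *[(6250, "198.51.100.2", "true_positive")] * 2,
]

# Assumed thresholds; tune them to the site. At or above DISABLE_THRESHOLD the
# signature is treated as unreliable; at or below OVERRIDE_THRESHOLD the
# signature is kept and only the benign sources are exempted.
DISABLE_THRESHOLD = 0.8
OVERRIDE_THRESHOLD = 0.2


def summarize(events):
    """Group reviewed events by signature: verdict counts and per-verdict sources."""
    summary = defaultdict(lambda: {
        "fp": 0, "true": 0, "fp_sources": set(), "true_sources": set()})
    for sig, src, verdict in events:
        entry = summary[sig]
        if verdict == "false_positive":
            entry["fp"] += 1
            entry["fp_sources"].add(src)
        else:
            entry["true"] += 1
            entry["true_sources"].add(src)
    return summary


def recommend(summary):
    """Map each signature to (recommended action, sources to override).

    'disable'            -> turn the signature off, it is mostly noise
    'override_and_block' -> keep it; exempt the listed benign sources with an
                            event action override/filter and apply block host /
                            reset TCP to everything else
    'keep_alerting'      -> ratio is ambiguous, keep producing alerts and watch
    """
    recs = {}
    for sig, entry in summary.items():
        total = entry["fp"] + entry["true"]
        fp_ratio = entry["fp"] / total
        if fp_ratio >= DISABLE_THRESHOLD:
            recs[sig] = ("disable", ())
        elif fp_ratio <= OVERRIDE_THRESHOLD:
            # A source that also produced a genuine hit is not a safe override
            # candidate, so exclude it from the exemption list.
            safe = entry["fp_sources"] - entry["true_sources"]
            recs[sig] = ("override_and_block", tuple(sorted(safe)))
        else:
            recs[sig] = ("keep_alerting", ())
    return recs


def report(events):
    """Return the recommendations as printable lines, one per signature."""
    lines = []
    for sig, (action, sources) in sorted(recommend(summarize(events)).items()):
        extra = f" override sources: {', '.join(sources)}" if sources else ""
        lines.append(f"sig {sig}: {action}{extra}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

The exclusion of sources that also produced true hits is the detail worth keeping when this is wired to a real event database: an override keyed only on source address would otherwise silence a host that has been both noisy and genuinely hostile.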