Community Member

Common practice in Signature Tuning

Hi,

I wonder if anyone knows or would recommend what signature(s) to tune when a customer asks for signature tuning. There are roughly 3000+ signatures, so which one to start with, and is there a common/best practice for signature tuning?

Appreciate your expertise.

Mike

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

Re: Common practice in Signature Tuning

Mike, I wish I had an easy answer for you, but like most things in life it takes hard work.

Signature tuning is something that should occur after an analysis is made of the event.

You can start by picking your heavy hitters and look into why those events are firing.

Ask yourself, are these events that I want to see? Are they REAL intrusions or are they false positives? Are they actionable?

You can then disable signatures that provide no value to you, turn down the severity of those that you can't do anything about but still want to know about (say scanning for example) and build filters for hosts you know are triggering signatures you want to keep active (like if you were running a vulnerability scanner in your network).

After time you would have a set of signatures and filters that matched the environment the sensor was placed in.

It's hard work, and you have to look at your packet captures to see what is happening, but this is how signatures are tuned.

- Bob
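The triage loop Bob describes (rank the heavy hitters, disable what has no value, lower severity on what you cannot act on, filter known hosts), as an added Python example that is not part of the original thread. The event list, signature ids and names, and the scanner subnet are all constructed for illustration, not taken from a real sensor.

```python
"""Heavy-hitter triage for IDS signature tuning (constructed sample data)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events: (sig_id, name, src_ip, severity).
# Ids and names are made up for this example, not a real signature set.
EVENTS = [
    (2004, "ICMP Echo Request", "10.1.1.20", "informational"),
    (2004, "ICMP Echo Request", "10.1.1.21", "informational"),
    (3002, "TCP SYN Port Sweep", "10.9.9.5", "high"),
    (3002, "TCP SYN Port Sweep", "10.9.9.5", "high"),
    (3002, "TCP SYN Port Sweep", "10.9.9.5", "high"),
    (3002, "TCP SYN Port Sweep", "198.51.100.7", "high"),
    (5081, "WWW WinNT cmd.exe Access", "203.0.113.4", "high"),
    (1330, "TCP Segment Overwrite", "10.1.1.50", "medium"),
]

# Tuning decisions, one per step in the reply above.
DISABLED = {2004}                      # provides no value in this environment
SEVERITY_OVERRIDE = {3002: "low"}      # can't act on scanning, still want to see it
# Event action filters: (sig_id or None for any signature, source network).
# 10.9.9.0/24 is a hypothetical vulnerability-scanner subnet.
FILTERS = [(None, ip_network("10.9.9.0/24"))]

def heavy_hitters(events, top=3):
    """Step 1: rank signatures by hit count so analysis starts with the noisiest."""
    return Counter((sig, name) for sig, name, _, _ in events).most_common(top)

def is_filtered(sig, src):
    """True when a filter covers this signature/source pair."""
    return any((f_sig is None or f_sig == sig) and ip_address(src) in net
               for f_sig, net in FILTERS)

def apply_tuning(events):
    """Return the events that would still be raised after tuning, with adjusted severity."""
    kept = []
    for sig, name, src, sev in events:
        if sig in DISABLED or is_filtered(sig, src):
            continue
        kept.append((sig, name, src, SEVERITY_OVERRIDE.get(sig, sev)))
    return kept

if __name__ == "__main__":
    for (sig, name), hits in heavy_hitters(EVENTS):
        print(f"{hits:3d}  {sig}  {name}")
    print("after tuning:")
    for event in apply_tuning(EVENTS):
        print("  ", event)
```

Running it shows the port sweep as the top hitter, then only three events survive: the sweep from the non-scanner host at reduced severity plus the two that still merit a look.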

3 REPLIES

Community Member

Re: Common practice in Signature Tuning

Thanks Bob,

you really made it easy. The problem is when I am visiting the customer to do the installation, configuration, signature update/image upgrade and signature tuning in one single visit.

Anyway, what you have said is very helpful.

Mike

Community Member

Re: Common practice in Signature Tuning

> do the installation, configuration, signature update/image upgrade and signature tuning in one single visit.

In that case, you might want to let the customer know that there are limits on what can be done, and how effective it will be, in such a limited time frame.  Like Bob said, it does take hard work, but it also takes time.  The network has to be monitored and traffic patterns have to be baselined before any effective tuning can be done.  That being said ...

If limited to one visit, I would do a phone conference with the customer a few days or weeks ahead of the installation.  I would try to determine what kinds of traffic, events, or attack types they are particularly concerned about.

  • Do they want to catch/stop traffic like P2P, IM, etc?
    • If so, I would activate the signature for the more popular clients/protocols for each one.  Bittorrent, utorrent, emule, Yahoo IM, AIM, MSN and so on.  If not, deactivate or retire those signatures so they're not using up resources.
  • Any history of virus/worm problems?
    • Activate any related signatures available to catch any remaining infections, or re-infections
  • Are they concerned about spyware internally?
    • Have them ID which ones they've seen, then activate related sigs.
  • What OS(es) do they run on their workstations?  What about servers?
    • If they're not running OSX or Linux, deactivate many of those signatures.  Not running Windows Servers internally?  Great, that eliminates many sigs!
  • Offer to send them a (short) list of other recommended high risk signatures to consider, especially any that are resource intensive on the sensor.

There are many other questions that can be asked ahead of time that can help.  Even if it's not 100% perfect, you can walk in the door with a pre-tuned policy that points them in the right direction.  They just need to be prepared for the work that's going to follow.
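The pre-visit questionnaire above, turned into a starting policy, as an added Python example that is not from the original reply. The signature catalogue, its category labels and the customer's answers are constructed for illustration; a real sensor's signature set and categories will differ.

```python
"""Build a pre-tuned signature policy from the pre-installation questionnaire."""

# Constructed catalogue: sig_id -> (name, category, resource_intensive).
CATALOG = {
    1001: ("BitTorrent Tracker Request", "p2p", False),
    1002: ("eMule Connect", "p2p", False),
    1003: ("AIM Login", "im", False),
    1004: ("Yahoo IM Login", "im", False),
    2001: ("Worm Propagation Attempt", "worm", False),
    3001: ("SpywareX Beacon", "spyware", True),
    4001: ("OS X Remote Exploit", "osx", False),
    4002: ("Linux Kernel Exploit", "linux", False),
    4003: ("Windows Server SMB Exploit", "windows_server", True),
    5001: ("Generic Buffer Overflow", "general", True),
}

# Constructed answers from the phone call ahead of the visit.
ANSWERS = {
    "block_p2p_im": True,            # catch/stop P2P and IM traffic?
    "worm_history": True,            # history of virus/worm problems?
    "spyware_seen": ["SpywareX"],    # spyware they have identified
    "workstation_os": {"windows"},   # OSes on workstations
    "server_os": {"linux"},          # OSes on servers
}

def build_policy(catalog, answers):
    """Map each signature to 'active', 'retired' or 'review' per the reply's rules."""
    all_os = answers["workstation_os"] | answers["server_os"]
    policy = {}
    for sig, (name, cat, heavy) in catalog.items():
        if cat in ("p2p", "im"):
            state = "active" if answers["block_p2p_im"] else "retired"
        elif cat == "worm":
            state = "active" if answers["worm_history"] else "review"
        elif cat == "spyware":
            seen = any(s.lower() in name.lower() for s in answers["spyware_seen"])
            state = "active" if seen else "retired"
        elif cat in ("osx", "linux"):
            state = "active" if cat in all_os else "retired"
        elif cat == "windows_server":
            state = "active" if "windows" in answers["server_os"] else "retired"
        else:
            # Other high-risk, resource-intensive sigs go on the short list to discuss.
            state = "review" if heavy else "active"
        policy[sig] = state
    return policy

def short_list(catalog, policy):
    """Signatures to send the customer for a decision before the visit."""
    return [(sig, catalog[sig][0]) for sig, state in policy.items() if state == "review"]
```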
