Cisco Support Community
New Member

Disabling 1330

It seems that 1330 and other normalizer sigs are causing Cisco (and myself) some grief (as evident in CSCsc37875). I am wondering if I can just disable 1330 and all the subs entirely. I am seeing this sig (1330/14 in particular) fire a lot. I set the action to either produce an alert or do nothing at all (no packet mod or denying or dropping) so I don't see the point of keeping 1330 enabled.

1 REPLY
Cisco Employee

Re: Disabling 1330

Some of the 1330 signatures have additional internal functions, like queueing fragments for reassembly, so just turning them off is not recommended...in the extreme case you may just render your IPS into a wire.

The following tunings were included as part of the S248 signature update and represent our suggested "minimal interference" settings that still let the IPS do its job.

Normalizer Neutering

SIGID.SUBSIG   ACTION
1308           Disable
1311           Produce Alert ON, Deny_XXX OFF
1330.3         "
1330.4         "
1330.11        "
1330.14        "
1330.15        Disable
1330.16        Produce Alert ON, Deny_XXX OFF

HTML sort of killed the formatting...all lines with " are supposed to mean "same as above".

Obviously "Produce Alert" is up to you, but we think that these signatures, if firing, warrant some research into the cause. Removing the Deny_whatever actions will keep the signature from interfering with the packets, yet still leave its other functionality enabled.

Scott
