
Global correlation / reputation filtering in monitoring mode

mhellman
Level 7

We use Cisco appliances primarily in monitoring mode. We'd like to use the IPS reputation filtering / global correlation to alert us when we have connections to "bad" IP addresses (e.g. botnet, etc). Is it even possible to use either of these features for this purpose? According to the following document, it appears there may not be alerts for packets denied before signature analysis. Surely that can't be???

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_collaboration.html#wp1067283

"Note This feature only applies to global correlation inspection where the traffic is allowed if no specific signature is matched. It does not apply to reputation filtering where the packet is denied before signature analysis, and no alerts are generated when packets are denied by reputation filtering. "

1 Reply

mhellman
Level 7

Just listened to the techtalk on global correlation. About 16 minutes in... "we do not send events just to keep the load quiet". Can someone from Cisco please confirm that this completely naive and poorly engineered facet of the solution still works this way? I'm sorry to sound like an arse, but I am so completely frustrated with the value we get out of these appliances. Apparently, the ASA botnet functionality can do what we want, but not the standalone IPS appliance... come on, Cisco.
