12-12-2006 04:37 PM - edited 03-10-2019 03:22 AM
Recently I installed the latest IPS update & noticed all signatures show the alarm action only. I thought the SDF "actions" were preset by Cisco.
Should any sigs be changed to reset or drop?
How do you determine which sigs to change?
Should an ACL be used with IPS?
Regards
12-12-2006 05:39 PM
You're right. Almost all IPS signatures are set to trigger log or alarm only, except for some critical signatures that, by default, drop/deny the traffic.
Normal practice is to monitor your IPS log for at least 1 or 2 days. Review the log for the types of violations/misuse. Check for false positive signs as well, as some might not be real threats.
Once confirmed, you may start to change the actions for the relevant signatures to either drop or reset. Reset is effective for TCP sessions (between attacker & victim host) only.
Bear in mind, you need to constantly monitor the IPS log for new/missing violations. Frequent review of logs and security posture is highly recommended by Cisco.
Read the SAFE Blueprint for details:
Using an ACL is good, as it can work in tandem with IPS: you only allow certain/known source addresses/services to come in. IPS, in turn, will provide deep packet inspection to ensure no malicious content is flowing into your network/servers from those permitted external source addresses.
HTH
AK
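The review-then-enforce loop AK describes, as an added example that is not part of the original thread and not a Cisco tool: a small Python triage script that reads a couple of days of alarm-only alerts, groups them per signature, treats hits coming only from an assumed trusted management LAN as probable false positives, and recommends reset only for signatures whose engine is TCP. The log lines (written in the style of IOS IPS syslog), the signature-to-protocol table and the network ranges are all constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches the constructed alert lines below, written in the style of a Cisco IOS
# IPS %IPS-4-SIGNATURE syslog message (the exact field layout is an assumption).
ALERT_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+\]"
)

# Protocol each signature's engine inspects, as the SDF would define it.
# Constructed lookup for this example, not Cisco's signature data.
SIG_PROTOCOL = {1102: "ip", 2004: "icmp", 3041: "tcp", 4050: "udp", 5081: "tcp"}

# Assumption: our own management LAN, where the vulnerability scanner lives.
TRUSTED_NETS = [ip_network("192.168.10.0/24")]

# Constructed sample of two days of alarm-only alerts (not a real capture).
SAMPLE_LOG = """\
Dec 11 2006 09:15:02: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [203.0.113.7:0 -> 192.0.2.10:0] RiskRating:25
Dec 11 2006 09:15:03: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.10.5:0 -> 192.0.2.10:0] RiskRating:25
Dec 11 2006 09:20:41: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:100 TCP SYN/FIN Packet [198.51.100.23:41231 -> 192.0.2.10:80] RiskRating:100
Dec 11 2006 11:02:17: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:100 TCP SYN/FIN Packet [198.51.100.24:51877 -> 192.0.2.10:25] RiskRating:100
Dec 12 2006 02:44:09: %IPS-4-SIGNATURE: Sig:3041 Subsig:0 Sev:100 TCP SYN/FIN Packet [198.51.100.23:41300 -> 192.0.2.11:80] RiskRating:100
Dec 12 2006 03:10:55: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [192.168.10.20:3301 -> 192.0.2.10:80] RiskRating:100
Dec 12 2006 03:10:56: %IPS-4-SIGNATURE: Sig:5081 Subsig:0 Sev:100 WWW WinNT cmd.exe Access [192.168.10.20:3302 -> 192.0.2.11:80] RiskRating:100
Dec 12 2006 07:33:12: %IPS-4-SIGNATURE: Sig:4050 Subsig:0 Sev:100 UDP Bomb [203.0.113.44:1024 -> 192.0.2.10:53] RiskRating:100
Dec 12 2006 07:33:13: %IPS-4-SIGNATURE: Sig:4050 Subsig:0 Sev:100 UDP Bomb [203.0.113.44:1025 -> 192.0.2.10:53] RiskRating:100
Dec 12 2006 08:01:40: %IPS-4-SIGNATURE: Sig:1102 Subsig:0 Sev:75 Impossible IP Packet [203.0.113.99:0 -> 192.0.2.10:0] RiskRating:75
"""


def parse_alerts(text):
    """Return one dict per alert line; lines that are not IPS alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({
                "sig": int(m["sig"]), "subsig": int(m["subsig"]), "sev": int(m["sev"]),
                "name": m["name"], "src": m["src"], "dst": m["dst"],
            })
    return alerts


def is_trusted(addr):
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def triage(alerts, min_hits=2):
    """Group alerts per (sig, subsig) and recommend alarm, drop, or drop+reset."""
    by_sig = defaultdict(list)
    for a in alerts:
        by_sig[(a["sig"], a["subsig"])].append(a)

    report = {}
    for key, hits in sorted(by_sig.items()):
        sources = {h["src"] for h in hits}
        trusted = {s for s in sources if is_trusted(s)}
        proto = SIG_PROTOCOL.get(key[0], "unknown")
        if len(hits) < min_hits:
            action, reason = "alarm", "too few hits to judge; keep monitoring"
        elif trusted == sources:
            action, reason = "alarm", "fired only from trusted hosts; probable false positive, tune before enforcing"
        elif trusted:
            action, reason = "alarm", "mixed trusted and external sources; exclude trusted hosts first"
        elif proto == "tcp":
            action, reason = "drop+reset", "external TCP sources only; reset tears down the session"
        else:
            action, reason = "drop", f"external {proto} sources; reset applies to TCP only, so drop"
        report[key] = {
            "name": hits[0]["name"], "hits": len(hits), "sources": sorted(sources),
            "protocol": proto, "recommended_action": action, "reason": reason,
        }
    return report


if __name__ == "__main__":
    for (sig, subsig), r in triage(parse_alerts(SAMPLE_LOG)).items():
        print(f"{sig}/{subsig:<3} {r['recommended_action']:<10} {r['hits']:>3} hits "
              f"{r['protocol']:<5} {r['name']} :: {r['reason']}")
```

The output is a worklist, not a change: the action itself is still set in the SDF or signature configuration by hand after someone has read the alerts, and the trusted-network rule only encodes the "is this a real threat?" question from the post. The ACL point stands independently: sources that never need to reach the service should be blocked by the ACL before the IPS sees them at all.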