IPS features

hanna.petersson
Level 1

Hi, I just got my ASA 5520 firewall (with the ASA SSM-20 module), and would be grateful if anyone could inform me about these questions concerning IPS features.

1. In the signature configuration of the AIP-SSM, most signatures are set with the action “produce alert”, even virus signatures. Why? I suppose that I have to go through all signatures and set the action to, for example, “deny packet inline” for viruses.

2. With an update of the signatures, will the changes be lost or unchanged?

3. Will the configuration example below include all the signature features and at the same time protect against VPN traffic (outside->inside)?

access-list IPS permit ip any any

access-group IPS in interface inside

access-group IPS in interface outside

class-map my-ips-class

match access-list IPS

policy-map my-ids-policy

class my-ips-class

ips promiscuous fail-close

service-policy my-ids-policy global

/Regards

1 Reply 1

wong34539
Level 6

Normally, the action "produce-alert" writes the event to the Event Store as an alert. In this scenario, a virus signature is set with action "produce-alert". So, when a virus matching with the configured signature is detected by the sensor, it looks at the corresponding signature action and performs accordingly. In this case, the signature action is "produce-alert"; this means that the sensor writes this virus event to the event store as an alert. This will help in identifying the virus at its arrival and also produces an alert so that precautionary steps can be taken.

If you have any further doubts, the following document will completely clarify all your doubts:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df97.html#wp1040176
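An added example, not part of the original thread: a small Python audit run over the configuration posted in the question, reporting how traffic is handed to the IPS module and how the ACL is bound. The function name `audit_ips_config` is hypothetical, and the check assumes the ASA syntax `ips {inline | promiscuous} {fail-open | fail-close}`.

```python
import re

# The configuration posted in the question above, embedded as sample input.
POSTED_CONFIG = """\
access-list IPS permit ip any any
access-group IPS in interface inside
access-group IPS in interface outside
class-map my-ips-class
 match access-list IPS
policy-map my-ids-policy
 class my-ips-class
  ips promiscuous fail-close
service-policy my-ids-policy global
"""

def audit_ips_config(config):
    """Return (findings, ips_rules) for an ASA configuration given as text."""
    policy = cls = None
    ips_rules, applied, permit_all, bound = [], set(), set(), []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"policy-map (\S+)", line):
            policy, cls = m.group(1), None
        elif m := re.match(r"class (\S+)", line):
            cls = m.group(1)
        elif m := re.match(r"ips (inline|promiscuous) (fail-open|fail-close)", line):
            ips_rules.append((policy, cls, m.group(1), m.group(2)))
        elif m := re.match(r"service-policy (\S+) (?:global|interface \S+)", line):
            applied.add(m.group(1))
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip any any$", line):
            permit_all.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound.append((m.group(1), m.group(2)))
    findings = []
    for pol, c, mode, fail in ips_rules:
        if pol not in applied:
            findings.append(f"{pol}/{c}: policy-map is not applied by any service-policy")
        if mode == "promiscuous":
            findings.append(f"{pol}/{c}: promiscuous mode, the module inspects a copy, "
                            "so 'deny packet inline' cannot drop the matching packet")
        if fail == "fail-open":
            findings.append(f"{pol}/{c}: fail-open, traffic passes uninspected if the module is down")
    for acl, ifname in bound:
        if acl in permit_all:
            findings.append(f"interface {ifname}: access-group {acl} permits ip any any inbound")
    return findings, ips_rules
```

On the posted configuration this reports three findings: the promiscuous redirect, and the `permit ip any any` ACL bound inbound on both the inside and the outside interface.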
