IPS // some signatures can't be disabled (id > 50000)
I recently did an IPS-Installation and CSM-Integration at a customer, where I had the situation that I couldn't disable or modify some of the signatures via CSM. Specifically the problem occurred with some signatures with signature-ids in the area of 50000.
One example for this behaviour is the signature # 50010 (WORM_SOBER). While the specific options are greyed-out in CSM, it seems to be possible to do it via IDM. Does anyone have a good explanation for this, or could it be a bug? Those signatures seem to be different from the other signatures, as I also could not find them on Security Center at CCO (http://tools.cisco.com/security/center/search.x?search=Signature).
Re: IPS // some signatures can't be disabled (id > 50000)
The signatures in the 50,000 range of Signature IDs were generated by Trend. They are part of the "V1.4" set of signatures you see in the "show version" output.
These were supposed to be controlled by Cisco ICS, and so during CSM development it was decided to not have CSM manage them in order to prevent conflicts between Cisco ICS and CSM.
This is because CSM saves sensor configuration in its own database and would get out of sync with the sensor if Cisco ICS made changes.
IDM, on the other hand, does not save its own copy of the sensor configuration. Instead it always reads the configuration directly from the sensor. So any changes by Cisco ICS can be seen and managed by IDM. So IDM does have the capability to modify configuration for these signatures.
However, things have changed since Cisco ICS and CSM were originally released.
Cisco ICS is now End Of Sale, and no new V signatures are being created: