Cisco Support Community

New Member

IPS Tuning and deployment

I have a question for you who are already using the IPS signatures to block traffic. When you started setting up these signatures, what guidelines did you use? I'm trying to develop a strategy for my company's activating of signatures.

New Member

Re: IPS Tuning and deployment

Good question... We run with the default sigs activated by Cisco, with exception to the "spyware" sigs which are turned off by default. We enable those and set the action to deny-packet. The issue that you will most likely run into is assigning actions to the sigs. By default all sigs are set to "produce alert". So the sensor will do nothing but tell you about the events. I encourage you to look into how the "Risk Ratings" and "Event action overrides" work. If you can get that to work well then you do not have to assign actions to each sig. Instead you can tell the sensor that if the RR is between 92-100 add a "deny-packet" action.

It takes a while to get it all figured out.

Hope this helps
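
The override described in the reply above can be dry-run against logged alerts before it is enabled on the sensor. The sketch below is an added example, not part of the thread and not Cisco code. It assumes the IPS 5.x form of the risk rating (ASR × TVR × SFR / 10000, capped at 100, rounded down here) with the target value ratings listed in the code; the signature names and events are constructed.

```python
from collections import Counter

# Assumption: target value ratings as used by the IPS 5.x risk rating.
TVR = {"low": 75, "medium": 100, "high": 150, "mission-critical": 200}

def risk_rating(asr, sfr, target_value="medium"):
    """RR = ASR * TVR * SFR / 10000, capped at 100 (rounding down is assumed)."""
    return min(100, (asr * TVR[target_value] * sfr) // 10000)

def apply_overrides(event, overrides):
    """Return (RR, actions): the signature's own actions plus every
    override whose risk-rating range contains the event's RR."""
    rr = risk_rating(event["asr"], event["sfr"], event["target_value"])
    actions = set(event["actions"])
    for action, (low, high) in overrides.items():
        if low <= rr <= high:
            actions.add(action)
    return rr, actions

def dry_run(events, overrides, action="deny-packet"):
    """Count per signature how many events would gain `action` and how
    many would stay alert-only under the candidate overrides."""
    hit, alert_only = Counter(), Counter()
    for ev in events:
        _, actions = apply_overrides(ev, overrides)
        (hit if action in actions else alert_only)[ev["sig"]] += 1
    return hit, alert_only

# Candidate override from the reply: RR 92-100 adds deny-packet.
OVERRIDES = {"deny-packet": (92, 100)}

# Constructed events; every signature is left at the default produce-alert.
EVENTS = [
    {"sig": "SIG-A", "asr": 100, "sfr": 95, "target_value": "medium", "actions": ["produce-alert"]},
    {"sig": "SIG-A", "asr": 100, "sfr": 95, "target_value": "low", "actions": ["produce-alert"]},
    {"sig": "SIG-B", "asr": 75, "sfr": 85, "target_value": "medium", "actions": ["produce-alert"]},
    {"sig": "SIG-B", "asr": 75, "sfr": 85, "target_value": "mission-critical", "actions": ["produce-alert"]},
    {"sig": "SIG-C", "asr": 50, "sfr": 100, "target_value": "high", "actions": ["produce-alert"]},
]

if __name__ == "__main__":
    denied, alert_only = dry_run(EVENTS, OVERRIDES)
    for sig in sorted(set(denied) | set(alert_only)):
        print(f"{sig}: deny-packet={denied[sig]} alert-only={alert_only[sig]}")
```

The same signature lands on either side of the 92 threshold depending on the target value of the asset, so the override range and the target value ratings need to be tuned together.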