I have a question for you who are already using the IPS signatures to block traffic. When you started setting up these signatures, what guidelines did you use? I'm trying to develop a strategy for my company's activation of signatures.
Good question... We run with the default sigs activated by Cisco, with the exception of the "spyware" sigs, which are turned off by default. We enable those and set the action to deny-packet. The issue that you will most likely run into is assigning actions to the sigs. By default all sigs are set to "produce alert", so the sensor will do nothing but tell you about the events. I encourage you to look into how the "Risk Ratings" and "Event action overrides" work. If you can get that to work well, then you do not have to assign actions to each sig. Instead you can tell the sensor that if the RR is between 92-100, add a "deny-packet" action.
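To show why a risk-rating override removes the need for per-signature actions, here is an added Python model (not code from the thread or from Cisco) of how the Risk Rating is derived from its components and how an override in the 92-100 range adds deny-packet on top of the default produce-alert. The RR formula, component ranges and field names are assumptions from my recollection of the IPS 6.x documentation; verify them against your sensor's docs.

```python
# Added illustration, not from the thread: Risk Rating (RR) drives an event
# action override, so no action has to be assigned signature by signature.
# Formula and ranges are ASSUMED (IPS 6.x style): RR = ASR*TVR*SFR/10000 + ARR - PD + WLR
from dataclasses import dataclass, field


@dataclass
class Alert:
    sig_id: int
    asr: int            # attack severity rating: 25 info, 50 low, 75 medium, 100 high
    sfr: int            # signature fidelity rating 0-100 (how specific the sig is)
    tvr: int = 100      # target value rating of the victim asset (50..200, 100 = medium)
    arr: int = 0        # attack relevancy rating: -10 not relevant, 0 unknown, +10 relevant
    pd: int = 0         # promiscuous delta, subtracted only in promiscuous mode (0..30)
    wlr: int = 0        # watch list rating (0..100)
    actions: set = field(default_factory=lambda: {"produce-alert"})  # sensor default


def risk_rating(a: Alert) -> int:
    """Assumed RR formula, clamped to the 0..100 scale the sensor reports."""
    rr = a.asr * a.tvr * a.sfr // 10000 + a.arr - a.pd + a.wlr
    return max(0, min(100, rr))


# Event action overrides: (action_to_add, low, high), applied when low <= RR <= high.
# The 92-100 deny-packet range mirrors the suggestion in the answer above;
# "deny-packet" is the thread's shorthand for the sensor's inline deny action.
OVERRIDES = [("deny-packet", 92, 100)]


def apply_overrides(a: Alert, overrides=OVERRIDES) -> set:
    """Return the action set the sensor would take for this alert."""
    rr = risk_rating(a)
    actions = set(a.actions)
    for action, low, high in overrides:
        if low <= rr <= high:
            actions.add(action)
    return actions


if __name__ == "__main__":
    # Constructed alerts for the same high-severity signature (sig 1000 is a made-up id):
    # a medium-value target stays alert-only, a high-value target gets the packet denied.
    for tvr in (100, 150):
        a = Alert(sig_id=1000, asr=100, sfr=90, tvr=tvr)
        print(f"TVR={tvr}: RR={risk_rating(a)} actions={sorted(apply_overrides(a))}")
```

The same signature and fidelity crosses the deny threshold purely because of the target value rating, which is why tuning TVR per asset group matters more than editing actions on individual signatures.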