Cisco Support Community

New Member

Manual Signature Problem

Hi,

I had created a signature on my IDS. Even though I have deleted it and it does not appear in the configuration, it keeps generating events in the event viewer.

How can I stop this?

Thanks

Salil

2 REPLIES
Cisco Employee

Re: Manual Signature Problem

Hi,

Since you say it is IDS, I would assume you are talking about version 4.X.

If you are using IDM, please make sure you have applied and saved the configuration deletion you have done.

Also, confirm from the event information whether it is the signature that you created that is actually firing.

You can also go to the sensor itself, log in as cisco, and do show events to see the events there, and obtain the details of the alerts.

If it is still your signature that is firing, try refreshing your IDM, and editing the signature again.

Hope this helps you.

Cisco Employee

Re: Manual Signature Problem

A configuration that is in place when a new connection is made is attached to that connection in the database. That configuration will be in effect as long as that connection exists. If a new configuration is sent, that new configuration will be applied to new connections. The definition of "connection" depends on the circumstances of the signature. A connection can be defined as Machine A is talking to Machine B or vice versa. It can also be defined as Machine A is talking to Machine B on port b. It depends on what the configuration element is configuring.

FYI, we have a shortcut for talking about these connections. AxBx is Machine A talking to Machine B. AxBb is Machine A talking to Machine B on port b. AaBb is the full quad, SourceIP, SourcePort, DestIP, DestPort. You'll see these abbreviations in the signature parameters for storage keys and summarizations.

Don't know if this will explain *your* situation, but this topic comes up every once in a while....

As the ultimate "is it in there or not" resolution, reboot the sensor...wipes the connection database clean. We have an outstanding enhancement request to make a widget to allow you to flush the database from IDM or something.

Scott
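
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Cisco sensor code: a toy model in which each connection entry pins the configuration that was active when the entry was created. The `Sensor` class, its methods, the signature id 20001 and the addresses are all constructed for illustration, and treating the keys as directional is an assumption.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

# Storage-key abbreviations from the reply: a lowercase letter means the
# port on that side is part of the key, "x" means it is ignored.
KEY_FUNCS = {
    "AxBx": lambda p: (p.src, p.dst),
    "AxBb": lambda p: (p.src, p.dst, p.dport),
    "AaBb": lambda p: (p.src, p.sport, p.dst, p.dport),
}

class Sensor:
    """Hypothetical model: config snapshots are attached per connection key."""

    def __init__(self, storage_key):
        self.key_of = KEY_FUNCS[storage_key]
        self.active = frozenset()   # signature ids in the current config
        self.conn_db = {}           # connection key -> pinned config snapshot

    def apply_config(self, signature_ids):
        # A new configuration only affects connections created afterwards.
        self.active = frozenset(signature_ids)

    def inspect(self, pkt):
        # The first packet of a connection pins the config in effect then;
        # later packets with the same key reuse that snapshot.
        snapshot = self.conn_db.setdefault(self.key_of(pkt), self.active)
        return sorted(snapshot)     # signatures that can still fire

    def reboot(self):
        # Rebooting wipes the connection database clean.
        self.conn_db.clear()

def demo(storage_key):
    s = Sensor(storage_key)
    s.apply_config({20001})                         # constructed custom signature
    first = Packet("192.0.2.5", 40000, "192.0.2.9", 80)
    before = s.inspect(first)
    s.apply_config(set())                           # signature deleted and saved
    new_sport = s.inspect(Packet("192.0.2.5", 40001, "192.0.2.9", 80))
    new_dport = s.inspect(Packet("192.0.2.5", 40001, "192.0.2.9", 443))
    s.reboot()
    after_reboot = s.inspect(first)
    return before, new_sport, new_dport, after_reboot

if __name__ == "__main__":
    for key in KEY_FUNCS:
        print(key, demo(key))
```

With an AxBx or AxBb key, fresh traffic between the same hosts keeps landing on the old entry, so the deleted signature keeps firing until the entry goes away; with AaBb a new source port already counts as a new connection.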
