Community Member

Preventing or stopping attack with no signature or disabled signature

Hi IPS Expert,

Our IPS is still set as signature based and anomaly detection is not enabled.

Is there a guideline that you can recommend to address how to stop/prevent attacks with no signature or with a disabled signature?

I understand that if the signature is not enabled, it will also not create an event or alert.

This means we will not have a clue when to stop.

Regards,

Jhun

1 ACCEPTED SOLUTION
Gold

Preventing or stopping attack with no signature or disabled sign

Jhun -

There are several reasons why a signature may be disabled by default, but usually they are not active for good reason.

Signatures have a natural lifespan: they are created, then tuned to detect variants of the initial attack/vulnerability. Later in their life, once the vulnerability has been mostly fixed or patched, they may be disabled. Finally, once they become old enough to have little use at all, they get retired.

Another reason a signature may be disabled is that the signature results in a high false positive rate. If you have someone performing analysis on the events that your IPS generates, you will be wasting their time and talent with non-productive signature events. This is the most common reason a signature gets disabled in an active sensor.

The final reason you may want a signature (or family of signatures) disabled is that they do not violate your security policy. If your organization allows peer-to-peer file sharing, then you would not need signatures to stop that activity.

- Bob

2 REPLIES
Community Member

Preventing or stopping attack with no signature or disabled sign

Thanks Bob,

This is very informative.

This means that I will need to rely on Cisco's evaluation of signatures.

I am just worried that if there are attacks without a signature yet, something like a zero-day, we really want to know what the better approach will be.

Regards,

Jhun
