Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1264
Views
0
Helpful
2
Replies

Preventing or stopping attack with no signature or disabled signature

Go to solution
ebanzuel23
Level 1
Level 1

‎12-09-2013 01:14 AM - edited ‎03-10-2019 06:06 AM

Hi IPS Expert,

Our IPS is still set as signature based and anomaly detection is not enabled.

Is there a guideline that you can recommend to address to stop/prevent attack with no signature or disabled signature.

I understand that if the signature is not enabled, it will not also create event or alert.

This means we will not have a clue when to stop.

Regards,

Jhun                

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rhermes
Level 7
Level 7

‎12-11-2013 05:10 PM

Jhun -

There are several reasons why a signature may be disabled by default, but usually they are not active for good reason.

Signatures have a natural lifespan, they are created, tuned to detect variants of the initial attack/vulnerability. Later in their life, once the vulnerability has been mostly fixed or patched, they may be disabled. Finally once they become old enough to have little use at all they get retired.

Other reasons a signature may be disabled is that the signature results in a high false positive rate. If you have someone performing analysis on the events that your IPS generates, you will be wasting their time and talent with non-productive signature events. This is the most common reason a signature gets disabled in an active sensor.

The final reason you may want a signature (or family of signatures) disabled is they do not violate you security policy. If your organization allows peer to peer file sharing, they you would not need signatures to stop that activity.

- Bob

View solution in original post

0 Helpful
2 Replies 2

Go to solution
rhermes
Level 7
Level 7

‎12-11-2013 05:10 PM

Jhun -

There are several reasons why a signature may be disabled by default, but usually they are not active for good reason.

Signatures have a natural lifespan, they are created, tuned to detect variants of the initial attack/vulnerability. Later in their life, once the vulnerability has been mostly fixed or patched, they may be disabled. Finally once they become old enough to have little use at all they get retired.

Other reasons a signature may be disabled is that the signature results in a high false positive rate. If you have someone performing analysis on the events that your IPS generates, you will be wasting their time and talent with non-productive signature events. This is the most common reason a signature gets disabled in an active sensor.

The final reason you may want a signature (or family of signatures) disabled is they do not violate you security policy. If your organization allows peer to peer file sharing, they you would not need signatures to stop that activity.

- Bob

0 Helpful

Go to solution
ebanzuel23
Level 1
Level 1
In response to rhermes

‎12-11-2013 10:13 PM

Thanks Bob,

This is very informative.

This means that I will need to rely on CISCO's evaluation of signature.

I am just worried that if there are attack without signature yet something like a zero day, we really want to know what will be the better approach.

Regards,

Jhun

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card