Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
648
Views
0
Helpful
1
Replies

S623 disables 3030-0 and 2100-0

murphy.brandon
Level 1
Level 1

‎02-03-2012 01:18 PM - edited ‎03-10-2019 05:36 AM

I noticed today that the S623 release includes the retiring of signatures 3030-0 (TCP Syn sweep) and 2100-0 (ICMP Echo sweep).  I find it interesting that Cisco has opted to have these signatures disabled by default.  I figure it is part of the recent "clean up" effort around the default signatures, but it seems that these two signatures could be pretty useful in some cases. 

Does anyone happen to have some insight as to why this choice was made? 

Labels:
0 Helpful
1 Reply 1

wsulym
Cisco Employee
Cisco Employee

‎02-07-2012 08:14 AM

Yes, both of these signatures are either a low or informational severity, which by default will be getting retired. Agreed that it *could* be useful in *some* cases - but it will all depend on where you placed the IPS, what kind and how much traffic it's seeing... are the thresholds set on the signatures to low or too high, maybe they're just right - but that all depends on your specific situation.

We aren't deleting the signature, it's still there, and if you need or want it, you can activate it. But to get value of of that signature, you will ned to understand your network and traffic patterns and flows, then tune the signature to appropriate thresholds so that it's providing actual value to you.

A whitepaper and video blog post (basically the same material as the whitepaper) have recently been made available to provide more detail to what the default configuration will look like, and how we're making retirement decisions.

It is located in the Documentation and Training tab under “White Papers”

http://tools.cisco.com/security/center/ipshome.x?i=62#~DocumentationTraining

The video link is included in the whitepaper as well.

The direct link to the video is http://blogs.cisco.com/security/cisco-ips-signature-retirement-and-the-default-configuration .

The direct link to the WP is as follows: http://www.cisco.com/web/about/security/intelligence/01_30_IPS-SigRet.html

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card