New Member

S623 disables 3030-0 and 2100-0

I noticed today that the S623 release includes the retiring of signatures 3030-0 (TCP Syn sweep) and 2100-0 (ICMP Echo sweep).  I find it interesting that Cisco has opted to have these signatures disabled by default.  I figure it is part of the recent "clean up" effort around the default signatures, but it seems that these two signatures could be pretty useful in some cases. 

Does anyone happen to have some insight as to why this choice was made? 

1 REPLY
Cisco Employee

S623 disables 3030-0 and 2100-0

Yes, both of these signatures are either a low or informational severity, which by default will be getting retired. Agreed that it *could* be useful in *some* cases - but it will all depend on where you placed the IPS, what kind and how much traffic it's seeing... are the thresholds set on the signatures too low or too high, maybe they're just right - but that all depends on your specific situation.

We aren't deleting the signature, it's still there, and if you need or want it, you can activate it. But to get value out of that signature, you will need to understand your network and traffic patterns and flows, then tune the signature to appropriate thresholds so that it's providing actual value to you.

A whitepaper and video blog post (basically the same material as the whitepaper) have recently been made available to provide more detail to what the default configuration will look like, and how we're making retirement decisions.

It is located in the Documentation and Training tab under “White Papers”

http://tools.cisco.com/security/center/ipshome.x?i=62#~DocumentationTraining

The video link is included in the whitepaper as well.

The direct link to the video is http://blogs.cisco.com/security/cisco-ips-signature-retirement-and-the-default-configuration .

The direct link to the WP is as follows: http://www.cisco.com/web/about/security/intelligence/01_30_IPS-SigRet.html
