I'm wondering if anyone has a good set of signatures to set up to automatically block/deny. Right now, we have a couple of IPS units, and we have all signatures set to not block.
What I need is a set of signatures that is safe for a service provider to use. We host many websites and FTP sites and want to be sure we don't automatically block any signatures that have a victim port of 80 or 443.
I'm also looking for a way to list all signatures with a severity of 'high', and a victim port not equal to 80 or 443.
One thing you could do is set up Event Action Overrides. This is what I have done:
1) I defined my DMZ space, Internal space and Internet space. I gave all of those variable names.
2) Go into your Target Value Ratings and define your DMZ and Internal space as HIGH. This automatically bumps up the Risk Rating (RR) on signatures as they fire on these items.
2a) I defined my firewall as Medium rating, just due to the fact that any traffic to it will be blocked easily enough.
3) Go into your Event Action Overrides and set certain actions dependent on Risk Rating. I have DENY ATTACKER INLINE set to RR 100 and DENY CONNECTION INLINE set to RR 90-99, as well as a few others: logging attacker/victim pairs, resetting TCP connections and producing verbose alerts.
4) This step is important. In order to ensure that your IDS will not do a "service block", in that it will not block your web servers if it detects them as being 'attackers', go into Event Action Filter. For all signature ranges, with attacker address of the DMZ and Internal address space you gave earlier, click "Deny attacker inline". This will REMOVE those actions from firing on your selection criteria, and ensure you're not going to accidentally shut off services. You will also want to do this for the Firewall IP address if you are doing Hide NATting behind it, otherwise you will kill your internal clients' internet connectivity.
That's pretty much the best way I could come up with to do some automatic intrusion prevention, while not shooting myself in the foot. It's all about those Event Action Rules and risk ratings. Tweaking the individual signatures themselves is extremely daunting, plus they would just get changed back with each new release.
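The following is an added example, not code from either poster or from Cisco: it models the four-step scheme in the answer (network variables, Target Value Ratings, Risk Rating based Event Action Overrides, and an Event Action Filter that strips "deny attacker inline" when the attacker is in DMZ/internal space or is the hide-NAT firewall) so you can check on paper what a given alert would do before enabling deny actions on a production sensor. It also answers the question's last point with a filter over a signature list for severity high and victim port not 80/443. The Risk Rating formula and rating scales are the ones documented for Cisco IPS 6.x (RR = ASR x TVR x SFR / 10000 + ARR - PD + WLR, capped at 100); verify them against your sensor's version. All addresses, network names, signature IDs and fidelity values are made up for the example.

```python
from ipaddress import ip_address, ip_network

# Rating scales as documented for Cisco IPS 6.x (check your version).
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}   # Attack Severity Rating
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}

# Step 1: network variables (constructed addresses, not real ones).
NETWORKS = {
    "DMZ": ip_network("203.0.113.0/24"),
    "INTERNAL": ip_network("10.0.0.0/8"),
}
FIREWALL_NAT_IP = ip_address("198.51.100.1")   # hypothetical hide-NAT address

# Step 2 / 2a: Target Value Ratings. Anything not listed gets the sensor default (medium).
TARGET_VALUE_BY_NET = {"DMZ": "high", "INTERNAL": "high"}
TARGET_VALUE_BY_HOST = {FIREWALL_NAT_IP: "medium"}

# Step 3: Event Action Overrides, added when the RR falls in the inclusive range.
OVERRIDES = [
    ((100, 100), {"deny-attacker-inline"}),
    ((90, 99), {"deny-connection-inline"}),
    ((90, 100), {"log-attacker-victim-pair", "reset-tcp-connection", "produce-verbose-alert"}),
]

# Step 4: Event Action Filter. Actions in FILTERED_ACTIONS are removed when the
# attacker address is in a protected range or is the firewall's NAT address.
PROTECTED_ATTACKER_NETS = [NETWORKS["DMZ"], NETWORKS["INTERNAL"]]
PROTECTED_ATTACKER_HOSTS = [FIREWALL_NAT_IP]
FILTERED_ACTIONS = {"deny-attacker-inline"}


def target_value(victim):
    """Look up the TVR label for a victim address: host entry, then network, then default."""
    if victim in TARGET_VALUE_BY_HOST:
        return TARGET_VALUE_BY_HOST[victim]
    for name, net in NETWORKS.items():
        if victim in net and name in TARGET_VALUE_BY_NET:
            return TARGET_VALUE_BY_NET[name]
    return "medium"


def risk_rating(severity, fidelity, victim, relevancy=0, promiscuous_delta=0, watch_list=0):
    """RR = ASR*TVR*SFR/10000 + ARR - PD + WLR, clamped to 0..100."""
    rr = ASR[severity] * TVR[target_value(victim)] * fidelity / 10000
    rr += relevancy - promiscuous_delta + watch_list
    return max(0, min(100, round(rr)))


def attacker_is_protected(attacker):
    return attacker in PROTECTED_ATTACKER_HOSTS or any(attacker in n for n in PROTECTED_ATTACKER_NETS)


def resulting_actions(attacker, victim, severity, fidelity):
    """Return (risk rating, sorted list of actions) after overrides and filters are applied."""
    rr = risk_rating(severity, fidelity, victim)
    actions = set()
    for (low, high), added in OVERRIDES:
        if low <= rr <= high:
            actions |= added
    if attacker_is_protected(attacker):
        actions -= FILTERED_ACTIONS
    return rr, sorted(actions)


# Constructed signature table standing in for an export from the sensor.
SIGNATURES = [
    {"id": 1000, "severity": "high", "victim_port": 22},
    {"id": 1001, "severity": "high", "victim_port": 80},
    {"id": 1002, "severity": "medium", "victim_port": 21},
    {"id": 1003, "severity": "high", "victim_port": 443},
    {"id": 1004, "severity": "high", "victim_port": 21},
]


def high_severity_non_web(signatures, web_ports=(80, 443)):
    """IDs of signatures with severity high whose victim port is not a web port."""
    return [s["id"] for s in signatures
            if s["severity"] == "high" and s["victim_port"] not in web_ports]


if __name__ == "__main__":
    dmz_host, internet_host = ip_address("203.0.113.10"), ip_address("192.0.2.5")
    print(resulting_actions(internet_host, dmz_host, "high", 85))  # internet -> DMZ: full deny
    print(resulting_actions(dmz_host, dmz_host, "high", 85))       # DMZ as attacker: no deny-attacker
    print(resulting_actions(FIREWALL_NAT_IP, dmz_host, "high", 85))
    print(high_severity_non_web(SIGNATURES))
```

The useful thing to check with this model is the interaction between steps 2 and 4: raising the DMZ to a high TVR pushes a high-severity, fidelity-85 signature to RR 100, which would deny the attacker inline, and only the step-4 filter stops that happening when the "attacker" is one of your own web servers or the NAT address your clients share.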