Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Set of signatures to Block or Deny in IPS

I'm wondering if anyone has a good set of signatures to setup to automatically block/deny. Right now, we have a couple of IPS units, and we have all signatures set to not block.

What I need is a set of signatures that is safe for a service provider to use. We host many websites and FTP sites and want to be sure we don't automatically block any signatures that have a victim port of 80 or 443.

I'm also looking for a way to list all signatures with a severity of 'high', and a victim port not equal to 80 or 443.

Any help would be appreciated.


- Erik

New Member

Re: Set of signatures to Block or Deny in IPS

One thing you could do is set up Event Action Overrides. This is what I have done:

1) I defined my DMZ space, Internal space and Internet space. I gave all of those variable names.

2) Go into your Target Value Ratings and define your DMZ and Internal space as HIGH. This automatically bumps up the Risk Rating (RR) on signatures as they fire on these items.

2a) I defined my firewall as Medium rating, just due to the fact that any traffic to it will be blocked easily enough.

3) Go in to your Event Action Overrides and set certain actions dependent on Risk Rating. I have DENY ATTACKER INLINE set to RR 100 and DENY CONNECTION INLINE set to RR 90-99. As well as a few others, logging attacker/victim pairs, reseting TCP connections and producing verbose alerts.

4) This step is important. In order to ensure that your IDS will not do a "service block", in that it will not block your webservers if it detects them as being 'attackers', go into Event Action Filter. For all signature ranges, with attacker address of the DMZ and Internal address space you gave earlier, click "Deny attacker inline". This will REMOVE those actions from firing on your selection criteria, and ensure you're not going to accidentally shut off services. You will also want to do this for the Firewall IP address if you are doing Hide NATting behind it, otherwise you will kill your internal clients internet connectivity.

That's pretty much the best way I could come up with to do some automatical intrusion prevention, while not shooting myself in the foot. It's all about those Event Action Rules and risk ratings. Tweaking the individual signatures themselves is extremely daunting, plus they would just get changed back with each new release.

CreatePlease login to create content