Cisco Support Community
Community Member

Signature 50000

I have an IPS 4215, version 5.1(1). I would like an explanation of signature 50000: Outbreak Prevention Signature.

Is it necessary to block it? Which is the most appropriate action in the IPS? The signature shows me many connections to my external mail server.


Cisco Employee

Re: Signature 50000

Signatures 50000.0, 50000.1, and 50000.2 should be left at their default in your setup, which is disabled.

They are used by the Cisco Incident Control Server (CICS) system to apply what is called an OpACL. An OpACL is a coarse-grain filter on ICMP, UDP, or TCP (see the 3 subsigs, one per protocol) packets. It is used by the Outbreak Prevention service to filter traffic on ports being used by a worm for propagation, communication, etc. They will be tuned by the CICS when it receives notification of an outbreak. This service is an extra feature that you can purchase; it is otherwise disabled and has no effect on the sensor.

If you had the service and an outbreak was declared, the system would be triggered to tune the appropriate 50000 sub signature to block traffic on the propagation channels while a fine-grained, higher fidelity signature (an OpSig) was developed and automatically deployed to your sensor. At that time, the coarse-grained OpACL would be disabled.

The purpose here being an extremely fast (minutes) response while a more time-consuming (hours), better response is developed.
