"Events are reporting by default, out of the box."
Some are, anyway ;-) By default, 863 signatures are disabled and not retired... do you know why? Should they be enabled?
455 signatures are disabled and retired... do you know why? Should they be disabled and retired (Cisco says yes, and most probably should be)?
If my math is correct, the combination of disabled and disabled/retired signatures accounts for over half of all signatures on the sensor.
I assume this IPS is actually being used inline and you're wanting to know what to block and what not. None of ours are inline, but it seems based on the astronomical number of false positives that I get that watching the sensor for a week or two might be a good idea before changing any of the actions.
You hit the nail right on the head. I have a product which appears to have great potential. Management was sold on it. It's installed, and now the question is: how is it helping us? I can't find any information beyond installation and basic configuration, other than to buy more products like ICS or MARS.
For example, sig 4703, MSSQL Resolution Stack Overflow: should I do a TCP reset, a deny or a block? If I deny, which type? I am just looking for someone to point me in the right direction. Book? Class?
I'm with you on this one, rungemach. Our IPS is inline and working, but we've had several signatures that put out massive false positives, especially when dealing with our VPN clients. I've looked all over Cisco for a good starting point on tuning the sigs for true IPS, but I'm kind of at a loss. Just my personal thought, I think the virus sigs are pretty reliable. Those will more than likely be the ones that we enable first. After that I'm not sure. NEED GUIDANCE!!!
I have discussed this with our account team and they had no response. We are a named account with Cisco, we can sometimes push a little farther, but it didn't help in this case. We are now having an issue with a handful of SSL web sites. Unfortunately the only way we can use these sites is with the inspection engine in bypass. (This is after resetting the sensor back to defaults and removing all of the tuning). If I could nail it down to a signature, it would be great, but I have searched and searched (actually reported) and cannot find any matches on the source/destination addresses. Unfortunately, there is no easy way to search the event log, at least not that I have found.
TAC has provided the typical response: upgrades/patches, etc. Of course, the customer has to make a decision: turn on the sensor and forego using the website, or turn the sensor off and actually make money as a company. One of the websites affected is critical to our ability to do business. (I would think this would qualify as at least a #2 case.)
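Several posts above come back to the same two questions: which signatures are generating the noise (so the sensor can be watched for a week or two before any action is changed), and whether anything at all fired for a given source or destination address. The script below is an added example written for this thread; it is not Cisco's tooling, and the comma-separated record format it reads (`timestamp,sig_id,sig_name,src_ip,dst_ip,action`) is a constructed, simplified export rather than the sensor's native event format. Signature 4703 is the one named in the thread; the IDs 60001 and 60002, the 10.8.0.0/16 "VPN pool" prefix and all sample events are made up for the example. Adapt `parse_events()` to whatever export your event viewer produces.

```python
"""Triage helpers for IPS alert records (example code added to this thread).

Workflow: collect a week or two of alerts, rank signatures by hit count,
see where each one's hits come from, and flag signatures whose hits come
mostly from addresses you trust (e.g. your own VPN client pool). Only then
decide whether a signature's action should change.
"""
import csv
import io
from collections import Counter

# Constructed sample export. Columns: ts,sig_id,sig_name,src,dst,action.
# 4703 is the signature named in the thread; 60001/60002 are made-up IDs.
# 10.8.0.0/16 plays the role of the VPN client address pool (constructed).
SAMPLE_EVENTS = """\
2008-04-01T09:00:01,4703,MSSQL Resolution Stack Overflow,10.8.0.12,10.1.1.20,alert
2008-04-01T09:00:03,4703,MSSQL Resolution Stack Overflow,10.8.0.12,10.1.1.20,alert
2008-04-01T09:00:09,4703,MSSQL Resolution Stack Overflow,10.8.0.15,10.1.1.20,alert
2008-04-01T09:00:11,4703,MSSQL Resolution Stack Overflow,203.0.113.7,10.1.1.20,alert
2008-04-01T09:01:00,60001,Constructed virus signature,198.51.100.4,10.1.1.30,alert
2008-04-01T09:02:10,60002,Constructed scan signature,10.8.0.12,10.1.1.40,alert
2008-04-01T09:02:12,60002,Constructed scan signature,10.8.0.12,10.1.1.41,alert
2008-04-01T09:02:14,60002,Constructed scan signature,10.8.0.33,10.1.1.42,alert
"""

# Constructed: address prefixes whose traffic you consider trusted.
VPN_POOL_PREFIXES = ("10.8.",)

FIELDS = ("ts", "sig_id", "sig_name", "src", "dst", "action")


def parse_events(text):
    """Parse the constructed CSV export into a list of dicts; skip blanks."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) != len(FIELDS):
            raise ValueError(f"malformed record: {row!r}")
        events.append(dict(zip(FIELDS, row)))
    return events


def hits_per_signature(events):
    """Alerts per signature id; the noisiest ones are the first tuning candidates."""
    return Counter(e["sig_id"] for e in events)


def top_sources(events, sig_id, n=3):
    """Most frequent source addresses for one signature."""
    return Counter(e["src"] for e in events if e["sig_id"] == sig_id).most_common(n)


def find_by_address(events, address):
    """Every event in which the address appears as source or destination."""
    return [e for e in events if address in (e["src"], e["dst"])]


def false_positive_candidates(events, trusted_prefixes=VPN_POOL_PREFIXES,
                              threshold=0.8):
    """Signatures whose hits come mostly from trusted sources.

    Returns [(sig_id, share_from_trusted, total_hits)], highest share first.
    A high share does not prove a false positive; it says where to look first.
    """
    total, trusted = Counter(), Counter()
    for e in events:
        total[e["sig_id"]] += 1
        if e["src"].startswith(trusted_prefixes):
            trusted[e["sig_id"]] += 1
    out = [(sig, trusted[sig] / n, n) for sig, n in total.items()
           if trusted[sig] / n >= threshold]
    return sorted(out, key=lambda t: (-t[1], -t[2], t[0]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for sig, n in hits_per_signature(evs).most_common():
        print(f"sig {sig}: {n} hits, top sources {top_sources(evs, sig)}")
    print("mostly-from-VPN-pool candidates:", false_positive_candidates(evs))
    print("events touching 10.1.1.30:", len(find_by_address(evs, "10.1.1.30")))
```

On the constructed sample, 4703 is the busiest signature but only 75% of its hits come from the VPN pool, so with the default 0.8 threshold only 60002 is flagged; lowering the threshold to 0.7 adds 4703. The point of the ranking is to decide where to spend review time, not to auto-disable anything: a signature that fires mostly from internal addresses may be a false positive, or it may be the one alert that matters.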