Tuning and Action guidelines

rungemach
Level 1

IPS is installed, working well. Events are reporting by default, out of the box. The next step is to start tuning actions for the signatures.

Are there any guidelines for appropriate actions for the different signatures? It would be nice if the signature explanation file contained a "best practice" action.

Is there anywhere that defines all of the signatures and the setting, without having to go through each one on IDM or VMS?

MySDN is practically useless, it is so slow and a simple search, such as by port numbers to find corresponding signatures never turns up anything.

7 Replies

mhellman
Level 7

"Events are reporting by default, out of the box."

Some are anyway ;-) By default, 863 signatures are disabled and not retired... do you know why? Should they be enabled?

455 signatures are disabled and retired... do you know why? Should they be disabled and retired (Cisco says yes and most probably should be)?

If my math is correct, the combination of disabled and disabled/retired signatures accounts for over half of all signatures on the sensor.

I assume this IPS is actually being used inline and you're wanting to know what to block and what not. None of ours are inline, but it seems based on the astronomical number of false positives that I get that watching the sensor for a week or two might be a good idea before changing any of the actions.

You hit the nail right on the head. I have a product which appears to have great potential. Management was sold on it. It's installed and now the question, how is it helping us? I can't find any information beyond installation and basic configuration other than to buy more products like ICS or MARS.

For example, sig 4703, MSSQL Resolution Stack Overflow, should I do a TCP reset, a deny or a block? If I deny, which type? I am just looking for someone to point me in the right direction. Book? Class?

dhopper82
Level 1

I'm with you on this one rungemach. Our IPS is inline and working but we've had several signatures that put out massive false positives, especially when dealing with our VPN clients. I've looked all over Cisco for a good starting point on tuning the sigs for true IPS but I'm kind of at a loss. Just my personal thought, I think the virus sigs are pretty reliable. Those will more than likely be the ones that we enable first. After that I'm not sure. NEED GUIDANCE!!!

bump

Can anybody help us? Is there any documentation on where to start tuning? How to decide if alerts are false positives?

The Cisco documentation does a fine job of telling you how to setup an IPS system but not how to operate it in the real world.

I have discussed this with our account team and they had no response. We are a named account with Cisco, we can sometimes push a little farther, but it didn't help in this case. We are now having an issue with a handful of SSL web sites. Unfortunately the only way we can use these sites is with the inspection engine in bypass. (This is after resetting the sensor back to defaults and removing all of the tuning). If I could nail it down to a signature, it would be great, but I have searched and searched (actually reported) and cannot find any matches on the source/destination addresses. Unfortunately, there is no easy way to search the event log, at least not that I have found.

TAC has provided the typical response, upgrades/patch, etc. Of course, the customer has to make a decision, turn on the sensor and forego using the website or turn the sensor off and actually make money as a company. One of the websites affected is critical to our ability to do business. (I would think this would qualify as at least a #2 case.)

Looks like we will be looking for a new solution.
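A small triage script, added here as an example and not code from Cisco or from anyone in this thread, that does the "watch the sensor for a week or two" step mhellman suggests and the per-address search rungemach could not find in the event viewer: it ranks signatures by alert volume and distinct sources (one signature firing from many different internal hosts, such as a VPN client pool, is a false-positive candidate to review before enabling a deny action) and lists which signatures fired on a given source/destination pair. The event layout, the addresses and every signature id other than 4703 are constructed for the example, not Cisco's export format.

```python
from collections import Counter, defaultdict

# Constructed sample of sensor alerts exported as CSV:
# timestamp, signature id, severity, source, destination, destination port.
# The layout is an assumption for this example; ids other than 4703 are made up.
SAMPLE_EVENTS = """\
2007-03-01T10:00:01,4703,high,203.0.113.7,192.168.10.20,1434
2007-03-01T10:05:12,4703,high,203.0.113.7,192.168.10.21,1434
2007-03-01T10:06:00,20001,medium,10.8.0.11,192.168.10.50,443
2007-03-01T10:06:03,20001,medium,10.8.0.12,192.168.10.50,443
2007-03-01T10:06:09,20001,medium,10.8.0.13,192.168.10.50,443
2007-03-01T10:06:15,20001,medium,10.8.0.14,192.168.10.50,443
2007-03-01T10:07:40,20002,low,192.168.10.77,198.51.100.9,443
"""


def parse_events(text):
    """Turn the CSV export into a list of dicts, one per alert."""
    events = []
    for line in text.strip().splitlines():
        ts, sig, sev, src, dst, port = line.split(",")
        events.append({"ts": ts, "sig": int(sig), "sev": sev,
                       "src": src, "dst": dst, "port": int(port)})
    return events


def signature_summary(events):
    """(sig, alert count, distinct sources), busiest signature first.
    Many distinct sources on one signature during the observation window is
    the pattern to review (e.g. VPN clients) before switching it to deny."""
    counts = Counter(e["sig"] for e in events)
    sources = defaultdict(set)
    for e in events:
        sources[e["sig"]].add(e["src"])
    rows = [(sig, counts[sig], len(sources[sig])) for sig in counts]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def candidate_false_positives(events, min_sources=3):
    """Signature ids that fired from at least min_sources distinct hosts."""
    return [sig for sig, _, n in signature_summary(events) if n >= min_sources]


def signatures_for_pair(events, src, dst):
    """Which signatures fired on a given source/destination pair, e.g. to
    check whether a broken SSL site is actually matching a signature."""
    return sorted({e["sig"] for e in events if e["src"] == src and e["dst"] == dst})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for row in signature_summary(evs):
        print("sig %d: %d alerts from %d sources" % row)
    print("review first:", candidate_false_positives(evs))
    print("192.168.10.77 -> 198.51.100.9:", signatures_for_pair(evs, "192.168.10.77", "198.51.100.9"))
```

An empty result from `signatures_for_pair` for the affected site's addresses is itself useful: it suggests the SSL breakage is not a signature action and points back at the engine or inline path rather than tuning.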

What exactly is the problem with SSL? Only the norm. engine can drop packets by default and only if the sensor is in the inline mode.
