Cisco Support Community

New Member

Tuning - Best Performance

In tuning my signatures for products we do not have, such as HP OpenView, what is the best practice, or what offers the best performance: leaving them in the default state, or disabling them?

1 REPLY
Cisco Employee

Re: Tuning - Best Performance

Best practice would say that you should remove signatures which are not important - which should decrease inspection load a bit.

However you need to think of one thing before doing this:

Am I only interested in attacks against my infrastructure? (Victims in my network)

or

Am I interested in checking for attacks related to my infrastructure? (Source or victims in my network)

Apart from the obvious question: what happens if you do install HP OpenView? Will you remember you turned off this signature?

That being said, I understand you already went past the stage where you monitored your traffic in promiscuous mode for several weeks and are confident what you actually have in your network - you identified signatures firing false positives and trimmed them. If so, you can also disable some default signatures not related to your infrastructure.

Will you see a superior gain in performance? I doubt it. But it's a good place to start.

Next up:

- changing normalizer mode

- disabling not needed engines.

Hope this helps,

Marcin
