Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Verifying singature matches and baselining


I am supporting an IPS4345 at a Cisco client site.

I wanted to ask the following questions:

1) Is there a way to tell how many matches against each signature have been fired, similar to the hit count on an access list?  I am asking as I would like to disable any unneccessary signatures to improve performance.  The processor seems to stay at about 68%.

2) Is the Learning Period for the Knowledgebase within Anomoly Detection considered baselining?  If not, is the best method for baselining to ue a sniffer monitoring traffic in parralel to the IPS how to baseline the traffic?

Thank You in advance!                  

Community Member

Verifying singature matches and baselining


1) The cli command "show statistics virtual-sensor" will list all signatures with a count for each signature along with other details.

2) This following from the IPS Configuration guide should help you with AD

Learning accept mode

"Although anomaly detection is in detect mode by  default, it conducts an initial learning accept mode for the default  period of 24 hours. We assume that during this phase no attack is being  carried out. Anomaly detection creates an initial baseline, known as a  knowledge base (KB), of the network traffic. The default interval value  for periodic schedule is 24 hours and the default action is rotate,  meaning that a new KB is saved and loaded, and then replaces the initial  KB after 24 hours. "

Detect mode

For ongoing operation, the sensor should remain in detect mode. This is  for 24 hours a day, 7 days a week. Once a KB is created and replaces the  initial KB, anomaly detection detects attacks based on it. It looks at  the network traffic flows that violate thresholds in the KB and sends  alerts. As anomaly detection looks for anomalies, it also records  gradual changes to the KB that do not violate the thresholds and thus  creates a new KB. The new KB is periodically saved and takes the place  of the old one thus maintaining an up-to-date KB.

Community Member

Verifying singature matches and baselining

The default policy and the default values for configured policies do not show up in the configuration when you issue a show running-config EXEC command. Instead, to see the default policy and any default values within configured policies, use the show crypto isakmp policy EXEC command.

CreatePlease to create content