Just wanted to get an idea of what others thought about signatures that are enabled by default with an action.
In our environment we've already seen a few false positives but we have all signatures set for "alert only" for now. We got hit by the ASA normalizer and the MSS Exceeded event so I wanted to make sure we didn't get hit when we enabled the AIP-SSMs.
Having signatures enabled with actions set in theory gives more immediate protection, but it stops us from being able to run auto updates effectively because we prefer to test signatures for false positives for a few days at least before configuring for drop/reset.
So in my case I'd like to see any drop/block/reset actions set on by default. That would allow me to update my signatures via SCP on a timely basis and not have to be here to turn off any actions.
Am I the lone minority on this, and how do others handle sig updates? We are a small team and anything we can automate is a huge plus.
Your sensor cannot automatically load service pack and signature updates from Cisco.com. You need to download them to your SCP server, from which your sensors can automatically retrieve them. Refer to the following URL
Yes, that's what we're already doing. My question was more in terms of how others felt about the fact that some signatures come enabled with actions specified.
We use SCP to do the updates, but then I have to go disable actions until we're comfortable that there won't be any false positives that interfere with valid traffic. Having to do that adds another manual step.
In essence the steps are:
1. Manual download of updates from Cisco onto SCP/FTP server.
2. Automatic scheduled update to our 2 AIP-SSMs.
3. Manual retuning of signatures.
So in essence we don't gain much/anything from the scheduled auto updates. If we have a dozen IPS sensors then the auto update would be a time saver but for us there's little value.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...