Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Which School of thought for sig defaults.

Just wanted to get an idea of what others thought about signatures that are enabled by default with an action.

In our environment we've already seen a few false positives but we have all signatures set for "alert only" for now. We got hit by the ASA normalizer and the MSS Exceeded event so I wanted to make sure we didn't get hit when we enabled the AIP-SSMs.

Having signatures enbled with actions set in theory gives more immediate protection, but it stops us from being able to run auto updates effectively because we prefer to test signatures for false positives for a few days at least before configuring for drop/reset.

So in my case I'd like to see any drop/block/reset actions set on by default. That would allow me to update my signatures via SCP on a timely basis and not have to be here to turn off any actions.

Am I the lone minority on this and how do others handle sig updates? We are a small team and anything we can automate is a hughe plus.

2 REPLIES
Silver

Re: Which School of thought for sig defaults.

Your sensor cannot automatically load service pack and signature updates from Cisco.com. You need to download them to your SCP server, from which your sensors can automatically retrieve them.Refer the following URL

http://www.ciscopress.com/articles/article.asp?p=426636&rl=1

Community Member

Re: Which School of thought for sig defaults.

Yes that's what we're already doing. My question was more in terms of how other fealt about the fact that some signatures come enabled with actions specified.

We use SCP to do the updates but then I have to go diable actions until we're comfortable that their won't be and fasle positives that interfere with valid traffic. Having to do that adds another manual step.

In essesnce the steps are

1. Manual download of updates from Cisco onto SCP/FTP server.

2. Automatic scheduled update to our 2 AIP-SSMs.

3. Manual retuning of signatures.

So in essence we don't gain much/anything from the scheduled auto updates. If we have a dozen IPS sensors then the auto update would be a time saver but for us there's little value.

Just wanted to know if others had the same view.

2.

129
Views
3
Helpful
2
Replies
CreatePlease to create content