Canned CSA rule sets

Are there any repositories of rule sets that Cisco or other CSA users have created for standard applications so we don't need to reinvent the wheel for each application that isn't covered by the default rules?


Tom S


Re: Canned CSA rule sets

Other than the Microsoft Office module I am not aware of any canned set of rules for applications. A word of caution here though. I would not recommend using a rule set from anyone else. Environments differ so much from network to network that you may find yourself opening up holes in your security big enough to drive a Mack (hack) truck through.

Although it may be a pain in the initial setup, I much prefer to have a blank slate with everything locked down at first and create exceptions along the way as need be. Eventually you will have allowed only that which actually needs to be allowed and are restricting everything else. You shouldn't have to continuously tune the agents. I have found that after a week or so most actions needed by end users have been run through.

Think of it as a "Secure by Default" system like the PIX when you first get it out of the box. You have to start creating holes through access lists, etc., for the PIX to let anything through. This (hopefully) minimizes the chance of some port being exploited because "Well... I got this config from a buddy of mine from the PIX at his company. It seemed pretty secure at the time" or anything like that.

Hope this helps ease the pain of "reinventing the wheel" :)

Re: Canned CSA rule sets

Thanks and I agree with your cautions. Maybe I can clarify my question a bit further. There are quite a few what I would call 'canned' policies, rules, variables and application classes.

The Virus Scanner module comes to mind first as we have McAfee installed and there are file sets and behaviors already defined for McAfee. FrameworkServices.exe is causing Trojan detection alerts because of captured keystrokes and I thought this would be defined as normal behavior for McAfee.

We are getting lots of Trojan detection events associated with other applications as well so I'll probably create exceptions or app builder rules (I'm still very much in learning mode).

What I was looking for was either Cisco or other vendor supplied rule sets (and updates when a new version of a particular piece of software is released) or for folks that have already run in to these problems and found solutions.

I suggested that Cisco start a CSA forum under Security>Intrusion Prevention Systems so maybe that will be a place to start if and when they do it.

We have 40 hosts running in test mode in either the desktop or laptop groups and they are generating upwards of 15,000 events per day. It is a daunting task to go through but I'm learning. Call me lazy but I'd rather build on someone else's experience if I can.

Thanks again

Tom S

Re: Canned CSA rule sets

Ahhh.... the devil is in the details. With the expanded explanation of your request I see what you are getting at and I would have to agree with you on the issues that you presented. I am sure that as the product evolves Cisco will step up to the plate with more rule sets that encompass a wider array of applications.

I think the dedicated CSA forum is a fantastic idea as well. Mr/Miss Moderator are you awake? :)

