Cisco Support Community

New Member

CSA Signature tuning


When I try to tune some signatures, the application tells me that it could monitor the activity of the application for an hour and then generate the rule (I forget the exact words). Can someone tell me more about this feature? What will happen after an hour?

Please help. All posts would be rated.


Re: CSA Signature tuning

You can get more information regarding the tuning of Cisco Security Agent from the following URL,

New Member

Re: CSA Signature tuning

You're referring to the Application Behavior Investigation. Chapter 13 in the CSA 5.1 User's Guide (if you're looking for the doc link).

You configure the job on the CSAMC and generate rules. When the Agent polls next, it picks up the instructions on what to observe.

On the Agent all file, network, registry and COM operations are logged for that job. After the time period or the specified number of executions is reached, the Agent uploads the information to the CSAMC.

On the CSAMC a license is required to generate a rule set, but simply reporting on the gathered data is a function provided with your CSAMC license.

Start small when looking at using this feature. Try observing notepad.exe to get used to the mechanisms involved. Jumping right into an SAP server would be daunting at first, but it's the route I would go if asked to tune policies on that server.
