Cisco Support Community
Community Member

IDS policy questions

I have three questions here all related to the policy for a Cisco IDS appliance.

1. For a new install, when I initialize a Cisco IDS sensor, does it have the default Cisco IDS policy? By default policy, I mean most signatures enabled, some signatures disabled and with their severity levels defined as recommended by Cisco.

2. By using the command "reset-signatures all" from the CLI, do I reset the policy on the appliance to the Cisco-factory-defined default policy?

3. Allow me to take an example for this one - I have an appliance where I took the default Cisco IDS policy, added 3 custom signatures, changed severity levels for 4 signatures, turned on IPLOG for 5 high-severity signatures, disabled 6 sigs which were in enabled status and applied 2 eventfilters based on source IPs. Now, I proceed to do a signature/service pack update and for illustration purposes let's assume there were 10 new sigs in the new update pack. a> would my custom settings (custom sigs, severity level changes, IPLOG settings, disabled sigs settings and eventfilters) be retained as a result of the update? and b> would the 10 new sigs which were added as a result of the update be set as per the default Cisco IDS policy? (enable/disable status, severity levels, etc.)

Cisco Employee

Re: IDS policy questions

Answer 1) Yes, all of the signatures are set to their default settings on first initialization of the sensor. Each signature will have its severity defaulted to a particular setting, and will have a default setting for whether or not it is enabled. All signatures are set to have no action by default.

Answer 2) Yes, all changes you have made to signature settings will be discarded and each signature parameter will be set back to its default.

Answer 3) Yes, your assumptions are correct. The signature update will maintain any signature modifications you made to existing signatures and will keep your custom signatures. The additional signatures will be added to your configuration using the assigned defaults.

NOTE: When you install a signature update on a version 3.x appliance the update will not change the severity level of previous signatures regardless of whether or not they had been modified by the user. In version 4.x, if the user has modified the severity level and/or enable status then they will be maintained after the update.

But if the severity level and/or enable status were still at the Cisco default then the severity level and/or enable status may be changed by the signature update if the signature update contains new defaults for that signature.

NOTE2: I have heard of one situation where the user modifications were not maintained after the update.

This would be considered a bug, and could happen if a custom signature or signature modification done in one version was not understood by the next version. If you have several signature modifications then I recommend always saving off your configuration prior to upgrading on the very small possibility that you may encounter an installation bug when installing the signature update.
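The 4.x update behaviour described in the answer above, modelled as an added example that is not part of the original thread and is not Cisco code: it computes what a saved configuration should look like after an update and lists any user modification the update failed to keep. The signature IDs, field names and dictionary layout are assumptions constructed for illustration, not the sensor's real configuration format.

```python
# Added example: models the 4.x signature-update rule from the answer above.
# Signature IDs, field names and the dict layout are constructed for
# illustration; they are not the sensor's real configuration format.
_MISSING = object()

def expected_after_update(old_defaults, saved, new_defaults):
    """Config a 4.x signature update should leave behind, per the answer."""
    result = {}
    for sig_id, new_def in new_defaults.items():
        cur, old_def = saved.get(sig_id), old_defaults.get(sig_id, {})
        if cur is None:
            result[sig_id] = dict(new_def)       # new signature: assigned defaults
            continue
        merged = dict(cur)                       # user settings (e.g. actions) are kept
        for field, new_value in new_def.items():
            # A value still at the old default may follow the new default;
            # a user-modified value is retained.
            if field not in cur or cur[field] == old_def.get(field, _MISSING):
                merged[field] = new_value
        result[sig_id] = merged
    for sig_id, cur in saved.items():
        result.setdefault(sig_id, dict(cur))     # custom signatures are kept as-is
    return result

def lost_modifications(expected, actual):
    """(sig_id, field, expected, actual) for every setting the update got wrong."""
    findings = []
    for sig_id, want in sorted(expected.items()):
        got = actual.get(sig_id)
        if got is None:
            findings.append((sig_id, "<missing>", want, None))
            continue
        findings.extend((sig_id, f, v, got.get(f))
                        for f, v in sorted(want.items()) if got.get(f) != v)
    return findings

def sig(severity, enabled, action="none"):
    return {"severity": severity, "enabled": enabled, "action": action}

# Constructed sample data: defaults before/after the update, the configuration
# saved before upgrading, and a post-update config showing the NOTE2 failure.
OLD_DEFAULTS = {"SIG_A": sig("high", True), "SIG_B": sig("low", True)}
NEW_DEFAULTS = {"SIG_A": sig("low", False), "SIG_B": sig("medium", True),
                "SIG_NEW": sig("info", False)}
SAVED_CONFIG = {"SIG_A": sig("medium", True, "iplog"), "SIG_B": sig("low", False),
                "CUSTOM_1": sig("high", True)}
AFTER_UPDATE = {"SIG_A": sig("low", False, "iplog"), "SIG_B": sig("medium", False),
                "SIG_NEW": sig("info", False)}

if __name__ == "__main__":
    expected = expected_after_update(OLD_DEFAULTS, SAVED_CONFIG, NEW_DEFAULTS)
    for finding in lost_modifications(expected, AFTER_UPDATE):
        print(finding)
```

An empty result means the update kept every modification; any entry is a setting to restore from the configuration saved before the upgrade.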
