Cisco Support Community

SA540 IPS rules

Anyone care to give me an idea of what IPS rules you guys have enabled/disabled? We started out with enabling all rules and it's logging a lot of events, even unnecessary ones sometimes.

For example:

*ALERT*[119:2:1] (http_inspect) DOUBLE DECODING ATTACK[Priority: 3]: {TCP} 192.168.6.227:50808 -> 74.217.85.40:80

Component: IPS

Also, it's logging cookies and web trackers:

*ALERT*[119:2:1] (http_inspect) DOUBLE DECODING ATTACK[Priority: 3]: {TCP} 192.168.6.101:51773 -> 209.190.106.126:80

Component: IPS
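The alert lines quoted above follow the Snort-style `[gid:sid:rev] (component) MESSAGE [Priority: n]: {proto} src:port -> dst:port` layout, so a short parser can answer the tuning question from the logs themselves: count hits per signature and see how many internal clients trigger each one. A low-priority signature firing across many clients on ordinary web traffic is a tuning candidate; a rare signature hitting one host deserves a look instead. This is an added example for triaging such logs, not code from the poster or from Cisco; the two alerts from the post are reused as sample input and the remaining sample lines (198.51.100.x destinations, the local SID 1000001) are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the two alerts quoted in the post plus two made-up lines
# (a third 119:2:1 hit and a hypothetical local rule) to give the counts some shape.
SAMPLE_ALERTS = [
    "*ALERT*[119:2:1] (http_inspect) DOUBLE DECODING ATTACK[Priority: 3]: {TCP} 192.168.6.227:50808 -> 74.217.85.40:80",
    "*ALERT*[119:2:1] (http_inspect) DOUBLE DECODING ATTACK[Priority: 3]: {TCP} 192.168.6.101:51773 -> 209.190.106.126:80",
    "*ALERT*[119:2:1] (http_inspect) DOUBLE DECODING ATTACK[Priority: 3]: {TCP} 192.168.6.101:51800 -> 198.51.100.10:80",
    "*ALERT*[1:1000001:1] (snort) EXAMPLE LOCAL RULE[Priority: 1]: {TCP} 192.168.6.50:4444 -> 198.51.100.20:443",
]

# One regex for the alert layout shown in the post: rule id triple, component,
# free-text message, priority, protocol, then source and destination endpoints.
ALERT_RE = re.compile(
    r"\*ALERT\*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"\((?P<component>[^)]+)\)\s+(?P<msg>.+?)\[Priority:\s*(?P<prio>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None when the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        fields[key] = int(fields[key])
    fields["msg"] = fields["msg"].strip()
    return fields

def summarize(lines):
    """Count hits per signature and record which internal clients triggered each one."""
    hits, clients = Counter(), defaultdict(set)
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # skip non-alert log noise instead of failing
        key = f"{alert['gid']}:{alert['sid']}:{alert['rev']} {alert['msg']}"
        hits[key] += 1
        clients[key].add(alert["src"])
    return hits, clients

def noisy_signatures(lines, min_hits=2, min_clients=2, max_prio=3):
    """Signatures at or below max_prio (Snort: 1 is highest) that fire repeatedly across
    several clients; these are the ones to review for tuning rather than the whole rule set."""
    hits, clients = summarize(lines)
    prio = {f"{a['gid']}:{a['sid']}:{a['rev']} {a['msg']}": a["prio"]
            for a in map(parse_alert, lines) if a}
    return sorted(k for k, n in hits.items()
                  if n >= min_hits and len(clients[k]) >= min_clients and prio[k] >= max_prio)
```

Run `summarize(SAMPLE_ALERTS)` to see the per-signature counts; on the sample, only the priority-3 double-decoding alert qualifies as noisy, while the single priority-1 local-rule hit does not.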

1 REPLY

We utilize all of the IPS signatures. Unless you allow IM'ing (i.e. AOL IM), torrenting, etc., you will find that the IPS signatures rarely give false positives. We have tested the latest signatures rather thoroughly and have found them to not adversely affect network traffic.

FYI, we found that once we enabled ProtectLink Web (set to medium security as recommended), ProtectLink prevents any harmful websites, malware, etc. before the traffic even hits the router (and thus the IPS layer). The biggest plus is that we found our WAN throughput to increase to max (30 Mbps strong vs ~22 Mbps) once ProtectLink was turned on with IPS!!! Our theory, based on the debug logs, is that turning on ProtectLink actually utilizes a second 500 MHz core on the CPU.

We have found that Trend Micro really takes ProtectLink Web seriously by keeping their *signatures*, blacklists, etc. extremely up-to-date. Especially compared to Cisco's SMB signatures for the SA500 Series routers. Don't even get me started on the outdated IPS signatures for the WRVS4400N, etc. routers!

FYI, the only URL filtering that we utilize/block in ProtectLink Web is the *harmful* URLs. Everything else is allowed. We let the IPS signatures prevent the torrent/IM/etc.-type traffic.
