https://community.cisco.com/t5/network-security/tuning-best-performance/m-p/1564252#M66393 <HTML><HEAD></HEAD><BODY><P>Best practice would say that you should remove signatures which are not important - which should decrease inspection load a bit.</P><P></P><P>However you need to think of one thing before doing this:</P><P>Am I only interested in attacks againt my infrastructure? (Victims in my network)</P><P>or</P><P>Am I interested to check for attack related to my infrastructure? (sourse or victims in my network)</P><P></P><P>Apart from the obvious question - what happens if you do install HP open view - will you remember you turned off this signture? <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>That being said, I understand you already went past the stage where you monitored your traffic in promiscous mode for several weeks and are confident what you actually have in your network - you identified signatures firing false positives and trimmed them. If so, you can also disable some default signatures not related to your infrastructure.</P><P></P><P>Will you see a superior gain of performance - I doubt so. But it's a good place to start.</P><P>Next up:</P><P>- changing normalizer mode</P><P>- disabling not needed engines.</P><P></P><P>Hope this helps,</P><P>Marcin</P></BODY></HTML> Fri, 01 Oct 2010 08:03:09 GMT Marcin Latosiewicz 2010-10-01T08:03:09Z https://community.cisco.com/t5/network-security/tuning-best-performance/m-p/1564251#M66391 <P>In tuning my signatures for products we do not have, such as HP Openview<SPAN style="background-color: #f8fafd;">;&nbsp; what is the best practice, or what offers the best performance- leaving them in the default state, or disabling them?</SPAN></P> Sun, 10 Mar 2019 12:08:32 GMT https://community.cisco.com/t5/network-security/tuning-best-performance/m-p/1564251#M66391 trippi 2019-03-10T12:08:32Z https://community.cisco.com/t5/network-security/tuning-best-performance/m-p/1564252#M66393 <HTML><HEAD></HEAD><BODY><P>Best practice would say that you should remove signatures which are not important - which should decrease inspection load a bit.</P><P></P><P>However you need to think of one thing before doing this:</P><P>Am I only interested in attacks againt my infrastructure? (Victims in my network)</P><P>or</P><P>Am I interested to check for attack related to my infrastructure? (sourse or victims in my network)</P><P></P><P>Apart from the obvious question - what happens if you do install HP open view - will you remember you turned off this signture? <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>That being said, I understand you already went past the stage where you monitored your traffic in promiscous mode for several weeks and are confident what you actually have in your network - you identified signatures firing false positives and trimmed them. If so, you can also disable some default signatures not related to your infrastructure.</P><P></P><P>Will you see a superior gain of performance - I doubt so. But it's a good place to start.</P><P>Next up:</P><P>- changing normalizer mode</P><P>- disabling not needed engines.</P><P></P><P>Hope this helps,</P><P>Marcin</P></BODY></HTML> Fri, 01 Oct 2010 08:03:09 GMT https://community.cisco.com/t5/network-security/tuning-best-performance/m-p/1564252#M66393 Marcin Latosiewicz 2010-10-01T08:03:09Z