https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969717#M80277 <HTML><HEAD></HEAD><BODY><P>Hi attmidsteam </P><P></P><P>I have a query regarding fine-tuning IDS Signatures . I am using old IDM (snapshots attached) .I wanto know if for a particular signature i want to disable the logging from specific source IP Range to destination IP Range , how to go about this in the same . Is it we do it via Event filter ? </P><P></P><P>I know how to do it in IDM 5 (we need to go to Event action filters and subtract the action ) .Kindly help me in </P><P>IDM 4 </P><P></P><P>Regards</P><P>Ankur </P><P></P><P> </P><P></P></BODY></HTML> Thu, 17 Apr 2008 06:57:56 GMT ankurs2008 2008-04-17T06:57:56Z https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969715#M80275 <P>Hi,</P><P></P><P>we are going for tuning the IDS signature.No idea how to do it.</P><P></P><P>Please somebody suggest.</P><P></P><P>Thanking u</P><P>Navin </P> Sun, 10 Mar 2019 11:04:09 GMT https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969715#M80275 navin_rk3 2019-03-10T11:04:09Z https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969716#M80276 <HTML><HEAD></HEAD><BODY><P>Your post leaves much information to be desired. Do you want to tune a single signature or a group of signatures? Do you want to simply disable a signature, or do you want to change the summarization key or regex patterns? etc,etc,etc</P><P></P><P>Are you using the IDM, the sensor console CLI, or CSM? Each method varies wildly.</P></BODY></HTML> Wed, 16 Apr 2008 16:59:25 GMT https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969716#M80276 attmidsteam 2008-04-16T16:59:25Z https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969717#M80277 <HTML><HEAD></HEAD><BODY><P>Hi attmidsteam </P><P></P><P>I have a query regarding fine-tuning IDS Signatures . I am using old IDM (snapshots attached) .I wanto know if for a particular signature i want to disable the logging from specific source IP Range to destination IP Range , how to go about this in the same . Is it we do it via Event filter ? </P><P></P><P>I know how to do it in IDM 5 (we need to go to Event action filters and subtract the action ) .Kindly help me in </P><P>IDM 4 </P><P></P><P>Regards</P><P>Ankur </P><P></P><P> </P><P></P></BODY></HTML> Thu, 17 Apr 2008 06:57:56 GMT https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969717#M80277 ankurs2008 2008-04-17T06:57:56Z https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969718#M80278 <HTML><HEAD></HEAD><BODY><P>Yes, if you want a filter a specific signature from a certain source range to a certain destination range, you'll use an event filter.</P></BODY></HTML> Thu, 17 Apr 2008 12:45:22 GMT https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969718#M80278 attmidsteam 2008-04-17T12:45:22Z https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969719#M80279 <HTML><HEAD></HEAD><BODY><P>Hi Attmidsteam,</P><P></P><P>We got this new project recently,so we want fine tune or customize the signature as per our organisation traffic.</P><P></P><P>My Question is how to customize or how to use network tapps?</P><P></P><P>We are accessing the IDS through the IDM as well as CLI &amp; we are not using CSM ,but monitored through the event viewer.</P><P></P><P>Please suggest.</P><P></P><P>Thanking u</P><P>Navin</P></BODY></HTML> Sat, 19 Apr 2008 06:35:36 GMT https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969719#M80279 navin_rk3 2008-04-19T06:35:36Z https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969720#M80280 <HTML><HEAD></HEAD><BODY><P>Configuring an Event Filter (as suggested by attmidsteam) is a very different question from how to use a network tap.</P><P>Do you have traffic to monitor arriving at your sensor? If not, then you need to either use a network tap (instrouction provided by the vendor) or use a switch with port spanning enabled for promiscious sniffing. For inline traffic, you need to create per-interface or VLAN pairs and cable your network traffic to flow through you IPS.</P><P>The CLI and IDM steps for configuring an Event Filter can be found here:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a00808518b2.shtml" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a00808518b2.shtml</A></P><P></P></BODY></HTML> Sat, 19 Apr 2008 13:24:25 GMT https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969720#M80280 rhermes 2008-04-19T13:24:25Z https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969721#M80281 <HTML><HEAD></HEAD><BODY><P>Hi Rhermes,</P><P></P><P>Already the network setup is there .We want to Fine tune the IDS using Network tap &amp; the vendor is Cisco.</P><P></P><P>We don't know how to analyze the traffic? &amp; Ids is in promiscous mode.</P><P></P><P>Please suggest.</P><P></P><P>Thank u</P><P>navin</P></BODY></HTML> Sun, 20 Apr 2008 01:54:03 GMT https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969721#M80281 navin_rk3 2008-04-20T01:54:03Z https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969722#M80282 <HTML><HEAD></HEAD><BODY><P>I would suggest hiring a professional or outsourcing the security at this point. I can't explain how to be a competent security analyst in a paragraph. You'll want someone with a lot of security experience who can first profile your network based upon the devices/servers in use, and then conduct detailed analysis of the events that are generated to determine which are valid and which are false positives. This is typically a 24hr job as hackers/malware/botnets never sleep. Good luck.</P><P></P></BODY></HTML> Tue, 22 Apr 2008 19:59:51 GMT https://community.cisco.com/t5/network-security/fine-tuning-ids/m-p/969722#M80282 attmidsteam 2008-04-22T19:59:51Z