https://community.cisco.com/t5/network-security/ips-configuration/m-p/695926#M88083 <HTML><HEAD></HEAD><BODY><P>You're right. Almost all IPS signatures are set to trigger log or alarm only, except for some critical signatures that by default, drop/deny the traffic in.</P><P></P><P>Normal practise is to monitor your IPS log for at least 1 or 2 days. Review the log for type of violations/misuse. Check for false positive sign as well, as some might not be a real threats.</P><P></P><P>Once confirmed, you may now start to change the actions for the relevant signatures to either drop/reset. Reset is effective for TCP sessions (between attacker &amp; victim host) only.</P><P></P><P>Bear in mind, you need to constantly monitor the IPS log for new/missing violations. Frequent review of logs and security postures are highly recommended by Cisco.</P><P></P><P>Read the SAFE Blueprint for details:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801bc111.shtml" target="_blank">http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801bc111.shtml</A></P><P></P><P>Using ACL is good as it can work in tandem with IPS where you only allow certain/known source addresses/services to come in. IPS, in turn, will provide deep packet inspection to ensure no malicious content is flowing into your network/servers from that permitted external/source addresses</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00803eb031.html" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00803eb031.html</A></P><P></P><P></P><P>HTH</P><P>AK</P></BODY></HTML> Wed, 13 Dec 2006 01:39:23 GMT a.kiprawih 2006-12-13T01:39:23Z https://community.cisco.com/t5/network-security/ips-configuration/m-p/695925#M88082 <P>Recently I installed the latest IPS update &amp; noticed all signatures show alarm action only. I thought sdf "action" were pre set by Cisco.</P><P>Should any sigs be changed to reset or drop? </P><P>How do you determine which sigs to change? </P><P>Should an ACL be used with IPS?</P><P></P><P>Regards</P><P></P><P> </P><P></P> Sun, 10 Mar 2019 10:22:13 GMT https://community.cisco.com/t5/network-security/ips-configuration/m-p/695925#M88082 ms4561 2019-03-10T10:22:13Z https://community.cisco.com/t5/network-security/ips-configuration/m-p/695926#M88083 <HTML><HEAD></HEAD><BODY><P>You're right. Almost all IPS signatures are set to trigger log or alarm only, except for some critical signatures that by default, drop/deny the traffic in.</P><P></P><P>Normal practise is to monitor your IPS log for at least 1 or 2 days. Review the log for type of violations/misuse. Check for false positive sign as well, as some might not be a real threats.</P><P></P><P>Once confirmed, you may now start to change the actions for the relevant signatures to either drop/reset. Reset is effective for TCP sessions (between attacker &amp; victim host) only.</P><P></P><P>Bear in mind, you need to constantly monitor the IPS log for new/missing violations. Frequent review of logs and security postures are highly recommended by Cisco.</P><P></P><P>Read the SAFE Blueprint for details:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801bc111.shtml" target="_blank">http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_white_paper09186a00801bc111.shtml</A></P><P></P><P>Using ACL is good as it can work in tandem with IPS where you only allow certain/known source addresses/services to come in. IPS, in turn, will provide deep packet inspection to ensure no malicious content is flowing into your network/servers from that permitted external/source addresses</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00803eb031.html" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00803eb031.html</A></P><P></P><P></P><P>HTH</P><P>AK</P></BODY></HTML> Wed, 13 Dec 2006 01:39:23 GMT https://community.cisco.com/t5/network-security/ips-configuration/m-p/695926#M88083 a.kiprawih 2006-12-13T01:39:23Z