https://community.cisco.com/t5/network-security/disabling-1330/m-p/659419#M88291 <P>It seems that 1330 and other normalizer sigs are causing Cicso (and myself) some grief (as evident in CSCsc37875). I am wondering if I can just disable 1330 and all the subs entirely. I am seeing this sig (1330/14 in particular) fire alot. I set the action to either produce an alert or do nothing at all (no packet mod or denying or dropping) so I don't see the point of keeping 1330 enabled.</P> Sun, 10 Mar 2019 10:19:34 GMT cniblo1975 2019-03-10T10:19:34Z https://community.cisco.com/t5/network-security/disabling-1330/m-p/659419#M88291 <P>It seems that 1330 and other normalizer sigs are causing Cicso (and myself) some grief (as evident in CSCsc37875). I am wondering if I can just disable 1330 and all the subs entirely. I am seeing this sig (1330/14 in particular) fire alot. I set the action to either produce an alert or do nothing at all (no packet mod or denying or dropping) so I don't see the point of keeping 1330 enabled.</P> Sun, 10 Mar 2019 10:19:34 GMT https://community.cisco.com/t5/network-security/disabling-1330/m-p/659419#M88291 cniblo1975 2019-03-10T10:19:34Z https://community.cisco.com/t5/network-security/disabling-1330/m-p/659420#M88292 <HTML><HEAD></HEAD><BODY><P>Some of the 1330 signatures have additional internal functions, like queueing fragments for reassembly, so just turning them off is not recommended...in the extreme case you may just render your IPS into a wire.</P><P></P><P>The following tunings were included as part of the S248 signature update and represent our suggested "minimal interference" settings that still let the IPS do its job.</P><P></P><P>Normalizer Neutering</P><P>SIGID.SUBSIG ACTION</P><P></P><P>1308 Disable</P><P>1311 Produce Alert ON, Deny_XXX OFF</P><P>1330.3 "</P><P>1330.4 "</P><P>1330.11 "</P><P>1330.14 "</P><P>1330.15 Disable</P><P>1330.16 Produce Alert ON, Deny_XXX OFF</P><P></P><P>HTML sort of killed the formatting...all lines with " are supposed to mean "same as above".</P><P></P><P>Obviously "Produce Alert" is up to you, but we think that these signatures, if firing, warrant some research into the cause. Removing the Deny_whatever actions will keep the signature from interferring with the packets, yet still leave its other functionality enabled.</P><P></P><P>Scott</P></BODY></HTML> Wed, 15 Nov 2006 16:19:42 GMT https://community.cisco.com/t5/network-security/disabling-1330/m-p/659420#M88292 scothrel 2006-11-15T16:19:42Z