<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IPS Tuning and deployment in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ips-tuning-and-deployment/m-p/513248#M98786</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Good question... We run with the default sigs activated by Cisco, with the exception of the "spyware" sigs, which are turned off by default. We enable those and set the action to deny-packet. The issue that you will most likely run into is assigning actions to the sigs. By default all sigs are set to "produce alert". So the sensor will do nothing but tell you about the events. I encourage you to look into how the "Risk Ratings" and "Event action overrides" work. If you can get that to work well then you do not have to assign actions to each sig. Instead you can tell the sensor that if the RR is between 92-100 add a "deny-packet" action.&lt;/P&gt;&lt;P&gt;It takes a while to get it all figured out.&lt;/P&gt;&lt;P&gt;Hope this helps&lt;/P&gt;&lt;P&gt;M&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 31 Jan 2006 21:57:52 GMT</pubDate>
    <dc:creator>mkirbyii</dc:creator>
    <dc:date>2006-01-31T21:57:52Z</dc:date>
    <item>
      <title>IPS Tuning and deployment</title>
      <link>https://community.cisco.com/t5/network-security/ips-tuning-and-deployment/m-p/513247#M98785</link>
      <description>&lt;P&gt;I have a question for you who are already using the IPS signatures to block traffic. When you started setting up these signatures what guidelines did you use? I'm trying to develop a strategy for my company's activating of signatures.&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 09:52:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-tuning-and-deployment/m-p/513247#M98785</guid>
      <dc:creator>dhopper82</dc:creator>
      <dc:date>2019-03-10T09:52:25Z</dc:date>
    </item>
    <item>
      <title>Re: IPS Tuning and deployment</title>
      <link>https://community.cisco.com/t5/network-security/ips-tuning-and-deployment/m-p/513248#M98786</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Good question... We run with the default sigs activated by Cisco, with the exception of the "spyware" sigs, which are turned off by default. We enable those and set the action to deny-packet. The issue that you will most likely run into is assigning actions to the sigs. By default all sigs are set to "produce alert". So the sensor will do nothing but tell you about the events. I encourage you to look into how the "Risk Ratings" and "Event action overrides" work. If you can get that to work well then you do not have to assign actions to each sig. Instead you can tell the sensor that if the RR is between 92-100 add a "deny-packet" action.&lt;/P&gt;&lt;P&gt;It takes a while to get it all figured out.&lt;/P&gt;&lt;P&gt;Hope this helps&lt;/P&gt;&lt;P&gt;M&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 31 Jan 2006 21:57:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-tuning-and-deployment/m-p/513248#M98786</guid>
      <dc:creator>mkirbyii</dc:creator>
      <dc:date>2006-01-31T21:57:52Z</dc:date>
    </item>
  </channel>
</rss>

