04-06-2015 08:12 AM - edited 03-10-2019 06:21 AM
We have an informational signature that we have tuned a couple of different ways in an effort for the signature to deny packet inline, but it appears that the IPS is not performing that action.
Do we have to change the severity of the signature to something other than "Informational" in order for us to be able to "block" traffic matching that signature?
Thanks,
Tom
04-06-2015 02:33 PM
Have you tried checking that an "event action filter" is not configured for this signature ID? Also make sure the signature is "enabled" and "active".
04-07-2015 08:47 AM
Hi Pranay,
Thanks for the reply.
Should I assume from your response that the answer to the title question (Can an "Informational" signature be tuned to interfere with the flow of traffic?) is "yes"? If that's the case, please let me know and I will mark this question as answered.
Any event action filters that have been configured on this IPS were disabled for testing. Signature is enabled and is active and was recently updated (04/01).
Thanks again,
Tom
04-07-2015 09:27 AM
Hi Tom,
Yes, signatures take the action defined in them. The only way a signature-based action can be overridden is by EAO and EAF.
So this should work. The few exceptions are only with the TCP reassembly and IP fragment signatures, which is based on
http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/cli_signature_definitions.html#wp1040119
Thanks