have you tried checking if

c.registration · ‎04-06-2015

We have an informational signature that we have tuned a couple of different ways in an effort for the signature to deny packet inline, but it appears that the IPS is not performing that action.

Do we have to change the severity of the signature to something other than "Informational" in order for us to be able to "block" traffic matching that signature?

Thanks,

Tom

Pranay Prasoon · ‎04-06-2015

have you tried checking if "event action filter" is not configured for this signature ID? Also make sure signature is in "enabled" and "active".

c.registration · ‎04-07-2015

Hi Pranay,

Thanks for the reply.

Should I assume from your response that the answer to the title question (Can an "Informational" signature be tuned to interfere with the flow of traffic?) is "yes"? If that's the case, please let me know and I will mark this question as answered.

Any event action filters that have been configured on this IPS were disabled for testing. Signature is enabled and is active and was recently updated (04/01).

Thanks again,

Tom

Pranay Prasoon · ‎04-07-2015

Hi Tom,

Yes, signature take action as defined in them. Only way its signature based action can overriden is EAO and EAF.

So this should be work. Few exceptions are only with TCP reassembly and ip fragment signature which is based on

http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/cli_signature_definitions.html#wp1040119

Thanks