cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
477
Views
0
Helpful
3
Replies

Can an "Informational" signature be tuned to interfere with the flow of traffic?

c.registration
Beginner
Beginner

We have an informational signature that we have tuned a couple of different ways in an effort for the signature to deny packet inline, but it appears that the IPS is not performing that action.

Do we have to change the severity of the signature to something other than "Informational" in order for us to be able to "block" traffic matching that signature?

Thanks,

Tom

3 Replies 3

Pranay Prasoon
Participant
Participant

have you tried checking if "event action filter" is not configured for this signature ID? Also make sure signature is in "enabled" and "active".

Hi Pranay,

Thanks for the reply.

Should I assume from your response that the answer to the title question (Can an "Informational" signature be tuned to interfere with the flow of traffic?) is "yes"?  If that's the case, please let me know and I will mark this question as answered.

Any event action filters that have been configured on this IPS were disabled for testing.  Signature is enabled and is active and was recently updated (04/01).

Thanks again,

Tom

Hi Tom,

 

Yes, signature take action as defined in them. Only way its signature based action can overriden is EAO and EAF.

So this should be work. Few exceptions are only with TCP reassembly and ip fragment signature which is based on

http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/cli_signature_definitions.html#wp1040119

Thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers