
How to enable IDSM-2 Signature through GUI

antonyice1
Level 1

Hi Guys,

We are using an IDSM-2 module in a Cisco 6509 chassis. I believe that only the default signatures were enabled on it at the time of implementation. Now when I monitor it (I use Cisco IDM as the GUI to access the IDSM-2), after 6 months, I can see that it has a bulk of signatures on it which are not enabled. Could you please guide me on how to enable these signatures on the IDSM without increasing the load on it?


rhermes
Level 7

Welcome to the world of tuning your sensor.

First thing you should know is that all signatures were not meant to be enabled simultaneously. Some signatures are appropriate for your environment and some are not (say you run a Linux-only shop). Some signatures have such a high false positive rate that they are essentially useless. Some signatures are actionable (meaning you can do something about it), others are not (like scans and recon sigs). You need to define what your goals of having an IPS are:

To generate pretty reports for management?

To investigate all your high severity events to clean up your infected hosts?

To "set it and forget it"?

Your goals will drive you toward an appropriate set of signatures and actions you wish enabled. As always, watch your sensor load when you make changes; you don't want to overload that thing and start missing packets.
