IPS monitoring Events Notes

learnsec (Level 1)

Dear all,

I have a group of IPS/IDS installed in our network monitoring multiple segments.

Usually, and for years, I have always found events with matching severity high or medium, in addition to low and informational.

From around two months ago until now, while monitoring those IPS/IDS, I have noticed that I am not finding any event with severity High or Medium, although before there were daily logs with High and Medium severity. The whole group of IPS/IDS is affected by the same behavior, not only one device.

I will be happy if everything is running normally with no matching severity, but I am afraid that there is something wrong with the monitoring of our IPS/IDS systems.

I find logs with low and informational severity only.

Please advise if I can do any troubleshooting.

Regards,

3 Replies

rhermes (Level 7)

I will assume you have not changed anything on your sensors to explain this difference. It can be accounted for by the normal signature update process. Cisco will phase out (retire) or modify old or poorly performing signatures (prone to false positives) over time. In order to test this idea, take some of the old medium and high severity signatures that used to fire and check what their current settings are in your sensors. If they're retired or have been updated, this may account for the difference.

- Bob

Can you please clarify what kind of updates / modifications on the IPS config may lead to such circumstances?

The IPS config may have been changed, but nothing related to such behavior.

Thank you for your response.

Software updates also contain a signature update. Any signature update applied to an IPS sensor will modify the sensor's existing signature settings. New signatures will be enabled and existing signatures may be altered to provide better performance or retired if they have outlived their usefulness.

The sensor's configuration can be changed to affect what signatures fire as well by configuring event action filters and event action overrides.

- Bob
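One way to carry out the check Bob describes, as an added example that is not part of this thread: take the signatures that used to fire at medium or high severity and compare them with their current settings after the update, flagging any that were retired, disabled, or lowered in severity. The signature IDs and settings below are constructed, and the dictionary layout is an assumption rather than any sensor's real export format; event action filters and overrides are a separate cause and are not covered here.

```python
# Added example: explain why formerly medium/high signatures stopped producing
# events by checking their current per-signature settings on the sensor.
# All data here is constructed; no real sensor export format is assumed.

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed: signature IDs and the severity they fired with in old event logs.
historical_hits = {
    "1001/0": "high",
    "1002/0": "high",
    "1003/0": "medium",
    "1004/0": "medium",
    "1005/0": "low",
}

# Constructed: current settings for the same signatures after a signature update.
# Fields mirror the concepts in the thread (retired, enabled, severity).
current_settings = {
    "1001/0": {"retired": True,  "enabled": True,  "severity": "high"},
    "1002/0": {"retired": False, "enabled": False, "severity": "high"},
    "1003/0": {"retired": False, "enabled": True,  "severity": "low"},
    "1004/0": {"retired": False, "enabled": True,  "severity": "medium"},
    "1005/0": {"retired": False, "enabled": True,  "severity": "low"},
}


def explain_missing_events(historical, current, min_severity="medium"):
    """Return {sig_id: reason} for signatures that used to fire at or above
    min_severity but, under the current settings, would no longer do so."""
    threshold = SEVERITY_RANK[min_severity]
    findings = {}
    for sig_id, old_sev in historical.items():
        if SEVERITY_RANK[old_sev] < threshold:
            continue  # low/informational events are still being seen; skip
        cfg = current.get(sig_id)
        if cfg is None:
            findings[sig_id] = "no longer present on sensor"
        elif cfg["retired"]:
            findings[sig_id] = "retired by signature update"
        elif not cfg["enabled"]:
            findings[sig_id] = "disabled"
        elif SEVERITY_RANK[cfg["severity"]] < threshold:
            findings[sig_id] = f"severity lowered {old_sev} -> {cfg['severity']}"
    return findings


if __name__ == "__main__":
    for sig, why in explain_missing_events(historical_hits, current_settings).items():
        print(f"{sig}: {why}")
```

Signatures that still fire at their old severity (here 1004/0) are not reported, so an empty result points away from the signature update and toward the sensor's event action filters or overrides instead.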
