07-24-2019 06:12 AM - edited 02-21-2020 09:20 AM
Hello community,
I have a simple problem using signature updates in IPS policy. Each update brings new signatures, obviously, but also a lot of false positives for us. The idea is, I have alerts for "D-Link" signatures, and I don't want to see those signatures anymore since they do not apply to the customer environment. I tried to work with the categories available.
Is it possible to exclude or disable some signatures to avoid downloading them in the next updates? How do you usually manage this?
Thank you!
Riccardo
09-11-2023 05:30 AM
Anyone have any feedback? Thank you
09-11-2023 08:23 AM - edited 09-11-2023 08:24 AM
Any new D-Link signatures that may be included in the next update would be downloaded automatically. You cannot choose to download only signatures you want and exclude others.
Any Internet-facing resources will get lots of scans looking for well-known vulnerabilities, including those that apply exclusively to D-Link. Not having any D-Link in the protected network won't stop the firewall from blocking those scans as they are known by Cisco Talos to be malicious traffic. However, they should be assigned level 3 or 4 impact levels (Not vulnerable or Unknown Target).
09-12-2023 03:16 AM
Thank you for the feedback, so there is no way to limit signatures, unless disabling the category itself on an upper layer? Is there a description of how the signature layers and Firepower recommendations work together?
Thanks!
09-13-2023 06:36 AM
@rick11 there are some Cisco Live presentations that cover IPS rules and layers. Most recently, see BRKCRT-2466 which can be found here: https://www.ciscolive.com/on-demand/on-demand-details.html?#/session/16360601080850017e86
09-16-2023 08:26 AM
Thank you for sharing, I'll take a look!