Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
434
Views
0
Helpful
1
Replies

IPS Tuning and deployment

dhopper82
Level 1
Level 1

‎01-31-2006 06:37 AM - edited ‎03-10-2019 01:52 AM

I have a question for you who are already using the IPS signatures to block traffic. When you started setting up these signatures what guidlines did you use? I'm trying to develop a strategy for my company's activating of signatures.

Labels:
0 Helpful
1 Reply 1

mkirbyii
Level 1
Level 1

‎01-31-2006 01:57 PM

Good question... We run with the default sigs activated by cisco, with exception to the "spyware" sigs which are turned off by default. We enable those and set the action to deny-packet. The issue that you will most likly run into is assigning actions to the sigs. By default all sigs are set to "produce alert". So the sensor will do nothing but tell you about the events. I encourage you to look into how the "Risk Ratings" and "Event action overides" work. If you can get that to work well then you do not have to assign actions to each sig. Instead you can tell the sensor that if the RR is between 92-100 add a "deny-packet" action.

It takes a while to get it all figured out.

Hope this helps

M

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card