Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
357
Views
0
Helpful
2
Replies

Manual Signature Problem

chitre_salil
Level 1
Level 1

‎06-18-2006 06:52 PM - edited ‎03-10-2019 03:03 AM

Hi,

I had created a signature on my IDS. Even though I have deleted it and it does not appear in the configuration, keeps generating the events in the event viewer.

How can I stop this.

Thanks

Salil

Labels:
0 Helpful
2 Replies 2

edadios
Cisco Employee
Cisco Employee

‎06-18-2006 07:21 PM

Hi,

Since you say it is IDS, I would assume you are talkign about version 4.X.

If you are using IDM, please make sure you have applied and saved the configuration deletion you have done.

Also, confirm the event information if it is the signature that you have created that is actually firing.

You can also go to the sensor itslef, login as cisco, and do show events to see the events there, and obtain the details of the alerts.

If it is still your signature that is firing, try refreshing your idm, and editing the signature again.

Hope this helps you.

0 Helpful

scothrel
Level 3
Level 3

‎06-19-2006 08:13 AM

A configuration that is in place when a new connection is made is attached to that connection in the database. That configuration will be in effect as long as that connection exists. If a new configuration is sent, that new configuration will be applied to new connections. The definition of "connection" depends on the circumstances of the signature. A connection can be defined as Machine A is talking to Machine B or vice versa. It can also be defined as Machine A is talking to Machine B on port b. It depends on what the configuration element is configuring.

FYI, We have a shortcut for talking about these connections. AxBx is Machine A talking to Machine B. AxBb is Machine A talking to Machine B on port b. AaBb is the full quad, SourceIP,SourcePort,DestIP,DestPort. You'll see these abbreviations in the signature parameters for storage keys and summarizations.

Don't know if this will explain *your* situation, but this topic comes up every once in a while....

As the ultimate "is in it there or not" resolution, reboot the sensor...wipes the connection database clean. We have an outstanding enhancement request to make a widget to allow you to flush the database from IDM or something.

Scott

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card