
Sig ID 50000

lcuchisanmillan
Level 1

I am working with a Cisco ASA 5540 with an AIP module, and I see a lot of events from signature 50000 "Outbreak Prevention Signature" with high severity.

Could anyone explain this signature? What does it mean? Is it useful to have it enabled or not?

Regards,

Cristina

4 Replies

m.sir
Level 7

Check the following signature description:

http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=50000&signatureSubId=0

This signature supports the Cisco Incident Control System (ICS) service. If you are not running Cisco ICS, this signature can safely be ignored.

M.

Hope that helps; rate if it does.

jlively
Cisco Employee

That signature should be off by default. The only time it would be turned on would be during an outbreak. It would only remain on until a more specific signature could be deployed. At that point it would be turned back off.

What version are you running?

IPS 5.1(4) S260

Leave that signature/subsignatures disabled.

By default they will trigger on all ICMP, TCP, and UDP packets.

Cisco ICS will first configure the signature to match only specific types of traffic and then enable the signature.

Without Cisco ICS that signature is just noise. It requires that special tuning by Cisco ICS.

So disable that signature and just ignore any old alerts from it if you do not have Cisco ICS.
