Tuning - Best Performance

trippi
Level 1

In tuning my signatures for products we do not have, such as HP OpenView, what is the best practice, or what offers the best performance: leaving them in the default state, or disabling them?

1 Reply

Marcin Latosiewicz
Cisco Employee

Best practice would say that you should remove signatures which are not important - which should decrease inspection load a bit.

However you need to think of one thing before doing this:

Am I only interested in attacks against my infrastructure? (Victims in my network)

or

Am I interested in checking for attacks related to my infrastructure? (source or victims in my network)

Apart from the obvious question - what happens if you do install HP OpenView - will you remember you turned off this signature?

That being said, I understand you already went past the stage where you monitored your traffic in promiscuous mode for several weeks and are confident about what you actually have in your network - you identified signatures firing false positives and trimmed them. If so, you can also disable some default signatures not related to your infrastructure.

Will you see a superior gain in performance? I doubt it. But it's a good place to start.

Next up:

- changing normalizer mode

- disabling engines that are not needed.

Hope this helps,

Marcin
