
How to disable the signature and summary events for a signature on IPS


What is the intrusion prevention system for and how does it work?

Network intrusion is undesirable network traffic that affects the functionality or security of the victim host. Its purpose is mostly to gain illegitimate access and/or to exploit sensitive data. A typical attribute of such intrusions is their apparent legitimacy, which makes the traffic difficult to uncover and to filter out with simple traffic rules. Take a DoS (Denial of Service) intrusion as an example. In this type of intrusion, too many connections are established on a port in order to use up the system resources of the server application so that no other users can connect. However, the firewall sees this only as access to an allowed port.

Therefore, sophisticated analysis of network traffic is needed to detect network intrusions. Network intrusion detection systems use databases of known intrusions (similar to antivirus programs that use databases of known viruses). Thanks to regular updates of the database, new intrusion types are also recognized.

Intrusion detection is performed before traffic rules are applied, so the traffic rules do not interfere with the detection process.

Resolution

In order to disable the summary events on the signature, complete these required steps with IPS Device Manager (IDM):

Choose Configuration.

Choose Configuration > Signature Definition > Signature Configuration.

Choose the signature. 

Click Edit in order to edit the signature. 

Choose Alert Frequency > Summary mode and choose Fire All. 

For Specify Summary Threshold, click No. 

Click OK in order to save.

Master Engine Alert Frequency Parameters

| Parameter | Description | Value |
|---|---|---|
| Alert Frequency | Summary options for grouping alerts. | |
| Summary Mode | Mode used for summarization. Fire All: fires an alert on all events. Fire Once: fires an alert only once. Global Summarize: summarizes an alert so that it only fires once regardless of how many attackers or victims. Summarize: summarizes alerts. | Fire All, Fire Once, Global Summarize, Summarize |
| Summary Threshold | Threshold number of alerts to send signature into summary mode. | 0 to 65535 |
| Global Summary Threshold | Threshold number of events to take alerts into global summary. | 1 to 65535 |
| Summary Interval | Time in seconds used in each summary alert. | 1 to 1000 |
| Summary Key | The storage type on which to summarize this signature: attacker address (Axxx); attacker and victim addresses (AxBx); attacker address and victim port (Axxb); victim address (xxBx); attacker and victim addresses and ports (AaBb). | Axxx, AxBx, Axxb, xxBx, AaBb |
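The following added example (not part of the original article and not Cisco code) is a simplified Python model of the Summary Mode, Summary Threshold, Summary Interval and Summary Key parameters above, showing why the resolution selects Fire All and turns off the summary threshold. The event field names, the fixed-window grouping and the sample events are assumptions, and the model does not reproduce the sensor's internal logic.

```python
from collections import defaultdict

# Summary key -> event fields that group alerts (field names are assumptions).
SUMMARY_KEYS = {
    "Axxx": ("attacker",),
    "AxBx": ("attacker", "victim"),
    "Axxb": ("attacker", "victim_port"),
    "xxBx": ("victim",),
    "AaBb": ("attacker", "attacker_port", "victim", "victim_port"),
}

def count_alerts(events, mode, summary_key="Axxx",
                 summary_threshold=None, summary_interval=30):
    """Return (individual_alerts, summary_alerts) under a simplified model.

    Events are grouped per summary key and per fixed window of
    summary_interval seconds (an assumption of this model).
    fire-all, no threshold: every event alerts.
    fire-all, with threshold: the first summary_threshold events of a group
    alert individually, the remainder collapse into one summary alert.
    summarize: the first event of a group alerts, the rest are summarized.
    """
    fields = SUMMARY_KEYS[summary_key]
    groups = defaultdict(int)
    for ev in events:
        window = int(ev["t"] // summary_interval)
        groups[(window,) + tuple(ev[f] for f in fields)] += 1
    individual = summaries = 0
    for n in groups.values():
        if mode == "fire-all":
            limit = n if summary_threshold is None else summary_threshold
        elif mode == "summarize":
            limit = 1
        else:
            raise ValueError(f"mode not modelled: {mode}")
        individual += min(n, limit)
        summaries += 1 if n > limit else 0
    return individual, summaries

def sample_events():
    # Constructed data: one noisy source (100 hits in 10 s), one quiet source (3 hits).
    noisy = [{"t": i * 0.1, "attacker": "10.0.0.5", "attacker_port": 40000 + i,
              "victim": "192.0.2.10", "victim_port": 53} for i in range(100)]
    quiet = [{"t": 2.0 + i, "attacker": "10.0.0.6", "attacker_port": 50000,
              "victim": "192.0.2.10", "victim_port": 53} for i in range(3)]
    return noisy + quiet
```

With Fire All and no threshold every one of the 103 sample events produces its own alert; leaving a threshold of 10 in place collapses the noisy source to 10 alerts plus one summary, which is the behaviour the resolution steps switch off.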


 

Complete these steps in order to enable or disable a signature:

Log in to IDM with an account that has administrator or operator privileges.

Choose Configuration > Signature Definition > Signature Configuration.

The Signature Configuration panel appears. 

In order to locate a signature, choose a sorting option from the Select By list. 

For example, if you search for a UDP Flood signature, choose L2/L3/L4 Protocol and then UDP Floods.

The Signature Configuration panel refreshes and displays only those signatures that match your sorting criteria. 

In order to enable or disable an existing signature, select the signature and complete these steps:  
   
View the Enabled column in order to determine the status of the signature. A signature that is enabled has the value Yes in this column. 

In order to enable a signature that is disabled, select the signature and click Enable. 

In order to disable a signature that is enabled, select the signature and click Disable.  
   
Click Apply in order to apply your changes and save the revised configuration.

Problem Type: Configuration Issue

Product Family: IDS/IPS - 4200 series sensor

Acknowledgement: IPS

Reference

Refer to the Alert Frequency section (http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/ime/ime_signature_engines.html#wp1145555) of Signature Engines (http://www.cisco.com/en/US/docs/security/ips/6.2/configuration/guide/ime/ime_signature_engines.html) for more information about the summary mode parameters.