IPS Signature Definitions

  • IPS Signature Definitions

    Hello everybody:

    Can somebody please help me with this issue:

    I have a NM IPS installed on a Cisco ASA 5510. Signature Version is S385.
    Just one Virtual Sensor, one rules and one anomaly detection.

    There are event action override policy rules for high, medium and low risk ratings.

    What can I do to set those event action overrides for all signatures?
    Should I mark the enabled checkbox (IME 6.2) for the action overrides to be set in that signature?

    Does the event action override override individual signature actions?

    If I enable a particular signature ID, is this signature ID reset to its default state when the IPS is updated?

    Thank you very much.

  • #2
    Re: IPS Signature Definitions

    You will want to take a look at my post for the IPS tuning and response guide.

    There are event action override policy rules for high, medium and low risk ratings.

    click configuration --> event action rules --> RISK CATEGORIES --> STUDY THIS - notice the risk threshold and risk range

    What can I do to set those event action overrides for all signatures?
    Should I mark the enabled checkbox (IME 6.2) for the action overrides to be set in that signature?

    YES

    Does the event action override override individual signature actions?

    Event action override is GLOBAL - or you can drill down into each signature and get granular with overrides.

    If I enable a particular signature ID, is this signature ID reset to its default state when the IPS is updated?


    NO

    Also, when updates come out you'll want to disable and enable any signatures on your sensor which don't apply to your network. I have a handy Cisco IPS signature web form which creates the CLI necessary to change the setting much faster than in the GUI.
