Monthly Archives: April 2012

Event Action Filters

As we have seen so far, every signature can have one or more actions associated with it. Those actions are per signature, which means that the action or actions associated with a signature will be executed for every attacker/victim …

Posted in Cisco, IPS | 4 Comments

Cisco IPS Event Summarization

One thing an intruder could try in order to evade detection is hammering our IPS with so many events that the IPS gets too busy handling events to do its job. This is where summarization comes into play. …

Posted in Cisco, IPS

Cisco IPS – Creating a custom signature

The Cisco IPS sensor in the current version of 7.something has over five thousand sigs, out of which more than one thousand are enabled. However, there will be times when we have to create a custom signature to fit our needs. Let’s …

Posted in Cisco, IPS | 2 Comments

IPS: trues or falses

Recently I was thinking about IPS alarms and remembered the times when I was trying to distinguish between various types of events in IPS. There are four types of event categories and many people have trouble telling them apart. This is going …

Posted in Cisco, IPS | 1 Comment