Excluding or Including Specific Signatures
After viewing events for several days and analyzing the traffic along with the source and destination addresses, you may want to turn certain signatures off and others on. There are several reasons why you might want to exclude signatures, ranging from too many alarms to false positives generated by legitimate traffic patterns, such as network monitoring tools using ICMP to check that a node is alive. Those ICMP packets would trigger most ICMP alarms even though the traffic is perfectly legitimate. Tuning the sensor in this way, by excluding signatures that are not pertinent to your network and perhaps turning on some that were previously off, adds quite a bit of value to your security effort.
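The analysis described above, before any signature is disabled, can be done over the sensor's alarm records. The following added example (not from the book) aggregates alarms per signature and flags signatures whose every alarm involves a known monitoring host; the alarm records, the monitoring host address and the signature id/name pairs are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of alarm records as (signature_id, name, src, dst).
# These are made-up records, not real sensor output.
SAMPLE_ALARMS = [
    (2004, "ICMP Echo Request", "10.0.0.5", "10.0.1.10"),
    (2004, "ICMP Echo Request", "10.0.0.5", "10.0.1.11"),
    (2004, "ICMP Echo Request", "10.0.0.5", "10.0.1.12"),
    (2000, "ICMP Echo Reply", "10.0.1.10", "10.0.0.5"),
    (2000, "ICMP Echo Reply", "10.0.1.11", "10.0.0.5"),
    (3030, "TCP SYN Host Sweep", "192.0.2.77", "10.0.1.10"),
    (2004, "ICMP Echo Request", "192.0.2.77", "10.0.1.20"),
]

# Assumed: the host that runs the network monitoring tool and pings nodes.
MONITORING_HOSTS = {"10.0.0.5"}


def alarm_counts(alarms):
    """Number of alarms per signature id (the 'too many alarms' criterion)."""
    return Counter(sig for sig, _, _, _ in alarms)


def exclusion_candidates(alarms, monitoring_hosts):
    """Signature ids whose every alarm has a known monitoring host as source
    or destination.

    A signature that also fired on traffic from an unknown host is kept,
    because it may still be flagging real activity; only signatures explained
    entirely by the monitoring traffic are suggested for disabling.
    """
    seen = defaultdict(set)  # sig -> {True/False: involved a monitoring host?}
    for sig, _, src, dst in alarms:
        seen[sig].add(src in monitoring_hosts or dst in monitoring_hosts)
    return sorted(sig for sig, flags in seen.items() if flags == {True})


def tuning_report(alarms, monitoring_hosts):
    """Human-readable summary to review before editing the signature file."""
    names = {sig: name for sig, name, _, _ in alarms}
    counts = alarm_counts(alarms)
    candidates = set(exclusion_candidates(alarms, monitoring_hosts))
    lines = []
    for sig, n in counts.most_common():
        tag = "candidate to disable" if sig in candidates else "keep enabled"
        lines.append(f"{sig} {names[sig]}: {n} alarms, {tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(tuning_report(SAMPLE_ALARMS, MONITORING_HOSTS))
```

In the sample, the Echo Request signature is the noisiest but is kept because an unknown host also triggered it; only the Echo Reply signature is fully explained by the monitoring host.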
Excluding or Including Signatures in CSPM
To exclude or include a signature in CSPM, perform these steps:
- Select the signature file you want to edit from the topology map (as seen in Figure 7.24).
- Click the Signatures tab and select the appropriate subtab: General Signatures, Connection Signatures, String Signatures, or ACL Signatures. Refer to Figure 7.25.
- You will see the Enable column on the right of the signature screen. To disable a signature, uncheck its box; to enable a signature, check its box. Continue this process until you have finished making changes.
- Once you have finished enabling and disabling the signatures, click OK, then save and update your configuration.
- From the Command tab, click Approve Now to push the new configuration to your sensor.
Excluding or Including Signatures in IDM
To exclude or include signatures using the Cisco IDM, follow these steps:
- Once you have logged in to IDM, go to Configuration | Signature Groups. Click the group name that your signature is associated with (see Figure 7.26). Drill down until you reach the signature you want to configure, then select it.
- Check the box of each signature you want to enable, and uncheck the boxes of the signatures you want to disable or exclude.
- Once you have tuned all of your signatures, click the Apply Changes button to implement the changes.