How you handle your signatures

What are you doing with your signatures which fire and are false positives? Are you using event action filters or are you disabling the signature? In some cases I see where disabling that signature would be fine. Like if you have a DNS box which is patched and not susceptible to an exploit being noticed by IPS - since your system is patched and no other boxes are susceptible to the exploit, then it seems only logical to disable the signature, yes? But event action filters come into play for signatures like sig-3030 which, in most cases, should only fire when the source is from outside your network. Just want to make sure I'm on the right track. Anyone know of a good site which discusses IPS best practice, administration and policy?
Also, how many of y'all monitor your internal network?
Thanks

When I'm troubleshooting a new alert I usually enable 'log pair packets' so I can put more context around the alert itself. Although they get correlated in MARS, I use CSM to tune the sensors and signatures. I'll cross-launch to IDM to pull down the packet captures, saving them with somewhat descriptive names in case I need to revisit them later. I also use a great netflow reporting engine (Mazu Networks) to see where else the suspect PC has been going, and then use online tools like dnsstuff.com, Spamhaus DROP lists, and Dshield to see if the IP address is on any block lists. This tool (as well as Arbor Networks, Lancope, etc.) also does its own non-signature-based network behavior analysis, and sometimes (not always) something will correlate here too.
After I get enough information I try to tune the actions on the sensor itself. Sometimes you have to fall back on a MARS drop rule, just to screen out false positives or handle special cases, but I think it's better to keep the alert from occurring in the first place. Having too many filters gets ugly fast.
You should also be leveraging Cisco's IntelliShield service; each IPS sig subscription gives you (free) access to detailed information on the IPS sigs and the vulnerabilities that prompted the sig in the first place. Great service. I've been able to disable a bunch of sigs using this alone.
Good luck.
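The two tuning choices the thread compares (disabling a signature outright versus an event action filter that only strips actions for a scoped source) can be modelled in a few lines. The block below is an added example written for this page, not Cisco IPS, CSM or MARS code or configuration: the internal address ranges, the "key=value" alert lines, and every signature number except sig-3030 are constructed placeholders, and the action names are labels chosen for illustration rather than a sensor's real action list. It shows why a filter scoped to internal sources keeps the sig-3030 alert for an external scanner, while a disabled signature never produces anything at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed internal address space for this example (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

SYN_SWEEP_SIG_ID = 3030   # sig-3030 as named in the thread
DNS_SIG_ID = 99999        # placeholder for the DNS exploit sig; not a real Cisco sig number
OTHER_SIG_ID = 55555      # placeholder for an unrelated signature


@dataclass(frozen=True)
class Alert:
    sig_id: int
    attacker: str
    victim: str
    actions: FrozenSet[str]


def is_internal(ip: str) -> bool:
    """True when the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class ActionFilter:
    """Models an event action filter: for alerts on sig_id whose attacker is
    inside (True) or outside (False) the internal space, subtract the listed
    actions. attacker_internal=None matches any attacker address."""
    sig_id: int
    attacker_internal: Optional[bool]
    subtract: FrozenSet[str]

    def matches(self, alert: Alert) -> bool:
        if alert.sig_id != self.sig_id:
            return False
        if self.attacker_internal is None:
            return True
        return is_internal(alert.attacker) == self.attacker_internal


def parse_alert(line: str) -> Alert:
    """Parse one constructed 'key=value' alert line (not a real sensor format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Alert(int(fields["sig"]), fields["attacker"], fields["victim"],
                 frozenset(fields["actions"].split(",")))


def tune(alerts: List[Alert], disabled_sigs: Set[int],
         filters: List[ActionFilter]) -> List[Tuple[Alert, FrozenSet[str]]]:
    """Apply both tuning mechanisms and return the alerts that still carry at
    least one action. A disabled signature is never evaluated; a filter only
    removes actions from the alerts inside its scope."""
    kept = []
    for alert in alerts:
        if alert.sig_id in disabled_sigs:
            continue
        remaining = set(alert.actions)
        for f in filters:
            if f.matches(alert):
                remaining -= f.subtract
        if remaining:
            kept.append((alert, frozenset(remaining)))
    return kept


# Constructed sample alerts; 203.0.113.0/24 is documentation space, so external here.
SAMPLE_ALERTS = [
    "sig=3030 attacker=192.168.5.20 victim=10.1.1.5 actions=produce-alert,log-pair-packets",
    "sig=3030 attacker=203.0.113.7 victim=10.1.1.5 actions=produce-alert,log-pair-packets",
    "sig=99999 attacker=203.0.113.9 victim=10.1.1.53 actions=produce-alert,deny-packet-inline",
    "sig=55555 attacker=192.168.5.20 victim=10.1.1.9 actions=produce-alert",
]

# Patched DNS box: the signature is disabled outright.
DISABLED_SIGS = {DNS_SIG_ID}
# sig-3030 stays enabled, but every action is stripped when the source is internal.
FILTERS = [ActionFilter(SYN_SWEEP_SIG_ID, True,
                        frozenset({"produce-alert", "log-pair-packets"}))]


def run_sample() -> List[Tuple[Alert, FrozenSet[str]]]:
    return tune([parse_alert(l) for l in SAMPLE_ALERTS], DISABLED_SIGS, FILTERS)


if __name__ == "__main__":
    for alert, actions in run_sample():
        print(f"sig {alert.sig_id} {alert.attacker} -> {alert.victim}: {sorted(actions)}")
```

Two things worth checking in a real deployment follow from the model: a filter that subtracts every action for a scope is a disable within that scope, so an over-broad attacker range (NAT pools, VPN address space) silently blinds the sensor for those sources; and a filter can subtract only the deny actions while leaving produce-alert in place, which keeps an audit record that a disabled signature never gives you.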

Similar Messages

  • In BDC how you handled header data and item data

    In BDC how you handled header data and item data

    Raja,
    Can you be more clear?
    Usually you load the header data once and then loop at the item data and then load the item data.
    This example should help you.
    http://www.sap-img.com/abap/bdc-example-using-table-control-in-bdc.htm
    Regards,
    Ravi
    Note - Please mark all the helpful answers

  • How you restore your security pass code if you have disabled your iPod, due to too many pass code attempts

    How you restore your security pass code if you have disabled your iPod, due to too many pass code attempts?

    If You Are Locked Out Or Have Forgotten Your Passcode
    iTunes 10 for Mac- Update and restore software on iPod, iPhone, or iPad
    iPhone, iPad, iPod touch: Wrong passcode results in red disabled screen
    iOS- Understanding passcodes
         If you have forgotten your Restrictions code, then follow the instructions
         below but DO NOT restore any previous backup. If you do then you will
         simply be restoring the old Restrictions code you have forgotten. This
         same warning applies if you need to restore a clean system.
    A Complete Guide to Restore or Recover Your iDevice (if You Forget Your Passcode)
    If you need to restore your device or if you cannot remember the passcode, then you will need to restore your device using the computer with which you last synced it. This allows you to reset your passcode and re-sync the data from the device (or restore from a backup). If you restore on a different computer that was never synced with the device, you will be able to unlock the device for use and remove the passcode, but your data will not be present. Refer to Updating and restoring iPhone, iPad and iPod touch software.
    Try restoring the iOS device if backing up and erasing all content and settings doesn't resolve the issue. Using iTunes to restore iOS devices is part of standard isolation troubleshooting. Restoring your device will delete all data and content, including songs, videos, contacts, photos, and calendar information, and will restore all settings to their factory condition.
    Before restoring your iOS device, Apple recommends that you either sync with iTunes to transfer any purchases you have made, or back up new data (data acquired after your last sync). If you have movie rentals on the device, see iTunes Store movie rental usage rights in the United States before restoring.
    Follow these steps to restore your device:
         1. Verify that you are using the latest version of iTunes before attempting to update.
         2. Connect your device to your computer.
         3. Select your iPhone, iPad, or iPod touch when it appears in iTunes under Devices.
         4. Select the Summary tab.
         5. Select the Restore option.
         6. When prompted to back up your settings before restoring, select the Back Up
             option (see in the image below). If you have just backed up the device, it is not
             necessary to create another.
         7. Select the Restore option when iTunes prompts you (as long as you've backed up,
             you should not have to worry about restoring your iOS device).
         8. When the restore process has completed, the device restarts and displays the Apple
             logo while starting up:
               After a restore, the iOS device displays the "Connect to iTunes" screen. For updating
              to iOS 5 or later, follow the steps in the iOS Setup Assistant. For earlier versions of
              iOS, keep your device connected until the "Connect to iTunes" screen goes away or
              you see "iPhone is activated."
         9. The final step is to restore your device from a previous backup.
    If you cannot restore your device then you will need to go to recovery mode.
    Placing your device into recovery mode:
    Follow these steps to place your iOS device into recovery mode. If your iOS device is already in recovery mode, you can proceed immediately to step 6.
         1. Disconnect the USB cable from the iPhone, iPad, or iPod touch, but leave the other end
             of the cable connected to your computer's USB port.
         2. Turn off the device: Press and hold the Sleep/Wake button for a few seconds until the
             red slider appears, then slide the slider. Wait for the device to turn off.
              If you cannot turn off the device using the slider, press and hold the Sleep/Wake
              and Home buttons at the same time. When the device turns off, release the Sleep/Wake
              and Home buttons.
         3. While pressing and holding the Home button, reconnect the USB cable to the device.
             The device should turn on. Note: If you see the screen pictured below, let the device
             charge for at least ten minutes to ensure that the battery has some charge, and then
             start with step 2 again.
         4. Continue holding the Home button until you see the "Connect to iTunes" screen.
             When this screen appears you can release the Home button.
         5. If necessary, open iTunes. You should see the following "recovery mode" alert:
         6. Use iTunes to restore the device.
    If you don't see the "Connect to iTunes" screen, try these steps again. If you see the "Connect to iTunes" screen but the device does not appear in iTunes, see this article and its related links.
    Additional Information:
    Note: When using recovery mode, you can only restore the device. All user content on the device will be erased, but if you had previously synced with iTunes on this computer, you can restore from a previous backup. See this article for more information.

  • How are you handling your business listing on maps?

    Did you have to add it to Apple Maps or was it added by one of the Data Providers?
    Have you ever had a problem with information on it being changed?

    Audiophilia,
    Here's my latest info on how to edit/add your business to Apple Maps by country:
    Apple Maps Business Data Suppliers by Country
    I am updating this list regularly as I figure this stuff out.

  • Broken PlayBook - Bad Support - Running out of time :( THIS is how you treat your loyal customers?!?

    Hello,
    I'm wondering if I can get some real help around here.
    I've repeated my story too many times, and I'm just exhausted over trying to get my PlayBook replaced.
    Here's a brief summary;
    My PlayBook started to show very strange issues a few months after purchase.  It would all of a sudden shut off even though the battery would have a good charge on it.
    After this random shutdown, the PB wouldn't turn on and it took a lot of different tricks to make it power back up.  Once I could get it powered back on, the charging was messed up.  I would charge all day long and as soon as I unplugged it, it would turn off.
    Another effect was that my AppWorld could no longer login.  I would be told there was an issue logging in over and over again.
    The ONLY fix was to run the "de-brick" through the Desktop Manager.
    Once the "de-brick" was done, and after setting up my PB all over again, it would work.
    Sadly, this has happened over a dozen times.
    I finally called support up and I spoke with an agent who was in all honesty, useless.  It took over 45 minutes (7 times I was put on hold!) to explain my problem and to finally get an RMA number.  It was the worst phone support I've had since I dealt with View Sonic back in 2005.
    The line was full of static, there was a language barrier between myself and the support agent, and the amount of times I was on hold because the agent was incompetent killed me, but I got the RMA.
    I specifically inserted a letter explaining all of the issues I have had (the one really, but the occasions, how it happened, what I tried to do to resolve it) because I truly believe it needs to be replaced.
    I got the PB back and it was the same one.  Initially it worked fine (they just did a "de-brick" as I'd done many times) but then the problem of shutting off out of nowhere, not turning back on initially, "charging" and AppWorld login problem came back.
    I've tried to use "playbooksupport[at]blackberry.com" with my original incident number as the subject line....
    I get an autoreply saying "thanks for e-mailing, but you can't get support from here, e-mail us at [email protected] with your incident number as the subject."
    .... REALLY!  You have e-mail support that automatically dumps back to the customer that they can't get support through the address, so use this same address to contact us.
    I tried calling once again, but was waiting 40 minutes before I could get an agent, and once I did their line was such poor audio quality I told them "sorry I can't even hear you I'm hanging up"
    Research in Motion.  I've been an avid BB user through 7 models now.  I purchased a PlayBook right when it came out.
    WHY won't you replace my broken device, WHY is your support system so screwed up?
    I try to believe there's a turn-around happening but my support for you after this experience has gone down quite a bit.
    Please, help me REPLACE this device!  I don't know where else to turn as your suggested methods for support are not working at all for me.

    MCoop wrote:
    I tried calling once again, but was waiting 40 minutes before I could get an agent, and once I did their line was such poor audio quality I told them "sorry I can't even hear you I'm hanging up"
    I'd encourage you to try again, when you can, as soon as you can.
    1. If any post helps you please click the below the post(s) that helped you.
    2. Please resolve your thread by marking the post "Solution?" which solved it for you!
    3. Install free BlackBerry Protect today for backups of contacts and data.
    4. Guide to Unlocking your BlackBerry & Unlock Codes
    Join our BBM Channels (Beta)
    BlackBerry Support Forums Channel
    PIN: C0001B7B4   Display/Scan Bar Code
    Knowledge Base Updates
    PIN: C0005A9AA   Display/Scan Bar Code

  • HTMLEditorKit : How you handle FRAMES, IFRAMES and JAVASCRIPT

    Hi all,
    Currently I'm using the HTMLEditorKit to parse through the HTML page. Obviously it's easier when the elements are on the body of the page. But what if the page has frames, iframes or javascript and I want to extract links that these elements reference? How do I do it? I know some of you would recommend my class to extend the ParserCallback class. But is there a way, for example, I can use 3 or even 4 different iterators each pointing to the different elements?
    And let's say if I reference a SCRIPT tag of the HTML, how do I extract the possible URLs in it? Same goes for iFrames and JavaScripts. Can anyone please help me with this?

    Tim,
    The form action needs to be the page URL. The INPUT fields/objects of your form will be sent as parameters when the form is submitted. These parameters can be read by your portlet by using the parameter passing PDK services. It is recommended to use qualified parameters in case the portlet that reads the parameters is the same as the one that has submitted them.
    As far as I remember the parameter passing sample portlet contains similar code to what you're looking for.

  • How you build your file determines it editability?

    I frequently get A.I. files from my client (both of us are using CS5) where there are no stacks in the layers palette, no swatches (I know they use corporate PMS colors), no links, just artwork (layer named artwork). If you select some of that art, you can see that some of it is still editable, such as a vector shape, but it seems like it is just not the same type of editable file I might create myself. Sometimes there are placed raster images with nothing that says it's embedded or even a link. Could it be that this person is placing full page EPS files in Illustrator and then saving it as an A.I. file? Or am I ignorant to something simple?

    I'd have to test it, but I imagine you're right. Loading a raster EPS file may make Illustrator think it's vector. But I never tried it, so I am just guessing.

  • How you finish your Apple ID?

    Yah help me

    Welcome to the User to User Technical Support Forum provided by Apple.
    Clearly state your Issue and the Troubleshooting Steps you have tried to Resolve it.
    Apple ID FAQs  >  http://support.apple.com/kb/HT5622

  • We want to know how you use your Lenovo!

    I don't have one... feel free to send me one :P I'll tell you all about it! 

    Want to win a YOGA Tablet 2 Pro? Enter our #MyLenovo competition through Lenovo Champions for your chance to win. Simply send us a picture of yourself using your Lenovo product and tag it with #MyLenovo. Join Lenovo Champions and enter here: http://bit.ly/1SOTTHn
    We are planning lots of exciting things for our Lenovo Champions, so make sure you sign up!
    This topic first appeared in the Spiceworks Community

  • How Do You Annotate a Graphic Such as your Signature in PDF Using Preview?

    Hi. I'm filling out a form that needs a signature. How do you annotate your signature (as a graphic perhaps?) to the PDF using Preview. Thanks in advance.
    Gbu.

    I'm not sure you can...try dragging & dropping an image onto the PDF. If that doesn't work, you'll have to use the Text tool. That's where Zapfino comes in.

  • How do you arrange your checkboxes according to their visibility?

    Hi All,
    I mean in our configuration forms we have many check-boxes and these check-boxes' visibility changes according to application parameters, licenses etc. So I usually want to display the visible check-boxes by re-arranging their locations to keep the screen looking good.
    I wonder how you handle these things? Do you have some common libraries for these things? Do you have a procedure that you only pass the data-block and some size restrictions to and have it handle all the arrangements for you?
    What is best way to follow for these things ?
    Thanks for suggestions
    Muhammed Soyer

    Yes, it can be a pain if you have a lot of checkboxes. You may consider using a different (stacked?) canvas for the various possible layouts--if there aren't too many possibilities. Then just show/hide the canvas.
    Since you can't have the same checkbox appear on different canvases, you'd have to create duplicate checkboxes (with different names and/or blocks). Then your code will have to interact with the checkboxes on the canvas that is currently showing. Not sure if that will be any easier though...
    Another possibility is to create non-database checkboxes and rename the prompts as the application requires. Then before doing a commit, copy the non-database checkboxes to respective database checkboxes. Hide the ones not being used (the ones showing will always be in order). The challenge here is keeping track of which nondatabase item corresponds with the database item.

  • How do you know your wireless is secure?

    I want to know how you know your internet is secure so no one in your neighborhood can steal or hack my internet service. A few people in our house use a mix between ethernet cable and wireless. I don't use the wireless so I don't know how you set it up on the computer, but when you use wireless for the first time do you have to enter a user name and password to access? I just want to make sure it's secure. Thank you

    Prevent someone from hacking your network.. simple, don't use wireless at all and turn the wireless on the router off. That's the only option to prevent hacking. All other security settings like WEP, WPA, WPA2 will only slow a hacker down. They will not stop them.
    Now if you want wireless, then your only option is to use encryption. Again this will only slow hackers down. But the chances you have a hacker next door is rather remote. Now by default the Verizon router uses WEP security. This is just the basics. Keeps honest people honest. Now if you want to increase your security, you can change the router security to WPA2. Don't worry about WPA as this is basically the same as WEP in terms of security effectiveness. WPA2 is more secure than the other two. This will keep you safe from the novices. Then as long as you don't have an advanced computer user nearby you should be fairly safe.
    ====================================================================================
    Error exists between keyboard and chair.

  • How do you save your DVD to your Hard Drive, and then convert to iPod?

    Hello everyone, I was wondering how you save your DVD to your hard drive and then convert it to the iPod Video.
    Please respond.
    P.S.
    I know that it's been discussed all the time, but none of the posts are useful for me.
    Thanks

    Hi,
    The best option is to pull the card out and plug to your computer UNLESS your computer does not have a card reader. If your computer did not have a card reader, you need to map the cardreader on your printer to your network using the following method:
        http://h10025.www1.hp.com/ewfrf/wc/document?lc=en&dlc=en&cc=us&docname=c00149194
    Regards.
    BH
    **Click the KUDOS thumb up on the left to say 'Thanks'**
    Make it easier for other people to find solutions by marking a Reply 'Accept as Solution' if it solves your problem.

  • How to add a signature at the end of each post

    How do you add a signature at the end of each post (if possible)?
    ^^right now, I just have to copy and paste that

    It's possible to set up your signature on the Desktop such that it can be simply dragged into the Camera icon's "From the Web" field...
    1. Right click on an already posted pic
    2. Choose "Open Link in New Tab"
    3. From the address bar of that new tab, drag the URL's favicon (little icon) to your Desktop whereupon an "@" icon will be created
    The above only has to be done once, and then to use that image in future posts...
    1. Click the Camera icon
    2. Click "From the Web"
    3. Drag the URL's "@" icon from your Desktop to the URL field and click Insert Image
    And if you want your signature instead of a generic "@" icon, that's possible too:

  • How to handle double click event in a text control

    Hi,
       Will you please send me information on handling double click events inside a text control and also about locking and unlocking of DB tables for updating.
    Regards,
    Praba.

    Hi Prabhavathi,
    Here is how you handle double click events in a TextEdit control.
    1) Create a custom control in the screen (say TEXT_CONTROL).
    2) In the main program,
    a) Declarations:
    DATA: obj  TYPE REF TO cl_gui_custom_container,
          text TYPE REF TO cl_gui_textedit.
    b) Create the instance of the custom container:
    CREATE OBJECT obj
      EXPORTING
        container_name = 'TEXT_CONTROL'.
    c) Create the instance of the TextEdit control inside that container:
    CREATE OBJECT text
      EXPORTING
        parent = obj.
    3) Now to handle double click events, create a local class as follows.
    CLASS shail_event DEFINITION.
      PUBLIC SECTION.
        METHODS:
          handle_doubleclick FOR EVENT dblclick OF cl_gui_textedit.
    ENDCLASS.
    CLASS shail_event IMPLEMENTATION.
      METHOD handle_doubleclick.
        " Here do the coding for handling the double click.
      ENDMETHOD.
    ENDCLASS.
    4) Create an instance of the handler class (i.e. shail_event). Let it be named hand.
    DATA: hand TYPE REF TO shail_event.
    CREATE OBJECT hand.
    5) Define variables for the event and register the handler method for the control instance.
    DATA: i_events  TYPE cntl_simple_events,
          wa_events TYPE cntl_simple_event.
    SET HANDLER hand->handle_doubleclick FOR text.
    wa_events-eventid    = cl_gui_textedit=>event_double_click.
    wa_events-appl_event = 'X'. "This is an application event
    APPEND wa_events TO i_events.
    6) Register the event list with the control:
    CALL METHOD text->set_registered_events
      EXPORTING
        events                    = i_events
      EXCEPTIONS
        cntl_error                = 1
        cntl_system_error         = 2
        illegal_event_combination = 3
        OTHERS                    = 4.
    IF sy-subrc <> 0.
      MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
              WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
    ENDIF.
    These are the basic steps needed for handling events in a TextEdit control. You can go to SE24 and type CL_GUI_TEXTEDIT to find the associated events of the class.
    If you want the program, kindly send your mail-id so that I can mail it to you.
    Regards,
    Sylendra.
