What is a best practice to follow before tuning a Cisco IPS signature?
A. Disable all the alert actions on the signature to be tuned.
B. Disable the signature to be tuned.
C. Create a clone of the signature to be tuned.
D. Increase the number of events required to trigger the signature to be tuned.
E. Decrease the attention span (maximum inter-event interval) of the signature to be tuned.
Explanation:
http://www.cisco.com/web/about/security/intelligence/ips_custom_sigs_pdf.pdf, specifically:
Cloning a Signature
Administrators often find the need to modify a signature to meet the needs of a specific network, such as to reduce false positives or false negatives. In such cases, the first approach should be to fine tune signature parameters such as event action filters and override policies. If these tunings are not sufficient, the last action that is available is to modify a signature. By default, signature parameters such as the regular expression cannot be modified. The signature must first be cloned in order to modify such signature parameters. The original signature can be retired or disabled if it is determined that it is no longer required.
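The tuning order the quoted Cisco text describes, shown on the sensor CLI as an added illustration that is not part of the original page or of the Cisco document: an event action filter and an override policy are applied first, and the original signature is retired only after a cloned copy (created in IDM/IME, which is where the clone action lives, so it is not shown here) has been confirmed to fire as intended. The sensor name, signature 2004 (ICMP Echo Request), the filter name, the address range and the clone ID 60000 are assumed for the example; the commands follow the IPS 7.x sensor CLI syntax, and the lines beginning with "!" are annotations rather than commands. Check the CLI reference for your sensor release before pasting.

```text
! Step 1: tune, do not modify. An event action filter removes the alert for
! signature 2004 only when the attacker is the assumed internal scanner range,
! so the signature keeps firing for every other source.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-eve)# filters insert no-alert-internal-scanner begin
sensor(config-eve-fil)# signature-id-range 2004
sensor(config-eve-fil)# attacker-address-range 10.1.1.10-10.1.1.20
sensor(config-eve-fil)# actions-to-remove produce-alert
sensor(config-eve-fil)# filter-item-status Enabled
sensor(config-eve-fil)# exit
sensor(config-eve)# exit
Apply Changes?[yes]: yes

! Step 2: an override policy that adds deny-attacker-inline only when the
! risk rating is high, instead of editing the action list on the signature.
sensor(config)# service event-action-rules rules0
sensor(config-eve)# overrides deny-attacker-inline
sensor(config-eve-ove)# risk-rating-range 90-100
sensor(config-eve-ove)# override-item-status Enabled
sensor(config-eve-ove)# exit
sensor(config-eve)# exit
Apply Changes?[yes]: yes

! Step 3: only after the clone (assumed here to be signature 60000 0, created
! in IDM/IME with the modified regular expression) has been seen to alert as
! expected, retire the original so it is no longer loaded by the sensor.
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 2004 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# retired true
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
```

Retiring rather than deleting keeps the original definition available if the clone turns out to be worse than the signature it replaced; setting `enabled false` in the same `status` submode stops it firing but still loads it, which is the option to use if you expect to roll back quickly.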
ORIGINAL FROM CHIP:
Still in doubt here. 100% certain C is wrong.
A is the best answer, with B also possible.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html
"...visibility...without interfering with normal traffic" (the "Do no harm" approach).