you need to edit the regexp string of the Cisco IPS sig…

In tuning a Cisco IPS signature, you need to edit the regexp string of the Cisco IPS signature, but when editing the signature, the regexp string of the signature
cannot be edited. What should you do?

In tuning a Cisco IPS signature, you need to edit the regexp string of the Cisco IPS signature, but when editing the signature, the regexp string of the signature
cannot be edited. What should you do?

A.
Create a new custom signature, then disable the original signature.

B.
Log in to the IPS appliance using a service account, which allows you to edit the regexp string of the signature.

C.
Clone the signature, then edit the cloned signature, then disable the original signature.

D.
Disable the signature first; then you can edit the regexp string of the signature and then re- enable the signature.

Explanation:
http://www.cisco.com/web/about/security/intelligence/ips_custom_sigs.html
Cloning a Signature
Administrators often find the need to modify a signature to meet the needs of a specific network, such as to reduce false positives or false negatives. In such cases,
the first approach should be to fine tune signature parameters such as event action filters and override policies. If these tunings are not sufficient, the last action that
is available is to modify a signature. By default, signature parameters such as the regular expression cannot be modified. The signature must first be cloned in order
to modify such signature parameters. The original signature can be retired or disabled if it is determined that it is no longer required.



Leave a Reply 0

Your email address will not be published. Required fields are marked *