Cisco IDS and IPS event viewer

Posted on 2006-05-12
Last Modified: 2008-01-09
When I'm looking at my Cisco IPS event viewer I see a lot of outbreak prevention signature 50000 with a severity of high.
What is signature 50000? Also if I go into the IDS module and tell it to deny attacker inline on signature 50000 I still see it when I'm looking at the viewer?? Confused on what 50000 is and should I be concerned.
Question by:mslibrarycommission
    LVL 25

    Accepted Solution

    From what I saw on my IPS, it's the Outbreak Prevention Signature. The description off

    Outbreak Prevention Signature—A file that helps IPS devices identify unique patterns of bits and bytes that signal the presence of a network-based threat. Cisco ICS deploys the OPSig to IPS devices.

    Beyond that, I'm not sure what it is.  Hopefully someone with more IPS experience can help you out.
    LVL 25

    Expert Comment

    BTW, do you have SmartNET on that device?  The reason I ask is that you should be able to open a TAC ticket and ask them the question as they should be able to explain it in more detail; unless someone else on EE chimes in of course.
    LVL 32

    Assisted Solution

    Like to take a shot :-)

    Well, as you know, the Cisco IDS/IPS works based on the 'known' attacks to the major part. So OPACL and OPSiG are the latest addition to the working of it. This is basically a work model based on the tie-up with Trend Micro. So whenever there is an outbreak, first an OPACL is created/pushed by ICS to the sensor; after some time, when the signatures are ready, OPSiG is created and it will be from the custom signature list. So you should be really looking into NSDB to see if there is something written yet for it (from Event Viewer, I guess you know how to do it). If not, try Cisco Online NSDB. If you have the latest signature update, you should have the latest NSDB as well (doesn't matter if it is 5.x or 4.x).

