Learn how to a build a cloud-first strategyRegister Now


Cisco IDS and IPS event viewer

Posted on 2006-05-12
Medium Priority
Last Modified: 2008-01-09
When I'm looking at my Cisco IPS event viewer I see a lot of outbreak prevetion signature 50000 with a severity of high.
What is signature 50000? Also if I go into the IDS module and tell it to deny attacker inline on signature 50000 I still see it when I'm looking at the viewer?? Confused on what 50000 is and should I be concerned.
Question by:mslibrarycommission
  • 2
LVL 25

Accepted Solution

Cyclops3590 earned 1000 total points
ID: 16669101
From what I saw on my IPS, its the Outbreak Prevention Signature. The description off cisco.com

Outbreak Prevention Signature—A file that helps IPS devices identify unique patterns of bits and bytes that signal the presence of a network-based threat. Cisco ICS deploys the OPSig to IPS devices.

Beyond that, I'm not sure what it is.  Hopefully someone with more IPS experience can help you out.
LVL 25

Expert Comment

ID: 16676074
BTW, do you have SmartNET on that device?  The reason I ask is that you should be able to open a TAC ticket and ask them the question as they should be able to explain it in more detail; unless someone else on EE chimes in of course.
LVL 32

Assisted Solution

rsivanandan earned 1000 total points
ID: 16676337
Like to take a shot :-)

Well as you know, the Cisco IDS/IPS works based on the 'known' attacks to the major part. So OPACL and OPSiG are the latest addition to the working of it. This is basically a work model based on the tie up with Trend Micro. So whenever there is an outbreak, first an OPACL is created/pushed by ICS to the sensor, after some time when the signatures are ready OPSiG is created and it will be from the custom signature list. So you should be really looking into NSDB to see if there is something written yet for it (From Event Viewer, I guess you know how to do it). If not, try cisco Online NSDB. If you have the latest signature update, you should have the latest NSDB as well (doesn't matter if it is 5.x or 4.x)


Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month20 days, 16 hours left to enroll

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question