Cisco IDS and IPS event viewer

When I'm looking at my Cisco IPS event viewer I see a lot of outbreak prevetion signature 50000 with a severity of high.
What is signature 50000? Also if I go into the IDS module and tell it to deny attacker inline on signature 50000 I still see it when I'm looking at the viewer?? Confused on what 50000 is and should I be concerned.
LVL 1
mslibrarycommissionAsked:
Who is Participating?
 
Cyclops3590Connect With a Mentor Commented:
From what I saw on my IPS, its the Outbreak Prevention Signature. The description off cisco.com

OPSig
      
Outbreak Prevention Signature—A file that helps IPS devices identify unique patterns of bits and bytes that signal the presence of a network-based threat. Cisco ICS deploys the OPSig to IPS devices.

Beyond that, I'm not sure what it is.  Hopefully someone with more IPS experience can help you out.
0
 
Cyclops3590Commented:
BTW, do you have SmartNET on that device?  The reason I ask is that you should be able to open a TAC ticket and ask them the question as they should be able to explain it in more detail; unless someone else on EE chimes in of course.
0
 
rsivanandanConnect With a Mentor Commented:
Like to take a shot :-)

Well as you know, the Cisco IDS/IPS works based on the 'known' attacks to the major part. So OPACL and OPSiG are the latest addition to the working of it. This is basically a work model based on the tie up with Trend Micro. So whenever there is an outbreak, first an OPACL is created/pushed by ICS to the sensor, after some time when the signatures are ready OPSiG is created and it will be from the custom signature list. So you should be really looking into NSDB to see if there is something written yet for it (From Event Viewer, I guess you know how to do it). If not, try cisco Online NSDB. If you have the latest signature update, you should have the latest NSDB as well (doesn't matter if it is 5.x or 4.x)

Cheers,
Rajesh
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.