Cisco SITCS 1.0: Cisco Intrusion Prevention Systems II

This course is included in our On-demand training solution.


The Cisco SensorBase correlates real-time data from more than 1.5 million devices around the world to create network reputation scores that enable Cisco IPS devices to block threats from known malicious hosts before they pass through the IPS inspection process. In this course, you’ll learn how to describe some methodologies for tuning a Cisco IPS sensor to properly manage false positive and negative events, including the methods and configuration procedures to create custom signatures on a Cisco IPS sensor. In addition, you’ll learn how to enable the anomaly detection functionality and the reputation-based feature on the Cisco IPS sensor. This course is one of a series in the SkillSoft learning path that covers the objectives for the Implementing Cisco Threat Control Solutions (SITCS) 1.0 (300-207 SITCS) exam.

Target Audience

This path is designed to prepare security engineers with the knowledge covering advanced firewall architecture and configuration with the Cisco next-generation firewall, utilizing access and identity policies. It is also suitable for students interested in pursuing their Cisco Certified Network Professional Security (CCNP Security) certification.

Expected Duration

120 min.

Course Objectives

Course Introduction

False Positives and Negatives

  • describe false negative and false positive events

Cisco IPS Tuning Approaches

  • describe Cisco IPS tuning approaches

Tune Cisco IPS to Reduce False Positives

  • tune Cisco IPS to reduce false positives

Reducing False Positives

  • reduce false positives by narrowing the search context and the header values, limiting the number of matched patterns, decreasing the attention span, and increasing the number of events

Tune Cisco IPS to Reduce False Negatives

  • tune Cisco IPS to reduce false negatives

Reducing False Negatives

  • reduce false negatives by using IP reassembly, TCP reassembly, and deobfuscation

Custom Signatures

  • provide an overview of custom signatures

Custom Signature Wizard

  • describe the configuration and procedure options in the Custom Signature wizard

Principles Behind Anomaly Detection

  • describe the principles behind anomaly detection

Scanners and Histograms

  • describe scanners and histograms

Anomaly Detection and Action

  • describe anomaly detection and actions

Anomaly Detection Scenario

  • describe an anomaly detection scenario

Anomaly Detection Configuration Procedure

  • describe the anomaly detection configuration procedure

Verify Anomaly Detection

  • describe how to verify the operational mode and statistics of anomaly detection

Global Correlation and Reputation Filter

  • describe the traffic processing flow in the IPS sensor with Global Correlation and Reputation Filter active

Global Correlation Operations

  • describe global correlation operations

IPS Sensor Feedback to Cisco SensorBase

  • describe how the IPS sensors send information to Cisco SensorBase using network participation

Global Correlation Configurations

  • describe the global correlation inspection configurations

Verify Global Correlation and Reputation Filter

  • verify Global Correlation and Reputation Filter operations

Exercise: Describing Cisco Intrusion Prevention Systems