Regarding String XL engines - what devices support them

afurst — Sun, 10 Mar 2019 12:47:06 GMT

Greetings & Salutations ,

In looking at some ~~issues~~ opportunities we are having, I have some questions regarding the 'String XL Engines'. If I understand correctly, only the specific devices listed at the link would be able to support the signatures that use these engines.

As each signature takes resources, should the signatures that use the XL engines be disabled/retired on a system that doesn’t support them? On the ones that do, the corresponding signature that it supercedes should be disabled/retired, as well.

Why signatures that are dependent on the XL engines would be enabled by default, but not in a consistent fashion, when the parent sig is disabled. On a device that doesn’t support the XL engines, this would create an issue, in coverage, as well as resources. Better yet, why isn’t there an easy, obvious setup for the enabling/disabling/retiring of this group of signatures?

The above would also pertain to the in-line vs promiscuous and asymmetric mode settings/signatures. An automatic (at least group/type) setting of this would help greatly - if the sensor is installed as a promiscuous device the asymmetric mode would be set, as well as the proper signatures would be disabled and retired (e.g. AD 13001-13005). This ability could be buried so that it would not be triggered inadvertently, or by mistake. Perhaps a build/image/package that has a setup for inline and another for promiscuous , this would save a lot of time & effort on everyone’s part. I realze that this may be similar to the signature policies that are not supported by my hardware.

Some devices will give the following error, while others do not. They are running the same policies, and neither supports the XL engines (according to the docs)

‘Warning:Editing signature xxxx:x for engine <string-xl-tcp> has NO effect - regex hardware is not present or is disabled’.

According to the docs, none of the devices that I run support the XL engines. I am running SSM10’s, SSM40’s & 4240’s, 4270-20’s at software revision 7.0(8)E4, 7.1(4)E4, 7.1(6)E4 signature S669.0

From the online 7.1 (and 7.0) configuration guide:

The IPS 4345, IPS 4360, IPS 4510, IPS 4520, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP, ASA 5555-X IPS SSP, and ASA 5585-X IPS SSP support the String XL engines and the Regex accelerator card.

Thanks,

Allen

I lost my original post that explains things much better, hopefully this will make enough sense.

Regarding String XL engines - what devices support them

sawgupta — Wed, 26 Sep 2012 05:30:07 GMT

Hi,

The devices which do not support the String XL Engine, even if string-xl signatures are enbaled/unretired; they won't consume any resources.

Regards,

Sawan Gupta

Regarding String XL engines - what devices support them

afurst — Wed, 26 Sep 2012 13:56:58 GMT

Thats good news, thank you.

Is it recommended to retire and disable these signatures for devices that do not support the engines? Also, what is the recommended settings for signatures in relation to promiscuous/in-line - should signatures that do not work be retired? Is there a definitive listing that tells which signatures work (or don't) in promiscuous mode? Also, some way to filter the signatures that do not work in promiscuos mode?

I have also seen signatures that in the definition from CSM, it states that they do not work in promiscuous mode -in other definitions (from web and link from IME), it is not mentioned. Where can I get a definative list and more information regarding this?

Thanks,

Allen

sorry about the spelling

topic Regarding String XL engines - what devices support them in Network Security

Regarding String XL engines - what devices support them

Regarding String XL engines - what devices support them

Regarding String XL engines - what devices support them