https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524326#M66208 <HTML><HEAD></HEAD><BODY><P>Great.&nbsp; Thanks very much for clearing that up for me.&nbsp; I might have gone enabling and un-retiring a bunch of unneeded signatures otherwise!!</P></BODY></HTML> Mon, 08 Nov 2010 05:18:43 GMT mikecrowe4ICS_2 2010-11-08T05:18:43Z https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524320#M66185 <P></P><DIV><P></P><P>For some of the IPS-IDS signatures, the description says "<STRONG>signature is only available on the 5.x platform</STRONG>".&nbsp; Sometimes it adds "<STRONG>obseletes signature &lt;X&gt; on the 5.x platform.</STRONG>"</P><P></P><P>Does this actually mean "5.x OR LATER", such as a sensor running 7.x? Or is it really only 5.x?</P><P></P><P>Example signatures stating this:</P><P></P><UL><LI><A href="http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3654&amp;signatureSubId=0&amp;softwareVersion=6.0&amp;releaseVersion=S181" target="_blank">3654/0 (SSH Gobbles Exploit)</A></LI><LI><A href="http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=4607&amp;signatureSubId=6&amp;softwareVersion=6.0&amp;releaseVersion=S256" target="_blank">4607/6 (Deep Throat Reponse)</A></LI><LI><A href="http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=6203&amp;signatureSubId=1&amp;softwareVersion=6.0&amp;releaseVersion=S256" target="_blank">6203/1 (sadmind directory traversal command exec)</A></LI><LI><A href="http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=9401&amp;signatureSubId=2&amp;softwareVersion=6.0&amp;releaseVersion=S256" target="_blank">9401/2 (Back Door Y3K RAT)</A></LI></UL><DIV> </DIV><P></P><P>Can anyone provide clarification on this?</P></DIV><P></P> Sun, 10 Mar 2019 12:10:30 GMT https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524320#M66185 mikecrowe4ICS_2 2019-03-10T12:10:30Z https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524321#M66188 <HTML><HEAD></HEAD><BODY><P>Those signatures are still available in version 7.0, however, some are not enabled by default.</P><P>All Cisco signature pack comes with default "enabled" signature, and Cisco dynamically retired, disabled signature on new signature pack accordingly, and they were documented in the release notes of each signature pack update.</P><P></P><P>I have double checked the 4 enquired signatures on version 7.0.1(E3), and they are not retired.</P><P>However, some of them are disabled (you can manually enable them if you deem that your environment might still be affected by those signatures) --&gt; normally they are disabled for a reason by development team (ie: no longer applicable).</P><P></P><P>From your list,&nbsp; please find the following:</P><P>- 3564/0 --&gt; not retired, and enabled</P><P>- 4607/6 --&gt; not retired, but disabled (4607/1 --&gt; retired)</P><P>- 6203/1 --&gt; not retired, but disabled</P><P>- 9401/2 --&gt; not retired, but disabled</P><P></P><P>To check whether a particular signature is retired or not, you can go to Cisco SIO page (under signature search):</P><P><A class="jive-link-external-small" href="http://tools.cisco.com/security/center/search.x">http://tools.cisco.com/security/center/search.x</A></P><P></P><P>Choose: Search: Signatures, keywords: the actual signature (for example: 4607), it will then give you a list of all 4607 sub-signatures.</P><P>Comparing the following 2 sub-signatures when you click on the actual signature name of the corresponding sub-signature:</P><P>4607/6 --&gt; not retired (it lists "<SPAN class="label1">Default Retired:</SPAN><SPAN class="data1"><STRONG>False</STRONG>")</SPAN></P><P>4607/1 --&gt; retired (it lists "<SPAN class="label1">Default Retired:</SPAN><SPAN class="data1"><STRONG>True</STRONG>")</SPAN></P><P></P><P>Hope that helps.</P></BODY></HTML> Sun, 07 Nov 2010 00:13:31 GMT https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524321#M66188 Jennifer Halim 2010-11-07T00:13:31Z https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524322#M66194 <HTML><HEAD></HEAD><BODY><P>Jennifer --</P><P></P><P>Thanks for your reply.&nbsp; Let me make sure I understand.</P><P></P><P>If a signature with this description (only 5.x) is available for configuration - retired or not - it can work on the 7.x platform.&nbsp; Is that correct?</P><P></P><P>The signature default configurations also mean:</P><P></P><P></P><P><STRONG></STRONG><TABLE border="1" cellpadding="3" cellspacing="0" style="width: 100%; border: 1px solid #000000;"><TBODY><TR><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>Status</STRONG></SPAN></TH><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;"><STRONG>Explanation</STRONG></SPAN></TH></TR><TR><TD><SPAN style="font-weight: normal;">Enabled, Not Retired</SPAN></TD><TD><SPAN style="font-weight: normal;">Recommended by Cisco for use</SPAN></TD></TR><TR><TD><SPAN style="font-weight: normal;">Disabled, Not Retired</SPAN></TD><TD><P><SPAN style="font-weight: normal;">Not recommended for default use, but possibly useful in some environments.</SPAN></P><P><SPAN style="font-weight: normal;">Reasons for default disable could be: no longer applicable, high resource use with low return, high probability of false positives, etc.</SPAN></P></TD></TR><TR><TD><SPAN style="font-weight: normal;">Disabled, Retired</SPAN></TD><TD><SPAN style="font-weight: normal;">Not recommended for default use.&nbsp; Not likely needed for most environments.&nbsp; Possibly obsolete due to newer signature.</SPAN></TD></TR><TR><TD><SPAN style="font-weight: normal;">Enabled, Retired</SPAN></TD><TD><SPAN style="font-weight: normal;">Not a default configuration (except for "LowMem/MedMem Retired")</SPAN></TD></TR></TBODY></TABLE><BR /></P><P>Does all of that look correct?</P><P></P><P>Thanks for your help!</P></BODY></HTML> Mon, 08 Nov 2010 03:07:34 GMT https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524322#M66194 mikecrowe4ICS_2 2010-11-08T03:07:34Z https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524323#M66199 <HTML><HEAD></HEAD><BODY><P></P><DIV><P>I wanted to do a separate reply about the part you mentioned with the 4607 sigs/sub-sigs.&nbsp; The main signature (4607/0) is default <STRONG>disabled</STRONG> and <STRONG>retired</STRONG>. However, the sub-signature 4607-5 is <STRONG>enabled</STRONG> by default, and obsoletes 4607/0.</P><P></P><P>In cases like this, where the main signature (/0) is disabled/retired, does the sub-signature even work?&nbsp; Are the sub-signatures not actually dependent on the main signature, just grouped together?</P><P></P><P>I always thought it was a dependent relationship, but perhaps I misunderstood.</P><P></P><P>Thanks.</P></DIV><P></P></BODY></HTML> Mon, 08 Nov 2010 03:26:22 GMT https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524323#M66199 mikecrowe4ICS_2 2010-11-08T03:26:22Z https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524324#M66202 <HTML><HEAD></HEAD><BODY><P>Yes, you are absolutely correct with all the statements.</P></BODY></HTML> Mon, 08 Nov 2010 05:05:26 GMT https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524324#M66202 Jennifer Halim 2010-11-08T05:05:26Z https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524325#M66205 <HTML><HEAD></HEAD><BODY><P>In terms of signature with sub-signature, 0 does not mean that it is the main signature. The sub-signature always starts from the number "0". Comparing sub-signature "0" and "1" for example, they will be inspecting different things within the same signature name, hence retiring sub-signature 0 is not dependant on other active/enabled sub-signature.</P><P></P><P>Hope that clears the confusion.</P></BODY></HTML> Mon, 08 Nov 2010 05:14:07 GMT https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524325#M66205 Jennifer Halim 2010-11-08T05:14:07Z https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524326#M66208 <HTML><HEAD></HEAD><BODY><P>Great.&nbsp; Thanks very much for clearing that up for me.&nbsp; I might have gone enabling and un-retiring a bunch of unneeded signatures otherwise!!</P></BODY></HTML> Mon, 08 Nov 2010 05:18:43 GMT https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524326#M66208 mikecrowe4ICS_2 2010-11-08T05:18:43Z https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524327#M66216 <HTML><HEAD></HEAD><BODY><P>Cheers, and thanks for the ratings.</P></BODY></HTML> Mon, 08 Nov 2010 05:20:39 GMT https://community.cisco.com/t5/network-security/sig-description-5-x-platform-only/m-p/1524327#M66216 Jennifer Halim 2010-11-08T05:20:39Z