
Disabled and Retired Signature generates alerts.

bgl-group
Level 1

Can someone give an explanation for this situation I found?

Our security department asked me to remove an alert from the IPS sensors that is a false alarm.

Nothing strange with that, but the alert was on signature 5577/1. According to both CSM (where we manage these from) and the IPS itself, this signature is NOT enabled and is marked as RETIRED. The local logs on the IPS indicate this has been triggered as well.

I thought that in this situation nothing should be able to alert?

Thanks in advance

Giles Cooper


fabios
Level 3

Hi Giles,

A single signature can be in multiple packages. You did not specify on what platform, but if you are in IOS and run a show ip ips signature detail, you will get all signatures by packages and you might find out that you retired a package containing that signature but not another.

Cheers

Fabio

Hi Fabio

Sorry, forgot to mention that it is an AIP-10 running in an ASA chassis.

I could be wrong but I don't think the sensor supports packages - or if it does I haven't configured any?

I was looking at the signature list and it shows as disabled in there.

Giles

Sorry, I am not familiar with the appliances. Only with IOS based routers. In those, signatures are grouped in packages that provide kind of a coherent level of security (io_advance, ios_basic, attacks, http) and therefore some signatures are present in multiple sets. You have to retire all packages and then unretire those you are interested in. Then disable any signature you do not want to fire.

I know it does not help you ... but maybe the philosophy is somewhat similar. I tend to stay away from the management platforms because these hide details that are very obvious in the CLI (some have a reversed approach) but maybe those provide you with a way to disable the signature across the different groups in which they are present.

Cheers

Fabio
