IDS Signature Defaults

lkwilk123
Level 1

I am looking for some information regarding Cisco's use of "retired" and "enabled". I am fairly new at dealing with the IDS systems (we are using version 4.1).

My understanding is that a "retired" signature is no longer used/supported by Cisco.

But what about "enabled"? When you load the sensor with Cisco's baseline of signatures, there are approximately 650 that are not retired, yet they are not enabled. Does anyone know why they are not defaulted to be "enabled"?

When installing a new sensor, should we turn on ALL the signatures or just the ones that Cisco has "enabled"?

Thanks for any information you can provide to me.

3 Replies

a.giorgi
Level 1

Hi lkwilk123:

A retired signature is not in the signature database. The signature engine doesn't compare the traffic with these kinds of signatures, so the database is reduced and you optimize the performance.

A disabled signature is in the database, but the sig engine only compares enabled signatures.

You can incorporate the retired signatures, but it is not convenient unless you think it could be important to your security. Most of them are old-fashioned attacks like ping of death.

You can retire signatures that don't apply to your environment, e.g. if you don't have an FTP server, retire the FTP server signatures; then you will improve the performance of your sensor.

Hope this helps. Please rate if it does.

Alberto Giorgi from Spain.

Alberto,

That answers about the retired part.

Do you know (or does anyone know) what basis Cisco uses to determine whether they leave a signature defaulted as "enabled" versus "disabled"?

Thanks for your help,

Linda

Linda,

As a general rule, signatures we develop are shipped default enabled. There are a couple of reasons where we may choose to ship the signature disabled:

- The signature was added for completeness in coverage for an older vulnerability. While still possibly a legitimate issue, the prevalence of the vulnerable package is minimal, so in the bigger scope of things, not that useful for all.

- The signature is for a vulnerability that's just really bad (i.e. very easy to exploit and gain system privilege), but overall use of that package is minimal. Take for example sig 3537-0 for MailEnable: really easy exploit, yet not very widespread usage at all, so we shipped that as disabled.

Bear in mind that disabled really just means it's kept quiet ... the signature is still active on the sensor, it just doesn't produce any alerts. As always, if it's applicable to your environment, simply enable it and it's ready for action.