Regarding String XL engines - what devices support them

afurst
Level 1

Greetings & Salutations ,

In looking at some issues/opportunities we are having, I have some questions regarding the 'String XL Engines'. If I understand correctly, only the specific devices listed at the link would be able to support the signatures that use these engines.

As each signature takes resources, should the signatures that use the XL engines be disabled/retired on a system that doesn't support them? On the ones that do, the corresponding signature that it supersedes should be disabled/retired, as well.

Why would signatures that are dependent on the XL engines be enabled by default, but not in a consistent fashion, when the parent sig is disabled? On a device that doesn't support the XL engines, this would create an issue in coverage, as well as resources. Better yet, why isn't there an easy, obvious setup for the enabling/disabling/retiring of this group of signatures?

The above would also pertain to the in-line vs promiscuous and asymmetric mode settings/signatures. An automatic (at least group/type) setting of this would help greatly: if the sensor is installed as a promiscuous device, the asymmetric mode would be set, as well as the proper signatures being disabled and retired (e.g. AD 13001-13005). This ability could be buried so that it would not be triggered inadvertently, or by mistake. Perhaps a build/image/package that has a setup for inline and another for promiscuous; this would save a lot of time & effort on everyone's part. I realize that this may be similar to the signature policies that are not supported by my hardware.

Some devices will give the following error, while others do not. They are running the same policies, and neither supports the XL engines (according to the docs).

'Warning: Editing signature xxxx:x for engine <string-xl-tcp> has NO effect - regex hardware is not present or is disabled'.

According to the docs, none of the devices that I run support the XL engines. I am running SSM10s, SSM40s, 4240s and 4270-20s at software revisions 7.0(8)E4, 7.1(4)E4 and 7.1(6)E4, signature S669.0.

From the online 7.1 (and 7.0) configuration guide:

The IPS 4345, IPS 4360, IPS 4510, IPS 4520, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP, ASA 5555-X IPS SSP, and ASA 5585-X IPS SSP support the String XL engines and the Regex accelerator card.

Thanks,

Allen

I lost my original post that explains things much better, hopefully this will make enough sense.


sawgupta
Level 1

Hi,

On the devices which do not support the String XL Engine, even if string-xl signatures are enabled/unretired, they won't consume any resources.

Regards,

Sawan Gupta

That's good news, thank you.

Is it recommended to retire and disable these signatures for devices that do not support the engines? Also, what are the recommended settings for signatures in relation to promiscuous/in-line? Should signatures that do not work be retired? Is there a definitive listing that tells which signatures work (or don't) in promiscuous mode? Also, is there some way to filter the signatures that do not work in promiscuous mode?

I have also seen signatures where the definition from CSM states that they do not work in promiscuous mode; in other definitions (from the web and the link from IME), it is not mentioned. Where can I get a definitive list and more information regarding this?

Thanks,

Allen

sorry about the spelling
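The thread above asks for a way to flag the signatures that should be looked at on a given sensor: String XL signatures on a platform without the regex hardware, an XL signature whose parent is disabled (the coverage gap raised in the original post), the superseded parent still enabled on a platform that does support XL, and promiscuous-mode sensors running signatures whose definition says they do not work in promiscuous mode. The script below is an added example written for this page, not a Cisco tool and not anything posted in the thread. The platform list is the one the configuration guide excerpt gives; the `string-xl-` prefix is generalized from the `string-xl-tcp` engine name in the warning; the `string-tcp` engine name, the `supersedes` link and the sample inventory are constructed assumptions, and the signature IDs are made up.

```python
"""Triage an IPS signature inventory against sensor platform and mode.

Added example for the thread above (not Cisco's code). Platform list from the
7.0/7.1 configuration guide excerpt quoted in the thread; inventory below is
constructed sample data, not a real signature release.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Platforms the configuration guide names as supporting the String XL engines
# and the Regex accelerator card (quoted in the original post).
STRING_XL_PLATFORMS = {
    "IPS 4345", "IPS 4360", "IPS 4510", "IPS 4520",
    "ASA 5525-X IPS SSP", "ASA 5545-X IPS SSP",
    "ASA 5555-X IPS SSP", "ASA 5585-X IPS SSP",
}


@dataclass(frozen=True)
class Signature:
    sig_id: int
    subsig: int
    engine: str                 # e.g. "string-xl-tcp" (engine name from the warning in the thread)
    enabled: bool
    retired: bool
    promiscuous_ok: bool        # False when the definition says it does not work in promiscuous mode
    supersedes: Optional[Tuple[int, int]] = None  # (sig_id, subsig) of the non-XL parent; assumed field


def uses_string_xl(sig: Signature) -> bool:
    """Assumption: all String XL engines share the 'string-xl-' prefix seen in 'string-xl-tcp'."""
    return sig.engine.startswith("string-xl-")


def label(sig: Signature) -> str:
    return f"{sig.sig_id}:{sig.subsig} <{sig.engine}>"


def triage(inventory: List[Signature], platform: str, mode: str) -> List[Tuple[str, str]]:
    """Return (signature label, reason) pairs worth reviewing on this sensor.

    mode is "inline" or "promiscuous". Retired signatures are skipped: they are
    already out of the active set.
    """
    xl_supported = platform in STRING_XL_PLATFORMS
    by_key: Dict[Tuple[int, int], Signature] = {(s.sig_id, s.subsig): s for s in inventory}
    findings: List[Tuple[str, str]] = []

    for sig in inventory:
        if sig.retired:
            continue

        # 1. XL signature on a sensor without regex hardware: the edit warning says it has no effect.
        if uses_string_xl(sig) and not xl_supported:
            findings.append((label(sig), f"String XL engine has no effect on {platform}: candidate to retire"))

        # 2. Parent/child consistency for XL signatures that supersede a non-XL one.
        if uses_string_xl(sig) and sig.supersedes is not None:
            parent = by_key.get(sig.supersedes)
            if parent is not None:
                parent_active = parent.enabled and not parent.retired
                if xl_supported and sig.enabled and parent_active:
                    findings.append((label(parent), f"superseded by {label(sig)} on a String XL platform: candidate to retire"))
                if not xl_supported and sig.enabled and not parent_active:
                    findings.append((label(sig), f"XL version enabled but parent {label(parent)} is disabled/retired on a non-XL platform: coverage gap"))

        # 3. Promiscuous sensor running a signature whose definition says it needs inline mode.
        if mode == "promiscuous" and sig.enabled and not sig.promiscuous_ok:
            findings.append((label(sig), "definition says it does not work in promiscuous mode: candidate to disable/retire"))

    return findings


# Constructed sample inventory (IDs and engine names are made up for the example).
SAMPLE_INVENTORY = [
    Signature(90001, 0, "string-tcp", enabled=True, retired=False, promiscuous_ok=True),
    Signature(90001, 1, "string-xl-tcp", enabled=True, retired=False, promiscuous_ok=True, supersedes=(90001, 0)),
    Signature(90002, 0, "string-tcp", enabled=True, retired=False, promiscuous_ok=False),
    Signature(90004, 0, "string-tcp", enabled=False, retired=False, promiscuous_ok=True),
    Signature(90004, 1, "string-xl-tcp", enabled=True, retired=False, promiscuous_ok=True, supersedes=(90004, 0)),
    Signature(90005, 0, "string-xl-tcp", enabled=True, retired=True, promiscuous_ok=True),
]

if __name__ == "__main__":
    for platform, mode in (("IPS 4240", "promiscuous"), ("IPS 4345", "inline")):
        print(f"== {platform} ({mode}) ==")
        for sig_label, reason in triage(SAMPLE_INVENTORY, platform, mode):
            print(f"  {sig_label}: {reason}")
```

Run against the sample on an IPS 4240 in promiscuous mode it reports both XL signatures as having no effect, the 90004:1 XL signature as a coverage gap because its parent is disabled, and 90002:0 as not working in promiscuous mode; on an IPS 4345 inline the only finding is the superseded parent 90001:0 still enabled alongside its XL version. Feeding it a real export means filling the `supersedes` and `promiscuous_ok` fields from whatever definitive list the thread is asking for.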
