Retired signatures

mark.barrett
Level 1

Hello,

How does the IPS Signature Development Team determine when a signature is obsolete? Is there ever a reason to un-retire a signature which has been set as Retired through the application of a signature update package?

Accepted Solution

raga.fusionet
Level 4

Mark,

Usually an Obsolete signature is the result of a new sig that just came up. Let's say that there is signature #1 that looks for event A. Then the BU comes with signature #2 which looks for event A or event B (usually a variant of event A), or with signature #3 that has a more efficient way to look for event A. So they decide to Obsolete Signature #1.

Also, there is no real reason to un-retire a retired signature. Retired signatures are usually signatures that fire a lot of false positives and generate a lot of noise.

Here is what the documentation says about this:

Obsoletes

The Cisco signature team uses the obsoletes field to indicate obsoleted, older signatures that have been replaced by newer, better signatures, and to indicate disabled signatures in an engine when a better instance of that engine is available.

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_signature_engines.html#wp1013828

I hope that this answers your questions.

Have fun

Raga

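The lifecycle Raga describes (signature #2 obsoletes signature #1 because it matches event A or its variant B; retired signatures are noisy ones that stay disabled) is easy to get wrong in practice if the replacement is narrower than the signature it retires. The following is an added example, not code from the original thread or from Cisco: it models signatures as regexes over a request payload (a stand-in for the real engine logic), applies the `obsoletes` and `retired` fields to compute the effective active set, and then checks that every constructed sample the obsoleted signature fired on is still caught by its replacement. The signature IDs, patterns and sample requests are all made up for the illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Signature:
    """Minimal model of one IPS signature (hypothetical, not Cisco's schema)."""
    sig_id: int
    name: str
    pattern: str                 # regex standing in for the engine's match logic
    obsoletes: set = field(default_factory=set)   # IDs this signature replaces
    retired: bool = False        # retired sigs are disabled by the update package

    def matches(self, payload: str) -> bool:
        return re.search(self.pattern, payload) is not None


def active_signatures(sigs):
    """Signatures left enabled after honouring every obsoletes relation and retired flag."""
    obsoleted = set()
    for s in sigs:
        obsoleted |= s.obsoletes
    return [s for s in sigs if not s.retired and s.sig_id not in obsoleted]


def coverage_gaps(sigs, samples):
    """Return (old_id, new_id, sample) for each sample that an obsoleted signature
    matched but its replacement does not. An empty list means the update does not
    silently drop detections; a non-empty list is the case where a retired or
    obsoleted signature is worth a second look before accepting the package."""
    by_id = {s.sig_id: s for s in sigs}
    gaps = []
    for new in sigs:
        for old_id in sorted(new.obsoletes):
            old = by_id[old_id]
            for sample in samples:
                if old.matches(sample) and not new.matches(sample):
                    gaps.append((old_id, new.sig_id, sample))
    return gaps


# Constructed sample traffic: event A, its variant B, and benign requests.
SAMPLES = [
    "GET /?event_a=1 HTTP/1.0",
    "GET /?event_b=1 HTTP/1.0",
    "GET /?event_a=abc HTTP/1.0",
    "GET /?other=1 HTTP/1.0",
]

SIG1 = Signature(1, "event-A", r"event_a=")
SIG5 = Signature(5, "noisy-probe", r"GET /", retired=True)   # fires on everything

# Good update: #2 covers A or B, so obsoleting #1 loses nothing.
GOOD_SET = [SIG1, Signature(2, "event-A-or-B", r"event_[ab]=", obsoletes={1}), SIG5]

# Bad update: #3 also claims to replace #1 but only matches numeric arguments.
BAD_SET = [SIG1, Signature(3, "event-A-or-B-numeric", r"event_[ab]=\d", obsoletes={1}), SIG5]


def active_ids(sigs):
    return [s.sig_id for s in active_signatures(sigs)]


if __name__ == "__main__":
    print("good set active:", active_ids(GOOD_SET), "gaps:", coverage_gaps(GOOD_SET, SAMPLES))
    print("bad set active:", active_ids(BAD_SET), "gaps:", coverage_gaps(BAD_SET, SAMPLES))
```

Run against a real update, the samples would be the packet captures or event records the old signature historically fired on (true positives only, since the whole point of retiring a signature is to shed its false positives); the check is the one-line answer to "should I un-retire this?": only if the replacement leaves a gap on traffic you actually care about.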
