11-05-2010 01:02 AM - edited 03-10-2019 05:10 AM
For some of the IPS-IDS signatures, the description says "signature is only available on the 5.x platform". Sometimes it adds "obsoletes signature <X> on the 5.x platform."
Does this actually mean "5.x OR LATER", such as a sensor running 7.x? Or is it really only 5.x?
Example signatures stating this:
Can anyone provide clarification on this?
11-06-2010 05:13 PM
Those signatures are still available in version 7.0; however, some are not enabled by default.
All Cisco signature packs come with default "enabled" signatures, and Cisco dynamically retires and disables signatures in new signature packs accordingly; these changes are documented in the release notes of each signature pack update.
I have double-checked the 4 enquired signatures on version 7.0.1(E3), and they are not retired.
However, some of them are disabled (you can manually enable them if you deem that your environment might still be affected by those signatures) --> normally they are disabled for a reason by the development team (i.e., no longer applicable).
From your list, please find the following:
- 3564/0 --> not retired, and enabled
- 4607/6 --> not retired, but disabled (4607/1 --> retired)
- 6203/1 --> not retired, but disabled
- 9401/2 --> not retired, but disabled
To check whether a particular signature is retired or not, you can go to the Cisco SIO page (under signature search):
http://tools.cisco.com/security/center/search.x
Choose: Search: Signatures, keywords: the actual signature (for example: 4607); it will then give you a list of all 4607 sub-signatures.
Compare the following 2 sub-signatures by clicking on the actual signature name of the corresponding sub-signature:
4607/6 --> not retired (it lists "Default Retired:False")
4607/1 --> retired (it lists "Default Retired:True")
Hope that helps.
11-07-2010 07:07 PM
Jennifer --
Thanks for your reply. Let me make sure I understand.
If a signature with this description (only 5.x) is available for configuration - retired or not - it can work on the 7.x platform. Is that correct?
The signature default configurations also mean:
Status | Explanation |
---|---|
Enabled, Not Retired | Recommended by Cisco for use |
Disabled, Not Retired | Not recommended for default use, but possibly useful in some environments. Reasons for default disable could be: no longer applicable, high resource use with low return, high probability of false positives, etc. |
Disabled, Retired | Not recommended for default use. Not likely needed for most environments. Possibly obsolete due to newer signature. |
Enabled, Retired | Not a default configuration (except for "LowMem/MedMem Retired") |
Does all of that look correct?
Thanks for your help!
11-07-2010 09:05 PM
Yes, you are absolutely correct with all the statements.
11-07-2010 07:26 PM
I wanted to do a separate reply about the part you mentioned with the 4607 sigs/sub-sigs. The main signature (4607/0) is default disabled and retired. However, the sub-signature 4607-5 is enabled by default, and obsoletes 4607/0.
In cases like this, where the main signature (/0) is disabled/retired, does the sub-signature even work? Are the sub-signatures not actually dependent on the main signature, just grouped together?
I always thought it was a dependent relationship, but perhaps I misunderstood.
Thanks.
11-07-2010 09:14 PM
In terms of signatures with sub-signatures, 0 does not mean that it is the main signature. The sub-signature always starts from the number "0". Comparing sub-signatures "0" and "1", for example, they will be inspecting different things within the same signature name; hence retiring sub-signature 0 is not dependent on other active/enabled sub-signatures.
Hope that clears the confusion.
11-07-2010 09:18 PM
Great. Thanks very much for clearing that up for me. I might have gone enabling and un-retiring a bunch of unneeded signatures otherwise!!
11-07-2010 09:20 PM
Cheers, and thanks for the ratings.