Sig Description - 5.x Platform Only

mikecrowe4ICS_2
Beginner

For some of the IPS-IDS signatures, the description says "signature is only available on the 5.x platform". Sometimes it adds "obsoletes signature <X> on the 5.x platform."

Does this actually mean "5.x OR LATER", such as a sensor running 7.x? Or is it really only 5.x?

Example signatures stating this:

Can anyone provide clarification on this?

7 Replies

Jennifer Halim
Cisco Employee

Those signatures are still available in version 7.0, however, some are not enabled by default.

All Cisco signature packs come with default "enabled" signatures, and Cisco dynamically retires and disables signatures in new signature packs accordingly; these changes are documented in the release notes of each signature pack update.

I have double checked the 4 enquired signatures on version 7.0.1(E3), and they are not retired.

However, some of them are disabled (you can manually enable them if you deem that your environment might still be affected by those signatures) --> normally they are disabled for a reason by the development team (i.e., no longer applicable).

From your list,  please find the following:

- 3564/0 --> not retired, and enabled

- 4607/6 --> not retired, but disabled (4607/1 --> retired)

- 6203/1 --> not retired, but disabled

- 9401/2 --> not retired, but disabled

To check whether a particular signature is retired or not, you can go to the Cisco SIO page (under signature search):

http://tools.cisco.com/security/center/search.x

Choose: Search: Signatures, keywords: the actual signature (for example: 4607). It will then give you a list of all 4607 sub-signatures.

Compare the following 2 sub-signatures when you click on the actual signature name of the corresponding sub-signature:

4607/6 --> not retired (it lists "Default Retired:False")

4607/1 --> retired (it lists "Default Retired:True")

Hope that helps.

Jennifer --

Thanks for your reply.  Let me make sure I understand.

If a signature with this description (only 5.x) is available for configuration - retired or not - it can work on the 7.x platform.  Is that correct?

The signature default configurations also mean:

| Status | Explanation |
| --- | --- |
| Enabled, Not Retired | Recommended by Cisco for use |
| Disabled, Not Retired | Not recommended for default use, but possibly useful in some environments. Reasons for default disable could be: no longer applicable, high resource use with low return, high probability of false positives, etc. |
| Disabled, Retired | Not recommended for default use. Not likely needed for most environments. Possibly obsolete due to newer signature. |
| Enabled, Retired | Not a default configuration (except for "LowMem/MedMem Retired") |

Does all of that look correct?

Thanks for your help!

Yes, you are absolutely correct with all the statements.

I wanted to do a separate reply about the part you mentioned with the 4607 sigs/sub-sigs.  The main signature (4607/0) is default disabled and retired. However, the sub-signature 4607-5 is enabled by default, and obsoletes 4607/0.

In cases like this, where the main signature (/0) is disabled/retired, does the sub-signature even work?  Are the sub-signatures not actually dependent on the main signature, just grouped together?

I always thought it was a dependent relationship, but perhaps I misunderstood.

Thanks.

In terms of signatures with sub-signatures, 0 does not mean that it is the main signature. The sub-signature always starts from the number "0". Comparing sub-signature "0" and "1" for example, they will be inspecting different things within the same signature name, hence retiring sub-signature 0 is not dependent on other active/enabled sub-signatures.

Hope that clears the confusion.

Great.  Thanks very much for clearing that up for me.  I might have gone enabling and un-retiring a bunch of unneeded signatures otherwise!!

Cheers, and thanks for the ratings.
