Sig Description - 5.x Platform Only

mikecrowe4ICS_2
Beginner

For some of the IPS-IDS signatures, the description says "signature is only available on the 5.x platform". Sometimes it adds "obsoletes signature <X> on the 5.x platform."

Does this actually mean "5.x OR LATER", such as a sensor running 7.x? Or is it really only 5.x?

Example signatures stating this:

Can anyone provide clarification on this?

2 Accepted Solutions

Jennifer Halim
Cisco Employee

Those signatures are still available in version 7.0, however, some are not enabled by default.

All Cisco signature packs come with default "enabled" signatures, and Cisco dynamically retires and disables signatures in new signature packs accordingly; these changes are documented in the release notes of each signature pack update.

I have double checked the 4 enquired signatures on version 7.0.1(E3), and they are not retired.

However, some of them are disabled (you can manually enable them if you deem that your environment might still be affected by those signatures) --> normally they are disabled for a reason by the development team (i.e., no longer applicable).

From your list, please find the following:

- 3564/0 --> not retired, and enabled

- 4607/6 --> not retired, but disabled (4607/1 --> retired)

- 6203/1 --> not retired, but disabled

- 9401/2 --> not retired, but disabled

To check whether a particular signature is retired or not, you can go to Cisco SIO page (under signature search):

http://tools.cisco.com/security/center/search.x

Choose: Search: Signatures, keywords: the actual signature (for example: 4607), it will then give you a list of all 4607 sub-signatures.

Comparing the following 2 sub-signatures when you click on the actual signature name of the corresponding sub-signature:

4607/6 --> not retired (it lists "Default Retired:False")

4607/1 --> retired (it lists "Default Retired:True")

Hope that helps.

In terms of signatures with sub-signatures, 0 does not mean that it is the main signature. The sub-signature always starts from the number "0". Comparing sub-signature "0" and "1" for example, they will be inspecting different things within the same signature name, hence retiring sub-signature 0 is not dependent on other active/enabled sub-signatures.

Hope that clears the confusion.
