Signature Update affecting Custom Signatures

a.arndt
Level 3

Greetings,

I just deployed S140 to a production sensor that had a number of custom signatures. Actually, to be more precise, it had two custom signatures with a number of sub-signatures each.

Here's the rub. The update left the most recently added/modified Sig/SubSig intact but removed all others. This also happened when I deployed S138, but I wanted to confirm the behaviour before I reported it here.

Here's my theory on what is happening. The update routine looks at the custom sigs and checks only the SigID field and the time-modified field. It does not check the SubSig ID field, which results in all SubSigs (except the most recently added/modified) being deleted.

Can someone from Cisco please confirm this behaviour for me? I don't want to open a TAC case, but I will if it's the better route to take to get this sorted out...

Alex Arndt

9 Replies

scothrel
Level 3

We have someone from the signature team trying to reproduce it now. Thanks for the heads up.

Scott

craiwill
Cisco Employee

I have been unable to recreate this issue in our lab. I will continue to investigate, but any more details you could provide would be helpful.

Here are some details:

SigID - 20300

SubSigID - 0 thru 8

IP Packet Signature - each SubSig is differentiated by the source IP

SigID - 20301

SubSigID - 0 thru 8

IP Packet Signature - each SubSig is differentiated by the destination IP

Both are set to "high" and using standard summarisation. SigID 20300 uses the "Attacker" as the summary key; SigID 20301 uses the "Victim" as the summary key.

Pretty basic stuff, actually. Create a new custom SigID and define some SubSigs. Deploy and then update to a newer signature release. Kiss all but the last one added goodbye.

BTW, I'm using IDM to create and deploy the signature on the affected sensor, not VMS.

Alex Arndt

We have been able to replicate this issue; it has been assigned DDTS id: CSCeh00647.

We will continue to investigate this issue, but as a workaround you will need to create each custom signature with a unique sig-id.

I was able to reconfigure my sensors with all the signatures I required using a unique SigID for each. While painful, it fixed my problem. The process to reconfigure my SIMS to accommodate a whole bunch of SigIDs, vice only two, was a different matter...

Is Cisco still pursuing a solution to the problem? Could someone please provide the forum with an update?

Alex Arndt
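A small model of the merge behaviour hypothesised in the original post (SigID and time-modified compared, SubSigID ignored), beside a merge keyed on (SigID, SubSigID) and the unique-SigID workaround given in the replies, with a pre/post-update check for lost sub-signatures. This is an added illustration, not Cisco sensor code; the timestamps, IP addresses and the base ID 60000 are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CustomSig:
    sig_id: int
    subsig_id: int
    modified: int    # constructed timestamp; larger means more recently modified
    filter_ip: str   # the source/destination IP this sub-signature is keyed on

def merge_by_sigid_only(custom):
    """Hypothesised buggy update merge: compares SigID and modified time only,
    ignoring SubSigID, so only the newest entry per SigID survives."""
    kept = {}
    for sig in custom:
        cur = kept.get(sig.sig_id)
        if cur is None or sig.modified > cur.modified:
            kept[sig.sig_id] = sig
    return sorted(kept.values(), key=lambda s: (s.sig_id, s.subsig_id))

def merge_by_sigid_and_subsig(custom):
    """Expected merge: keyed on (SigID, SubSigID); every sub-signature survives."""
    kept = {}
    for sig in custom:
        key = (sig.sig_id, sig.subsig_id)
        cur = kept.get(key)
        if cur is None or sig.modified > cur.modified:
            kept[key] = sig
    return sorted(kept.values(), key=lambda s: (s.sig_id, s.subsig_id))

def workaround_unique_sigids(custom, base_id=60000):
    """The workaround from the thread: give every sub-signature its own SigID.
    base_id is constructed; the thread does not say which IDs were used."""
    return [CustomSig(base_id + n, 0, s.modified, s.filter_ip) for n, s in enumerate(custom)]

def lost_after_update(before, after):
    """Pre/post-update check: which (SigID, SubSigID) pairs disappeared?"""
    def keys(sigs):
        return {(s.sig_id, s.subsig_id) for s in sigs}
    return sorted(keys(before) - keys(after))

def build_sample():
    """Constructed sample mirroring the post: SigID 20300, SubSig 0..8, one IP each."""
    return [CustomSig(20300, i, 100 + i, f"10.0.0.{i + 1}") for i in range(9)]

if __name__ == "__main__":
    before = build_sample()
    unique = workaround_unique_sigids(before)
    print("lost (buggy merge):", lost_after_update(before, merge_by_sigid_only(before)))
    print("lost (keyed on SubSig):", lost_after_update(before, merge_by_sigid_and_subsig(before)))
    print("lost (workaround):", lost_after_update(unique, merge_by_sigid_only(unique)))
```

Running the buggy merge over the sample reports SubSigs 0 through 7 as lost and keeps only SubSig 8, the most recently modified one, which matches the symptom described in the post.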

rupadras
Cisco Employee

This issue has been reported to the engineers working on the IDS code. It will be fixed in version 5.0.

Are there any plans to fix it in the next Service Pack for version 4?

This is potentially important, particularly if version 5 is delayed or if folks are slow in adopting it.

Alex Arndt

The next service pack for 4.1 is still in planning with no firm ETA for delivery. A bug has been filed against this issue, but it is not clear if this issue will be addressed due to the fact a workaround is available. This will not be an issue in 5.0.

With all due respect, creating unique SigIDs for closely related signatures is hardly a workaround.

The whole point of wanting to use the SubSig feature was the fact that I wanted what was essentially the same signature, with only the Destination and/or Source IP filters changing.

When you take these signatures and integrate them with a SIMS, two SigIDs are far simpler than a whole bunch of individual SigIDs, and require no additional updating whenever a new SubSig is added.

Enough of my ranting though; to me, at least, this is something that should be fixed. It's a bug, plain and simple...
