Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1283
Views
5
Helpful
1
Replies

What are signatures 50010, 50011?

rcullum
Level 1
Level 1

‎06-27-2006 05:43 AM - edited ‎03-10-2019 03:04 AM

I've just noticed since update of my sensor and MC to S235, that there are two new signatures 50010 WORM_SOBER and 50011 WORM_MYTOB. Are these related to the ICS OpSig signatures 50001, 50002 as there doesn't appear to be any info on them? Can I disable them if not using ICS?

Labels:
0 Helpful
1 Reply 1

wsulym
Cisco Employee
Cisco Employee

‎06-27-2006 11:59 AM

Signature 50000.0, 50000.1, and 50000.2 should be left defaulted in your setup...which is disabled.

They are used by the Cisco Incident Control Server (CICS) system to apply what is called an OpACL. An OpACL is a coarse-grain filter on ICMP, UDP, or TCP (see the 3 subsigs, one per protocol) packets. It is used by the Outbreak Prevention service to filter traffic on ports being used by a worm for propagation, communication, etc.... They will be tuned by the CICS when it recieves notification of an outbreak. This service is an extra feature that you can purchase; it is otherwise disabled and has no effect on the sensor. If you had the service and an outbreak was declared, the system would be triggered to tune the appropriate 50000 sub signature to block traffic on the propgation channels while a fine-grained, higher fidelity signature (an OpSig) was developed and automatically deployed to your sensor. At that time, the coarse-grained OpACL would be disabled. The purpose here being an extremely fast (minutes) response while a more time consuming (hours), better response is developed.

Now, 50002, since the question always gets asked anyway: This was a signatures that Trend requested to go out with their first updates (V1.0). This was for customers who run ICS so they can test their setups. It is very similar to the eicar virus test signature.

50010, 50011, Those are a "by-product" of ICS... basically, we (the signature team) will roll the virus updates into a later sigupdate. They are virus specific, you can leave them enabled, there's really no harm.

However, thanks for bringing this up to our attention... we'll look at linking the signatures in an upcoming sigupdate.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card