New signature updates: will they overwrite old tuned signatures?

Unanswered Question
Sep 16th, 2008

Good day,

I will be updating my sensors from s328 to S356. Question: will my previous tuned rules/actions be overwritten by the new signature defaults?


scothrel Wed, 09/17/2008 - 13:03

I'd give this a qualified "maybe". There is a case where the signature team might have disabled or retired a signature. That disable/retired action could pull the signature from your active list. It will still appear tuned, but it will also be disabled and/or retired. Other parameters that the sig team changes will be overridden by your tunings.

The issue with the enable/retire settings is that they are default enabled and not retired. When you tune a signature, the instance file (/usr/cids/idsRoot/etc/config/signatureDefinition/instances/sig?.xml) records the changes to the default settings (default.xml). Since the signature is enabled and not retired when you tune it (typically), you typically don't change that default. Now if the signature team changes the default value, there is nothing in the sig?.xml file to override the "new default" and the signature is disabled and/or retired.

A workaround for this is that you can explicitly tune the signature to be enabled and not retired. This tuning will be stored in the instance file and override any changes to the default values.

The exception to the default value override is the signature team's use of "obsoletes"... they have the ultimate trump to replace one signature with another (but that's a topic in itself).

The customer's equivalent counter-trump is that they can clone the Cisco signature into a custom signature. The signature updates can't mess with them.

Scott C.
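
The default/instance overlay Scott describes, as an added illustration that is not from the original thread or from Cisco: the instance file only records the attributes the admin changed, so a signature tuned for severity/action alone inherits a new "disabled/retired" default, while one explicitly tuned to enabled/not-retired keeps running. The XML layout, signature ids and attribute names below are constructed for the example, not the real default.xml / sig?.xml schema.

```python
import xml.etree.ElementTree as ET

# Constructed defaults before the update (signature ids and layout are made up).
DEFAULT_S328 = """<signatures>
  <sig id="2004" enabled="true" retired="false" severity="medium" action="alert"/>
  <sig id="3050" enabled="true" retired="false" severity="high" action="alert"/>
</signatures>"""

# Constructed defaults after the update: the signature team disabled and retired 2004.
DEFAULT_S356 = """<signatures>
  <sig id="2004" enabled="false" retired="true" severity="medium" action="alert"/>
  <sig id="3050" enabled="true" retired="false" severity="high" action="alert"/>
</signatures>"""

# Constructed instance file: only the attributes the admin actually changed are recorded.
# 2004 was tuned for severity/action only; 3050 was additionally tuned to be
# explicitly enabled and not retired (the workaround from the post).
INSTANCE = """<signatures>
  <sig id="2004" severity="high" action="alert+deny"/>
  <sig id="3050" severity="high" action="alert+deny" enabled="true" retired="false"/>
</signatures>"""


def load(xml_text):
    """Parse <sig> elements into {id: {attribute: value}}."""
    return {s.get("id"): {k: v for k, v in s.attrib.items() if k != "id"}
            for s in ET.fromstring(xml_text).iter("sig")}


def effective(default_xml, instance_xml):
    """Overlay the instance file on the defaults: a recorded tuning wins,
    anything not recorded in the instance falls through to the (new) default."""
    defaults, tuned = load(default_xml), load(instance_xml)
    return {sid: {**attrs, **tuned.get(sid, {})} for sid, attrs in defaults.items()}


def is_active(sig):
    """A signature only fires if it is both enabled and not retired."""
    return sig["enabled"] == "true" and sig["retired"] == "false"


if __name__ == "__main__":
    for label, default in (("s328", DEFAULT_S328), ("s356", DEFAULT_S356)):
        for sid, sig in effective(default, INSTANCE).items():
            print(f"{label} sig {sid}: active={is_active(sig)} {sig}")
```

Running it shows 2004 going inactive after the update even though its severity/action tunings still apply, while 3050 stays active because enabled/retired are pinned in the instance file.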

mhellman Wed, 09/17/2008 - 13:14

Good point Scott, I had forgotten about that. You have to think a bit about how the changes are saved before that makes sense. In any event, in my experience if Cisco retires a signature it should stay that way.
