I'd give this a qualified "maybe". There is a case where the signature team might have disabled or retired a signature. That disable/retired action could pull the signature from your active list. It will still appear tuned, but it will also be disabled and/or retired. Other parameters that the sig team changes will be overridden by your tunings.
The issue with the enable/retire settings is that they are default enabled and not retired.... When you tune a signature, the instance file (/usr/cids/idsRoot/etc/config/signatureDefinition/instances/sig?.xml) records the changes to the default settings (default.xml). Since the signature is enabled and not retired when you tune it(typically), you typically don't change that default. Now the signature team changes the default value, then there is nothing in the sig?.xml file to override the "new default" and the signature is disabled and or retired.
A workaround for this is that you can explicitly tune the signature to be enabled and not retired. This tuning will be stored in the instance file and override any changes to the default values.
The exception to the default value override is the signature team's use of "obsoletes"...they have the ultimate trump to replace one signature with another (but thats a topic in itself).
The customer's equivalent counter-trump is that they can clone the Cisco signature into a custom signature. The signature updates can't mess with them.
Scott C.
