IPS // some signatures can't be disabled (id > 50000)

Mar 9th, 2009

Hi,


I recently did an IPS installation and CSM integration at a customer, where I had the situation that I couldn't disable or modify some of the signatures via CSM. Specifically, the problem occurred with some signatures with signature IDs in the area of 50000.


One example for this behaviour is the signature # 50010 (WORM_SOBER). While the specific options are greyed-out in CSM, it seems to be possible to do it via IDM. Does anyone have a good explanation for this, or could it be a bug? Those signatures seem to be different from the other signatures, as I also could not find them on Security Center at CCO (http://tools.cisco.com/security/center/search.x?search=Signature).


Kind regards,

Florian

marcabal (Cisco Employee) Mon, 03/09/2009 - 07:24

The signatures in the 50,000 range of Signature IDs were generated by Trend. They are part of the "V1.4" set of signatures you see in the "show version" output.


These were supposed to be controlled by Cisco ICS, and so during CSM development it was decided to not have CSM manage them in order to prevent conflicts between Cisco ICS and CSM.

This is because CSM saves sensor configuration in its own database and would get out of sync with the sensor if Cisco ICS made changes.


IDM, on the other hand, does not save its own copy of the sensor configuration. Instead it always reads the configuration directly from the sensor. So any changes by Cisco ICS can be seen and managed by IDM. So IDM does have the capability to modify configuration for these signatures.


However, things have changed since Cisco ICS and CSM were originally released.

Cisco ICS is now End Of Sale, and no new V signatures are being created:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps6542/prod_end-of-life_notice0900aecd806d9cdb.html


So there is no longer a concern of Cisco ICS making changes without CSM's knowledge.

It would be safe now to allow CSM to manage and configure these 50,000+ range of signature IDs.

You might consider calling the TAC and asking them to enter an enhancement request to have CSM remove their restrictions on the 50,000+ signature IDs and allow you to now manage them through CSM.

(Requests like this have more weight when requested by customers rather than internal requests.)


As for not showing up on Security Center, the reason is these were developed by Trend.

However, you should be able to make a second enhancement request with the TAC to have these 50,000+ Signature IDs show up on Security Center.
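The answer above turns on one design point: a manager that keeps its own copy of the sensor configuration (CSM) will silently undo changes made by a manager that works on the live sensor (IDM or Cisco ICS) the next time it deploys, which is why one ID range was carved out of CSM's control. The following Python is an added illustration of that mechanism, not Cisco code and not anything from the thread: the `SigState` records, the two constructed snapshots, and the `UNMANAGED_MIN_ID` threshold of 50000 are assumptions modelled on the discussion, and the only value taken from the thread is signature 50010.

```python
"""Constructed example (not Cisco code): configuration drift between a
manager that caches a copy of sensor config and a manager that edits the
sensor live, and how carving out an ID range avoids the two overwriting
each other.
"""
from dataclasses import dataclass

# Assumption: the ID range the caching manager deliberately leaves alone,
# as the thread describes CSM doing for the Trend-sourced "V" signatures.
UNMANAGED_MIN_ID = 50000


@dataclass(frozen=True)
class SigState:
    enabled: bool
    severity: str


# Constructed sample: the copy the caching manager stored at its last deploy.
CACHED_COPY = {
    3030: SigState(enabled=True, severity="high"),
    5081: SigState(enabled=True, severity="medium"),
    50010: SigState(enabled=True, severity="high"),   # 50010 is the ID named in the thread
    50011: SigState(enabled=True, severity="medium"),
}

# Constructed sample: what the sensor reports now, after an operator used a
# live-editing tool to disable 50010 and also to disable 5081.
SENSOR_LIVE = {
    3030: SigState(enabled=True, severity="high"),
    5081: SigState(enabled=False, severity="medium"),
    50010: SigState(enabled=False, severity="high"),
    50011: SigState(enabled=True, severity="medium"),
}


def find_drift(cache, live, unmanaged_min=UNMANAGED_MIN_ID):
    """Compare the cached copy with the live sensor state.

    Returns (managed_drift, unmanaged_drift): each maps signature ID to a
    (cached, live) pair. Drift in the managed range is a real problem because
    a deploy will undo it; drift in the carved-out range is expected.
    """
    managed, unmanaged = {}, {}
    for sig_id in sorted(set(cache) | set(live)):
        cached, current = cache.get(sig_id), live.get(sig_id)
        if cached == current:
            continue
        target = unmanaged if sig_id >= unmanaged_min else managed
        target[sig_id] = (cached, current)
    return managed, unmanaged


def deploy_from_cache(cache, live, unmanaged_min=UNMANAGED_MIN_ID):
    """Simulate the caching manager pushing its copy back to the sensor.

    Signatures below the threshold take the cached values, which silently
    reverts any out-of-band change; the carved-out range is left untouched.
    """
    result = dict(live)
    for sig_id, state in cache.items():
        if sig_id < unmanaged_min:
            result[sig_id] = state
    return result


def reverted_by_deploy(cache, live, unmanaged_min=UNMANAGED_MIN_ID):
    """Signature IDs whose live state a cache-based deploy would overwrite."""
    after = deploy_from_cache(cache, live, unmanaged_min)
    return sorted(sig_id for sig_id in live if after.get(sig_id) != live[sig_id])


if __name__ == "__main__":
    managed, unmanaged = find_drift(CACHED_COPY, SENSOR_LIVE)
    print("drift in managed range (undone on next deploy):", managed)
    print("drift in carved-out range (left to the other tool):", unmanaged)
    print("IDs a deploy would revert:", reverted_by_deploy(CACHED_COPY, SENSOR_LIVE))
```

With the threshold at 50000 the change to 50010 is reported as expected drift and survives a deploy, while the live change to 5081 would be reverted; lowering the threshold to 0 (i.e. the caching manager owns nothing) makes every change survive, and raising it above all IDs in use recreates exactly the conflict the answer warns about. A periodic comparison of this kind against the live sensor is the practical check when two tools share a device.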


Florian Pressler Mon, 03/09/2009 - 08:51

Hi & thanks for your response.


I wasn't aware that there are Trend signatures in the Cisco IPS products. I searched CCO for more info on this topic, but couldn't find any. Not on CCO, and not in my Cisco VT documents.


Are these signatures working with just the Cisco hardware, or is this some kind of integration into a Trend product? Why did Cisco go for this, as they have their own global team creating signatures?


Thanks,

Florian
