Non-tuned (default disabled) Sig is enabled.

Unanswered Question
Mar 11th, 2009

If I understand the release notes correctly, sig 6979 is default disabled per S366. I am well past that release and on the 6.1(2)E3 engine.

However, this alarm fires from our proxy server as the attacker. Researching, I find in the Cisco Security Search site that this sig is currently disabled. Reviewing release notes, it appears to have been disabled in S366. Examining my signature 6979, it is neither disabled nor “tuned.” When I uncheck the “Enabled” box, only then does the sig become “tuned.”

I do not recall ever specifically enabling this signature.

My greater concern is that I thought I would be operating on the Cisco defaults. I thought that when Cisco disables a signature at some signature release, on that release or later that sig would be disabled on my system.

Have I done something wrong in my update process with the signatures? I used the command line, not the GUI, for signatures and engine upgrades BTW.


vmoopeung Tue, 03/17/2009 - 07:06

Some signatures can be tuned. Tuning signatures at the group level can become complex, because a group can have any sensors of any version. If you need to tune a signature at the group level, and the group involved has different micro-engines, the IDS MC GUI shows you a context. The context uniquely identifies a grouping of signature versions and a signature micro-engine.

bnidacoc Tue, 03/17/2009 - 11:56


Well, I was not trying to tune anything. This sig, according to the Cisco Signature Release Notes, was reportedly disabled; however, it was actually enabled and NOT classified as "tuned." The absence of the "tuned" state means I did not accidentally or unknowingly enable it.

As there was no activity from the forum, I opened up a ticket with TAC and it was reported to me that the sig was accidentally re-enabled in various signature releases.

