If I understand the release notes correctly, sig 6979 is default disabled per S366. I am well past that release and on the 6.1(2)E3 engine.
However, this alarm fires from our proxy server as the attacker. Researching, I find in the Cisco Security Search site, http://tools.cisco.com/security/center/search.x?search=Signature, that this sig is currently disabled. Reviewing release notes, it appears to have been disabled in S366. Examining my signature 6979, it is neither disabled nor "tuned." When I uncheck the "Enabled" box, only then does the sig become "tuned."
I do not recall ever specifically enabling this signature.
My greater concern is that I thought I would be operating on the Cisco defaults. I thought that when Cisco disables a signature at some signature release, on that release or later that sig would be disabled on my system.
Have I done something wrong in my update process with the signatures? I used the command line, not the GUI, for signatures and engine upgrades BTW.