
Non-tuned (default disabled) Sig is enabled.

bnidacoc
Level 1

If I understand the release notes correctly, sig 6979 is default disabled per S366. I am well past that release and on the 6.1(2)E3 engine.

However, this alarm fires with our proxy server as the attacker. Researching, I find on the Cisco Security Search site, http://tools.cisco.com/security/center/search.x?search=Signature, that this sig is currently disabled. Reviewing release notes, it appears to have been disabled in S366. Examining my signature 6979, it is neither disabled nor “tuned.” When I uncheck the “Enabled” box, only then does the sig become “tuned.”

I do not recall ever specifically enabling this signature.

My greater concern is that I thought I would be operating on the Cisco defaults. I thought that when Cisco disables a signature at some signature release, on that release or later that sig would be disabled on my system.

Have I done something wrong in my update process with the signatures? I used the command line, not the GUI, for signatures and engine upgrades BTW.

Thanks.

2 Replies

vmoopeung
Level 5

Some signatures can be tuned. Tuning signatures at the group level can become complex, because a group can have any sensors of any version. If you need to tune a signature at the group level, and the group involved has different micro-engines, the IDS MC GUI shows you a context. The context uniquely identifies a grouping of signature versions and a signature micro-engine.

http://www.cisco.com/en/US/docs/security/security_management/vms/ips_mc/2.2/user/guide/ch05.html#wp481259

Thanks,

Well, I was not trying to tune anything. This sig, which according to the Cisco Signature Release Notes was reportedly disabled, was actually enabled and NOT classified as "tuned." The absence of the "tuned" state means I did not accidentally or unknowingly enable it.

As there was no activity from the forum, I opened up a ticket with TAC and it was reported to me that the sig was accidentally re-enabled in various signature releases.
