03-11-2009 08:15 AM - edited 03-10-2019 04:32 AM
If I understand the release notes correctly, sig 6979 is default disabled per S366. I am well past that release and on the 6.1(2)E3 engine.
However, this alarm fires from our proxy server as the attacker. Researching, I find in the Cisco Security Search site, http://tools.cisco.com/security/center/search.x?search=Signature, that this sig is currently disabled. Reviewing release notes, it appears to have been disabled in S366. Examining my signature 6979, it is neither disabled nor "tuned." When I uncheck the "Enabled" box, only then does the sig become "tuned."
I do not recall ever specifically enabling this signature.
My greater concern is that I thought I would be operating on the Cisco defaults. I thought that when Cisco disables a signature at some signature release, on that release or later that sig would be disabled on my system.
Have I done something wrong in my update process with the signatures? I used the command line, not the GUI, for signatures and engine upgrades BTW.
Thanks.
03-17-2009 07:06 AM
Some signatures can be tuned. Tuning signatures at the group level can become complex, because a group can have any sensors of any version. If you need to tune a signature at the group level, and the group involved has different micro-engines, the IDS MC GUI shows you a context. The context uniquely identifies a grouping of signature versions and a signature micro-engine.
03-17-2009 11:56 AM
Thanks,
Well, I was not trying to tune anything. This sig, which according to Cisco Signature Release Notes was reportedly disabled, was actually enabled and NOT classified as "tuned." The absence of the "tuned" state means I did not accidentally or unknowingly enable it.
As there was no activity from the forum, I opened up a ticket with TAC and it was reported to me that the sig was accidentally re-enabled in various signature releases.