S387 Signature set contains quite a few new signatures

Answered Question
Mar 20th, 2009

It appears the S387 signature set contains quite a few new signatures. Many of the signatures are disabled by default, and the ones that I checked are for older vulnerabilities.

Is this simply a back-fill of older vulnerabilities using the newer engine capabilities, or is there another effort going on behind the scenes?

smalkeric Thu, 03/26/2009 - 09:19

All signature updates are cumulative. The S387 signature update contains all previously released signature updates.

You must have a valid Cisco Services for IPS contract per sensor to receive and use software upgrades including signature updates from Cisco.com.

A Cisco Services for IPS Services License is required for the installation of all signature updates. The Cisco Services for IPS Services License can be requested from http://www.cisco.com/go/license for all sensors covered by a maintenance contract.

The S387 signature update can ONLY be applied to E3 sensors.

srdroppers Thu, 03/26/2009 - 11:42

I realize the signature sets are cumulative. It seemed the S387 set had a much larger than usual number of "new" signatures, some of the new signatures for vulnerabilities that have been around for a while.

I am interested in why the large number of "new" signatures in S387.

Correct Answer
wsulym Fri, 03/27/2009 - 07:58

You pretty much nailed it the first time.

To keep it short, we are leveraging new engine technologies to back-fill coverage as well as responding to customer requests for specific coverage. Many of these requests are for older vulnerabilities that we don't feel are broadly applicable, so we are creating the signatures but releasing them retired. We're leaving the decision up to the end customer to unretire the signatures if it's something you feel you want or need.

We'll be slowly releasing more signatures in upcoming updates, so expect more to come, but similar in nature.
