when and why do we disable/retire signatures

Unanswered Question
Mar 20th, 2009

The question comes up every now and again - when do we (IPS signature team) disable or retire signatures.

Remember that there is a difference between disabled and retired. Essentially:

Disabled/enabled - turns the written alert off/on.

Retired/active - signature "does not"/"does" get compiled in memory.

As a rule of thumb, we will release signatures active and enabled.

We may release a signature disabled by default if the vulnerability is severe, but it is unlikely that the software is in wide-spread use.

We may disable a signature that in certain environments would fire excessively on benign traffic.

We will generally release policy signatures (for example, MSN traffic, AIM traffic, p2p, etc.) as disabled by default since they alert on legitimate and normally expected traffic for that application/protocol.

It is up to the organization to enable the alerts if they care to.

We will disable and retire signatures where the vulnerability is 18+ months old, is not a protocol vulnerability (tcp, udp, ip, http, etc.), and has had no active exploitation in the past 6 months.

There will always be exceptions, but this covers most scenarios.
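The rules above (release active and enabled by default; release disabled when the signature is a policy signature, is noisy on benign traffic in some environments, or covers a severe vulnerability in little-used software; disable and retire when the vulnerability is 18+ months old, is not a protocol-level vulnerability, and has seen no active exploitation in the past 6 months) can be turned into a small audit over a signature inventory. The following is an added example and is not Cisco's own code or tooling; the `Signature` record, its field names and the sample entries are constructed for illustration, and the "protocol-level" set only contains the protocols the post names.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical: protocols whose vulnerabilities are treated as "protocol
# vulnerabilities" and therefore never retired on age alone (the post lists these).
PROTOCOL_LEVEL = {"tcp", "udp", "ip", "http"}

RETIRE_AGE_MONTHS = 18      # vulnerability must be at least this old
QUIET_MONTHS = 6            # and unexploited for at least this long


@dataclass
class Signature:
    """Constructed record describing what we know about one signature."""
    sig_id: str
    vuln_published: date
    affects_protocol: str            # "tcp", "udp", ... or "none" for an app-level bug
    last_seen_exploited: Optional[date]
    is_policy: bool = False          # e.g. IM / p2p detection, alerts on expected traffic
    noisy_on_benign: bool = False    # fires excessively on benign traffic in some environments
    severe_but_niche: bool = False   # severe vulnerability, software not in wide-spread use


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later` (negative if reversed)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


def retirement_candidate(sig: Signature, today: date) -> bool:
    """All three retirement conditions from the post must hold."""
    old_enough = months_between(sig.vuln_published, today) >= RETIRE_AGE_MONTHS
    not_protocol = sig.affects_protocol.lower() not in PROTOCOL_LEVEL
    quiet = (sig.last_seen_exploited is None
             or months_between(sig.last_seen_exploited, today) >= QUIET_MONTHS)
    return old_enough and not_protocol and quiet


def default_state(sig: Signature, today: date) -> tuple[str, str]:
    """Return (compile_state, alert_state): retired/active and disabled/enabled."""
    if retirement_candidate(sig, today):
        return ("retired", "disabled")        # not compiled into memory, no alert
    if sig.is_policy or sig.noisy_on_benign or sig.severe_but_niche:
        return ("active", "disabled")         # compiled, but alert off until the org opts in
    return ("active", "enabled")              # the rule-of-thumb default


def audit(sigs: list[Signature], today: date) -> dict[str, tuple[str, str]]:
    """Map every signature id to the default state the rules would give it."""
    return {s.sig_id: default_state(s, today) for s in sigs}


# Constructed sample inventory, evaluated as of the post's date.
TODAY = date(2009, 3, 20)
SAMPLE = [
    # 26 months old, app-level, last exploited 9 months ago -> retire
    Signature("sig-old-quiet", date(2007, 1, 1), "none", date(2008, 6, 1)),
    # same age, but exploited 3 months ago -> keep active and enabled
    Signature("sig-old-active", date(2007, 1, 1), "none", date(2008, 12, 15)),
    # old and quiet, but a TCP-level vulnerability -> never retired on age
    Signature("sig-tcp", date(2005, 6, 1), "tcp", None),
    # policy signature (IM traffic) -> active but disabled by default
    Signature("sig-im-policy", date(2009, 2, 1), "none", None, is_policy=True),
    # brand new, nothing special -> active and enabled
    Signature("sig-new", date(2009, 3, 1), "none", None),
]

if __name__ == "__main__":
    for sig_id, state in audit(SAMPLE, TODAY).items():
        print(f"{sig_id:15s} {state[0]:8s} {state[1]}")
```

Running the audit against a real signature export would mean filling the record from whatever metadata the sensor or signature update carries; the post does not describe those fields, so the record layout here is an assumption.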

mikecrowe4ICS_2 Mon, 03/07/2011 - 00:50

For any Cisco folks around here ...

This was written ~2 years ago, explaining the process/rationale behind default signature status configurations. 

Can you please indicate if the information in this post is still correct? Has anything changed regarding your SOP for default signature configurations?