why all the retired signatures?

Answered Question
Nov 21st, 2006

In some fairly recent signature upgrade(s), Cisco retired hundreds of signatures. Which sig update retired these signatures? Is there a list of them somewhere?

edadios Tue, 11/21/2006 - 19:40

We have evaluated the recently retired signatures, and considered the vulnerabilities being addressed would most likely no longer be applicable to customers' networks.


Retiring those signatures does increase the sensor's available resources, for more efficient use.


mhellman Mon, 11/27/2006 - 07:18

It seems strange to me that Cisco would retire signatures that are in the "tuned" state. I'm curious...what if we want to keep those signatures working? Won't they be retired after every signature update?

Correct Answer
marcabal Mon, 11/27/2006 - 09:31
User Badges:
  • Cisco Employee

There are 2 sets of configuration on the system:

1) default configuration - which is updated by the signature update

2) user tunings - "sig0" - which overrides what is in the default configuration


If a configuration option is included in both the default and in "sig0", then whatever is in "sig0" is what will take effect.

(NOTE: To see what is in "sig0" just run "show conf")


If a signature is "retired true" in default, then the user can modify the signature to "retired false" in "sig0" in order to activate/unretire it.

Once the user puts in "retired false" then it will always be "unretired" regardless of what Cisco puts in the default configuration.


You can even prevent future retiring of signatures.

If a signature is currently "retired false" and is active, you can still go ahead and add "retired false" into "sig0". The configuration in "sig0" and the default both list the signature as "retired false".

BUT if later on Cisco changes the signature to "retired true" you will still have "retired false" in "sig0", and your "retired false" will cause the signature to still remain active.

This way you can force a signature to always be active regardless of what a later signature update does.


As for your question of "Won't they be retired after every signature update?"

The answer is NO.

The default will contain "retired true", but if you put "retired false" into "sig0", then it will override the "retired true" in the current default as well as any new defaults from new signature updates.


mhellman Mon, 11/27/2006 - 10:13

I got it, thanks. It all makes perfect sense when I think about the underlying files (default.xml and sig0.xml). Sig updates create a new default.xml but leave sig0.xml untouched. If the retired attribute of a signature was never modified, then it will have whatever [possibly new] setting is in default.xml.
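The layering described in this thread, as an added example that is not part of the original posts or Cisco's code: a simplified Python model in which plain dicts stand in for default.xml and sig0.xml (not the sensor's real file format), using constructed signature IDs and a constructed `severity` setting. It reports which signatures an update newly retires and which stay active because sig0 carries "retired false", including the case of a signature that is tuned in sig0 but has no retired override.

```python
# Simplified model: "default" is replaced by every signature update,
# "sig0" holds user tunings and is left untouched by updates.
# All IDs and values below are constructed sample data.

def effective(default, sig0):
    """Return {sig_id: retired} with sig0 overrides applied on top of default."""
    result = {}
    for sig_id, settings in default.items():
        tuned = sig0.get(sig_id, {})
        # A setting present in sig0 wins; otherwise the default applies.
        result[sig_id] = tuned.get("retired", settings["retired"])
    return result

def update_impact(old_default, new_default, sig0):
    """Classify signatures that the update flips from active to retired."""
    after = effective(new_default, sig0)
    report = {"newly_retired": [], "kept_active_by_sig0": []}
    for sig_id, settings in new_default.items():
        if sig_id not in old_default:
            continue  # new signature, nothing was flipped
        if old_default[sig_id]["retired"] or not settings["retired"]:
            continue  # the update did not retire this signature
        if after[sig_id]:
            report["newly_retired"].append(sig_id)
        else:
            report["kept_active_by_sig0"].append(sig_id)
    return report

OLD_DEFAULT = {
    1001: {"retired": False},
    1002: {"retired": False},
    1003: {"retired": False},
    1004: {"retired": True},
}
# Constructed update that retires 1001-1003 in the defaults.
NEW_DEFAULT = {sig_id: {"retired": True} for sig_id in OLD_DEFAULT}
SIG0 = {
    1002: {"retired": False},    # explicit pin: survives the update
    1003: {"severity": "high"},  # tuned, but no "retired" override
}

if __name__ == "__main__":
    print(effective(NEW_DEFAULT, SIG0))
    print(update_impact(OLD_DEFAULT, NEW_DEFAULT, SIG0))
```

Signature 1003 shows the case raised earlier in the thread: a tuning in sig0 that does not set the retired attribute does not protect the signature from being retired by an update.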
