why all the retired signatures?

mhellman

In some fairly recent signature upgrade(s), Cisco retired hundreds of signatures. Which sig update retired these signatures? Is there a list of them somewhere?


We have evaluated the recently retired signatures, and considered the vulnerabilities being addressed would most likely no longer be applicable to customers' networks.

Retiring those signatures does increase the sensor's available resources, for more efficient use.

It seems strange to me that Cisco would retire signatures that are in the "tuned" state. I'm curious...what if we want to keep those signatures working? Won't they be retired after every signature update?

There are 2 sets of configuration on the system:

1) default configuration - which is updated by the signature update

2) user tunings - "sig0" - which overrides what is in the default configuration

If a configuration option is included in both the default and in "sig0", then whatever is in "sig0" is what will take effect.

(NOTE: To see what is in "sig0" just run "show conf")

If a signature is "retired true" in default, then the user can modify the signature to "retired false" in "sig0" in order to activate/unretire it.

Once the user puts in "retired false" then it will always be "unretired" regardless of what Cisco puts in the default configuration.

You can even prevent future retiring of signatures.

If a signature is currently "retired false" and is active, you can still go ahead and add "retired false" into "sig0". The configuration in "sig0" and the default both list the signature as "retired false".

BUT if later on Cisco changes the signature to "retired true" you will still have "retired false" in "sig0", and your "retired false" will cause the signature to still remain active.

This way you can force a signature to always be active regardless of what a later signature update does.

As for your question of "Won't they be retired after every signature update?"

The answer is NO.

The default will contain "retired true", but if you put "retired false" into "sig0", then it will override the "retired true" in the current default as well as any new defaults from new signature updates.

I got it, thanks. It all makes perfect sense when I think about the underlying files (default.xml and sig0.xml). Sig updates create a new default.xml but leave sig0.xml untouched. If the retired attribute of a signature was never modified, then it will have whatever [possibly new] setting is in default.xml.
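The precedence described in this thread, modelled as an added example (not code from the original posts or from Cisco): it resolves the effective "retired" state from the default layer plus "sig0", then reports which signatures an update newly retires and which stay active because of a "sig0" override. The dict layout, function names and signature IDs are assumptions made for illustration; the real default.xml and sig0.xml formats are not shown on the page.

```python
# Constructed model: the thread does not show the on-disk format, so each
# layer is a dict {(sig_id, subsig_id): {"retired": bool, ...}}.

def effective_retired(default, sig0):
    """Return {key: (retired, source)}; a value in sig0 overrides the default."""
    result = {}
    for key, settings in default.items():
        tuning = sig0.get(key, {})
        if "retired" in tuning:
            result[key] = (tuning["retired"], "sig0")
        else:
            result[key] = (settings["retired"], "default")
    return result

def audit_update(old_default, new_default, sig0):
    """Classify signatures whose default flipped to retired in an update."""
    after = effective_retired(new_default, sig0)
    report = {"newly_retired": [], "pinned_active": []}
    for key in sorted(new_default):
        if key not in old_default:
            continue  # new in this update, nothing to compare against
        flipped = new_default[key]["retired"] and not old_default[key]["retired"]
        if not flipped:
            continue
        retired, _source = after[key]
        # Retired in effect means coverage was lost; otherwise sig0 pinned it.
        report["newly_retired" if retired else "pinned_active"].append(key)
    return report

# Constructed sample data (signature IDs are made up for illustration).
OLD_DEFAULT = {(60001, 0): {"retired": False}, (60002, 0): {"retired": False},
               (60003, 0): {"retired": True}, (60004, 0): {"retired": False}}
NEW_DEFAULT = {(60001, 0): {"retired": True}, (60002, 0): {"retired": True},
               (60003, 0): {"retired": True}, (60004, 0): {"retired": False}}
# sig0 holds only user tunings; 60004 is tuned but its retired flag is untouched.
SIG0 = {(60002, 0): {"retired": False}, (60003, 0): {"retired": False},
        (60004, 0): {"severity": "high"}}

if __name__ == "__main__":
    print(audit_update(OLD_DEFAULT, NEW_DEFAULT, SIG0))
```

Signatures listed under "newly_retired" are the ones to review after an update, since nothing in "sig0" keeps them active.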
