
Gold

disabled vs. retired sig

Hi

I didn't get what the difference is between a disabled and a retired signature...

I read that retiring a sig saves sensor HW resources, but what about disabled???

Thx

M.

ACCEPTED SOLUTION
Cisco Employee

Re: disabled vs. retired sig

If you want to save HW resources then you need to retire unneeded signatures. Retiring/unretiring signatures forces the appliance to 'recompile' the signatures which are then loaded into memory.

Disabling/enabling signatures does only that. It does not impact what signatures have been compiled into memory.

As you can imagine, compiling signatures can be resource intensive. Perhaps something that you do not want to do during peak utilization -- so you may want to disable a signature that is not relevant for your environment as a prime time tuning activity. It is safe.

You may want to schedule retiring/unretiring signatures during a maintenance window.

I hope this helps.

Best Regards,

Troy McCarty

5 REPLIES

New Member

Re: disabled vs. retired sig

From this understanding that retired signatures are not active in the sensors memory, what is the state of a signature that is retired but enabled?

Cisco Employee

Re: disabled vs. retired sig

Nam,

Good question. (1) I verified that the system would allow one to retire an enabled signature. (2) I launched an attack against a server, which the IPS dropped. (3) I retired the signature which was providing the protection (4) I re-launched the attack. (5) The attack was dropped by the IPS.

I am very, very surprised. Software build is 5.1(3) S244.

Note to self: Self, don't retire enabled signature!

Best Regards,

Troy

Cisco Employee

Re: disabled vs. retired sig

Retired & Enabled is an invalid state (when you think about it, it doesn't really make sense). In any case, as the sensor parses the config, an error is generated and placed into the main log file stating just that - the sig is retired and disabled (no, you won't see that "error" as an event). Retired trumps disabled, so the sensor will pull that out of the cache.

What you're seeing is alerts generated by the lingering inspectors - once they time out, the alert will be gone. To force the inspectors to clear and start "fresh", you can reset the sensor.

In other words, the old config is still active until the sessions time out.
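The behaviour the accepted answer and the reply above describe (retiring or unretiring forces a recompile of the set loaded into memory, disabling only flips a flag, retired-and-enabled is rejected at config parse time with retired winning, and inspectors already open for a session keep the previous set until the session times out) as a small added Python model that replays Troy's steps (1)-(5). This is not Cisco's code and does not talk to a sensor; the signature id 2004, the session names and the 300-second idle timeout are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Signature:
    sig_id: int
    enabled: bool = True   # enabled/disabled: may a match alert or drop?
    retired: bool = False  # retired: excluded from the set compiled into memory


@dataclass
class Sensor:
    signatures: dict                            # sig_id -> Signature (stored config)
    compiled: frozenset = frozenset()           # sig ids currently compiled into memory
    compile_count: int = 0                      # number of (expensive) recompiles so far
    config_errors: list = field(default_factory=list)  # what the main log would record
    sessions: dict = field(default_factory=dict)       # session id -> (snapshot, expiry)
    idle_timeout: int = 300                     # assumed idle timeout for an inspector

    def compile(self) -> None:
        """Rebuild the in-memory set: only non-retired sigs are loaded.
        A retired+enabled sig is an invalid state; it is logged and treated
        as retired and disabled (retired trumps)."""
        self.compile_count += 1
        loaded = set()
        for sig in self.signatures.values():
            if sig.retired:
                if sig.enabled:
                    self.config_errors.append(
                        f"sig {sig.sig_id}: retired and enabled is invalid; "
                        "treating as retired and disabled")
                continue
            loaded.add(sig.sig_id)
        self.compiled = frozenset(loaded)

    def set_enabled(self, sig_id: int, value: bool) -> None:
        """Enable/disable only flips the flag; no recompile, so it is cheap at peak."""
        self.signatures[sig_id].enabled = value

    def set_retired(self, sig_id: int, value: bool) -> None:
        """Retire/unretire changes the compiled set, so it forces a recompile."""
        self.signatures[sig_id].retired = value
        self.compile()

    def inspect(self, session_id: str, sig_id: int, now: int) -> str:
        """Inspect one packet of a session; returns 'drop' or 'pass'.
        An inspector keeps the set that was compiled when its session started
        until the session idles out; a new session picks up the current set."""
        snapshot, expiry = self.sessions.get(session_id, (None, -1))
        if snapshot is None or now >= expiry:
            snapshot = self.compiled
        self.sessions[session_id] = (snapshot, now + self.idle_timeout)
        sig = self.signatures[sig_id]
        return "drop" if sig_id in snapshot and sig.enabled else "pass"


def replay_thread_scenario() -> dict:
    """Troy's steps (1)-(5), then the session timeout from the follow-up reply."""
    sensor = Sensor({2004: Signature(2004)})   # constructed sig id, not from the thread
    sensor.compile()
    out = {}
    out["before_retire"] = sensor.inspect("session-1", 2004, now=0)     # (2) dropped
    sensor.set_retired(2004, True)                                       # (3) retired while enabled
    out["lingering"] = sensor.inspect("session-1", 2004, now=10)        # (5) still dropped
    out["after_timeout"] = sensor.inspect("session-1", 2004, now=400)   # old inspector gone
    out["compiles"] = sensor.compile_count                               # initial + retire
    out["errors"] = list(sensor.config_errors)                           # the parse-time error
    return out


def disable_vs_retire_cost() -> dict:
    """Disabling never recompiles; retiring always does."""
    sensor = Sensor({1000: Signature(1000), 2004: Signature(2004)})
    sensor.compile()
    sensor.set_enabled(1000, False)            # prime-time tuning: no recompile
    out = {"compiles_after_disable": sensor.compile_count,
           "disabled_sig_result": sensor.inspect("session-2", 1000, now=0)}
    sensor.set_retired(1000, True)             # maintenance-window change: recompile
    out["compiles_after_retire"] = sensor.compile_count
    out["compiled_set"] = sensor.compiled
    return out


if __name__ == "__main__":
    print(replay_thread_scenario())
    print(disable_vs_retire_cost())
```

In the replay, the retired-but-enabled signature still drops the second attack because the inspector for the existing session holds the old compiled set; only a new session after the timeout (or a sensor reset) sees the set without it.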

Gold

Re: disabled vs. retired sig

As someone who has inadvertently made this boneheaded mistake more than once... Here's an idea ;-)

If it's an invalid state, don't let users configure a signature as both retired and enabled (or at least warn them during the process).
