11-06-2006 06:18 AM - edited 03-10-2019 03:18 AM
Hi
I didn't get what the difference is between a disabled and a retired signature...
I read that retired sigs save sensor HW resources, but what about disabled???
Thx
M.
11-06-2006 06:54 AM
If you want to save HW resources then you need to retire unneeded signatures. Retiring/unretiring signatures forces the appliance to 'recompile' the signatures which are then loaded into memory.
Disabling/enabling signatures does only that. It does not impact what signatures have been compiled into memory.
As you can imagine, compiling signatures can be resource intensive. Perhaps something that you do not want to do during peak utilization -- so you may want to disable a signature that is not relevant for your environment as a prime time tuning activity. It is safe.
You may want to schedule retiring/unretiring signatures during a maintenance window.
I hope this helps.
Best Regards,
Troy McCarty
11-08-2006 12:56 PM
From this understanding that retired signatures are not active in the sensor's memory, what is the state of a signature that is retired but enabled?
11-08-2006 10:19 PM
Nam,
Good question. (1) I verified that the system would allow one to retire an enabled signature. (2) I launched an attack against a server, which the IPS dropped. (3) I retired the signature which was providing the protection. (4) I re-launched the attack. (5) The attack was dropped by the IPS.
I am very, very surprised. Software build is 5.1(3) S244.
Note to self: Self, don't retire enabled signature!
Best Regards,
Troy
11-09-2006 06:04 AM
Retired & Enabled is an invalid state (when you think about it, it doesn't really make sense). In any case, as the sensor parses the config, an error is generated and placed into the main log file stating just that - the sig is retired and disabled (no, you won't see that "error" as an event). Retired trumps disabled, so the sensor will pull that out of the cache.
What you're seeing is alerts generated by the lingering inspectors - once they time out, the alert will be gone. To force the inspectors to clear and start "fresh", you can reset the sensor.
In other words, the old config is still active until the sessions time out.
11-09-2006 06:08 AM
As someone who has inadvertently made this boneheaded mistake more than once... Here's an idea ;-)
If it's an invalid state, don't let users configure a signature as both retired and enabled (or at least warn them during the process).
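A pre-change check in the spirit of the suggestion above, as an added example that is not part of the thread or the vendor's code: it compares two configuration snapshots and reports signatures left retired and enabled, retire/unretire changes (which force a recompile, so they belong in a maintenance window), and enable/disable-only changes. The `signatures <id> <subid>` / `status` / `enabled` / `retired` text layout, the function names, and the signature IDs are assumptions constructed for the example.

```python
import re

SIG_RE = re.compile(r"^signatures\s+(\d+)\s+(\d+)$")
FLAG_RE = re.compile(r"^(enabled|retired)\s+(true|false)$")

def parse_status(config_text):
    """Map (sig_id, subsig_id) -> {"enabled": bool, "retired": bool}."""
    sigs, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SIG_RE.match(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            sigs[current] = {}
        elif current is not None and (m := FLAG_RE.match(line)):
            sigs[current][m.group(1)] = m.group(2) == "true"
    return sigs

def review_change(old_text, new_text):
    """Classify every signature whose status differs between two snapshots."""
    old, new = parse_status(old_text), parse_status(new_text)
    report = {"invalid": [], "maintenance_window": [], "safe_anytime": []}
    for sig, flags in sorted(new.items()):
        before = old.get(sig, {})
        if flags.get("retired") and flags.get("enabled"):
            report["invalid"].append(sig)             # retired + enabled
        if flags.get("retired") != before.get("retired"):
            report["maintenance_window"].append(sig)  # retire/unretire: recompile
        elif flags.get("enabled") != before.get("enabled"):
            report["safe_anytime"].append(sig)        # enable/disable only
    return report

def block(sig, sub, enabled, retired):
    """Build one constructed signature stanza (assumed layout)."""
    return (f"signatures {sig} {sub}\nstatus\nenabled {enabled}\n"
            f"retired {retired}\nexit\nexit\n")

# Constructed snapshots: signature IDs are made up for the example.
OLD = (block(1001, 0, "true", "false") + block(1002, 0, "true", "false")
       + block(1003, 1, "true", "false"))
NEW = (block(1001, 0, "false", "false")   # disabled only
       + block(1002, 0, "true", "true")   # retired but left enabled
       + block(1003, 1, "false", "true")) # disabled and retired

if __name__ == "__main__":
    for category, sigs in review_change(OLD, NEW).items():
        print(f"{category}: {sigs}")
```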