disabled vs. retired sig

m.sir
Level 7

Hi

I didn't get what the difference is between a disabled and a retired signature...

I read that retired signatures save sensor HW resources, but what about disabled ones?

Thx

M.

Accepted Solution

trmccart
Cisco Employee

If you want to save HW resources then you need to retire unneeded signatures. Retiring/unretiring signatures forces the appliance to 'recompile' the signatures which are then loaded into memory.

Disabling/enabling signatures does only that. It does not impact what signatures have been compiled into memory.

As you can imagine, compiling signatures can be resource intensive. Perhaps something that you do not want to do during peak utilization -- so you may want to disable a signature that is not relevant for your environment as a prime time tuning activity. It is safe.

You may want to schedule retiring/unretiring signatures during a maintenance window.

I hope this helps.

Best Regards,

Troy McCarty

5 Replies

From this understanding that retired signatures are not active in the sensor's memory, what is the state of a signature that is retired but enabled?

Nam,

Good question. (1) I verified that the system would allow one to retire an enabled signature. (2) I launched an attack against a server, which the IPS dropped. (3) I retired the signature which was providing the protection (4) I re-launched the attack. (5) The attack was dropped by the IPS.

I am very, very surprised. Software build is 5.1(3) S244.

Note to self: Self, don't retire enabled signature!

Best Regards,

Troy

Retired & Enabled is an invalid state (when you think about it, it doesn't really make sense). In any case, as the sensor parses the config, an error is generated and placed into the main log file stating just that - the sig is retired and disabled (no, you won't see that "error" as an event). Retired trumps disabled, so the sensor will pull that out of the cache.

What you're seeing is alerts generated by the lingering inspectors - once they time out, the alert will be gone. To force the inspectors to clear and start "fresh", you can reset the sensor.

In other words, the old config is still active until the sessions time out.

As someone who has inadvertently made this boneheaded mistake more than once... Here's an idea ;-)

If it's an invalid state, don't let users configure a signature as both retired and enabled (or at least warn them during the process).
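The following is an added example, not code from this thread or from Cisco. It is a small Python model of the behaviour the posts describe, covering both the accepted answer (disabling flips a flag without recompiling, retiring forces a recompile of the in-memory set) and the later replies (retired + enabled is an invalid state that the parser warns about and treats as retired, while inspectors already bound to the old compiled set keep alerting until they time out or the sensor is reset). The signature IDs 2004 and 3000, the match strings and the "attack" payload are constructed for the demo and are not real signature content; the warning text is likewise an assumption about what the sensor's log line would say.

```python
"""Toy model of disable vs. retire on an IPS sensor (added example, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass
class Signature:
    sig_id: int
    enabled: bool = True
    retired: bool = False
    matches: str = ""  # constructed: substring this toy signature looks for in a payload


@dataclass
class Sensor:
    sigs: dict = field(default_factory=dict)      # configured signatures
    compiled: dict = field(default_factory=dict)  # signatures currently loaded into "memory"
    compile_count: int = 0                        # how many expensive recompiles have run
    warnings: list = field(default_factory=list)  # parse-time complaints (assumed wording)
    sessions: list = field(default_factory=list)  # open inspectors, each pinned to a compiled set

    def validate(self):
        """Mirror the config parse: retired+enabled is invalid; retired wins."""
        self.warnings = [
            f"sig {s.sig_id}: retired and enabled is invalid, treating as retired"
            for s in self.sigs.values() if s.retired and s.enabled
        ]
        return self.warnings

    def compile(self):
        """Expensive step: rebuild the in-memory set from every non-retired signature."""
        self.validate()
        self.compiled = {k: s for k, s in self.sigs.items() if not s.retired}
        self.compile_count += 1

    def set_enabled(self, sig_id, value):
        # Cheap: only the flag changes; nothing is recompiled, so it is safe at peak time.
        self.sigs[sig_id].enabled = value

    def set_retired(self, sig_id, value):
        # Expensive: membership of the compiled set changes, so the sensor recompiles.
        self.sigs[sig_id].retired = value
        self.compile()

    def open_session(self):
        """A new inspector binds to whatever set is compiled right now."""
        sess = set(self.compiled)
        self.sessions.append(sess)
        return sess

    def inspect(self, session, payload):
        """The enabled flag is read live; membership is pinned to the session's compiled set."""
        return sorted(
            sid for sid in session
            if self.sigs[sid].enabled and self.sigs[sid].matches in payload
        )

    def reset(self):
        """Sensor reset: drop lingering inspectors and start from a fresh compile."""
        self.sessions.clear()
        self.compile()


def run_demo():
    """Replay the thread's experiment and return what each step observed."""
    s = Sensor()
    s.sigs[2004] = Signature(2004, matches="ICMP-ECHO")  # constructed id and pattern
    s.sigs[3000] = Signature(3000, matches="SYN-FLOOD")  # constructed id and pattern
    s.compile()
    out = {"compiles_after_load": s.compile_count}

    attack = "ICMP-ECHO flood"  # constructed payload
    old = s.open_session()
    out["baseline"] = s.inspect(old, attack)

    s.set_enabled(2004, False)                       # prime-time tuning: no recompile
    out["after_disable"] = s.inspect(old, attack)
    out["compiles_after_disable"] = s.compile_count

    s.set_enabled(2004, True)
    s.set_retired(2004, True)                        # retiring an enabled sig: invalid state
    out["warnings"] = list(s.warnings)
    out["compiles_after_retire"] = s.compile_count
    out["old_session_after_retire"] = s.inspect(old, attack)            # lingering inspector
    out["new_session_after_retire"] = s.inspect(s.open_session(), attack)

    s.reset()
    out["after_reset"] = s.inspect(s.open_session(), attack)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point the model makes concrete: the inspector opened before the retire still reports 2004 afterwards, exactly what the "retired but still dropping" experiment in the thread saw, while any session opened after the recompile (and everything after a reset) no longer has that signature in its set. The `validate` step is the lint a practitioner would want to run over a config before applying it, so the retired + enabled combination is caught up front rather than discovered in the log file.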
