Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

IPS // some signatures can't be disabled (id > 50000)

Hi,

I recently did an IPS-Installation and CSM-Integration at a customer, where I had the situation that I couldn't disable or modify some of the signatures via CSM. Specifically the problem occured with some signatures with signature-ids in the area of 50000.

One example for this behaviour is the signature # 50010 (WORM_SOBER). While the specific options are greyed-out in CSM, it seems to be possible to do it via IDM. Does anyone have a good explanation for this, or could it be a bug? Those signatures seem to be different from the other signatures, as I also could not find them on Security Center at CCO (http://tools.cisco.com/security/center/search.x?search=Signature).

kind regards,

Florian

3 REPLIES
Cisco Employee

Re: IPS // some signatures can't be disabled (id > 50000)

The signatures in the 50,000 range of Signature IDs were generated by Trend. They are part of the "V1.4" set of signatures you see in the "show version" output.

These were supposed to be controlled by Cisco ICS, and so during CSM development it was decided to not have CSM manage them in order to prevent conflicts between Cisco ICS and CSM.

This is because CSM saves sensor configuration in it's own database and would get out of sync with the sensor if Cisco ICS made changes.

IDM, on the other hand, does not save it't own copy of the sensor configuration. Instead it always read the configuration directly from the sensor. So any changes by Cisco ICS can be seen and managed by IDM. So IDM does have the capability to modify configuration for these signatures.

However, things have changes since Cisco ICS and CSM were originally released.

Cisco ICS is now End Of Sale, and no new V signatures are being created:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps6542/prod_end-of-life_notice0900aecd806d9cdb.html

So there is no longer a concern of Cisco ICS making changes without CSM's knowledge.

It would be safe now to allow CSM to manage and configure these 50,000+ range of signature IDs.

You might consider caling the TAC and asking them to enter an enhancement request to have CSM remove their restrictions on the 50,000+ signature IDs and allow you to now manage them through CSM.

(Requests like this have more weight when requested by customers rather than internal requests.)

As for not showing up on Security Center, the reason is these were developed by Trend.

However, you should be able to make a second enhancement request with the TAC to have these 50,000+ Signature Ids show up on Security Center.

Community Member

Re: IPS // some signatures can't be disabled (id > 50000)

Hi & thanks for your response.

I wasn't aware that are Trend-signatures in the Cisco IPS-products. I searched CCO for more info on this topic, but couldn't find any. Not on CCO, and not in my Cisco-VT documents.

Are these signatures working with just the Cisco-hardware, or is this some kind of integration into a Trend-product? Why did Cisco go for this, as they have their own global team creating signatures?

Thanks,

Florian

Community Member

IPS // some signatures can't be disabled (id > 50000)

This was a great explanation.

Thank You for that.

Jesse

217
Views
0
Helpful
3
Replies
CreatePlease to create content