I noticed that the S214 signature upgrade contains a couple of 5.1-only signatures (see below). Given all the problems customers are having with this release, and Cisco's troubleshooting efforts being limited to "rebuild as 5.0", this is quite insulting.
Does Cisco plan to actually continue this trend (5.1-only sigs)? What does 5.1 bring to the table technically that is resulting in 5.1-only sigs? Any chance we can get a timetable on when Cisco will address the issues with 5.1?
5.1 5726.0 Active Directory Failed Login MULTI-STRING Medium True
5.1 5726.1 Active Directory Failed Login MULTI-STRING Medium True
These signatures were 5.1 only signatures because they could not be written in 5.0 or 4.1.
The signatures were written in a new Multi-String engine. The Multi-String engine is seen on both 5.0 and 5.1 sensors because they share the same typedefs and signature settings, but any signatures written within the Multi-String engine will only be loaded in a 5.1 sensor.
So 5.1 does have new functionality that allows it to monitor for these signatures that is not available in 5.0.
The signature team did research into being able to use a different engine that would be supported by 5.0, but found parameter limitations that would prevent these signatures from working properly.
Does Cisco plan to continue generating 5.1 only sigs?
Yes, but only in cases where the signature can NOT be written in 5.0.
Today the signature team bases its development primarily on what is available in 5.0. If the signature can be created with an existing 5.0 signature engine, then that is what they will use. These signatures work just the same in 5.1, so 5.1 users get the signature as well.
It is only in the rare cases where 5.0 engines are not capable of monitoring for the attack that a 5.1 only signature would be created.
As for fixes to 5.1, Cisco is working on a Service Pack to address 5.1 issues, but I am not sure of the timetable for those fixes.
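Added example, not code from this thread or from Cisco: a small Python check that parses update lines in the six-field layout quoted in the question and reports which signatures a sensor at a given version will not load, so that a 5.0 or 4.1 deployment can see its detection coverage gap before the update is applied. The column meanings (minimum version, signature id, name, engine, severity, enabled) and the third sample line are assumptions.

```python
from dataclasses import dataclass

# Constructed sample: the first two lines copy the layout quoted in the
# question, the third is made up to show a signature that does load on 5.0.
SAMPLE_LISTING = """\
5.1 5726.0 Active Directory Failed Login MULTI-STRING Medium True
5.1 5726.1 Active Directory Failed Login MULTI-STRING Medium True
5.0 9999.0 Example Generic Probe STRING-TCP Low True
"""


@dataclass
class Signature:
    min_version: tuple   # assumed meaning of the first column
    sig_id: str
    name: str
    engine: str
    severity: str
    enabled: bool


def parse_version(text):
    """'5.1' -> (5, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_listing(text):
    """Parse one signature per line; the name may contain several words."""
    sigs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or malformed line, skip rather than guess
        version, sig_id, *name, engine, severity, enabled = fields
        sigs.append(Signature(parse_version(version), sig_id, " ".join(name),
                              engine, severity, enabled == "True"))
    return sigs


def unloadable_on(sigs, sensor_version):
    """Signatures whose minimum version exceeds the sensor's version."""
    sensor = parse_version(sensor_version)
    return [s for s in sigs if s.min_version > sensor]


def coverage_gap(text, sensor_version):
    """Map engine -> signature ids a sensor of this version silently drops."""
    gap = {}
    for sig in unloadable_on(parse_listing(text), sensor_version):
        gap.setdefault(sig.engine, []).append(sig.sig_id)
    return gap
```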