Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.


new sigs for [broken] 5.1 only?

I noticed that the S214 signature upgrade contains a couple 5.1 only signatures (see below)? Given all the problems customers are having with this release, and Cisco's troubleshooting efforts being limited to "rebuild as 5.0", this is quite insulting.

Does Cisco plan to actually continue this trend(5.1 only sigs)? What does 5.1 bring to the table technically that is resulting in 5.1 only sigs? Any chance we can get a timetable on when Cisco will address the issues with 5.1?

5.1 5726.0 Active Directory Failed Login MULTI-STRING Medium True

5.1 5726.1 Active Directory Failed Login MULTI-STRING Medium True

  • Intrusion Prevention Systems/IDS
Cisco Employee

Re: new sigs for [broken] 5.1 only?

These signatures were 5.1 only signatures because they could not be written in 5.0 or 4.1.

The signatures were written in a new Multi-String engine. The Multi-String engine is seen on both 5.0 and 5.1 sensors because they share the same typedefs and signature settings, but any signatures written within the Multi-String engine will only be loaded in a 5.1 sensor.

So 5.1 does have new functionality that allows it to monitor for these signatures that is not available in 5.0.

The signature team did research into being able to use a different engine that would be supported by 5.0, but found parameter limitations that would prevent these signatures from working properly.

Does Cisco plan to continue generating 5.1 only sigs?

Yes, but only in cases where the signature can NOT be written in 5.0.

Today the signature team bases it's development primarily on what is available in 5.0. If the signature can be created with an existing 5.0 signature engine then that is what they will use. These signatures work just the same in 5.1 so 5.1 users get the signature as well.

It is only in the rare cases where 5.0 engines are not capable of monitoring for the attack that a 5.1 only signature would be created.

As for fixes to 5.1, Cisco is working on a Service Pack to address 5.1 issues, but I am not sure of the timetable for those fixes.