New Member

Sig Description - 5.x Platform Only

For some of the IPS-IDS signatures, the description says "signature is only available on the 5.x platform". Sometimes it adds "obsoletes signature <X> on the 5.x platform."

Does this actually mean "5.x OR LATER", such as a sensor running 7.x? Or is it really only 5.x?

Example signatures stating this:

Can anyone provide clarification on this?

Cisco Employee

Re: Sig Description - 5.x Platform Only

Those signatures are still available in version 7.0; however, some are not enabled by default.

Every Cisco signature pack comes with default "enabled" signatures, and Cisco dynamically retires or disables signatures in new signature packs accordingly; these changes are documented in the release notes of each signature pack update.

I have double checked the 4 enquired signatures on version 7.0.1(E3), and they are not retired.

However, some of them are disabled (you can manually enable them if you deem that your environment might still be affected by those signatures) --> normally they are disabled for a reason by the development team (i.e., no longer applicable).

From your list,  please find the following:

- 3564/0 --> not retired, and enabled

- 4607/6 --> not retired, but disabled (4607/1 --> retired)

- 6203/1 --> not retired, but disabled

- 9401/2 --> not retired, but disabled

To check whether a particular signature is retired or not, you can go to the Cisco SIO page (under signature search):

http://tools.cisco.com/security/center/search.x

Choose Search: Signatures, keywords: the actual signature (for example: 4607); it will then give you a list of all 4607 sub-signatures.

Compare the following 2 sub-signatures when you click on the actual signature name of the corresponding sub-signature:

4607/6 --> not retired (it lists "Default Retired:False")

4607/1 --> retired (it lists "Default Retired:True")

Hope that helps.

New Member

Re: Sig Description - 5.x Platform Only

Jennifer --

Thanks for your reply.  Let me make sure I understand.

If a signature with this description (only 5.x) is available for configuration - retired or not - it can work on the 7.x platform.  Is that correct?

The signature default configurations also mean:

| Status | Explanation |
| --- | --- |
| Enabled, Not Retired | Recommended by Cisco for use |
| Disabled, Not Retired | Not recommended for default use, but possibly useful in some environments. Reasons for default disable could be: no longer applicable, high resource use with low return, high probability of false positives, etc. |
| Disabled, Retired | Not recommended for default use. Not likely needed for most environments. Possibly obsolete due to newer signature. |
| Enabled, Retired | Not a default configuration (except for "LowMem/MedMem Retired") |

Does all of that look correct?

Thanks for your help!

Cisco Employee

Re: Sig Description - 5.x Platform Only

Yes, you are absolutely correct with all the statements.

New Member

Re: Sig Description - 5.x Platform Only

I wanted to do a separate reply about the part you mentioned with the 4607 sigs/sub-sigs.  The main signature (4607/0) is default disabled and retired. However, the sub-signature 4607-5 is enabled by default, and obsoletes 4607/0.

In cases like this, where the main signature (/0) is disabled/retired, does the sub-signature even work?  Are the sub-signatures not actually dependent on the main signature, just grouped together?

I always thought it was a dependent relationship, but perhaps I misunderstood.

Thanks.

Cisco Employee

Re: Sig Description - 5.x Platform Only

In terms of signatures with sub-signatures, 0 does not mean that it is the main signature. The sub-signature always starts from the number "0". Comparing sub-signature "0" and "1" for example, they will be inspecting different things within the same signature name, hence retiring sub-signature 0 is not dependent on other active/enabled sub-signatures.

Hope that clears the confusion.

New Member

Re: Sig Description - 5.x Platform Only

Great.  Thanks very much for clearing that up for me.  I might have gone enabling and un-retiring a bunch of unneeded signatures otherwise!!

Cisco Employee

Re: Sig Description - 5.x Platform Only

Cheers, and thanks for the ratings.
