Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
727
Views
0
Helpful
1
Replies

when and why do we disable/retire signatures

wsulym
Cisco Employee
Cisco Employee

‎03-20-2009 08:34 AM - edited ‎03-10-2019 04:33 AM

The question comes up every now and again - when do we (IPS signature team) disable or retire signatures.

Remember that there is a difference between disabled and retired. Essentially:

Disabled/enabled - turns the written alert off/on.

Retired/active - signature "does not"/"does" get compiled in memory.

As a rule of thumb, we will release signatures active and enabled.

We may release a signature disabled by default if the vulnerability is severe, but it is unlikely that the software is in wide-spread use.

We may disable a signature that in certain environments would fire excessively on benign traffic.

We will generally release policy signatures (for example, MSN traffic, AIM traffic, p2p, etc.) as disabled by default since they alert on legitimate and normally expected traffic for that application/protocol.

It is up to the organization to enable the alerts if they care too.

We will disable and retire signatures where the vulnerability is 18+ months old, is not a protocol vulnerability (tcp, udp, ip, http, etc.), and has had no active exploitation in the past 6 months.

There will always be exceptions, but this covers most scenarios.

Labels:
0 Helpful
1 Reply 1

mikecrowe4ICS_2
Level 1
Level 1

‎03-07-2011 12:50 AM

For any Cisco folks around here ...

This was written ~2 years ago, explaining the process/rationale behind default signature status configurations. 

Can you please indicate if the information is this post is still correct?  Has anything changed regarding your SOP for default signature configurations?

Thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card