11-21-2006 08:27 AM - edited 03-10-2019 03:20 AM
In some fairly recent signature upgrade(s), Cisco retired hundreds of signatures. Which sig update retired these signatures? Is there a list of them somewhere?
11-21-2006 09:00 AM
found them here:
but would still like to know why. Was it a resource issue?
11-21-2006 07:40 PM
We have evaluated the recently retired signatures, and considered the vulnerabilities being addressed would most likely no longer be applicable to customers' networks.
Retiring those signatures does increase the sensor's available resources, for more efficient use.
11-27-2006 07:18 AM
It seems strange to me that Cisco would retire signatures that are in the "tuned" state. I'm curious...what if we want to keep those signatures working? Won't they be retired after every signature update?
11-27-2006 09:31 AM
There are 2 sets of configuration on the system:
1) default configuration - which is updated by the signature update
2) user tunings - "sig0" - which overrides what is in the default configuration
If a configuration option is included in both the default and in "sig0", then whatever is in "sig0" is what will take effect.
(NOTE: To see what is in "sig0" just run "show conf")
If a signature is "retired true" in default, then the user can modify the signature to "retired false" in "sig0" in order to activate/unretire it.
Once the user puts in "retired false" then it will always be "unretired" regardless of what Cisco puts in the default configuration.
You can even prevent future retiring of signatures.
If a signature is currently "retired false" and is active, you can still go ahead and add "retired false" into "sig0". The configuration in "sig0" and the default both list the signature as "retired false".
BUT if later on Cisco changes the signature to "retired true" you will still have "retired false" in "sig0", and your "retired false" will cause the signature to still remain active.
This way you can force a signature to always be active regardless of what a later signature update does.
As for your question of "Won't they be retired after every signature update?"
The answer is NO.
The default will contain "retired true", but if you put "retired false" into "sig0", then it will override the "retired true" in the current default as well as any new defaults from new signature updates.
11-27-2006 10:13 AM
I got it, thanks. It all makes perfect sense when I think about the underlying files (default.xml and sig0.xml). Sig updates create a new default.xml but leave sig0.xml untouched. If the retired attribute of a signature was never modified, then it will have whatever [possibly new] setting is in default.xml.
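The override rule described in the answer and in the last reply above, as an added example (not Cisco's code and not written by anyone in this thread): it audits what a signature update changes once "sig0" is taken into account. It models the default configuration and "sig0" as plain dicts rather than parsing default.xml or sig0.xml, and the function names and signature IDs are constructed for illustration.

```python
# Added illustration: models the precedence rule from the thread with dicts
# mapping signature ID -> value of "retired" (True/False). It does not parse
# the sensor's real files; their schema is not shown on this page.

def effective_retired(default, sig0):
    """Return the state in force: sig0 wins wherever it sets 'retired'."""
    return {sig: sig0.get(sig, val) for sig, val in default.items()}


def audit_update(old_default, new_default, sig0):
    """Classify how a signature update affects each signature."""
    before = effective_retired(old_default, sig0)
    after = effective_retired(new_default, sig0)
    report = {"newly_retired": [], "kept_active_by_sig0": [], "preemptive_pin": []}
    for sig, new_val in sorted(new_default.items()):
        pinned = sig in sig0
        if pinned and sig0[sig] is False and new_val is True:
            # Default says retired, user tuning says active: stays active.
            report["kept_active_by_sig0"].append(sig)
        elif pinned and sig0[sig] is False and new_val is False:
            # Both agree today; the pin only matters if a later update retires it.
            report["preemptive_pin"].append(sig)
        elif not pinned and before.get(sig) is False and new_val is True:
            # No user tuning, so the update's new default takes effect.
            report["newly_retired"].append(sig)
    return report, after


# Constructed sample data (not real signature IDs).
OLD_DEFAULT = {"sig-A": False, "sig-B": False, "sig-C": False, "sig-D": True}
NEW_DEFAULT = {"sig-A": True, "sig-B": True, "sig-C": False, "sig-D": True}
SIG0 = {"sig-B": False, "sig-C": False, "sig-D": False}

if __name__ == "__main__":
    report, after = audit_update(OLD_DEFAULT, NEW_DEFAULT, SIG0)
    for category, sigs in report.items():
        print(f"{category}: {', '.join(sigs) or '-'}")
    print("effective retired state after update:", after)
```

Signatures listed under `newly_retired` are the ones to review after an update, since nothing in "sig0" keeps them running.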