Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Zero-day attacks through a SIG

Can the IDS catch zero-day attacks and report on them?


New Member

Re: Zero-day attacks through a SIG

I think as long as the "zero day" attack uses a vulnerability with a sig it should.

An example is a "new" way to exploit ASN.1. This new exploit should cause the ASN.1 vulnerability signature to fire on the IDS.

However a true zero-day attack (an unknown vulnerability with exploit code to take advantage of it) would probably get through unnoticed.

Is this the opinion of Cisco as well?

New Member

Re: Zero-day attacks through a SIG

By definition, a "zero-day" attack is one that is unknown and does not have a signature, yet. That is where a behavior-based IDS comes in handy instead of signature-based one. It should provide additional protection for zero-day attacks.

If you are looking for a Cisco product in this realm, you should look at Cisco Security Agent (a Host-based IDS that looks at behavior, not signatures).

Re: Zero-day attacks through a SIG

Here is my take on this subject. Security should be installed in layers. From hte Perimeter to the core and then on end points and network nodes. You should have properly hardened routers backed up by a firewall with IDS/IPS on the outside and inside. Then a properly segmented network by way of VLANS etc to allow traffic only where it needs to go. Should anyone get past these measures then host-based intrusion prevention by products such as Cisco Security agent will come into play for "zero-day" attacks. CSA works off rules, not patterns so the end result is if the "zero-day" attack tries to do something it is not allowed to do, write to the registry, delete files, etc, CSA kicks in to stop it. No signatures needed.

Learn more about this and other fine Cisco products at

Now go ask John Cambers if my endorsement check is ready. I have a car note due.

Hope this helps.

Please remember to rate all replies

Cisco Employee

Re: Zero-day attacks through a SIG

Just thought I would thow this into the conversation.


The Cisco Anomaly Guard and Anomaly Detector products are designed to look for and protect from Anomalous traffic on the network. The Anomalous traffic can often be caused by "zero-day" attacks.

There is an Ask The Expert event that started on July 28th and will last until August 11th that is specifically discussing the Guard and Detector.

If you want to learn more about how Guard and Detector can help in protecting against "zero-day" attacks you might try posting a comment on the Ask the Expert postings.