Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Are there significant differences between 3.x and 4.x signatures?

Hello,

I noticed that Cisco IDS ver 4.x has many types of signatures - simple pattern matching, stateful pattern matching, protocol decodes-based signatures, virus/worms/trojans/backdoors and scans/sweeps.

- How is this different from ver 3.x ? Was 3.x missing any of these types of signatures?

- Is it just the difference in number of signatures or a change in architecture of the signature engines themselves with the new ver 4.x?

- Are there new signatures released today only for ver 4.x?

- If we continued to use 3.x, would we miss out on a lot of featues/functionality? Any details?

Thanks

2 REPLIES
Cisco Employee

Re: Are there significant differences between 3.x and 4.x signat

Hi Smitha,

Please read Matthew Cerha's post yesterday on this. Cutting n pasting the same here.

Yes, there is change in architecture of the signature engines with the new ver 4.x.

The signatures are released for both 3.x as well as 4.x. 3.x sometimes lags in the releases though.

There are many new features that are incorporated into 4.0 which are not available in 3.x

Thanks,

yatin

-------------------------------------

mcerha@cisco.com

Jul 7, 2003, 9:00am PST

None of the 4.0 only SMB signatures are necessarily good candidates for string based regexes. Due to the complexity and variability of the SMB protocol, a special protocol engine for SMB was needed. This was done for reasons of speed and reducing false postives. While it is true that you might be able to construct a regex to match the conditions for the signatures you listed, it would would come at a great expense in terms of processor / memory usage due to the complexity of the regexes needed. This is especially true for 3.x systems. Using a more straight forward protocol parser, like 4.0 does, reduces this impact significantly. Also, with a complex regex, the possibility of false positives greatly increases in our experience. This is why in a nutshell that the signatures are 4.0 only.

-------------------------------------

Bronze

Re: Are there significant differences between 3.x and 4.x signat

The biggest difference between 3.x and 4.0 is that all of our signatures are now implemented in the newer engine format. This means that all signatures have some degree of configurability, which may have not been available before. All of the signature types you mentioned are in 3.x as well as 4.0. And yes, there are signatures which have been and will be released as 4.0 only signatures.

90
Views
0
Helpful
2
Replies