Are there significant differences between 3.x and 4.x signatures?

msmitha
Level 1

Hello,

I noticed that Cisco IDS ver 4.x has many types of signatures - simple pattern matching, stateful pattern matching, protocol decodes-based signatures, virus/worms/trojans/backdoors and scans/sweeps.

- How is this different from ver 3.x? Was 3.x missing any of these types of signatures?

- Is it just the difference in number of signatures or a change in architecture of the signature engines themselves with the new ver 4.x?

- Are there new signatures released today only for ver 4.x?

- If we continued to use 3.x, would we miss out on a lot of features/functionality? Any details?

Thanks

2 Replies

ywadhavk
Cisco Employee

Hi Smitha,

Please read Matthew Cerha's post from yesterday on this. Cutting and pasting the same here.

Yes, there is a change in the architecture of the signature engines with the new ver 4.x.

The signatures are released for both 3.x as well as 4.x. 3.x sometimes lags in the releases though.

There are many new features that are incorporated into 4.0 which are not available in 3.x.

Thanks,

yatin

-------------------------------------

mcerha@cisco.com

Jul 7, 2003, 9:00am PST

None of the 4.0-only SMB signatures are necessarily good candidates for string-based regexes. Due to the complexity and variability of the SMB protocol, a special protocol engine for SMB was needed. This was done for reasons of speed and reducing false positives. While it is true that you might be able to construct a regex to match the conditions for the signatures you listed, it would come at a great expense in terms of processor / memory usage due to the complexity of the regexes needed. This is especially true for 3.x systems. Using a more straightforward protocol parser, like 4.0 does, reduces this impact significantly. Also, with a complex regex, the possibility of false positives greatly increases in our experience. This, in a nutshell, is why the signatures are 4.0 only.

-------------------------------------

mcerha
Level 3

The biggest difference between 3.x and 4.0 is that all of our signatures are now implemented in the newer engine format. This means that all signatures have some degree of configurability, which may not have been available before. All of the signature types you mentioned are in 3.x as well as 4.0. And yes, there are signatures which have been and will be released as 4.0-only signatures.
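The two replies above both turn on the same point: a protocol-decode signature looks at a field the parser has already located, while a string/regex signature has to scan the whole payload and can match bytes that merely look like a header. The following is an added example written for this page, not code from the thread or from Cisco's signature engines. It builds a minimal SMB1 message parser (the 4-byte NetBIOS session header plus the documented 32-byte SMB1 header, with the real command codes for NEGOTIATE, SESSION_SETUP_ANDX and WRITE_ANDX) and runs a "session setup" signature two ways over constructed sample packets. The packet labels, the bodies, and the two signature functions are constructed for illustration.

```python
import re

# SMB1 command codes (documented values from the SMB1 wire format)
SMB_COM_WRITE_ANDX = 0x2F
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73

NBSS_HEADER_LEN = 4    # NetBIOS session service header: type byte + 3-byte length
SMB1_HEADER_LEN = 32   # fixed SMB1 header: b"\xffSMB", command byte, 27 bytes of fields


def build_smb1(command: int, body: bytes = b"") -> bytes:
    """Construct a minimal SMB1 message: NetBIOS header + 32-byte SMB header + body.
    Status, flags, signature and TID/PID/UID/MID are zeroed; only the command matters here."""
    smb = b"\xffSMB" + bytes([command]) + b"\x00" * 27 + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def decode_smb1_command(data: bytes):
    """Protocol-decode approach: validate the NetBIOS and SMB1 headers at their fixed
    offsets and return the command byte, or None if this is not a well-formed SMB1 message."""
    if len(data) < NBSS_HEADER_LEN + SMB1_HEADER_LEN:
        return None
    if data[0] != 0x00:                                   # 0x00 = NetBIOS session message
        return None
    if int.from_bytes(data[1:4], "big") != len(data) - NBSS_HEADER_LEN:
        return None                                       # length field must cover the payload
    hdr = data[NBSS_HEADER_LEN:NBSS_HEADER_LEN + SMB1_HEADER_LEN]
    if hdr[:4] != b"\xffSMB":
        return None
    return hdr[4]


# String-based signature: "SMB session setup" written as a regex over the raw bytes.
# It has no notion of where the header sits, so it scans the whole payload.
REGEX_SESSION_SETUP = re.compile(rb"\xffSMB\x73")


def regex_signature(pkt: bytes) -> bool:
    return REGEX_SESSION_SETUP.search(pkt) is not None


def decode_signature(pkt: bytes) -> bool:
    # Decode-based signature: one comparison on a field the parser already located.
    return decode_smb1_command(pkt) == SMB_COM_SESSION_SETUP_ANDX


# Constructed sample traffic (labels and bodies are made up for this example).
SAMPLE_TRAFFIC = [
    ("session_setup", build_smb1(SMB_COM_SESSION_SETUP_ANDX, b"\x0d\xff\x00" + b"\x00" * 20)),
    ("negotiate", build_smb1(SMB_COM_NEGOTIATE, b"\x00\x0c\x00\x02NT LM 0.12\x00")),
    # A file written over SMB whose contents happen to contain an SMB header
    # (say, a packet capture). The regex matches the payload; the decoder sees WRITE.
    ("write_with_embedded_header", build_smb1(SMB_COM_WRITE_ANDX, b"pcap\x00\x00\xffSMB\x73\x00\x00")),
    # Not SMB at all: an HTTP body carrying the same bytes.
    ("http_body", b"HTTP/1.1 200 OK\r\nContent-Length: 8\r\n\r\n\xffSMB\x73\x00\x00\x00"),
]


def evaluate(packets=SAMPLE_TRAFFIC):
    """Return (label, regex_fired, decode_fired) for each packet."""
    return [(label, regex_signature(p), decode_signature(p)) for label, p in packets]


def false_positives(packets=SAMPLE_TRAFFIC):
    """Labels where the string signature fires but the protocol decoder does not."""
    return [label for label, r, d in evaluate(packets) if r and not d]


if __name__ == "__main__":
    for label, r, d in evaluate():
        print(f"{label:28s} regex={r!s:5s} decode={d!s:5s}")
    print("regex-only hits (false positives):", false_positives())
```

The decoder does a fixed amount of work per packet (a few header checks and one byte compare), whereas the regex walks every byte of every packet looking for the pattern, which is the processor/memory cost the post refers to; and the two regex-only hits are exactly the false-positive class the post warns about, since the header bytes appear inside file data rather than at the protocol header.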