IDS v3 default enabled signatures versus version 4

og-ops-be
Level 1

A default installation of a Cisco IDS 3.1 S65 shows +700 enabled signatures. When I install a 4.1(3)S65 sensor, the IDSMC shows not more than 470 enabled signatures. Is this difference only related to the install of 4.1(3)S61-SP, or are there more extra default-disabled signatures in version 4?

If yes, is there somewhere a list or a useful link?

Thanks

5 Replies

marcabal
Cisco Employee

There were several additional signatures that have been disabled in the version 4.1(3)S61 Service Pack.

From the readme for the Service Pack:

TUNED SIGNATURES

To free up system resources on the sensor, signatures for vulnerabilities discovered prior to 2002 have been disabled in this release.

For a complete list of these signatures, refer to bugid CSCec88388 in Bug Navigator at the following url:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Yes, that's true. However, besides all those signatures, there should be more signatures that are enabled by default in version 3 and disabled by default in version 4.

I'm searching for an explanation why these signatures were disabled...

TIA!

I am not aware (there shouldn't be) of any signature besides those turned off in S61 that are turned on in 3.1 and off in 4.1. Do you have any specific examples?

Thanks, that's the answer I was looking for. I just wanted to make sure that there were no more extra disabled signatures.

There is one more thing to be aware of:

In version 3.x, to disable a signature the severity level was set to "0".

On several occasions we have released signatures with severities between 1 and 5 that we later wanted to disable and set to 0.

So in version 3.x the new packetd.conf template file would set the severity level of the signature to "0" to disable it.

The problem is that during a signature update, your packetd.conf file with your tunings is compared to the template file. Any signatures not in your packetd.conf file are copied in from the template file. However, the changes we made to severities (like setting older signatures to "0" to disable them) are not copied into your packetd.conf file.

So in version 3.x, if we change the severity to "0" in the template file and your sensor already had that signature with a severity between 1 and 5, then after the update the signature in your file would still have a severity between 1 and 5 and would not be disabled.

The root of the problem is that in 3.x the installation script had no way to determine whether the different severity level in your packetd.conf file was because the signature had an old default severity value, or because the user had gone in and manually changed the value. So the script had to assume that any differences were intentional by the user, and so would not change them to the new defaults.

So when 3.x signature updates are released, the readme will tell you which signatures have had their severity levels modified. It is then up to the user whether they want to manually go to those signatures and make them match the new default settings we recommended.

This was addressed in version 4.x.

In version 4.x the file for the signatures will contain both the default and any changes the user may have made.

Also the Enabling and Disabling of the signature is now controlled by an Enabled option in the signature definition.

During installation of a new signature update, the installation script can go into your file and change the defaults.

So if the signature previously had a default of Enabled = True, the script could go in and change the default to Enabled = False with the next signature update.

So when comparing enabled signatures between version 3.x and 4.x, you would need to compare against the /usr/nr/etc/wgc/templates/packetd.conf file instead of /usr/nr/etc/packetd.conf.

You will want to compare the version 4.x Enabled = False signatures, with the signatures in the /usr/nr/etc/wgc/templates/packetd.conf file that have a severity = 0.

You should see the same signatures disabled on both versions (with the exception that there may be a few more disabled on v4.x for signatures which do not even exist on v3.x).

You can then compare your /usr/nr/etc/packetd.conf file with the defaults in /usr/nr/etc/wgc/templates/packetd.conf to determine which signatures have been disabled in later updates but are not disabled in your packetd configuration.
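The 3.x merge behaviour and the final comparison the reply above describes, as an added example that is not from this thread or from Cisco: the line format (one `<sigid> <severity>` per line, `#` comments) is a constructed simplification, not the real packetd.conf syntax, and the sample entries are made up.

```python
import re
from typing import Dict

# Constructed sample template (the copy a signature update ships, as in
# /usr/nr/etc/wgc/templates/packetd.conf). Severity 0 means disabled in 3.x.
# Line format "<sigid> <severity>" is a simplification, not the real syntax.
TEMPLATE_CONF = """
1000 0
1001 4
2004 0
3030 5
"""

# Constructed sample of the user's tuned packetd.conf: 1000 still has the old
# default severity, 3030 was tuned down by the user, 2004 does not exist yet.
USER_CONF = """
1000 3
1001 4
3030 2
"""

def parse_conf(text: str) -> Dict[int, int]:
    """Return {sigid: severity} for every signature line, skipping comments."""
    sigs: Dict[int, int] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(\d+)\s+(\d+)", line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        sigs[int(m.group(1))] = int(m.group(2))
    return sigs

def apply_3x_update(user: Dict[int, int], template: Dict[int, int]) -> Dict[int, int]:
    """Model the 3.x merge: signatures missing from the user's file are copied in
    from the template, but severities already present are left untouched."""
    merged = dict(user)
    for sigid, sev in template.items():
        merged.setdefault(sigid, sev)
    return merged

def stale_enabled(user: Dict[int, int], template: Dict[int, int]) -> Dict[int, int]:
    """Signatures the template disables (severity 0) that are still enabled
    (severity 1-5) in the user's file, i.e. the ones to review by hand."""
    return {s: user[s] for s, sev in template.items() if sev == 0 and user.get(s, 0) > 0}
```

After the modelled update, signature 2004 is copied in as disabled, while 1000 keeps its old severity of 3 and is reported by `stale_enabled` as still enabled.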
