Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IDS v3 default enabled signatures versus version 4

A default installation of a Cisco IDS 3.1 S65 shows +700 enabled signatures. When I install a 4.1(3)S65 sensor, the IDSMC shows not more than 470 enabled signatures. Is this difference only related to the install of 4.1(3)S61-SP or are there more extra default disabled signatures in version 4.

If yes, is there somewhere a list or a useful link?

Thanks

5 REPLIES
Cisco Employee

Re: IDS v3 default enabled signatures versus version 4

There were several additional signatures that have been disabled in the version 4.1(3)S61 Service Pack.

From the readme for the Service Pack:

TUNED SIGNATURES

To free up system resources on the sensor, signatures for vulnerabi-

lities discovered prior to 2002 have been disabled in this release.

For a complete list of these signatures, refer to bugid CSCec88388

in Bug Naviagator at the following url:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

New Member

Re: IDS v3 default enabled signatures versus version 4

Yes, that's true. However besides all those signatures, there should be more signatures that are default enabled in version 3 and default disabled in version 4.

I'm searching for an explanation why these signatures were disabled...

TIA!

New Member

Re: IDS v3 default enabled signatures versus version 4

I am not aware (there shouldn't be) of any signature besides there ones turned off in S61 that are turned on in 3.1 and off in 4.1. Do you have any specific examples?

New Member

Re: IDS v3 default enabled signatures versus version 4

Thanks, that's the answer I was looking for. I just wanted to make sure that there were no more extra disabled signatures.

Cisco Employee

Re: IDS v3 default enabled signatures versus version 4

There is one more thing to be aware of:

In version 3.x, to disable a signature the severity level was set to "0".

On several occasions we have released signatures with severities between 1 and 5 that we later wanted to disable and set to 0.

So in version 3.x the new packetd.conf template file would set the severity level of the signature to "0" to disable it.

The problem is that during a signature update, your packetd.conf file with your tunings is compared to the template file. Any signatures not in your packetd.conf file are copied in from the template file. However, the changes we made to severities (like setting older signatures to "0" to disable them) are not copied into your packetd.conf file.

So in version 3.x if we change the severity to "0" in the template file, If your sensor already had that signature with a severity between 1 and 5, then aftre the update the signature in your file would still have a severity between 1 and 5 and would not be disabled.

The root of the problem, is that in 3.x the installation script had no way to determine whether the different severity level in your packetd.conf file was because the signature had an old default severity value, or if the user had gone in and manually changed the value. So the script had to assume that any differences were intenional by the user, and so would not change them to the new defaults.

So when 3.x signature udpates are released, the readme will tell you which signatures have had their severity levels modified. It is then up to the user if they want to manually go to those signatures and make them match the new default settings we recommended.

This was addressed in version 4.x.

In version 4.x the file for the signatures will contain both the default and any changes the user may have made.

Also the Enabling and Disabling of the signature is now controlled by an Enabled option in the signature definition.

During installation of a new signature update, the installation script can go into to your file and change the defaults.

So if the signature previously had a default of Enabled = True, the script could go in and change the default to Enabled = False with the next signature update.

So when comparing enabled signatures between version 3.x and 4.x, you would need to compare against the /usr/nr/etc/wgc/templates/packetd.conf file instead of /usr/nr/etc/packetd.conf.

You will want to compare the version 4.x Enabled = False signatures, with the signatures in the /usr/nr/etc/wgc/templates/packetd.conf file that have a severity = 0.

You should see the same signatures disabled on both versions (with the exception that there may be a few more disabled on v4.x for signatures which do not even exist on v3.x).

You can then compare your /usr/nr/etc/packetd.conf file with the defaults in /usr/nr/etc/wgc/templates/packetd.conf to determine which signatures have been disabled in later updates but are not disabled in your packetd configuration.

115
Views
5
Helpful
5
Replies
CreatePlease login to create content