IDS v3 default enabled signatures versus version 4
A default installation of a Cisco IDS 3.1 S65 shows +700 enabled signatures. When I install a 4.1(3)S65 sensor, the IDSMC shows not more than 470 enabled signatures. Is this difference only related to the install of 4.1(3)S61-SP or are there more extra default disabled signatures in version 4?
If yes, is there somewhere a list or a useful link?
Re: IDS v3 default enabled signatures versus version 4
There is one more thing to be aware of:
In version 3.x, to disable a signature the severity level was set to "0".
On several occasions we have released signatures with severities between 1 and 5 that we later wanted to disable and set to 0.
So in version 3.x the new packetd.conf template file would set the severity level of the signature to "0" to disable it.
The problem is that during a signature update, your packetd.conf file with your tunings is compared to the template file. Any signatures not in your packetd.conf file are copied in from the template file. However, the changes we made to severities (like setting older signatures to "0" to disable them) are not copied into your packetd.conf file.
So in version 3.x, if we change the severity to "0" in the template file, and your sensor already had that signature with a severity between 1 and 5, then after the update the signature in your file would still have a severity between 1 and 5 and would not be disabled.
The root of the problem is that in 3.x the installation script had no way to determine whether the different severity level in your packetd.conf file was because the signature had an old default severity value, or if the user had gone in and manually changed the value. So the script had to assume that any differences were intentional by the user, and so would not change them to the new defaults.
So when 3.x signature updates are released, the readme will tell you which signatures have had their severity levels modified. It is then up to the user if they want to manually go to those signatures and make them match the new default settings we recommended.
This was addressed in version 4.x.
In version 4.x the file for the signatures will contain both the default and any changes the user may have made.
Also the Enabling and Disabling of the signature is now controlled by an Enabled option in the signature definition.
During installation of a new signature update, the installation script can go into your file and change the defaults.
So if the signature previously had a default of Enabled = True, the script could go in and change the default to Enabled = False with the next signature update.
So when comparing enabled signatures between version 3.x and 4.x, you would need to compare against the /usr/nr/etc/wgc/templates/packetd.conf file instead of /usr/nr/etc/packetd.conf.
You will want to compare the version 4.x Enabled = False signatures, with the signatures in the /usr/nr/etc/wgc/templates/packetd.conf file that have a severity = 0.
You should see the same signatures disabled on both versions (with the exception that there may be a few more disabled on v4.x for signatures which do not even exist on v3.x).
You can then compare your /usr/nr/etc/packetd.conf file with the defaults in /usr/nr/etc/wgc/templates/packetd.conf to determine which signatures have been disabled in later updates but are not disabled in your packetd configuration.
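The comparison described in the reply above, as an added example that is not part of the original thread or Cisco's own tooling: it models the 3.x update merge (missing signatures are copied in, existing severities are left alone) and then lists signatures the template disables with severity 0 that remain enabled in the tuned file. The "sig_id severity" input form, the sample values and all function names are assumptions for illustration; the real packetd.conf syntax differs and `parse()` would need adapting to it.

```python
# Constructed sample data in a simplified "sig_id severity" form.
# This is NOT the real packetd.conf syntax; it only stands in for
# /usr/nr/etc/packetd.conf and /usr/nr/etc/wgc/templates/packetd.conf.
USER_CONF = """\
1000 3
1001 2   # shipped with severity 2, later disabled in the template
1002 4   # tuned by the user
"""
TEMPLATE_CONF = """\
1000 3
1001 0
1002 5
1003 0
1004 3
"""

def parse(text):
    """Return {sig_id: severity} from 'sig_id severity' lines ('#' starts a comment)."""
    sigs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            sig_id, severity = line.split()
            sigs[int(sig_id)] = int(severity)
    return sigs

def merge_3x_update(user, template):
    """Model the 3.x update: add signatures missing from the user file,
    never overwrite a severity that is already present."""
    merged = dict(user)
    for sig_id, severity in template.items():
        merged.setdefault(sig_id, severity)
    return merged

def audit(user, template):
    """Compare a tuned file against the template defaults.
    stale: template severity is 0 (disabled) but the user file is non-zero.
    drift: any other severity difference (may be intentional tuning)."""
    stale = sorted(s for s, sev in template.items()
                   if sev == 0 and user.get(s, 0) != 0)
    drift = {s: (user[s], sev) for s, sev in template.items()
             if s in user and user[s] != sev and s not in stale}
    return stale, drift

if __name__ == "__main__":
    merged = merge_3x_update(parse(USER_CONF), parse(TEMPLATE_CONF))
    stale, drift = audit(merged, parse(TEMPLATE_CONF))
    print("still enabled but disabled in template:", stale)
    print("other severity differences (user, template):", drift)
```

Entries in the stale list are the ones to check against the signature update readme; the drift entries may be deliberate tuning and need a human decision.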