Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Sig Updates overwriting previous tuning

I know this has been posted before in several different posts, but can someone please re-post what needs to be re-tuned (what tunes are overwritten) with a sig update? Previous disables, enables, individual sig parameter changes, filters, etc? Do filters have to be re-applied?

Cisco Employee

Re: Sig Updates overwriting previous tuning

During all signature updates for 4.x sensors the user should not have to re-tune any of the signatures.

Any configuration modifications made by the user will be maintained through the update.

If you are seeing configurations that are not being maintained through a signature update then please notify the TAC as a bug may need to be created.

Other considerations:

During a signature update the DEFAULT severity and enable settings (as well as a few other signature parameters) may change. These changes to the DEFAULTS are typically listed in the readme for the signature update.

If you don't like the new DEFAULT setting, then you may choose to tune the signature and put the parameter back to the old setting.

One ofthe 4.x signature updates when set the DEFAULT setting for several older signature to disabled. If you wanted these older signatures then you will need to tune them at set them to enabled. Once you have manually enabled them then they will stay enabled for future signature updates.

Now the major version upgrade from 3.x to 4.x isn't as simple.

The sensor upgrade from 3.x to 4.x will reformat the hard drive and all configuration will need to be redone.

If you were using IDS MC then the IDS MC can help to convert some but not all of the 3.x configuration to 4.x. I am not sure what from the 3.x configuration was not able to be converted to 4.x configuration using the IDS MC.

CreatePlease to create content