Why is signature X retired?
What is the difference between disabled and retired?
Why are some new signatures disabled or retired by default?
Does Cisco IPS detect virus X?
How do I write custom signatures for Cisco IPS?
Can we have some Snort signatures ported to Cisco IPS?
Why is port 0 or address 0.0.0.0 displayed in alerts?
Why was signature X changed?
Does an obsolete signature need to be retired?
Why is an IPS not good at catching compressed malicious files?
What is SFR?
A: Signatures can be retired or disabled for a variety of reasons:
- The signature is “old” and of very little value.
- The vulnerability being detected is sufficiently old enough to be widely patched
- The vulnerability is unlikely to be exploited in the wild.
- The signature is more than 2 years old
- Specifications have changed and what was previously considered an indicator of malicious activity is now valid or no longer considered malicious. Any reporting of those signatures would essentially be false positives.
- The signature has a resources impact.
- The sensor resources are limited. Occasionally as new signatures are released, old signatures must be retired to ensure the sensor runs optimally.
- There is no way to run all signatures with the resources constraint, so the default shipping signature set must run a subset of all signatures.
- There have been reports of false positives and it is not possible to tune the signature to reduce false positives.
- The signature effectively detects a vulnerability potentially being exploited, but has the potential in many environments to produce false positive alerts. It is therefore disabled or retired to prevent “noise” in other customers' networks.
At any time, the end customer is still able to enable and unretire a signature if the customer is still running the affected/vulnerable software and needs the protection provided by the signature.
A: Disabled means that the signature does not produce an alert but is compiled into memory and inspection takes place. There are advantages of having signatures disabled, such as allowing the customer to quickly enable the signature without waiting for it to be loaded into memory and for inspection to take place.
Retired means that the signature is not loaded into memory at all and no inspection takes place.
A: New signatures may be disabled or retired by default in signature updates because the signature may
- Not be suitable for every customer
- Negatively affect customers' network traffic depending on where the sensor is deployed
- Be a policy signature that detects otherwise legitimate traffic that a customer may wish to block on the network
- Have concerns regarding memory or inspection time, but is otherwise suitable depending on network conditions
If you have a specific query about a specific signature, contact the Cisco TAC.
A: The IPS is not a suitable platform for antivirus because IPS units are generally placed at critical points in the network. Due to the network design, the IPS does not, or may not, see all the traffic to perform effective antivirus functions.
If a virus spreads using a vulnerability, signatures will cover the vulnerability being used to gain access to remote systems where possible. Because the IDS/IPS inspects network traffic, these systems cannot detect a virus that does not spread via the network.
Cisco may be able to provide a signature to help detect the effects of an infection to help contain infected workstations or devices.
A: The white paper Writing Custom Signatures for the Cisco Intrusion Prevention System provides instruction in writing and testing signatures for Cisco IPS. The Cisco Intrusion Prevention System Engine Quick Reference describes methods for blocking certain types of traffic.
A: Contact the Cisco TAC if you require Snort signatures to be ported to Cisco IPS. The TAC will be in the best position to determine how Cisco can help you complete this task.
A: Summarization of events can cause an address of 0.0.0.0 to be displayed in alerts, and the majority of the time port 0 is shown. Sometimes attackers will use port 0 to try to bypass firewall port filtering rules.
A: Signatures may be changed for a variety of reasons:
- Signature or engine replacement: A new signature caused the previous signature to become obsolete, or the signature was moved to another engine.
- Cosmetic changes: Cosmetic changes occurred (for example, ensuring all regular expressions meet certain guidelines that do not affect how the signature operates).
- Signature fidelity: The signature fidelity rating has changed after actual field deployment has shown the signature is better or worse at detecting attacks than previously believed.
- Summary key: The summary key has changed (for example, Axxx may make more sense after signatures are deployed, but AxBx was used when the signature was first released).
- Memory/performance trade off: Based on detection history, the signature may be expanded or decreased in memory to increase coverage or improve performance.
A: The short answer is no. The longer answer is that any signature that is obsoleted by any another signature will be set to “enabled false, retired true” internally, regardless of the settings on the signature.
A: An IPS as a network device would need to reassemble the packets to get the full file (no matter its size), then unpack it and scan with an antitvirus engine. If an IPS did that, customers would complain about the device being so slow. For detecting malicious files, an antivirus solution is still the tool of choice.
A: SFR stands for Signature Fidelity Rating. It helps quantify the degree of attack certainty. There is no formula or exact set of criteria to determine SFR. The value is largely influenced by what is being detected (signature parameters, regex, lengths, wildcards, and so on), engine choice, and performance against fixed test samples of traffic and "in the wild" beta sensors.
SFR quantifies the degree of attack certainty; however, the word attack does not make much sense when you look at an informational severity signature with an SFR=100; so without taking signature severity into account, SFR is more generally a measure of accuracy in detection.
To make an analogy: A weather forecaster states that there is a 70 percent chance of rain. What that means simply is that 7 out of 10 cases where the weather is similar, there will be a measurable amount of precipitation. Take this same idea to the IPS; an SFR=70 means that 7 out of 10 cases where the conditions are similar, the IPS has detected an "attack."
Signature 2004/0, severity=informational, SFR=100
There is nothing malicious about this traffic - no attack. It is simply an ICMP echo request, and 10 out of 10 times that this signature fires, it has detected an ICMP echo request.
Signature 4256/1, severity=high, SFR=90
Because the signature carries a high severity, we know the outcome of a successful attack can be control of the victim machine. An SFR=90 shows that 9 out of 10 cases where the detected traffic is similar, this is an attack attempting to exploit CVE-2014-1776.
There is an exception to all this, and that is for meta component only signatures. When the signature serves only as a component, we set the severity=informational and SFR=60. The signature almost always does not produce an alert, and setting the severity and SFR to these values removes the possibility that traffic will be dropped based on an event action override that is determined by risk rating.
The signature developer sets the SFR, but it is not possible to test against every conceivable traffic scenario. As such, the end user can adjust the SFR based on the user's circumstances.
This document is part of Cisco Security Research & Operations.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.