Why is signature X retired?
A: Signatures can be retired or disabled for a variety of reasons:
At any time, the end customer is still able to enable and unretire a signature if the customer is still running the affected/vulnerable software and needs the protection provided by the signature.
A: Disabled means that the signature does not produce an alert but is compiled into memory and inspection takes place. There are advantages of having signatures disabled, such as allowing the customer to quickly enable the signature without waiting for it to be loaded into memory and for inspection to take place.
Retired means that the signature is not loaded into memory at all and no inspection takes place.
A: New signatures may be disabled or retired by default in signature updates because the signature may
If you have a specific query about a specific signature, contact the Cisco TAC.
A: The IPS is not a suitable platform for antivirus because IPS units are generally placed at critical points in the network. Due to the network design, the IPS does not, or may not, see all the traffic to perform effective antivirus functions.
If a virus spreads using a vulnerability, signatures will cover the vulnerability being used to gain access to remote systems where possible. Because the IDS/IPS inspects network traffic, these systems cannot detect a virus that does not spread via the network.
Cisco may be able to provide a signature to help detect the effects of an infection to help contain infected workstations or devices.
A: The white paper Writing Custom Signatures for the Cisco Intrusion Prevention System provides instruction in writing and testing signatures for Cisco IPS. The Cisco Intrusion Prevention System Engine Quick Reference describes methods for blocking certain types of traffic.
A: Contact the Cisco TAC if you require Snort signatures to be ported to Cisco IPS. The TAC will be in the best position to determine how Cisco can help you complete this task.
A: Summarization of events can cause an address of 0.0.0.0 to be displayed in alerts, and the majority of the time port 0 is shown. Sometimes attackers will use port 0 to try to bypass firewall port filtering rules.
A: Signatures may be changed for a variety of reasons:
A: The short answer is no. The longer answer is that any signature that is obsoleted by any another signature will be set to “enabled false, retired true” internally, regardless of the settings on the signature.
A: An IPS as a network device would need to reassemble the packets to get the full file (no matter its size), then unpack it and scan with an antitvirus engine. If an IPS did that, customers would complain about the device being so slow. For detecting malicious files, an antivirus solution is still the tool of choice.
A: SFR stands for Signature Fidelity Rating. It helps quantify the degree of attack certainty. There is no formula or exact set of criteria to determine SFR. The value is largely influenced by what is being detected (signature parameters, regex, lengths, wildcards, and so on), engine choice, and performance against fixed test samples of traffic and "in the wild" beta sensors.
SFR quantifies the degree of attack certainty; however, the word attack does not make much sense when you look at an informational severity signature with an SFR=100; so without taking signature severity into account, SFR is more generally a measure of accuracy in detection.
To make an analogy: A weather forecaster states that there is a 70 percent chance of rain. What that means simply is that 7 out of 10 cases where the weather is similar, there will be a measurable amount of precipitation. Take this same idea to the IPS; an SFR=70 means that 7 out of 10 cases where the conditions are similar, the IPS has detected an "attack."
There is an exception to all this, and that is for meta component only signatures. When the signature serves only as a component, we set the severity=informational and SFR=60. The signature almost always does not produce an alert, and setting the severity and SFR to these values removes the possibility that traffic will be dropped based on an event action override that is determined by risk rating.
The signature developer sets the SFR, but it is not possible to test against every conceivable traffic scenario. As such, the end user can adjust the SFR based on the user's circumstances.
This document is part of Cisco Security Intelligence Operations.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.