All shipping Cisco
® IDS/IPS appliances, blades, and modules, including but not limited to Cisco IPS appliances, Cisco IDS/IPS blades, Cisco access router IPS modules, and Cisco ASA IPS modules.
Signature File Definition
A signature file is a package of network patterns, policies, and/or countermeasures developed for Cisco intrusion detection and prevention system (IDS/IPS) products. This signature package, used by the IDS/IPS products, enables the sensors to provide up-to-date protection for the evolving threat environment. These IDS/IPS devices compare network traffic (packets and streams) against data patterns within the signature file library. This comparison is used to detect and control unauthorized or malicious network traffic. Therefore, the signature file, once installed on an IDS/IPS product, becomes the signature database used to detect suspicious behavior and to provide protection against the latest vulnerabilities and exploits.
End of Signature Release Support Milestones and Conditions for Cisco IDS/IPS Signature Updates
1. Access to signature updates is limited to products covered under the current equipment list of an existing Cisco Services for IPS contract. The serial number of the product(s), chassis, or module must appear in the Cisco contract database to be entitled to get signature file updates.
2. Cisco IPS signature updates include the following:
a) Signature file updates that are downloadable from Cisco.com
b) Cisco IPS Threat Defense e-mail bulletins notifying customers of the availability of new signature file update packages, threat information, or support
4. Updates to the Cisco IPS signature files are provided in accordance with the following terms:
a) At least twelve (12) months of signature release support after first customer ship (FCS) of all minor and major software releases and twelve (12) months of signature release support after the end of sale of a major release.
i. For major-to-major releases (e.g., Version "A".x to Version "B".y, where "A" and "B" are consecutive version numbers): Minimum of eighteen (18) months of signature release support after the end-of-sale announcement of that older software release. This 18-month signature release support window consists of no fewer than six (6) months between the software end-of-sale announce date and the actual software end-of-sale date, and no more than twelve (12) months of signature release support after the software end-of-sale date.
ii. For minor-to-minor releases (e.g., v5.x to v5.y): Twelve (12) months of signature release support after the announcement of the availability of the new minor release (e.g., v5.y). Signature release support for the older minor release (e.g., v5.x) typically aligns with the end-of-sale date of the minor software release.
iii. For service-pack-to-service-pack releases (e.g., v5.1(x) to v5.1(y)): A minimum of twelve (12) months of signature release support, including at least six (6) months after the announcement of the availability of the new service pack, provided no software issues prevent signature updates from being installed and operating correctly.
Operational flow example: IPSv5.1(x) to IPSv5.1(y), where "x" and "y" are service pack (i.e., maintenance release) numbers: Assuming service pack "x: has been available for six (6) months, after the announcement of service pack "y," customers on service pack "x" will have at least six (6) months to migrate to service pack "y." During the six (6)-month window, signature support will be available for both "x" and "y." If service pack "x" had only been available for three (3) months prior to service pack "y" becoming available, customers on service pack "x" would have nine (9) months to migrate to service pack "y."
iv. For engine updates in IPSv6.y(y)-Ex, IPSv7.y(y)-Ex (where the "x" is the engine number): Signature updates will only be released for the most current engine. Previously released signature updates for older engines will be supported for sixty (60) days after the release of a newer engine. New engine updates created after declaring that a release has reached end-of-sale status will not be integrated into the software release that has reached end-of-sale status. Signature release support will only be provided for the existing set of signature engines available for that release, thus affecting the completeness of signature coverage. New engine updates will not be back-ported to older versions.
Operational flow example: When signature updates are released. they will require the sensor to be running a minimum engine number. For example, IPS-sig-S680-req-E4 would require the sensor to be running IPSv7.1(5)-E4 and/or IPSv6.2(4)-E4.
v. Caveats: If a software issue in a major release, minor release, or service pack prevents signature updates from being installed and operating correctly, the customer may remain at the last "good" signature release or install the software release that includes a fix for the issue. Cisco will note this requirement in the release documentation.
b) Signature support for hardware platforms that are past their end-of-sale date may be delivered through subsequent major or minor software releases available for that hardware platform. Customers will be required to upgrade to those new software releases to maintain signature release support.
c) Hardware products announced as reaching end-of-sale status are provided with software support for three (3) years. In the event that a major or minor software release is not supported on the end-of-sale hardware, Cisco will support signature releases for up to three (3) years after the hardware end-of-sale date on the last available software release for that hardware platform.
5. Cisco Technical Assistance Center (TAC) support, hardware support, operating system support, and application software support exclusive of signature release support (such as maintenance releases, bug fixes, and patches) is as defined in Cisco's current policy. Refer to Cisco's end-of-life policy at
For More Information
For more information about the end-of-sale Cisco IDS/IPS sensors, visit
http://www.cisco.com/go/ips or contact your local account representative.