Why is signature X retired?
A: Signatures can be retired or disabled for a variety of reasons:
At any time, the end customer is still able to enable and unretire a signature if the customer is still running the affected/vulnerable software and needs the protection provided by the signature.
A: Disabled means that the signature does not produce an alert but is compiled into memory and inspection takes place. There are advantages of having signatures disabled, such as allowing the customer to quickly enable the signature without waiting for it to be loaded into memory and for inspection to take place.
Retired means that the signature is not loaded into memory at all and no inspection takes place.
A: New signatures may be disabled or retired by default in signature updates because the signature may
If you have a specific query about a specific signature, contact the Cisco TAC.
A: The IPS is not a suitable platform for antivirus because IPS units are generally placed at critical points in the network. Due to the network design, the IPS does not, or may not, see all the traffic to perform effective antivirus functions.
If a virus spreads using a vulnerability, signatures will cover the vulnerability being used to gain access to remote systems where possible. Because the IDS/IPS inspects network traffic, these systems cannot detect a virus that does not spread via the network.
Cisco may be able to provide a signature to help detect the effects of an infection to help contain infected workstations or devices.
A: The white paper Writing Custom Signatures for the Cisco Intrusion Prevention System provides instruction in writing and testing signatures for Cisco IPS. The Cisco Intrusion Prevention System Engine Quick Reference describes methods for blocking certain types of traffic.
A: Contact the Cisco TAC if you require Snort signatures to be ported to Cisco IPS. The TAC will be in the best position to determine how Cisco can help you complete this task.
A: Summarization of events can cause an address of 0.0.0.0 to be displayed in alerts, and the majority of the time port 0 is shown. Sometimes attackers will use port 0 to try to bypass firewall port filtering rules.
A: Signatures may be changed for a variety of reasons:
A: The short answer is no. The longer answer is that any signature that is obsoleted by any another signature will be set to “enabled false, retired true” internally, regardless of the settings on the signature.
An IPS as a network device would need to reassemble the packets to get the full file (no matter its size), then unpack it and scan with an antitvirus engine. If an IPS did that, customers would complain about the device being so slow. For detecting malicious files, an antivirus solution is still the tool of choice.
This document is part of Cisco Security Intelligence Operations.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.