Guest

Cisco Intrusion Prevention System Signatures: Frequently Asked Questions

Contents

Why is signature x retired?
What is the difference between disabled and retired?
Why are some new signatures disabled or retired by default?
Does Cisco IPS detect virus x?
How do I write custom signatures for Cisco IPS?
Can I port some Snort signatures to Cisco IPS?
Why is port 0 or address 0.0.0.0 displayed in alerts?
Why was signature x changed?
Does an obsolete signature need to be retired?
Why is an IPS not good at catching compressed malicious files?
What is SFR?


Why is signature x retired?

Signatures can be retired or disabled for a variety of reasons:

  • The signature is “old” and of very little value.
    • The vulnerability being detected is sufficiently old enough to be widely patched.
    • The vulnerability is unlikely to be exploited in the wild.
    • The signature is more than two years old.
    • Specifications have changed and what was previously considered an indicator of malicious activity is now valid or is not considered malicious anymore. Any reporting of those signatures would essentially be false positives.
  • The signature has a resources impact.
    • The sensor resources are limited. Occasionally, as new signatures are released, old signatures must be retired to ensure the sensor runs optimally.
    • There is no way to run all signatures with the resources constraint, so the default shipping signature set must run a subset of all signatures.
  • There have been reports of false positives and it is not possible to tune the signature to reduce false positives.
  • The signature effectively detects a vulnerability potentially being exploited but has the potential in many environments to produce false positive alerts. It is therefore disabled or retired to prevent “noise” in other customers' networks.

At any time, the end customer is still able to enable and unretire a signature if the customer is still running the affected/vulnerable software and needs the protection provided by the signature.

Back to Top

What is the difference between disabled and retired?

Disabled means that the signature does not produce an alert but is compiled into memory and inspection takes place. There are advantages of having signatures disabled, such as allowing the customer to quickly enable the signature without waiting for it to be loaded into memory and for inspection to take place.

Retired means that the signature is not loaded into memory at all and no inspection takes place.

Back to Top

Why are some new signatures disabled or retired by default?

New signatures may be disabled or retired by default in signature updates because the signature may:

  • Not be suitable for every customer
  • Negatively affect customers' network traffic depending on where the sensor is deployed
  • Be a policy signature that detects otherwise legitimate traffic that a customer may wish to block on the network
  • Have concerns regarding memory or inspection time, but is otherwise suitable depending on network conditions

If you have a specific query about a specific signature, contact the Cisco Technical Assistance Center (TAC).

Back to Top

Does Cisco IPS detect virus x?

The IPS is not a suitable platform for antivirus functions because IPS units are generally placed at critical points in the network. Due to the network design, the IPS does not or may not see all the traffic to perform effective antivirus functions.

If a virus spreads using a vulnerability, signatures will cover the vulnerability being used to gain access to remote systems where possible. Because the IDS/IPS inspects network traffic, these systems cannot detect a virus that does not spread via the network.

Cisco may be able to provide a signature to help detect the effects of an infection to help contain infected workstations or devices.

Back to Top

How do I write custom signatures for Cisco IPS?

The Writing Custom Signatures for the Cisco Intrusion Prevention System white paper provides instructions for writing and testing signatures for Cisco IPS. In addition, the Cisco Intrusion Prevention System Engine Quick Reference describes methods for blocking certain types of traffic.

Back to Top

Can I port some Snort signatures to Cisco IPS?

Contact the Cisco TAC if you require Snort signatures to be ported to Cisco IPS. The TAC will be in the best position to determine how Cisco can help you complete this task.

Back to Top

Why is port 0 or address 0.0.0.0 displayed in alerts?

Summarization of events can cause an address of 0.0.0.0 to be displayed in alerts and the majority of the time port 0 is shown. Sometimes attackers will use port 0 to try to bypass firewall port filtering rules.

Back to Top

Why was signature x changed?

Signatures may be changed for a variety of reasons:

  • Signature or engine replacement: A new signature caused the previous signature to become obsolete, or the signature was moved to another engine.
  • Cosmetic changes: Cosmetic changes occurred, for example, ensuring all regular expressions meet certain guidelines that do not affect how the signature operates.
  • Signature fidelity: The signature fidelity rating has changed after actual field deployment has shown that the signature is better or worse at detecting attacks than previously believed.
  • Summary key: The summary key has changed, for example, Axxx may make more sense after signatures are deployed but AxBx was used when the signature was first released.
  • Memory/performance tradeoff: Based on detection history, the signature may be expanded or decreased in memory to increase coverage or improve performance.

Back to Top

Does an obsolete signature need to be retired?

The short answer is "No." The longer answer is that any signature that is obsoleted by any another signature will be set to enabled false, retired true internally, regardless of the settings on the signature.

Back to Top

Why is an IPS not good at catching compressed malicious files?

An IPS as a network device would need to reassemble the packets to get the full file (no matter its size), and then unpack and scan it with an antitvirus engine. If an IPS did that, customers would complain about the device being so slow. To detect malicious files, an antivirus solution is still the tool of choice.

Back to Top

What is SFR?

SFR stands for Signature Fidelity Rating. It helps quantify the degree of attack certainty. There is no formula or exact set of criteria to determine SFR. The value is largely influenced by what is being detected (signature parameters, regex, lengths, wildcards, and so on), engine choice, and performance against fixed test samples of traffic and "in the wild" beta sensors.

SFR quantifies the degree of attack certainty. However, the word attack does not make much sense when you look at an informational severity signature where the SFR is 100; without taking signature severity into account, SFR is more generally a measure of accuracy in detection.

To make an analogy: A weather forecaster states that there is a 70 percent chance of rain. What that means simply is that 7 out of 10 cases where the weather is similar, there will be a measurable amount of precipitation. Take this same idea to the IPS; an SFR of 70 means that 7 out of 10 cases where the conditions are similar, the IPS has detected an "attack."

For example:

Signature 2004/0, severity=informational, SFR=100

There is nothing malicious about this traffic - no attack. It is simply an ICMP echo request, and 10 out of 10 times that this signature fires, it has detected an ICMP echo request.

Signature 4256/1, severity=high, SFR=90

Because the signature carries a high severity, we know the outcome of a successful attack can be control of the victim machine. SFR=90 shows that 9 out of 10 cases where the detected traffic is similar, this is an attack attempting to exploit CVE-2014-1776.

There is an exception to all this, and that is for meta component only signatures. When the signature serves only as a component, we set the severity to informational and the SFR to 60. The signature almost never produces an alert, and setting the severity and SFR to these values removes the possibility that traffic will be dropped based on an event action override that is determined by risk rating.

The signature developer sets the SFR but it is not possible to test against every conceivable traffic scenario. As such, the end user can adjust the SFR based on the user's circumstances.


This document is part of the Cisco Security portal.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.

Back to Top