Signatures can be retired or disabled for a variety of reasons:
The signature is “old” and of very little value.
The vulnerability being detected is sufficiently old enough to be widely patched.
The vulnerability is unlikely to be exploited in the wild.
The signature is more than two years old.
Specifications have changed and what was previously considered an indicator of malicious activity is now valid or is not considered malicious anymore. Any reporting of those signatures would essentially be false positives.
The signature has a resources impact.
The sensor resources are limited. Occasionally, as new signatures are released, old signatures must be retired to ensure the sensor runs optimally.
There is no way to run all signatures with the resources constraint, so the default shipping signature set must run a subset of all signatures.
There have been reports of false positives and it is not possible to tune the signature to reduce false positives.
The signature effectively detects a vulnerability potentially being exploited but has the potential in many environments to produce false positive alerts. It is therefore disabled or retired to prevent “noise” in other customers' networks.
At any time, the end customer is still able to enable and unretire a signature if the customer is still running the affected/vulnerable software and needs the protection provided by the signature.
What is the difference between disabled and retired?
Disabled means that the signature does not produce an alert but is compiled into memory and inspection takes place. There are advantages of having signatures disabled, such as allowing the customer to quickly enable the signature without waiting for it to be loaded into memory and for inspection to take place.
Retired means that the signature is not loaded into memory at all and no inspection takes place.
The IPS is not a suitable platform for antivirus functions because IPS units are generally placed at critical points in the network. Due to the network design, the IPS does not or may not see all the traffic to perform effective antivirus functions.
If a virus spreads using a vulnerability, signatures will cover the vulnerability being used to gain access to remote systems where possible. Because the IDS/IPS inspects network traffic, these systems cannot detect a virus that does not spread via the network.
Cisco may be able to provide a signature to help detect the effects of an infection to help contain infected workstations or devices.
Why is port 0 or address 0.0.0.0 displayed in alerts?
Summarization of events can cause an address of 0.0.0.0 to be displayed in alerts and the majority of the time port 0 is shown. Sometimes attackers will use port 0 to try to bypass firewall port filtering rules.
The short answer is "No." The longer answer is that any signature that is obsoleted by any another signature will be set to enabled false, retired true internally, regardless of the settings on the signature.
Why is an IPS not good at catching compressed malicious files?
An IPS as a network device would need to reassemble the packets to get the full file (no matter its size), and then unpack and scan it with an antitvirus engine. If an IPS did that, customers would complain about the device being so slow. To detect malicious files, an antivirus solution is still the tool of choice.
SFR stands for Signature Fidelity Rating. It helps quantify the degree of attack certainty. There is no formula or exact set of criteria to determine SFR. The value is largely influenced by what is being detected (signature parameters, regex, lengths, wildcards, and so on), engine choice, and performance against fixed test samples of traffic and "in the wild" beta sensors.
SFR quantifies the degree of attack certainty. However, the word attack does not make much sense when you look at an informational severity signature where the SFR is 100; without taking signature severity into account, SFR is more generally a measure of accuracy in detection.
To make an analogy: A weather forecaster states that there is a 70 percent chance of rain. What that means simply is that 7 out of 10 cases where the weather is similar, there will be a measurable amount of precipitation. Take this same idea to the IPS; an SFR of 70 means that 7 out of 10 cases where the conditions are similar, the IPS has detected an "attack."
Signature 2004/0, severity=informational, SFR=100
There is nothing malicious about this traffic - no attack. It is simply an ICMP echo request, and 10 out of 10 times that this signature fires, it has detected an ICMP echo request.
Signature 4256/1, severity=high, SFR=90
Because the signature carries a high severity, we know the outcome of a successful attack can be control of the victim machine. SFR=90 shows that 9 out of 10 cases where the detected traffic is similar, this is an attack attempting to exploit CVE-2014-1776.
There is an exception to all this, and that is for meta component only signatures. When the signature serves only as a component, we set the severity to informational and the SFR to 60. The signature almost never produces an alert, and setting the severity and SFR to these values removes the possibility that traffic will be dropped based on an event action override that is determined by risk rating.
The signature developer sets the SFR but it is not possible to test against every conceivable traffic scenario. As such, the end user can adjust the SFR based on the user's circumstances.
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.