Which state must a signature be in before any actions can be taken when an attack matches that signature?

You use Cisco Configuration Professional to enable Cisco IOS IPS. Which state must a signature be in
before any actions can be taken when an attack matches that signature?

A. Enabled

B. Unretired

C. Successfully compiled

D. Successfully compiled and unretired

E. Successfully compiled and enabled

F. Unretired and enabled

G. Enabled, unretired, and successfully compiled

Explanation:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html
Step 21. Verify the signatures are loaded properly by using this command at the router prompt:
router#show ip ips signatures count
Cisco SDF release version S353.0
Trend SDF release version V0.0
|
snip
|
Total Signatures: 2363
Total Enabled Signatures: 1025
Total Retired Signatures: 1796
Total Compiled Signatures: 567
Total Obsoleted Signatures: 15
Step 23. To retire/unretire and enable/disable signatures, select the Edit IPS tab, then select
Signatures.
Highlight the signature(s), and then click the Enable, Disable, Retire, or Unretire button. Notice the
status changed in the Enabled or the Retired column. A yellow icon appears for the signature(s) in
the column next to Enabled. The yellow icon means changes have been made to the signature, but
have not been applied. Click the Apply Changes button to make the changes take effect.

Retire/unretire is to select/de-select which signatures are being used by IOS IPS to scan traffic.
Retiring a signature means IOS IPS will NOT compile that signature into memory for scanning.
Unretiring a signature instructs IOS IPS to compile the signature into memory and use the signature
to scan traffic.

Enable/disable does NOT select/de-select signatures to be used by IOS IPS.

Enabling a signature means that when triggered by a matching packet (or packet flow), the signature
takes the appropriate action associated with it. However, only unretired AND successfully compiled
signatures will take the action when they are enabled. In other words, if a signature is retired, even
though it is enabled, it will not be compiled (because it is retired) and it will not take the action
associated with it.

Disabling a signature means that when triggered by a matching packet (or packet flow), the
signature DOES NOT take the appropriate action associated with it. In other words, when a signature
is disabled, even though it is unretired and successfully compiled, it will not take the action
associated with it.


