SubSig IDs - What are the differences?

Mar 26th, 2007

What do the different SubSig IDs mean? Take SigID 5748 for example. There are SubSigs 0 - 3 for this SigID. I have started seeing quite a few of these in my event log. Most look to be SubSig ID 1 or 2, which are marked as informational, whereas SubSig ID 0 is marked as low. I am trying to understand if this is an issue to / from my mail servers or not. Do I simply need to tune things further to filter this out?

Is there a way to run a report or something to see how long a specific Sig ID has been firing?

edadios Mon, 03/26/2007 - 18:39

Signature 5748-0 is a meta engine signature.

Definition of Meta signature is here

5748-0 should fire after detecting traffic that matches the sequence of the subsigs 1-5 as defined in 5748-0.

Subsigs 1-5 are meta component signatures, and by default are configured to have no event action of their own, and should be left that way. This is because they are only looking for a very small subset of the main meta signature, and on their own could generate a lot of event alerts if set to produce alerts.

If you have changed the default action, you should revert them back to default.

Depending on whether the event log storage has wrapped, you would be able to use the IDM for 5.x or SDM for 6.x under Monitoring > Events to view whether the signature has fired for the time setting you set.

I hope this information helps you.
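An added example (Python, not from the thread or from Cisco) that models the behaviour edadios describes: the component subsignatures carry no event action by default, so they never appear as alerts on their own, and the meta signature 5748-0 fires only when one source/destination pair produces the whole component sequence inside a time window. The component list (1, 2, 3), the 30-second window, the in-order requirement and the sample event log are assumptions for illustration; the real definition lives in the sensor's signature package. The `firing_span` helper answers the second question in the post by reporting the first and last time each signature fired in the sample.

```python
"""Toy model of a Cisco IPS Meta engine signature (added example, not Cisco code).

Assumptions (not taken from the thread): signature 5748 is built from
component subsigs 1, 2 and 3, which must be seen in that order, from the
same source to the same destination, within WINDOW_SECONDS.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

META_SIG = 5748
COMPONENTS: Sequence[int] = (1, 2, 3)   # assumed component order
WINDOW_SECONDS = 30                     # assumed correlation window

# Event actions per (sig, subsig).  Only the meta signature itself alerts;
# the components have no action by default, as the answer above describes.
DEFAULT_ACTIONS: Dict[Tuple[int, int], Optional[str]] = {
    (META_SIG, 0): "produce-alert",
    (META_SIG, 1): None,
    (META_SIG, 2): None,
    (META_SIG, 3): None,
}

# Constructed sample event log: "<epoch-seconds> <sig> <subsig> <src> <dst>".
# Flow .5: components 1,2,3 in order within 12 s   -> meta signature fires.
# Flow .9: component 1 then 3 (out of order)       -> no fire.
# Flow .7: 1,2,3 in order but spread over 45 s     -> window expired, no fire.
SAMPLE_LOG = """
1000 5748 1 10.0.0.5 192.0.2.25
1005 5748 2 10.0.0.5 192.0.2.25
1012 5748 3 10.0.0.5 192.0.2.25
1100 5748 1 10.0.0.9 192.0.2.25
1200 5748 3 10.0.0.9 192.0.2.25
1300 5748 1 10.0.0.7 192.0.2.25
1310 5748 2 10.0.0.7 192.0.2.25
1345 5748 3 10.0.0.7 192.0.2.25
"""


@dataclass(frozen=True)
class Event:
    ts: int
    sig: int
    subsig: int
    src: str
    dst: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed whitespace-separated log format above."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, sig, subsig, src, dst = line.split()
        events.append(Event(int(ts), int(sig), int(subsig), src, dst))
    return events


def correlate(events: Sequence[Event],
              components: Sequence[int] = COMPONENTS,
              window: int = WINDOW_SECONDS,
              actions: Dict[Tuple[int, int], Optional[str]] = DEFAULT_ACTIONS
              ) -> List[Event]:
    """Return the alerts the sensor would emit: meta hits plus any component
    that has been given an event action of its own."""
    alerts: List[Event] = []
    # Per (src, dst): (index of next expected component, ts of first component).
    state: Dict[Tuple[str, str], Tuple[int, int]] = {}
    for ev in events:
        if ev.sig != META_SIG or ev.subsig not in components:
            continue
        # A component alerts on its own only if someone changed its default.
        if actions.get((ev.sig, ev.subsig)) is not None:
            alerts.append(ev)
        key = (ev.src, ev.dst)
        idx, start = state.get(key, (0, ev.ts))
        if idx > 0 and ev.ts - start > window:
            idx, start = 0, ev.ts           # sequence too slow; forget it
        if ev.subsig == components[idx]:
            if idx == 0:
                start = ev.ts               # first component opens the window
            idx += 1
        elif ev.subsig == components[0]:
            idx, start = 1, ev.ts           # out of order, but a fresh start
        else:
            idx = 0                         # out of order; wait for component 1
        if idx == len(components):
            if actions.get((META_SIG, 0)) is not None:
                alerts.append(Event(ev.ts, META_SIG, 0, ev.src, ev.dst))
            idx = 0
        state[key] = (idx, start)
    return alerts


def firing_span(events: Sequence[Event]) -> Dict[Tuple[int, int], Tuple[int, int]]:
    """First and last timestamp per (sig, subsig): how long has it been firing?"""
    span: Dict[Tuple[int, int], Tuple[int, int]] = {}
    for ev in events:
        first, last = span.get((ev.sig, ev.subsig), (ev.ts, ev.ts))
        span[(ev.sig, ev.subsig)] = (min(first, ev.ts), max(last, ev.ts))
    return span


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("default actions:", correlate(evs))
    noisy = {**DEFAULT_ACTIONS, (META_SIG, 1): "produce-alert"}
    print("component 1 given an action:", correlate(evs, actions=noisy))
    print("first/last seen:", firing_span(correlate(evs)))
```

With the defaults the sample produces a single 5748-0 alert; giving component 1 an action of its own adds one alert for every flow that merely started the sequence, which is the flood the answer warns about.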