S300 Signature Set - Adds SigID 5874 - Appears to duplicate SigID 5873

Sep 6th, 2007

The description is the same as well. Should this be a SubSig instead?

mhellman Thu, 09/06/2007 - 10:22

Neither of those sigs was added in S300. I'm not exactly sure which release included them originally, but the readmes should tell you that. We can't see the regex because it's protected, but they likely aren't identical based on the clsids contained in the alert notes.

wsulym Thu, 09/06/2007 - 10:30

They were both released originally in s290.

As of the S300 release, the regex are *not* hidden. They are both different clsids.

The signature description, while almost identical, differs by what clsid is called.

Where/how are you seeing that the sig is duplicated?

mhellman Thu, 09/06/2007 - 10:51

"As of the S300 release, the regex are *not* hidden. They are both different clsids."

I beg to differ. I have S300 installed and the regex is hidden...unless of course the actual regex is "********";-)

wsulym Fri, 09/07/2007 - 12:09

You're correct, it still shows up as hidden. We did actually unhide it (you can see that in the xml - easiest is in the CSM zip file for s300). I thought that the bug was fixed, but it's not. CSCsj03949

The regex are as follows:





