"component of" explaination

Unanswered Question
Aug 29th, 2008

Why are some signatures a "component of" some other signature. Does this mean they depend on each other to work properly?

Example is Signature 5748/1

This is a component of meta signature 5748-0 and has no event actions of its own defined..

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
wsulym Fri, 08/29/2008 - 08:28


The meta engine allows us to group a number of signatures together, and if say all of them fire, then we fire the meta sig.

The component signatures of a meta-signature may or may not individually be malicious. We tend to leave them set to not produce an alert, and add the sig string info line of "component of...." so you have visibility to the fact that its a component sig.

So if you look at the -0 sig, it's written using the meta engine, and in order for -0 to fire, the individual components -1 thru -5 must all fire within 3 seconds.


This Discussion