08-29-2008 07:23 AM - edited 03-10-2019 04:16 AM
Why are some signatures a "component of" some other signature. Does this mean they depend on each other to work properly?
Example is Signature 5748/1
This is a component of meta signature 5748-0 and has no event actions of its own defined..
08-29-2008 08:28 AM
Sortof...
The meta engine allows us to group a number of signatures together, and if say all of them fire, then we fire the meta sig.
The component signatures of a meta-signature may or may not individually be malicious. We tend to leave them set to not produce an alert, and add the sig string info line of "component of...." so you have visibility to the fact that its a component sig.
So if you look at the -0 sig, it's written using the meta engine, and in order for -0 to fire, the individual components -1 thru -5 must all fire within 3 seconds.
08-29-2008 11:13 AM
Great thanks.. makes sense
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: