Is this maybe a summary alert you are seeing and trying to filter? When I look at 5591-1 off a 5.1.5 s278 sensor (default settings), I see the following in the alert:
signature: description=SMB: Windows Share Enumeration id=5591 version=S262
subsigId: 1
sigDetails: SMB: Windows Share Enumeration
interfaceGroup:
vlan: 0
participants:
attacker:
addr: locality=OUT 171.71.84.149
port: 445
target:
addr: locality=OUT 10.25.80.156
port: 10166
Can you provide cli output of the alert you are using to attempt to create a filter. If you'd rather not paste that into the forum, you can send it direct to me at wsulym@cisco.com