Cisco Support Community

New Member

Filter Signature which is part of a Meta-Signature

What happens to a Meta-Signature if I filter out a single signature within that Meta-signature? Does the Meta-sig still fire or no? I don't want to filter out a signature if it's going to prevent the Meta-sig from firing, but I also would like to clean up false positives in VMS.

Any advice or help in this area would be appreciated…


Re: Filter Signature which is part of a Meta-Signature

Depending on how you configure your meta signature, you can remove the individual signature from the meta signature and then disable it or stop it from logging. Your meta signature will still fire based on the other signatures remaining and according to the way it is configured (i.e. order, time, etc.).

I hope it helps ... please rate it if it does!!!

New Member

Re: Filter Signature which is part of a Meta-Signature

It kind of helps... I was talking more about the canned meta-signatures and how they would or would not be affected.

Does anyone know of or have a Cisco IDS/IPS signature matrix which may include basic Meta-Sigs?

New Member

Re: Filter Signature which is part of a Meta-Signature

Hi rcavel1234:

The metasignature only fires if all the signatures in the set happen.

If only one signature happens and you have filtered this one, it is not shown in the log and does not fire the meta because the other signatures didn't happen.

For example, if you create a metasign that fires when sig 2004 and 2000 happen, and then filter out (action none) both of them, the log only shows the metasign if both conditions happen but doesn't show the event if only one of them happens.

I've just tested it!

I hope this helps you.

Alberto Giorgi from Spain (new kid on this block)