Community Member

"component of" explanation

Why are some signatures a "component of" some other signature? Does this mean they depend on each other to work properly?

Example is Signature 5748/1

This is a component of meta signature 5748-0 and has no event actions of its own defined.

2 REPLIES
Cisco Employee

Re: "component of" explanation

Sort of...

The meta engine allows us to group a number of signatures together, and if say all of them fire, then we fire the meta sig.

The component signatures of a meta-signature may or may not individually be malicious. We tend to leave them set to not produce an alert, and add the sig string info line of "component of...." so you have visibility to the fact that it's a component sig.

So if you look at the -0 sig, it's written using the meta engine, and in order for -0 to fire, the individual components -1 thru -5 must all fire within 3 seconds.
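The correlation described in the reply above, as an added example that is not part of the original thread and is not Cisco's implementation: a simplified model in which 5748-0 fires only when components 5748-1 through 5748-5 have all fired within 3 seconds. Grouping hits by source address, resetting state after the meta sig fires, and every class, function and sample value here are assumptions made for illustration.

```python
from dataclasses import dataclass, field

COMPONENTS = frozenset(f"5748-{n}" for n in range(1, 6))  # -1 thru -5, per the reply

@dataclass
class MetaSignature:
    """Simplified model (hypothetical names): the meta sig fires once every
    component has fired for the same key within `window` seconds."""
    sig_id: str
    components: frozenset
    window: float = 3.0
    state: dict = field(default_factory=dict)  # key -> {component: last hit time}

    def observe(self, ts, component, key):
        """Record one component hit; return a meta alert dict or None.
        Component hits never alert on their own, as in the thread."""
        if component not in self.components:
            return None
        seen = self.state.setdefault(key, {})
        seen[component] = ts
        # Forget hits that have fallen out of the window.
        for comp in [c for c, t in seen.items() if ts - t > self.window]:
            del seen[comp]
        if set(seen) != self.components:
            return None
        del self.state[key]  # assumption: reset so one burst gives one alert
        return {"sig": self.sig_id, "key": key,
                "start": min(seen.values()), "end": ts}

def correlate(meta, events):
    """Feed (time, component, key) events in time order; collect meta alerts."""
    alerts = (meta.observe(ts, comp, key) for ts, comp, key in sorted(events))
    return [a for a in alerts if a]

# Constructed sample events: (seconds, component sig, source address used as key).
SAMPLE_EVENTS = (
    # All five components inside 3 seconds: the meta sig fires.
    [(t, f"5748-{n}", "10.0.0.5") for n, t in enumerate([0.0, 0.4, 1.1, 1.9, 2.6], 1)]
    # All five components seen, but spread over 4.5 seconds: no meta alert.
    + [(t, f"5748-{n}", "10.0.0.9") for n, t in enumerate([0.0, 1.0, 2.0, 2.5, 4.5], 1)]
    # Only two components ever fire: no meta alert, and no component alerts either.
    + [(0.2, "5748-1", "10.0.0.7"), (0.9, "5748-3", "10.0.0.7")]
)

if __name__ == "__main__":
    for alert in correlate(MetaSignature("5748-0", COMPONENTS), SAMPLE_EVENTS):
        print(alert)
```
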

Community Member

Re: "component of" explanation

Great, thanks. Makes sense.
