The meta engine allows us to group a number of signatures together, and if say all of them fire, then we fire the meta sig.
The component signatures of a meta-signature may or may not individually be malicious. We tend to leave them set to not produce an alert, and add the sig string info line of "component of...." so you have visibility to the fact that its a component sig.
So if you look at the -0 sig, it's written using the meta engine, and in order for -0 to fire, the individual components -1 thru -5 must all fire within 3 seconds.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...