Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Cisco Support Community site will be in read only mode on Dec14, 2017 from 12:01am PST to 11:30am for standard maintenance. Sorry for the inconvenience.

New Member

S300 Signature Set - Adds SigID 5874 - Appears to duplicate SigID 5873

The description is the same as well. Should this be a SubSig instead?

4 REPLIES
Gold

Re: S300 Signature Set - Adds SigID 5874 - Appears to duplicate

Neither of those sigs was added in S300. I'm not exactly sure which release included them orginally, but the readme's should tell you that. We can't see the regex because it's protected, but they likely aren't identical based on the clsid's contained in the alert notes.

Cisco Employee

Re: S300 Signature Set - Adds SigID 5874 - Appears to duplicate

They were both released originally in s290.

As of the S300 release, the regex are *not* hidden. They are both different clsids.

The signature description, while almost identical, differs by what clsid is called.

Where/how are you seeing that the sig is duplicated?

Gold

Re: S300 Signature Set - Adds SigID 5874 - Appears to duplicate

"As of the S300 release, the regex are *not* hidden. They are both different clsids."

I beg to differ. I have S300 installed and the regex is hidden...unless of course the actual regex is "********";-)

Cisco Employee

Re: S300 Signature Set - Adds SigID 5874 - Appears to duplicate

You're correct, it still shows up as hidden. We did actually unhide it (you can see that in the xml - easiest is in the CSM zip file for s300). I thought that the bug was fixed, but its not. CSCsj03949

the regex are as follows:

5873-0:

[Cc][Ll][Ss][Ii][Dd][:][{][eE][eE][eE]78591[-][fF][eE]22[-]11[dD]0[-]8[bB][eE][fF][-]0060081841[dD][eE]

5874-0:

[Cc][Ll][Ss][Ii][Dd][:][{]4[eE]3[dD]9[dD]1[fF][-]0[cC]63[-]11[D]1[-]8[bB][fF][bB][-]0060081841[dD][eE]

158
Views
4
Helpful
4
Replies
CreatePlease to create content