Security monitor NSDB link looks up wrong sigsubid

MARK BAKER
Level 4

I found that when I use security monitor to look up the explanation of a signature event, it always looks up the signature with subid of 0, even if the actual subid is something else.

Example below:

http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=3327&signatureSubId=0

The actual subid of this event as seen using IDM is subid=6

This is very misleading because in the example above subid=0 has no known benign triggers, but subid=6 does have reported false positives. Until I happened to use the IDM event viewer and saw the actual subid, I could only conclude that this was likely malicious activity. This wouldn't be as bad if the detail pane of security monitor listed the subid, but it doesn't. It only has the base id of the signature.

Has anyone else seen this and know of a way to correct it? I don't want to have to use IDM to verify the subid for every alert.

Thank you,

Mark


a-vazquez
Level 6

The user will see duplicate names for sub-signatures with the same General Signature parent.

This defect will occur for the few sub-signatures whose parent General signatures have two or more sub-signatures.

It occurs because the sub-signature inherits its name from its General signature parent.

There is currently no workaround to display unique sub-signature names and the NSDB does not provide information that allows the user to identify the sub-signature by sub-sig ID.

Thank you. That did answer my question. Unfortunately the bug has not been resolved.

Thanks,

Mark

Mark,

There is a temporary patch out but you will need to contact Cisco TAC. It will probably be included in the next SecMon update.
