Security monitor NSDB link looks up wrong sigsubid

I found that when I use Security Monitor to look up the explanation of a signature event, it always looks up the signature with a subid of 0, even if the actual subid is something else.

Example below:

http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=3327&signatureSubId=0

The actual subid of this event as seen using IDM is subid=6

This is very misleading because in the example above subid=0 has no known benign triggers, but subid=6 does have reported false positives. Until I happened to use the IDM event viewer and saw the actual subid, I could only conclude that this was likely malicious activity. This wouldn't be as bad if the detail pane of Security Monitor listed the subid, but it doesn't. It only has the base id of the signature.

Has anyone else seen this, and does anyone know of a way to correct it? I don't want to have to use IDM to verify the subid for every alert.

Thank you,

Mark
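The point of the post above is that a signature is identified by the pair (signatureId, signatureSubId), and that a lookup or triage keyed on the base id alone silently collapses distinct sub-signatures onto subid 0. The following Python is an added example, not code from the thread or from Cisco: it parses a constructed event record format (the comma-separated layout is an assumption for this example), builds the NSDB link with the full identity using the URL pattern quoted in the post, and shows how counting by base id hides the sub-signature that the reported false positives belong to.

```python
"""Added example (not from the thread): NSDB lookups and alert counts keyed
on the full (signatureId, signatureSubId) pair versus the base id alone.
The event line format is constructed for this example; the NSDB URL pattern
is the one quoted in the post."""
from collections import Counter
from urllib.parse import urlencode

NSDB_BASE = "http://tools.cisco.com/MySDN/Intelligence/viewSignature.x"

# Constructed sample events: "timestamp,sigId,subSigId,src,dst"
SAMPLE_EVENTS = """\
2024-01-01T10:00:00Z,3327,6,10.0.0.5,10.0.0.9
2024-01-01T10:00:02Z,3327,0,10.0.0.7,10.0.0.9
2024-01-01T10:00:05Z,3327,6,10.0.0.5,10.0.0.9
"""

# Analyst notes keyed on the FULL identity. The content restates what the
# post says about 3327/6 and 3327/0; the dictionary itself is constructed.
ANALYST_NOTES = {
    (3327, 6): "reported false positives; verify before escalating",
}


def parse_event(line):
    """Split one constructed event line into its fields."""
    ts, sig_id, sub_id, src, dst = line.strip().split(",")
    return {"ts": ts, "sig_id": int(sig_id), "sub_id": int(sub_id),
            "src": src, "dst": dst}


def parse_events(text):
    """Parse every non-empty line of a constructed event dump."""
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def nsdb_url(sig_id, sub_id):
    """Build the NSDB link with the event's actual sub-signature id."""
    return NSDB_BASE + "?" + urlencode(
        {"signatureId": sig_id, "signatureSubId": sub_id})


def nsdb_url_base_only(sig_id):
    """Reproduce the lookup the post describes: subid is always 0."""
    return nsdb_url(sig_id, 0)


def count_by_full_id(text):
    """Alert volume per (sigId, subSigId): sub-signatures stay distinct."""
    return Counter((e["sig_id"], e["sub_id"]) for e in parse_events(text))


def count_by_base_id(text):
    """Alert volume per base sigId only: sub-signatures are merged."""
    return Counter(e["sig_id"] for e in parse_events(text))


def analyst_note(event, use_full_id=True):
    """Look up the analyst note for an event. With use_full_id=False the
    subid is dropped, which is the failure mode the post reports."""
    key = (event["sig_id"], event["sub_id"] if use_full_id else 0)
    return ANALYST_NOTES.get(key)


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_EVENTS):
        print(ev["ts"], nsdb_url(ev["sig_id"], ev["sub_id"]),
              analyst_note(ev) or "no note")
    print("by full id :", dict(count_by_full_id(SAMPLE_EVENTS)))
    print("by base id :", dict(count_by_base_id(SAMPLE_EVENTS)))
```

Running it shows three events split as two for 3327/6 and one for 3327/0 when keyed on the full identity, but a single bucket of three when keyed on the base id; the analyst note attached to 3327/6 is only found when the subid is kept.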


Re: Security monitor NSDB link looks up wrong sigsubid

The user will see duplicate names for sub-signatures with the same General Signature parent.

This defect will occur for the few sub-signatures whose parent General signatures have two or more sub-signatures.

It occurs because the sub-signature inherits its name from its General signature parent.

There is currently no workaround to display unique sub-signature names and the NSDB does not provide information that allows the user to identify the sub-signature by sub-sig ID.


Re: Security monitor NSDB link looks up wrong sigsubid

Thank you. That did answer my question. Unfortunately the bug has not been resolved.

Thanks,

Mark


Re: Security monitor NSDB link looks up wrong sigsubid

Mark,

There is a temporary patch out, but you will need to contact Cisco TAC. It will probably be included in the next SecMon update.
