Cisco Support Community
New Member

SubSig IDs - What are the differences?

What do the different SubSig IDs mean? Take SigID 5748 for example. There are SubSigs 0 - 3 for this SigID. I have started seeing quite a few of these in my event log. Most look to be SubSig ID 1 or 2, which are marked as informational, whereas SubSig ID 0 is marked as low. I am trying to understand if this is an issue to / from my mail servers or not. Do I simply need to tune things further to filter this out?

Is there a way to run a report or something to see how long a specific Sig ID has been firing?

Cisco Employee

Re: SubSig IDs - What are the differences?

Signature 5748-0 is a meta engine signature.

Definition of Meta signature is here

5748-0 should fire after detecting traffic that matches the sequence of the subsigs 1-5 as defined in 5748-0.

Subsigs 1-5 are meta component signatures, and by default are configured to have no event action of their own, and should be left that way. This is because they are only looking for a very small subset of the main meta signature, and on their own could generate a lot of event alerts if set to produce alerts.

If you have changed the default action, you should revert them back to default.

Depending on whether the event log storage has wrapped, you would be able to use the IDM for 5.x or the SDM for 6.x, under Monitoring > Events, to view whether the signature has fired within the time range you set.

I hope this information helps you.
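To make the reply above concrete, here is an added Python example (not code from the original thread, and not Cisco's meta engine) that replays a constructed set of component alerts and shows when a meta signature such as 5748-0 would fire: only when the full ordered component sequence 5748-1 through 5748-5 is seen between the same attacker/victim pair inside a reset window. It also builds the first-seen/last-seen report the original poster asked for from the same event list. The event format, the 60-second reset interval, the per-address-pair tracking and the "all components, in order" rule are assumptions made for the illustration; real sensors export events as SDEE/XML and have their own meta-engine parameters.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample alerts (not real sensor output). Fields:
# (timestamp, attacker, victim, sig_id, subsig_id). Subsigs 1-5 are assumed
# here to be the ordered components of meta signature 5748-0.
SAMPLE_EVENTS = [
    # flow A: the complete component sequence within a minute -> meta should fire
    ("2012-03-01 10:00:01", "198.51.100.7", "192.0.2.25", 5748, 1),
    ("2012-03-01 10:00:02", "198.51.100.7", "192.0.2.25", 5748, 2),
    ("2012-03-01 10:00:04", "198.51.100.7", "192.0.2.25", 5748, 3),
    ("2012-03-01 10:00:05", "198.51.100.7", "192.0.2.25", 5748, 4),
    ("2012-03-01 10:00:09", "198.51.100.7", "192.0.2.25", 5748, 5),
    # flow B: only the first two components (the informational noise the poster sees)
    ("2012-03-01 10:03:10", "203.0.113.9", "192.0.2.25", 5748, 1),
    ("2012-03-01 10:03:11", "203.0.113.9", "192.0.2.25", 5748, 2),
    ("2012-03-01 10:05:40", "203.0.113.9", "192.0.2.25", 5748, 1),
    # flow C: all five components, but spread wider than the reset interval
    ("2012-03-01 11:00:00", "192.0.2.80", "192.0.2.25", 5748, 1),
    ("2012-03-01 11:00:30", "192.0.2.80", "192.0.2.25", 5748, 2),
    ("2012-03-01 11:02:00", "192.0.2.80", "192.0.2.25", 5748, 3),
    ("2012-03-01 11:03:30", "192.0.2.80", "192.0.2.25", 5748, 4),
    ("2012-03-01 11:05:00", "192.0.2.80", "192.0.2.25", 5748, 5),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


@dataclass(frozen=True)
class MetaSignature:
    sig_id: int
    subsig_id: int
    components: tuple          # ordered (sig_id, subsig_id) pairs that must all be seen
    reset_interval: timedelta  # assumed window in which the whole sequence must complete


# Assumed definition of 5748-0: components 5748-1 .. 5748-5, in order, within 60 s.
META_5748_0 = MetaSignature(5748, 0, tuple((5748, n) for n in range(1, 6)),
                            timedelta(seconds=60))


def correlate(events, meta):
    """Replay component alerts and return the (timestamp, attacker, victim)
    tuples at which the meta signature would fire. Progress is tracked per
    attacker/victim pair; a partial sequence older than reset_interval is
    discarded, so isolated component hits never produce a meta alert."""
    progress = {}  # (attacker, victim) -> (next_component_index, window_start)
    fired = []
    for ts_s, src, dst, sig, sub in sorted(events, key=lambda e: parse_ts(e[0])):
        ts = parse_ts(ts_s)
        key = (src, dst)
        idx, start = progress.get(key, (0, ts))
        if idx and ts - start > meta.reset_interval:
            idx, start = 0, ts  # stale partial match: start over
        if (sig, sub) == meta.components[idx]:
            if idx == 0:
                start = ts      # first component opens the window
            idx += 1
            if idx == len(meta.components):
                fired.append((ts_s, src, dst))
                idx = 0
        progress[key] = (idx, start)
    return fired


def firing_report(events, sig_id):
    """Per-subsig (first_seen, last_seen, count) for one signature ID: the
    'how long has this been firing' view from an exported event list.
    Timestamps are fixed-width strings, so lexical min/max is chronological."""
    report = {}
    for ts_s, _src, _dst, sig, sub in events:
        if sig != sig_id:
            continue
        first, last, n = report.get(sub, (ts_s, ts_s, 0))
        report[sub] = (min(first, ts_s), max(last, ts_s), n + 1)
    return report


if __name__ == "__main__":
    for ts, src, dst in correlate(SAMPLE_EVENTS, META_5748_0):
        print(f"{ts} meta 5748-0 fired for {src} -> {dst}")
    for sub, (first, last, n) in sorted(firing_report(SAMPLE_EVENTS, 5748).items()):
        print(f"5748-{sub}: {n} events, first {first}, last {last}")
```

Running it shows the point of the reply: the component subsigs 1 and 2 from flow B and the slow sequence in flow C produce plenty of informational component hits but no meta alert; only flow A, which completes the whole sequence inside the window, would raise 5748-0. Enabling event actions on the components would turn every one of those partial hits into an alert.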
