Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Alarm 8000

I have an sensor that is firing alarm 8000 with a subsig id of 51314. I am

unable to locate this subsig in the CSIDS Signature Encyclopedia. Can anyone tell me what this subsig is???

  • Other Security Subjects
1 REPLY
Cisco Employee

Re: Alarm 8000

The 8000 signature is the Custom String Match signature.

The SubSigID is a user generated ID. A SubSigID is assigned to each custom string being searched for.

The sensor is configured by default with some example custom strings, but 51314 was not one of these example strings.

So more than likely another employee created a custom string.

To determine what the custom string is you can look in the packetd.conf file.

Example:

RecordOfStringName 51301 513 3 1 "IFS[= ]+[/]"

RecordOfStringName 51302 513 1 1 "[/]etc[/]shadow"

RecordOfStringName 51303 513 1 1 "[+][ ]+[+]"

You would need to look at what your 51314 is looking for, and ask around your office to see who created it and why.

85
Views
0
Helpful
1
Replies
This widget could not be displayed.