Lost SIG3000

teperjesi
Level 1

I've changed the severity level of signature 3000 from medium to low. After the Sensor Update I've lost the signature on the CSPM; however, it fires, and the severity level didn't change! How can I get back my Sig3000? Should I update my Signature version?

Configuration: CSPM 2.3.3 S10; IDS Sensor 3.0 S10

Thx

Eper

2 Replies

marcabal
Cisco Employee

The "3000" signature is just a placeholder for its sub signatures, which are TCP connections.

These TCP connections can each have a different severity level configured for them in CSPM.

Because the 3000 signature is just a placeholder, it is not configurable in CSPM.

Instead CSPM will automatically set its severity to the highest severity set for any of its TCP Connection sub signatures.

If you look in the /usr/nr/etc/packetd.conf file on your sensor you should see the "3000" signature with a severity matching the highest severity set for any of the SigOfTcpPacket configuration lines.

This differs from the Unix Director, where the "3000" signature could be independently set regardless of what the subsignatures were set to, but this led to confusion for users of the Unix Director so it was changed in CSPM.

NOTE: The 4000, 8000, and 10000 signatures are also treated the same way because each has subsignatures that can be independently set.

OK! I understand it now! Thank you!

Eper
