Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Lost SIG3000

I've been changed the severity level of the signature 3000 from medium to low. After the Sensor Update I've lost the signature on the CSPM, however, it's fire, and the severity level didn't change! How can I get back my Sig3000? Should I update my Signature version?

Configuration: CSPM 2.3.3 S10; IDS Sensor 3.0 S10

Thx

Eper

CSPM 2.3.3 S10; IDS Sensor 3.0 S10

2 REPLIES
Cisco Employee

Re: Lost SIG3000

The "3000" signature is just a place holder for it's sub signatures which are TCP connections.

These TCP connections can each have a different severity level configured for them in CSPM.

Because the 3000 signature is just a place holder, it is not configurable in CSPM.

Instead CSPM will automatically set it's severity to the highest severity set for any of it's TCP Connection sub signatures.

If you look in the /usr/nr/etc/packetd.conf file on your sensor you should see the "3000" signature with a severity matching the highest severity set for any of the SigOfTcpPacket configuration lines.

This differs from the Unix Director, where the "3000" signature could be independantly set regardless of what the subsignatures were set to, but this lead to confusion for users of the Unix DIrector so it was changed in CSPM.

NOTE: The 4000, 8000, and 10000 signatures are also treated the same way because each have subsignatures that can be independantly set.

New Member

Re: Lost SIG3000

OK! I understand it now! Thank you!

Eper

90
Views
0
Helpful
2
Replies
CreatePlease login to create content