Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

signatures with event level 0

Hi, in the recent signature updates, there are quite a few signatures with event level set to 0. I found that activities which trigger signatures 3216, 5081 etc would generally also trigger these new signatures eg 5249, 5250, 5256? I wish to understand why the level is set to 0, and what is the best way to handle them. Thanks.

Cisco Employee

Re: signatures with event level 0

Level 0 is an internal alarm that packetd uses to track such services as RIP, ICMP, and so on; it is never routed to postofficed.

Level 0 is also used to disable a signature.




Re: signatures with event level 0

5249, 5250, 5256 were shipped disabled by default (set to level 0). This was done to reduce the number of alarms that will likely be produced by these signatures. This is particularly true in environments with Nimda worm activity (ala signature 5081). The signatures were included to provide additional signature coverage at the discretion of the administrator. 5256 and 3216 do overlap ('../' vs '../..') in coverage, so you could disable 3216 and enable 5256 to gain additional coverage with the more liberal regex pattern. 5249 and 5250 look for the double decoding of HTTP characters in a URI. This is another technique employed by the Nimda virus and others.

New Member

Re: signatures with event level 0

Thanks to both of you for the clear and detail explainations.

CreatePlease to create content