https://community.cisco.com/t5/network-security/subsig-ids-what-is-the-differences/m-p/731012#M87164 <P>What do the different SubSig IDs mean. Take SisID 5748 for example. There are SubSigs 0 - 3 for this SigID. I have started seeing quite a few of these in my event log. Most look to be SubSig ID 1 or 2 which are marked as informational where as the SubSig ID 0 is marked as low. I am trying to understand if this is an issue to / from my mail servers or not. Do I simply need to tune things further to filter out this? </P><P></P><P>Is there a way to run a report or something to see how long a specific Sig ID has been firing? </P> Sun, 10 Mar 2019 10:32:01 GMT bberry 2019-03-10T10:32:01Z https://community.cisco.com/t5/network-security/subsig-ids-what-is-the-differences/m-p/731012#M87164 <P>What do the different SubSig IDs mean. Take SisID 5748 for example. There are SubSigs 0 - 3 for this SigID. I have started seeing quite a few of these in my event log. Most look to be SubSig ID 1 or 2 which are marked as informational where as the SubSig ID 0 is marked as low. I am trying to understand if this is an issue to / from my mail servers or not. Do I simply need to tune things further to filter out this? </P><P></P><P>Is there a way to run a report or something to see how long a specific Sig ID has been firing? </P> Sun, 10 Mar 2019 10:32:01 GMT https://community.cisco.com/t5/network-security/subsig-ids-what-is-the-differences/m-p/731012#M87164 bberry 2019-03-10T10:32:01Z https://community.cisco.com/t5/network-security/subsig-ids-what-is-the-differences/m-p/731013#M87165 <HTML><HEAD></HEAD><BODY><P>Signature 5748-0 is a meta engine signature.</P><P>Definition of Meta signature is here </P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/idmguide/dmsigeng.htm#wp1040063" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids13/idmguide/dmsigeng.htm#wp1040063</A></P><P></P><P>5748-0 should fire after detecting traffic that matches the sequence of the subsigs 1-5 as defined in 5748-0. </P><P></P><P>Subsigs 1-5 are meta component signatures, and by default configured to have no event action of their on, and should be left that way. This is because they are only looking for a very small subset of the main meta signature, and on their own could generate a lot of event alerts if set to produce alert.</P><P></P><P>If you have changed the default action, you should revert them back to default. </P><P></P><P>Depending on whether the event log storage has wrapped, you would be able to use the IDM for 5.x or SDM for 6.x using &gt;monitoring&gt;events to view if the signature has fired for the time setting you set.</P><P></P><P>I hope this information helps you.</P></BODY></HTML> Tue, 27 Mar 2007 01:39:13 GMT https://community.cisco.com/t5/network-security/subsig-ids-what-is-the-differences/m-p/731013#M87165 edadios 2007-03-27T01:39:13Z