https://community.cisco.com/t5/network-security/security-monitor-nsdb-link-looks-up-wrong-sigsubid/m-p/584332#M90328 <P>I found that when I use security monitor to lookup the explanation of a signature event that it always looks up the signature with subid of 0 even if the actual subid is something else.</P><P></P><P>Example below:</P><P></P><P><A class="jive-link-custom" href="http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=3327&amp;signatureSubId=0" target="_blank">http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=3327&amp;signatureSubId=0</A></P><P></P><P>The actual subid of this event as seen using IDM is subid=6</P><P></P><P>This is very misleading because in the example above subid=0 has no known benign triggers, but subid=6 does have reported false positives. Until I happened to use the IDM event viewer and saw the actual subid, I could only conclude that this was likely malicious activity. This wouldn't be as bad if the detail pain of security monitor listed the subid, but it doesn't. It only has the base id of the signature.</P><P></P><P>Has anyone else seen this and know of a way to correct it? I don't want to have to use IDM to verify the subid for every alert.</P><P></P><P>Thank you,</P><P></P><P>Mark</P> Sun, 10 Mar 2019 09:55:20 GMT MARK BAKER 2019-03-10T09:55:20Z https://community.cisco.com/t5/network-security/security-monitor-nsdb-link-looks-up-wrong-sigsubid/m-p/584332#M90328 <P>I found that when I use security monitor to lookup the explanation of a signature event that it always looks up the signature with subid of 0 even if the actual subid is something else.</P><P></P><P>Example below:</P><P></P><P><A class="jive-link-custom" href="http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=3327&amp;signatureSubId=0" target="_blank">http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=3327&amp;signatureSubId=0</A></P><P></P><P>The actual subid of this event as seen using IDM is subid=6</P><P></P><P>This is very misleading because in the example above subid=0 has no known benign triggers, but subid=6 does have reported false positives. Until I happened to use the IDM event viewer and saw the actual subid, I could only conclude that this was likely malicious activity. This wouldn't be as bad if the detail pain of security monitor listed the subid, but it doesn't. It only has the base id of the signature.</P><P></P><P>Has anyone else seen this and know of a way to correct it? I don't want to have to use IDM to verify the subid for every alert.</P><P></P><P>Thank you,</P><P></P><P>Mark</P> Sun, 10 Mar 2019 09:55:20 GMT https://community.cisco.com/t5/network-security/security-monitor-nsdb-link-looks-up-wrong-sigsubid/m-p/584332#M90328 MARK BAKER 2019-03-10T09:55:20Z https://community.cisco.com/t5/network-security/security-monitor-nsdb-link-looks-up-wrong-sigsubid/m-p/584333#M90329 <HTML><HEAD></HEAD><BODY><P>The user will see duplicate names for sub-signatures with the same General Signature parent.</P><P></P><P>This defect will occur for the few sub-signatures whose parent General signatures have two or more sub-signatures.</P><P></P><P>It occurs because the sub-signature inherits its name from its General signature parent.</P><P></P><P>There is currently no workaround to display unique sub-signature names and the NSDB does not provide information that allows the user to identify the sub-signature by sub-sig ID.</P><P></P></BODY></HTML> Tue, 14 Mar 2006 15:31:34 GMT https://community.cisco.com/t5/network-security/security-monitor-nsdb-link-looks-up-wrong-sigsubid/m-p/584333#M90329 a-vazquez 2006-03-14T15:31:34Z https://community.cisco.com/t5/network-security/security-monitor-nsdb-link-looks-up-wrong-sigsubid/m-p/584334#M90331 <HTML><HEAD></HEAD><BODY><P>take note of:</P><P></P><P><A class="jive-link-custom" href="http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddae323" target="_blank">http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=Intrusion%20Prevention%20Systems/IDS&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddae323</A></P><P></P><P>If it helps, rate the post</P></BODY></HTML> Wed, 26 Apr 2006 08:18:42 GMT https://community.cisco.com/t5/network-security/security-monitor-nsdb-link-looks-up-wrong-sigsubid/m-p/584334#M90331 darin.marais 2006-04-26T08:18:42Z https://community.cisco.com/t5/network-security/security-monitor-nsdb-link-looks-up-wrong-sigsubid/m-p/584335#M90332 <HTML><HEAD></HEAD><BODY><P>Thank you. That did answer my question. Unfortunately the bug has not been resolved.</P><P></P><P>Thanks,</P><P></P><P>Mark</P></BODY></HTML> Wed, 26 Apr 2006 11:46:16 GMT https://community.cisco.com/t5/network-security/security-monitor-nsdb-link-looks-up-wrong-sigsubid/m-p/584335#M90332 MARK BAKER 2006-04-26T11:46:16Z https://community.cisco.com/t5/network-security/security-monitor-nsdb-link-looks-up-wrong-sigsubid/m-p/584336#M90333 <HTML><HEAD></HEAD><BODY><P>Mark, </P><P></P><P>There is a temporary patch out but you will need to contact Cisco TAC. It will probably be included in the next SecMon update.</P></BODY></HTML> Thu, 27 Apr 2006 07:46:27 GMT https://community.cisco.com/t5/network-security/security-monitor-nsdb-link-looks-up-wrong-sigsubid/m-p/584336#M90333 darin.marais 2006-04-27T07:46:27Z