Filter Signature which is part of a Meta-Signature

rcave1234 · ‎05-02-2006

What happens to a Meta-Signature if I filter out a single signature within that Meta-signature? Does the Meta-sig still fire or no? I don't want to filter out a signature if it's going to prevent the Meta-sig from firing but I also would like to clean up false positives in VMS..

Any advise or help in this area would be appreciated…

Fernando_Meza · ‎05-02-2006

Depending of how you configure your meta signature .. you can remove the individual signature from the meta signature and then disable it or stop it from logging. Your metasignature will still fire based on the other signatures remaining and according to the way it is configured ( i.e order, time ..etc ).

I hope it helps ... pl;ease rate it if it does !!!

rcave1234 · ‎05-03-2006

It kind of helps... I was talking more about the canned meta-signatures and how they would or would not be affected.

Does anyone know of or have a Cisco IDS/IPS signature matrix which may include basic Meta-Sigs?

a.giorgi · ‎05-03-2006

Hi rcavel1234:

The metasignature only fire if all the signatures in the set happen..

If only one signature happen and you have filtered this one It is not show in the log and do not fire the meta because the other signatures doesn't happened.

For example if you create a metasign that fire when sig 2004 and 2000 happen, and then filter out (action none) both of them the log only show the metasign if both conditions happen but doesn't show the event if only one of them happen.

I've just test it!

I hope this help to you

Alberto Giorgi from spain (new kid on this block)