I am trying to understand how signatures work on the network security manager. I am looking at the signature for the Microsoft Windows DirectShow insecure library loading (in or outbound)
CVE-2011-0032
What's happening is: I'm currently having multiple WS being alerted on this traffic, BUT I don't understand how the signature is laid out.
For the signature set #6, it has 3 different signatures, all with "AND THEN". I don't understand the AND THEN part of it. The reason is that one packet that I exported ONLY shows me hitting the third row for that signature exactly (but the AND THEN makes it look like that signature needs to hit all three hex values in one packet).