Updated HIPS 8 Query: How to query the ePolicy Orchestrator database for Host Intrusion Prevention 8.0 content signatures with CVE numbers

Version 2

    I updated the Query as found for HIPS7 and thought I would share with everyone.

     

    Jay

    Summary

    Perform these steps in this article to run a SQL query against the ePO server database to obtain a list of the current Host IPS content signatures checked in to the ePO repository.
    Intel Security recommends that you back up the SQL database before running any queries or updates against it. This query does not change data but extracts existing data from the SQL database.

     

     

    Solution

    Perform the following steps to query the ePO database for Host IPS content signatures:

    NOTE:
    This solution is intended for ePO 4.x versions.

    1. Open SQL Server Query Analyzer or SQL Server Management Studio.

    2. Click New Query button.
    3. Select the ePO_servername database name from the drop down list, to the left of the Execute button on the SQL Management Studio toolbar.

    4. Copy and paste the following SQL statement into the query window. SQL query is also attached for your convenience.

    5. Click the Execute button.

     

         6. Click the block in the upper left corner.

         7. Click Save Results As... a Text (Tab delimited file) or CSV file.

    8. Open the file up in Excel.

     

    You can view the results file in Microsoft Word or import it to Microsoft Excel.

    • SignatureTypeID = Platform

      1 = Windows
      2 = Solaris
      3 = Linux
    • Category = Signature Type

      0 = Host Intrusion Prevention signature
      1 = Network IPS signature
    • IsLogEnabled = Log Status

      0 = Disabled
      1 = Enabled
    • IsCreateLocalExEnabled = Allow Client Rules

      0 = Disabled
      1 = Enabled
    • SeverityLevel = Signature Severity Level

      4 = High
      3 = Medium
      2 = Low
      1 = Informational
      0 = Disabled

       

    • CVECode = Link to applicable CVE Vulnerability ID
    • _versionNo = N/A Not Applicable
    • MinContentVersion = Content version build introduced (round up to the next public content build release)

    • IsDeleted = Mandatory disabled. Signature cannot be enabled.
    • SignatureName = Signature Name
    • SignatureDesc = Signature Description

     

     

    SQL Query for HIPS 8

    Copy query below this line..............

     

    SELECT

    sig.SignatureID,

    sig.SignatureTypeID,

    sig.Category,

    sig.IsLogEnabled,

    sig.IsCreateLocalExEnabled,

    sig.SeverityLevel,

    sig.CVECode,

    sig._versionNo,

    sig.MinContentVersion,

    sig.IsDeleted,

    sigName.SignatureName as SignatureName,

    sigDesc.TextValue as SignatureDesc

     

    FROM

    HIP8_Signature as sig

    LEFT JOIN HIP8_SigNameXlate as sigName ON sig.SignatureID=sigName.SignatureID and sigName.LanguageID=1033

    LEFT JOIN HIP8_LongTextXlate as sigDesc ON sig.SignatureID=sigDesc.KeyID and sigDesc.KeyType='SD' and sigDesc.LanguageID=1033

     

    This document was generated from the following discussion: The specified item was not found.