Question about Signature KB Article


I have some questions about this KB Article:

https://kc.mcafee.com/corporate/index?page=content&id=KB55119

It states that in the "SignatureTypeID" field, that 1=windows, 2=solaris, and 3= linux. When I run the query, I have some that are 4. What does the number 4 correspond to in the SignatureTypeID field?

It also states that in the "Category" field, that 0= HIPS, 1= NIPS. When I run the query, I have some that are 2. What does the number 2 correspond to in the Category field?

Thanks in advance if anyone knows.

Accepted Solutions
McAfee Employee
Message 2 of 4

Re: Question about Signature KB Article


SignatureTypeID 4 are for disabled signatures no longer applicable to the product.

Examples:

SignatureID  SignatureTypeID  IsDeleted  SignatureName
1901         4                1          Link to dev
1902         4                1          Program Execution with Binary Arguments
1903         4                1          Link to Critical System File Created


"Category 2" is custom IPS Signatures 4000-5999.

Re: Question about Signature KB Article

Thank you.

Level 9
Message 4 of 4

Re: Question about Signature KB Article


For anyone that doesn't want to do the definition conversion (i.e. 1 = windows, etc.) after they export the signatures from the database, I've gone ahead and created a query that will do it for you. So you have your signature export and your conversion in one step. I hate doing things twice. I've also created a few other queries for additional uses, which may work for someone else.

NOTE: The below queries will only work for those running HIPS 8.x

=============================
BEGIN QUERY - all signatures w/ conversion
=============================

select
    case [SeverityLevel]
        when 4 then 'HIGH'
        when 3 then 'MED'
        when 2 then 'LOW'
        when 1 then 'INFO'
        else 'DISABLED'
    end as SeverityLevel,
    sig.SignatureID,
    case [SignatureTypeID]
        when 1 then 'Windows'
        when 2 then 'Solaris'
        when 3 then 'Linux'
        else 'Other'
    end as SigPlatform,
    sigName.SignatureName as SignatureName,
    sig.MinContentVersion,
    case [Category]
        when 0 then 'HIPS'
        when 1 then 'NIPS'
        when 2 then 'CUSTOM'
        else 'Other'
    end as Category,
    case [IsLogEnabled]
        when 0 then 'Disabled'
        when 1 then 'Enabled'
        else 'Other'
    end as LogStatus,
    sig.CVECode,
    sigDesc.TextValue as SignatureDesc
FROM
    HIP8_Signature as sig
    LEFT JOIN HIP8_SigNameXlate as sigName on sig.SignatureID=sigName.SignatureID and sigName.LanguageID=1033
    LEFT JOIN HIP8_LongTextXlate as sigDesc ON sig.SignatureID=sigDesc.KeyID and sigDesc.KeyType='SD' and sigDesc.LanguageID=1033

=============================
END QUERY - all signatures w/ conversion
=============================

===================================
BEGIN QUERY - Enabled Signatures ONLY (no conversion)
===================================

select
    sig.SignatureID,
    sig.SignatureTypeID,
    sig.Category,
    sig.IsLogEnabled,
    sig.IsCreateLocalExEnabled,
    sig.SeverityLevel,
    sig.CVECode,
    sig.MinContentVersion,
    sig.IsDeleted,
    sigName.SignatureName as SignatureName,
    sigDesc.TextValue as SignatureDesc
FROM
    HIP8_Signature as sig
    LEFT JOIN HIP8_SigNameXlate as sigName on sig.SignatureID=sigName.SignatureID and sigName.LanguageID=1033
    LEFT JOIN HIP8_LongTextXlate as sigDesc ON sig.SignatureID=sigDesc.KeyID and sigDesc.KeyType='SD' and sigDesc.LanguageID=1033
WHERE
    sig.SeverityLevel not like '0'

===================================
END QUERY - Enabled Signatures ONLY (no conversion)
===================================

===================================
BEGIN QUERY - Disabled Signatures ONLY (no conversion)
===================================

select
    sig.SignatureID,
    sig.SignatureTypeID,
    sig.Category,
    sig.IsLogEnabled,
    sig.IsCreateLocalExEnabled,
    sig.SeverityLevel,
    sig.CVECode,
    sig.MinContentVersion,
    sig.IsDeleted,
    sigName.SignatureName as SignatureName,
    sigDesc.TextValue as SignatureDesc
FROM
    HIP8_Signature as sig
    LEFT JOIN HIP8_SigNameXlate as sigName on sig.SignatureID=sigName.SignatureID and sigName.LanguageID=1033
    LEFT JOIN HIP8_LongTextXlate as sigDesc ON sig.SignatureID=sigDesc.KeyID and sigDesc.KeyType='SD' and sigDesc.LanguageID=1033
WHERE
    sig.SeverityLevel = '0'

===================================
END QUERY - Disabled Signatures ONLY (no conversion)
===================================

===================================
BEGIN QUERY - Windows Signatures ONLY (no conversion)
===================================

select
    sig.SignatureID,
    sig.SignatureTypeID,
    sig.Category,
    sig.IsLogEnabled,
    sig.IsCreateLocalExEnabled,
    sig.SeverityLevel,
    sig.CVECode,
    sig.MinContentVersion,
    sig.IsDeleted,
    sigName.SignatureName as SignatureName,
    sigDesc.TextValue as SignatureDesc
FROM
    HIP8_Signature as sig
    LEFT JOIN HIP8_SigNameXlate as sigName on sig.SignatureID=sigName.SignatureID and sigName.LanguageID=1033
    LEFT JOIN HIP8_LongTextXlate as sigDesc ON sig.SignatureID=sigDesc.KeyID and sigDesc.KeyType='SD' and sigDesc.LanguageID=1033
WHERE
    sig.SignatureTypeID = '1'

===================================
END QUERY - Windows Signatures ONLY (no conversion)
===================================

==========================================
BEGIN QUERY - Signatures for latest Content Version (no conversion)
==========================================

select
    sig.SignatureID,
    sig.SignatureTypeID,
    sig.Category,
    sig.IsLogEnabled,
    sig.IsCreateLocalExEnabled,
    sig.SeverityLevel,
    sig.CVECode,
    sig.MinContentVersion,
    sig.IsDeleted,
    sigName.SignatureName as SignatureName,
    sigDesc.TextValue as SignatureDesc
FROM
    HIP8_Signature as sig
    LEFT JOIN HIP8_SigNameXlate as sigName on sig.SignatureID=sigName.SignatureID and sigName.LanguageID=1033
    LEFT JOIN HIP8_LongTextXlate as sigDesc ON sig.SignatureID=sigDesc.KeyID and sigDesc.KeyType='SD' and sigDesc.LanguageID=1033
WHERE
    sig.MinContentVersion = '8.0.0.4933' /* Enter the latest content version number here to see all sigs for that release or releases, depending on query */

==========================================
END QUERY - Signatures for latest Content Version (no conversion)
==========================================
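
Added example, not part of the original posts: a T-SQL summary over HIP8_Signature that folds the two codes explained in the accepted solution (SignatureTypeID 4, Category 2) into the decoding and reports any code that is still unmapped by its raw value instead of lumping it into 'Other'. It assumes the SignatureTypeID, Category, SeverityLevel and IsDeleted columns used in the queries above hold numeric values; the output column names are chosen here for illustration.

```sql
-- Added example: per-platform / per-category signature inventory.
-- Only the HIP8_Signature table and columns from the queries above are used.
SELECT
    CASE sig.SignatureTypeID
        WHEN 1 THEN 'Windows'
        WHEN 2 THEN 'Solaris'
        WHEN 3 THEN 'Linux'
        WHEN 4 THEN 'Disabled (no longer applicable)'   -- per the accepted solution
        ELSE 'Unmapped code '
             + COALESCE(CAST(sig.SignatureTypeID AS varchar(12)), 'NULL')
    END AS SigPlatform,
    CASE sig.Category
        WHEN 0 THEN 'HIPS'
        WHEN 1 THEN 'NIPS'
        WHEN 2 THEN 'CUSTOM'                            -- custom IPS signatures 4000-5999
        ELSE 'Unmapped code '
             + COALESCE(CAST(sig.Category AS varchar(12)), 'NULL')
    END AS Category,
    COUNT(*)                                                  AS SignatureCount,
    -- Assumption: IsDeleted = 1 marks a deleted row, as in the example table above.
    SUM(CASE WHEN sig.IsDeleted = 1 THEN 1 ELSE 0 END)        AS DeletedCount,
    -- SeverityLevel 0 is what the "Disabled Signatures ONLY" query filters on.
    SUM(CASE WHEN sig.SeverityLevel = 0 THEN 1 ELSE 0 END)    AS SeverityZeroCount,
    MIN(sig.SignatureID)                                      AS MinSignatureID,
    MAX(sig.SignatureID)                                      AS MaxSignatureID
FROM
    HIP8_Signature AS sig
GROUP BY
    sig.SignatureTypeID,
    sig.Category
ORDER BY
    sig.SignatureTypeID,
    sig.Category;
```

On the CUSTOM rows, MinSignatureID and MaxSignatureID show whether the custom signatures sit in the 4000-5999 range given in the accepted solution; any 'Unmapped code' row is a value neither the KB article nor this thread explains.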



