greatscott
Level 12

Question about Signature KB Article

I have some questions about this KB Article:

https://kc.mcafee.com/corporate/index?page=content&id=KB55119

It states that in the "SignatureTypeID" field, that 1=windows, 2=solaris, and 3= linux. When I run the query, I have some that are 4. What does the number 4 correspond to in the SignatureTypeID field?

It also states that in the "Category" field, that 0= HIPS, 1= NIPS. When I run the query, I have some that are 2. What does the number 2 correspond to in the Category field?

Thanks in advance if anyone knows.


Accepted Solutions
McAfee Employee

Re: Question about Signature KB Article

SignatureTypeID 4 are for disabled signatures no longer applicable to the product.

Examples:

SignatureID  SignatureTypeID  IsDeleted  SignatureName
1901         4                1          Link to dev
1902         4                1          Program Execution with Binary Arguments
1903         4                1          Link to Critical System File Created


"Category 2" is custom IPS Signatures 4000-5999.

greatscott
Level 12

Re: Question about Signature KB Article

Thank you.

dcobes
Level 9

Re: Question about Signature KB Article

For anyone that doesn't want to do the definition conversion (i.e. 1 = windows, etc.) after they export the signatures from the database, I've gone ahead and created a query that will do it for you. So you have your signature export and your conversion in one step. I hate doing things twice. I've also created a few other queries for additional uses, which may work for someone else.

NOTE: The below queries will only work for those running HIPS 8.x

=============================
BEGIN QUERY - all signatures w/ conversion
=============================

SELECT
    -- Numeric severity translated to its label; anything else is reported as disabled
    CASE [SeverityLevel]
        WHEN 4 THEN 'HIGH'
        WHEN 3 THEN 'MED'
        WHEN 2 THEN 'LOW'
        WHEN 1 THEN 'INFO'
        ELSE 'DISABLED'
    END AS SeverityLevel,
    sig.SignatureID,
    -- Platform the signature applies to
    CASE [SignatureTypeID]
        WHEN 1 THEN 'Windows'
        WHEN 2 THEN 'Solaris'
        WHEN 3 THEN 'Linux'
        ELSE 'Other'
    END AS SigPlatform,
    sigName.SignatureName AS SignatureName,
    sig.MinContentVersion,
    CASE [Category]
        WHEN 0 THEN 'HIPS'
        WHEN 1 THEN 'NIPS'
        WHEN 2 THEN 'CUSTOM'
        ELSE 'Other'
    END AS Category,
    CASE [IsLogEnabled]
        WHEN 0 THEN 'Disabled'
        WHEN 1 THEN 'Enabled'
        ELSE 'Other'
    END AS LogStatus,
    sig.CVECode,
    sigDesc.TextValue AS SignatureDesc
FROM
    HIP8_Signature AS sig
    -- LanguageID 1033 = English (United States)
    LEFT JOIN HIP8_SigNameXlate AS sigName ON sig.SignatureID=sigName.SignatureID AND sigName.LanguageID=1033
    LEFT JOIN HIP8_LongTextXlate AS sigDesc ON sig.SignatureID=sigDesc.KeyID AND sigDesc.KeyType='SD' AND sigDesc.LanguageID=1033

=============================
END QUERY - all signatures w/ conversion
=============================

===================================
BEGIN QUERY - Enabled Signatures ONLY (no conversion)
===================================

SELECT
    sig.SignatureID,
    sig.SignatureTypeID,
    sig.Category,
    sig.IsLogEnabled,
    sig.IsCreateLocalExEnabled,
    sig.SeverityLevel,
    sig.CVECode,
    sig.MinContentVersion,
    sig.IsDeleted,
    sigName.SignatureName AS SignatureName,
    sigDesc.TextValue AS SignatureDesc
FROM
    HIP8_Signature AS sig
    -- LanguageID 1033 = English (United States)
    LEFT JOIN HIP8_SigNameXlate AS sigName ON sig.SignatureID=sigName.SignatureID AND sigName.LanguageID=1033
    LEFT JOIN HIP8_LongTextXlate AS sigDesc ON sig.SignatureID=sigDesc.KeyID AND sigDesc.KeyType='SD' AND sigDesc.LanguageID=1033
WHERE
    -- Severity 0 means disabled, so keep everything else
    sig.SeverityLevel NOT LIKE '0'

===================================
END QUERY - Enabled Signatures ONLY (no conversion)
===================================

===================================
BEGIN QUERY - Disabled Signatures ONLY (no conversion)
===================================

SELECT
    sig.SignatureID,
    sig.SignatureTypeID,
    sig.Category,
    sig.IsLogEnabled,
    sig.IsCreateLocalExEnabled,
    sig.SeverityLevel,
    sig.CVECode,
    sig.MinContentVersion,
    sig.IsDeleted,
    sigName.SignatureName AS SignatureName,
    sigDesc.TextValue AS SignatureDesc
FROM
    HIP8_Signature AS sig
    -- LanguageID 1033 = English (United States)
    LEFT JOIN HIP8_SigNameXlate AS sigName ON sig.SignatureID=sigName.SignatureID AND sigName.LanguageID=1033
    LEFT JOIN HIP8_LongTextXlate AS sigDesc ON sig.SignatureID=sigDesc.KeyID AND sigDesc.KeyType='SD' AND sigDesc.LanguageID=1033
WHERE
    -- Severity 0 means disabled
    sig.SeverityLevel = '0'

===================================
END QUERY - Disabled Signatures ONLY (no conversion)
===================================

===================================
BEGIN QUERY - Windows Signatures ONLY (no conversion)
===================================

SELECT
    sig.SignatureID,
    sig.SignatureTypeID,
    sig.Category,
    sig.IsLogEnabled,
    sig.IsCreateLocalExEnabled,
    sig.SeverityLevel,
    sig.CVECode,
    sig.MinContentVersion,
    sig.IsDeleted,
    sigName.SignatureName AS SignatureName,
    sigDesc.TextValue AS SignatureDesc
FROM
    HIP8_Signature AS sig
    -- LanguageID 1033 = English (United States)
    LEFT JOIN HIP8_SigNameXlate AS sigName ON sig.SignatureID=sigName.SignatureID AND sigName.LanguageID=1033
    LEFT JOIN HIP8_LongTextXlate AS sigDesc ON sig.SignatureID=sigDesc.KeyID AND sigDesc.KeyType='SD' AND sigDesc.LanguageID=1033
WHERE
    -- SignatureTypeID 1 = Windows
    sig.SignatureTypeID = '1'

===================================
END QUERY - Windows Signatures ONLY (no conversion)
===================================

==========================================
BEGIN QUERY - Signatures for latest Content Version (no conversion)
==========================================

SELECT
    sig.SignatureID,
    sig.SignatureTypeID,
    sig.Category,
    sig.IsLogEnabled,
    sig.IsCreateLocalExEnabled,
    sig.SeverityLevel,
    sig.CVECode,
    sig.MinContentVersion,
    sig.IsDeleted,
    sigName.SignatureName AS SignatureName,
    sigDesc.TextValue AS SignatureDesc
FROM
    HIP8_Signature AS sig
    LEFT JOIN HIP8_SigNameXlate AS sigName ON sig.SignatureID=sigName.SignatureID AND sigName.LanguageID=1033
    LEFT JOIN HIP8_LongTextXlate AS sigDesc ON sig.SignatureID=sigDesc.KeyID AND sigDesc.KeyType='SD' AND sigDesc.LanguageID=1033
WHERE
    sig.MinContentVersion = '8.0.0.4933' /* Enter the latest content version number here to see all sigs for that release or releases, depending on query */

==========================================
END QUERY - Signatures for latest Content Version (no conversion)
==========================================