cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

How to map NSP signatures

For version 6.4.17.22

There are 4,779 document on attack in McAfee attackencyclopedia

-> \Network Security Central Manager\App\jboss-4.2.3\server\default\deploy\intruvert.war\attackEncyclopedia

there are 4  category

1) Exploit category

  • Buffer Overflow
  • Code/Script Execution
  • DDoS Agent Activity
  • DoS
  • Evasion Attempt
  • Privileged Access
  • Probe
  • Protocol Violation
  • Read Exposure
  • Remote Access
  • Shellcode Execution
  • Trojan
  • Unassigned
  • Virus
  • Worm
  • Write Exposure
  • Artemis
  • Backdoor
  • Bot
  • Custom Fingerprinting
  • Malware Being Redownloaded

2)Volume DOS category

  • Over Threshold
  • Statistical Deviation

3)Reconnaissance category

  • Brute Force
  • OS Fingerprinting
  • Host Sweep
  • Port Scan
  • Service Sweep

4)Policy Violation category

  • Audit
  • Command Shell
  • Covert Channel
  • Non-standard Port
  • Phishing
  • Potentially Unwanted Program
  • Restricted Access
  • Restricted Application
  • Sensitive Content
  • Unauthorized IP

My question how to map all those signature to these category? Is there a way?

14 Replies
Highlighted
Level 8
Report Inappropriate Content
Message 2 of 15

Re: How to map NSP signatures

Not sure if i have read your question correctly but the signatures are already mapped to a category.

The majority of the signatures will be grouped within the Exploit and Policy Violation catagories with the Volume and a large number of the Recon attacks being threshold based.

The category is defined within the attack description for the signature in question and if you open the TA, right click on the title bar and select "show column", one of the columns is entitled "Category" and there is another titled "sub category" - if you select these within the TA it will let you know which of the headings that you have listed below that the signature falls under

Is that what you were after?

Highlighted

Re: How to map NSP signatures

yes it's already mapped..

i think i need to repharase my question..

How do i list these signature by category & sub category??

I can do one by one but there 4k document that i need to go through..

i would think to check this via policy but it's not shown in the policy either

the problem is when i generate executive report

for example there 200k alert trigger under category "Policy Violation category" with subcategory "Restricted Access"

how to check which signature has been fired for this alert?

Highlighted
Level 8
Report Inappropriate Content
Message 4 of 15

Re: How to map NSP signatures

Ah ha!

Unfortunately I think the easiest way to achieve what you are after is to do the following:

  • go in to the policy editor
  • select the policy you wish to see (If you want all events then the "All inclusive with Audit" is the best option)
  • Double click on the "All Protocols"
  • Select the top most alert and then select all (ctrl + A)
  • Copy the alerts (ctrl + C)
  • Paste the information into excel or whatever spreadsheet program you use

This will give you all the information within the policy - In fact if you do the All inclusive with audit policy then it will give you all of the information on all of the signatures on the system

Just remember that when you install a new signature set, you will have more signatures to import - but that is easily done using the search feature within the policy and selecting the latest signature set option

Hope this helps

Highlighted

Re: How to map NSP signatures

I knew this but ONLY this field will be list

Attack   EnabledAlert EnabledAttack NameAttack IDSeverityCustomizedPacket LoggingSensor ActionsBlockingNotificationsM 4.1.11.11M 5.1.7.7

There are no Category or subcategory listed.

Still i need to check one by one..

what a great gui..

Highlighted
Level 7
Report Inappropriate Content
Message 6 of 15

Re: How to map NSP signatures

Hi,

From my short research, mapping out every singnature under one nice form is not possible.

DB only provides reference for category and sub-category information.

However it is the actual signature file that contains information about the signature is under what category and sub-category.

Highlighted

Re: How to map NSP signatures

Thanks,

I  wonder if i can get attack count report on category & sub category via executive report..

Tehnically, i should be able to drill down the specific alert was triggred for this category & sub category isn't...

look like i need to dig more on the intrushield db structure..

Highlighted

Re: How to map NSP signatures

Hi,

digging on the NSP database structure should be quite straight forward .. we did this ourselves too. Anyway, if you do scripting on the db, you should be aware of structural changes which might come with an update of NSM.

Cheers, Adrian

Level 9
Report Inappropriate Content
Message 9 of 15

Re: How to map NSP signatures

It seems that the iv_attacks table doesn't correlate to the iv_categories and iv_subcategories. Only the iv_alert correlate with the categories tables, meaning that there is no way to list the attacks based on their category.

AFAIK you can only list the categories and subcategories of alerts (detected attacks).

RD

Message was edited by: epo909 on 10/21/10 5:25:54 AM CDT
Highlighted

Re: How to map NSP signatures

That what i suspect too..

wonder why you create category & subcategory if you can't used it for efficiently..

Thanks..

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community