For version 188.8.131.52
There are 4,779 documents on attacks in the McAfee attack encyclopedia
-> \Network Security Central Manager\App\jboss-4.2.3\server\default\deploy\intruvert.war\attackEncyclopedia
there are 4 categories
1) Exploit category
2) Volume DOS category
4) Policy Violation category
My question is how to map all those signatures to these categories. Is there a way?
Not sure if I have read your question correctly, but the signatures are already mapped to a category.
The majority of the signatures will be grouped within the Exploit and Policy Violation categories, with the Volume and a large number of the Recon attacks being threshold based.
The category is defined within the attack description for the signature in question. If you open the TA, right-click on the title bar and select "show column", one of the columns is entitled "Category" and there is another titled "sub category"; if you select these within the TA it will let you know which of the headings that you have listed below the signature falls under.
Is that what you were after?
yes, it's already mapped..
I think I need to rephrase my question..
How do I list these signatures by category & sub category??
I can do it one by one, but there are 4k documents that I need to go through..
I would think to check this via the policy, but it's not shown in the policy either.
The problem is when I generate an executive report.
For example, there are 200k alerts triggered under the category "Policy Violation category" with subcategory "Restricted Access".
How do I check which signature has been fired for this alert?
Unfortunately I think the easiest way to achieve what you are after is to do the following:
This will give you all the information within the policy. In fact, if you do the All inclusive with audit policy, then it will give you all of the information on all of the signatures on the system.
Just remember that when you install a new signature set, you will have more signatures to import, but that is easily done using the search feature within the policy and selecting the latest signature set option.
Hope this helps
I knew this, but ONLY these fields will be listed:
| Attack Enabled | Alert Enabled | Attack Name | Attack ID | Severity | Customized | Packet Logging | Sensor Actions | Blocking | Notifications | M 184.108.40.206 | M 220.127.116.11 |
There are no Category or subcategory listed.
Still I need to check one by one..
what a great gui..
From my short research, mapping out every signature under one nice form is not possible.
DB only provides reference for category and sub-category information.
However, it is the actual signature file that contains the information about which category and sub-category the signature is under.
I wonder if I can get an attack count report on category & sub category via the executive report..
Technically, I should be able to drill down to the specific alert that was triggered for this category & sub category, isn't it...
Looks like I need to dig more into the IntruShield db structure..
Digging into the NSP database structure should be quite straightforward.. we did this ourselves too. Anyway, if you do scripting on the db, you should be aware of structural changes which might come with an update of NSM.
It seems that the iv_attacks table doesn't correlate to the iv_categories and iv_subcategories. Only the iv_alert correlate with the categories tables, meaning that there is no way to list the attacks based on their category.
AFAIK you can only list the categories and subcategories of alerts (detected attacks).
Message was edited by: epo909 on 10/21/10 5:25:54 AM CDT
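The drill-down the thread asks for (which signatures fired under one category/sub-category) and the limitation the last reply states (a signature that never fired has no category row to join on) can both be shown against a toy copy of the four tables named above. This is an added example, not code from the thread or from NSM; the table names come from the thread, but every column name and all rows are constructed assumptions, since the real NSM schema is not shown.

```python
import sqlite3

# Constructed toy schema using the four table names from the thread. The column
# names are assumptions: the real NSM schema is not shown on the page.
SCHEMA = """
CREATE TABLE iv_categories    (category_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE iv_subcategories (subcategory_id INTEGER PRIMARY KEY, category_id INTEGER, name TEXT);
CREATE TABLE iv_attacks       (attack_id TEXT PRIMARY KEY, attack_name TEXT);
CREATE TABLE iv_alert         (alert_id INTEGER PRIMARY KEY, attack_id TEXT, category_id INTEGER, subcategory_id INTEGER);
"""

def build_sample_db():
    """In-memory database with constructed sample rows (not real NSM data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO iv_categories VALUES (?, ?)",
                     [(1, "Policy Violation"), (2, "Exploit")])
    conn.executemany("INSERT INTO iv_subcategories VALUES (?, ?, ?)",
                     [(1, 1, "Restricted Access"), (2, 2, "Constructed Subcategory")])
    conn.executemany("INSERT INTO iv_attacks VALUES (?, ?)",
                     [("0x00000001", "Constructed signature A"),
                      ("0x00000002", "Constructed signature B"),
                      ("0x00000003", "Constructed signature C")])  # never fires below
    conn.executemany("INSERT INTO iv_alert VALUES (?, ?, ?, ?)",
                     [(1, "0x00000001", 1, 1), (2, "0x00000001", 1, 1), (3, "0x00000001", 1, 1),
                      (4, "0x00000002", 1, 1), (5, "0x00000002", 2, 2), (6, "0x00000002", 2, 2)])
    return conn

def signatures_fired(conn, category, subcategory):
    """Alert count per signature for one category/sub-category. The category is
    taken from iv_alert because iv_attacks carries no category columns."""
    sql = """
    SELECT a.attack_id, a.attack_name, COUNT(*) AS alerts
      FROM iv_alert al
      JOIN iv_categories    c ON c.category_id    = al.category_id
      JOIN iv_subcategories s ON s.subcategory_id = al.subcategory_id
      JOIN iv_attacks       a ON a.attack_id      = al.attack_id
     WHERE c.name = ? AND s.name = ?
     GROUP BY a.attack_id, a.attack_name
     ORDER BY alerts DESC, a.attack_id"""
    return conn.execute(sql, (category, subcategory)).fetchall()

def never_fired(conn):
    """Signatures with no alert row: these cannot be mapped to a category from
    the alert tables at all, which is the limitation the last reply describes."""
    sql = """SELECT attack_id FROM iv_attacks
              WHERE attack_id NOT IN (SELECT attack_id FROM iv_alert) ORDER BY attack_id"""
    return [row[0] for row in conn.execute(sql)]
```

Running `signatures_fired(build_sample_db(), "Policy Violation", "Restricted Access")` lists each signature with its alert count for that sub-category; `never_fired` returns the signatures the alert tables can never classify.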