Level 9

How to map NSP signatures

For version

There are 4,779 documents on attacks in the McAfee attack encyclopedia:

-> \Network Security Central Manager\App\jboss-4.2.3\server\default\deploy\intruvert.war\attackEncyclopedia

There are 4 categories:

1) Exploit category

  • Buffer Overflow
  • Code/Script Execution
  • DDoS Agent Activity
  • DoS
  • Evasion Attempt
  • Privileged Access
  • Probe
  • Protocol Violation
  • Read Exposure
  • Remote Access
  • Shellcode Execution
  • Trojan
  • Unassigned
  • Virus
  • Worm
  • Write Exposure
  • Artemis
  • Backdoor
  • Bot
  • Custom Fingerprinting
  • Malware Being Redownloaded

2) Volume DoS category

  • Over Threshold
  • Statistical Deviation

3) Reconnaissance category

  • Brute Force
  • OS Fingerprinting
  • Host Sweep
  • Port Scan
  • Service Sweep

4) Policy Violation category

  • Audit
  • Command Shell
  • Covert Channel
  • Non-standard Port
  • Phishing
  • Potentially Unwanted Program
  • Restricted Access
  • Restricted Application
  • Sensitive Content
  • Unauthorized IP

My question is: how do I map all those signatures to these categories? Is there a way?

0 Kudos
14 Replies
Level 8

Re: How to map NSP signatures

Not sure if I have read your question correctly, but the signatures are already mapped to a category.

The majority of the signatures will be grouped within the Exploit and Policy Violation categories, with the Volume and a large number of the Recon attacks being threshold based.

The category is defined within the attack description for the signature in question. If you open the TA, right-click on the title bar and select "show column", one of the columns is entitled "Category" and there is another titled "sub category". If you select these within the TA, it will let you know which of the headings that you have listed below the signature falls under.

Is that what you were after?

0 Kudos
Level 9

Re: How to map NSP signatures

Yes, it's already mapped.

I think I need to rephrase my question.

How do I list these signatures by category & sub-category?

I can do it one by one, but there are 4k documents that I need to go through.

I would think to check this via the policy, but it's not shown in the policy either.

The problem is when I generate an executive report.

For example, there are 200k alerts triggered under the category "Policy Violation" with sub-category "Restricted Access".

How do I check which signatures have been fired for these alerts?

0 Kudos
Level 8

Re: How to map NSP signatures

Ah ha!

Unfortunately, I think the easiest way to achieve what you are after is to do the following:

  • go into the policy editor
  • select the policy you wish to see (if you want all events then the "All inclusive with Audit" is the best option)
  • double-click on "All Protocols"
  • select the top-most alert and then select all (Ctrl + A)
  • copy the alerts (Ctrl + C)
  • paste the information into Excel or whatever spreadsheet program you use

This will give you all the information within the policy. In fact, if you do the "All inclusive with Audit" policy, then it will give you all of the information on all of the signatures on the system.

Just remember that when you install a new signature set, you will have more signatures to import, but that is easily done using the search feature within the policy and selecting the latest signature set option.

Hope this helps

0 Kudos
Level 9

Re: How to map NSP signatures

I knew this, but ONLY these fields will be listed:

Attack Enabled | Alert Enabled | Attack Name | Attack ID | Severity | Customized | Packet Logging | Sensor Actions | Blocking | Notifications | M

There are no Category or Sub-category columns listed.

Still, I need to check one by one.

What a great GUI...

0 Kudos
Level 7

Re: How to map NSP signatures

From my short research, mapping out every signature in one nice form is not possible.

The DB only provides a reference for the category and sub-category information.

However, it is the actual signature file that contains the information about which category and sub-category a signature is under.

0 Kudos
Level 9

Re: How to map NSP signatures

I wonder if I can get an attack count report on category & sub-category via the executive report.

Technically, I should be able to drill down to the specific alert that was triggered for this category & sub-category, shouldn't I?

Looks like I need to dig more into the IntruShield DB structure.

0 Kudos

Re: How to map NSP signatures

Digging into the NSP database structure should be quite straightforward; we did this ourselves too. Anyway, if you do scripting on the DB, you should be aware of structural changes which might come with an update of NSM.

Cheers, Adrian

0 Kudos
Level 9

Re: How to map NSP signatures

It seems that the iv_attacks table doesn't correlate to the iv_categories and iv_subcategories tables. Only iv_alert correlates with the category tables, meaning that there is no way to list the attacks based on their category.

AFAIK you can only list the categories and sub-categories of alerts (detected attacks).


Message was edited by: epo909 on 10/21/10 5:25:54 AM CDT
0 Kudos
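The two replies above together describe the only path the thread found: iv_alert carries the category/sub-category reference, so the question from the executive report ("which signatures fired under Policy Violation / Restricted Access?") can be answered by grouping alerts by category, sub-category and attack ID, while iv_attacks on its own cannot be listed by category. The script below is an added example, not code from McAfee, from NSM or from any poster in this thread. The table names iv_alert, iv_categories and iv_subcategories are the ones named in the thread; every column name (attackid, attackname, categoryid, subcategoryid, categoryname, subcategoryname) is an assumption that must be checked against your NSM version. Because NSM's schema may change with an update, the script verifies the columns it relies on before running the report and refuses to run otherwise. To keep it runnable offline it builds an in-memory SQLite stand-in with constructed sample alerts instead of connecting to the real NSM MySQL database.

```python
"""Group NSP alerts by category / sub-category and list the attack IDs
(signatures) that produced them.

Added example, not code from McAfee NSM or from this thread. Table names
come from the thread; ALL column names are ASSUMED and must be verified
against your NSM release. SQLite is used as a stand-in for NSM's MySQL so
the example runs offline; the sample rows are constructed, not real alerts.
"""
import sqlite3

# Columns the report relies on (assumed names). If an NSM update renames or
# drops any of them, stop rather than produce a silently wrong report.
EXPECTED_COLUMNS = {
    "iv_alert": {"attackid", "attackname", "categoryid", "subcategoryid"},
    "iv_categories": {"categoryid", "categoryname"},
    "iv_subcategories": {"subcategoryid", "subcategoryname"},
}

# Constructed stand-in schema (hypothetical; mirrors only what the query needs).
SAMPLE_SCHEMA = """
CREATE TABLE iv_categories (categoryid INTEGER PRIMARY KEY, categoryname TEXT);
CREATE TABLE iv_subcategories (subcategoryid INTEGER PRIMARY KEY, subcategoryname TEXT);
CREATE TABLE iv_alert (
    alertid INTEGER PRIMARY KEY,
    attackid TEXT, attackname TEXT,
    categoryid INTEGER, subcategoryid INTEGER
);
"""

# Constructed sample data. Attack IDs and names are made up for the example.
SAMPLE_CATEGORIES = [(1, "Exploit"), (4, "Policy Violation")]
SAMPLE_SUBCATEGORIES = [(10, "Buffer Overflow"), (41, "Restricted Access"), (42, "Command Shell")]
# (attackid, attackname, categoryid, subcategoryid, number of alerts to insert)
SAMPLE_ALERTS = [
    ("0xAAAA0001", "Example: Restricted Access A", 4, 41, 3),
    ("0xAAAA0002", "Example: Restricted Access B", 4, 41, 1),
    ("0xAAAA0003", "Example: Command Shell", 4, 42, 2),
    ("0xBBBB0001", "Example: Buffer Overflow", 1, 10, 1),
]

# One row per (category, sub-category, signature) with its alert count.
REPORT_SQL = """
SELECT c.categoryname, s.subcategoryname, a.attackid, a.attackname, COUNT(*) AS alerts
FROM iv_alert a
JOIN iv_categories c ON c.categoryid = a.categoryid
JOIN iv_subcategories s ON s.subcategoryid = a.subcategoryid
GROUP BY c.categoryname, s.subcategoryname, a.attackid, a.attackname
ORDER BY c.categoryname, s.subcategoryname, alerts DESC
"""


def build_sample_db():
    """Create the in-memory stand-in database populated with the constructed alerts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    conn.executemany("INSERT INTO iv_categories VALUES (?, ?)", SAMPLE_CATEGORIES)
    conn.executemany("INSERT INTO iv_subcategories VALUES (?, ?)", SAMPLE_SUBCATEGORIES)
    for attackid, name, cat, sub, count in SAMPLE_ALERTS:
        conn.executemany(
            "INSERT INTO iv_alert (attackid, attackname, categoryid, subcategoryid) "
            "VALUES (?, ?, ?, ?)",
            [(attackid, name, cat, sub)] * count,
        )
    conn.commit()
    return conn


def check_schema(conn):
    """Return {table: [missing columns]}; an empty dict means the report can run.

    Uses SQLite's PRAGMA table_info; against the real MySQL NSM database the
    same check would read information_schema.columns instead.
    """
    missing = {}
    for table, wanted in EXPECTED_COLUMNS.items():
        present = {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}
        gap = wanted - present
        if gap:
            missing[table] = sorted(gap)
    return missing


def signatures_by_category(conn):
    """All (category, subcategory, attackid, attackname, alert count) rows."""
    missing = check_schema(conn)
    if missing:
        raise RuntimeError(f"schema differs from what this script expects: {missing}")
    return conn.execute(REPORT_SQL).fetchall()


def signatures_for(conn, category, subcategory):
    """Signatures that fired under one category / sub-category, busiest first."""
    return [(aid, name, n)
            for cat, sub, aid, name, n in signatures_by_category(conn)
            if cat == category and sub == subcategory]


if __name__ == "__main__":
    db = build_sample_db()
    for row in signatures_by_category(db):
        print("%-17s %-18s %-11s %-30s %d" % row)
```

Against a real NSM instance you would replace build_sample_db() with a connection to the NSM MySQL database (read-only credentials) and adapt check_schema() to information_schema; the report query itself is what answers the executive-report question, and the schema check is what keeps the script from quietly breaking after an NSM update.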
Level 9

Re: How to map NSP signatures

That's what I suspect too.

I wonder why you create category & sub-category if you can't use them efficiently.


0 Kudos