14 Replies, latest reply on Nov 25, 2010 12:58 AM by obelicks

    How to map NSP signatures

      For version 6.4.17.22

      There are 4,779 documents on attacks in the McAfee attack encyclopedia

      -> \Network Security Central Manager\App\jboss-4.2.3\server\default\deploy\intruvert.war\attackEncyclopedia

      There are 4 categories

       

      1) Exploit category

      • Buffer Overflow
      • Code/Script Execution
      • DDoS Agent Activity
      • DoS
      • Evasion Attempt
      • Privileged Access
      • Probe
      • Protocol Violation
      • Read Exposure
      • Remote Access
      • Shellcode Execution
      • Trojan
      • Unassigned
      • Virus
      • Worm
      • Write Exposure
      • Artemis
      • Backdoor
      • Bot
      • Custom Fingerprinting
      • Malware Being Redownloaded

       

      2) Volume DOS category

      • Over Threshold
      • Statistical Deviation

       

      3) Reconnaissance category

      • Brute Force
      • OS Fingerprinting
      • Host Sweep
      • Port Scan
      • Service Sweep

       

      4) Policy Violation category

      • Audit
      • Command Shell
      • Covert Channel
      • Non-standard Port
      • Phishing
      • Potentially Unwanted Program
      • Restricted Access
      • Restricted Application
      • Sensitive Content
      • Unauthorized IP

       

      My question is: how to map all those signatures to these categories? Is there a way?

        • 1. Re: How to map NSP signatures

          Not sure if I have read your question correctly, but the signatures are already mapped to a category.

          The majority of the signatures will be grouped within the Exploit and Policy Violation categories, with the Volume and a large number of the Recon attacks being threshold based.

          The category is defined within the attack description for the signature in question. If you open the TA, right click on the title bar and select "show column", one of the columns is entitled "Category" and there is another titled "sub category"; if you select these within the TA it will let you know which of the headings that you have listed below the signature falls under.

           

          Is that what you were after?

          • 2. Re: How to map NSP signatures
            SGROSSEN

            Concur with Sweep... The category listing you are referencing is shown in the Threat Analyzer (TA) using the Category and Sub Category columns.

            You can also see the attack description in the Policy Editor if you have questions about a specific alert while working with it via Policy Editor.

            • 3. Re: How to map NSP signatures

              Yes, it's already mapped..

              I think I need to rephrase my question..

              How do I list these signatures by category & sub category??

              I can do it one by one, but there are 4k documents that I need to go through..

              I would think to check this via the policy, but it's not shown in the policy either.

              The problem is when I generate an executive report.

              For example, there are 200k alerts triggered under category "Policy Violation category" with subcategory "Restricted Access".

              How do I check which signature has been fired for this alert?

              • 4. Re: How to map NSP signatures

                The TA is not helpful enough compared to other competitors such as SiteProtector..

                Not very helpful..

                I'm looking for a database or spreadsheet that lists all those signatures with category and subcategory..

                Looks like either I have to hack into the IntruShield MySQL database and create my own SQL query, or dump the encyclopedia to my own database and do the mapping from there, to list all related signatures.

                • 5. Re: How to map NSP signatures

                  Ah ha!

                   

                  Unfortunately I think the easiest way to achieve what you are after is to do the following:

                   

                  • Go into the policy editor
                  • Select the policy you wish to see (if you want all events then the "All inclusive with Audit" is the best option)
                  • Double click on "All Protocols"
                  • Select the top most alert and then select all (Ctrl + A)
                  • Copy the alerts (Ctrl + C)
                  • Paste the information into Excel or whatever spreadsheet program you use

                   

                  This will give you all the information within the policy. In fact, if you do the All inclusive with Audit policy then it will give you all of the information on all of the signatures on the system.

                  Just remember that when you install a new signature set, you will have more signatures to import, but that is easily done using the search feature within the policy and selecting the latest signature set option.

                   

                  Hope this helps

                  • 6. Re: How to map NSP signatures

                    I knew this, but ONLY these fields will be listed:

                    Attack Enabled, Alert Enabled, Attack Name, Attack ID, Severity, Customized, Packet Logging, Sensor Actions, Blocking, Notifications, M 4.1.11.11, M 5.1.7.7

                    There is no Category or subcategory listed.

                    Still I need to check one by one..

                    What a great GUI..

                    • 7. Re: How to map NSP signatures

                      Hi,

                       

                      From my short research, mapping out every signature in one nice form is not possible.

                      The DB only provides a reference for category and sub-category information.

                      However, it is the actual signature file that contains the information about which category and sub-category a signature is under.

                      • 8. Re: How to map NSP signatures

                        Thanks,

                         

                        I wonder if I can get an attack count report on category & sub category via the executive report..

                        Technically, I should be able to drill down to the specific alert that was triggered for this category & sub category, isn't it...

                        Looks like I need to dig more into the IntruShield DB structure..

                        • 9. Re: How to map NSP signatures

                          Hi,

                           

                          Digging into the NSP database structure should be quite straightforward .. we did this ourselves too. Anyway, if you do scripting on the DB, you should be aware of structural changes which might come with an update of NSM.

                           

                          Cheers, Adrian
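Posts 4 and 9 above both come down to building your own signature-to-category index, either from the encyclopedia documents or from the database, and post 9 warns that the structure can change with an NSM update. The Python below is an added example, not McAfee code and not anything posted in this thread. It assumes each encyclopedia document is an HTML page carrying labelled "Attack Name", "Attack ID", "Category" and "Sub Category" fields; that layout is an assumption and must be checked against the real files under intruvert.war\attackEncyclopedia before pointing the script at them. Every attack ID and attack name in the sample is constructed. The script builds the attack ID to category/sub-category mapping, writes it as CSV for a spreadsheet, counts signatures per category/sub-category, lists which signatures sit under one pair (the set behind an executive-report bucket such as Policy Violation / Restricted Access), and rejects any document that lacks a required field instead of silently indexing it with a blank, which is how the structural drift Adrian mentions would surface.

```python
"""Index attack-encyclopedia documents by category and sub-category.

Added example, not McAfee/NSP code.  Assumes each document is an HTML page
with labelled "Attack Name", "Attack ID", "Category" and "Sub Category"
fields; the real layout of the files under intruvert.war\\attackEncyclopedia
must be checked first.  All attack IDs and names below are constructed.
"""
import csv
import io
import re
from collections import Counter

# Constructed stand-ins for encyclopedia documents (one file per attack).
SAMPLE_DOCS = {
    "a1.html": (
        "<html><body>"
        "<b>Attack Name:</b> Constructed: restricted share access<br/>"
        "<b>Attack ID:</b> 0x40000002<br/>"
        "<b>Category:</b> Policy Violation<br/>"
        "<b>Sub Category:</b> Restricted Access<br/>"
        "</body></html>"
    ),
    "a2.html": (
        "<html><body>"
        "<b>Attack Name:</b> Constructed: restricted host login<br/>"
        "<b>Attack ID:</b> 0x40000001<br/>"
        "<b>Category:</b> Policy Violation<br/>"
        "<b>Sub Category:</b> Restricted Access<br/>"
        "</body></html>"
    ),
    "a3.html": (
        "<html><body>"
        "<b>Attack Name:</b> Constructed: service header overflow<br/>"
        "<b>Attack ID:</b> 0x40000003<br/>"
        "<b>Category:</b> Exploit<br/>"
        "<b>Sub Category:</b> Buffer Overflow<br/>"
        "</body></html>"
    ),
    # Malformed document: the Sub Category line is missing, so it must be
    # reported rather than indexed with a blank value.
    "broken.html": (
        "<html><body>"
        "<b>Attack Name:</b> Constructed: truncated entry<br/>"
        "<b>Attack ID:</b> 0x40000004<br/>"
        "<b>Category:</b> Reconnaissance<br/>"
        "</body></html>"
    ),
}

# Label/value pairs of the form <b>Label:</b> value<br/>.  "Sub Category" is
# listed before "Category" so the alternation cannot cut it short.
FIELD_RE = re.compile(
    r"<b>\s*(Attack Name|Attack ID|Sub Category|Category)\s*:\s*</b>\s*(.*?)\s*<br\s*/?>",
    re.IGNORECASE | re.DOTALL,
)
REQUIRED = ("attack id", "category", "sub category")


def parse_doc(html):
    """Return one index row, or raise ValueError when a required field is
    absent (the layout drift a new signature set or NSM update may bring)."""
    fields = {label.lower(): value.strip() for label, value in FIELD_RE.findall(html)}
    missing = [f for f in REQUIRED if f not in fields]
    if missing:
        raise ValueError("missing field(s): " + ", ".join(missing))
    return {
        "attack_id": fields["attack id"],
        "name": fields.get("attack name", ""),
        "category": fields["category"],
        "subcategory": fields["sub category"],
    }


def build_index(docs):
    """Parse every document; return (rows sorted by attack ID, errors by file)."""
    rows, errors = [], {}
    for filename, html in docs.items():
        try:
            rows.append(parse_doc(html))
        except ValueError as exc:
            errors[filename] = str(exc)
    rows.sort(key=lambda r: r["attack_id"])
    return rows, errors


def signatures_for(rows, category, subcategory):
    """Attack IDs belonging to one category/sub-category pair."""
    return [r["attack_id"] for r in rows
            if r["category"] == category and r["subcategory"] == subcategory]


def count_by_category(rows):
    """Number of signatures per (category, sub-category)."""
    return Counter((r["category"], r["subcategory"]) for r in rows)


def write_csv(rows):
    """Render the index as CSV text for a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["attack_id", "name", "category", "subcategory"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    index, problems = build_index(SAMPLE_DOCS)
    print(write_csv(index))
    for (cat, sub), n in sorted(count_by_category(index).items()):
        print(f"{cat} / {sub}: {n} signature(s)")
    for filename, why in problems.items():
        print(f"skipped {filename}: {why}")
```

To use this against a real installation, replace SAMPLE_DOCS with a walk over the encyclopedia directory and adjust FIELD_RE to whatever label convention the files actually use; keeping the REQUIRED check is what turns a changed layout into a visible error list rather than a silently empty category column.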
