Not sure if i have read your question correctly but the signatures are already mapped to a category.
The majority of the signatures will be grouped within the Exploit and Policy Violation categories, with the Volume and a large number of the Recon attacks being threshold based.
The category is defined within the attack description for the signature in question, and if you open the TA, right-click on the title bar and select "show column", one of the columns is entitled "Category" and there is another titled "Sub Category". If you select these within the TA it will let you know which of the headings that you have listed below the signature falls under.
Is that what you were after?
Concur with Sweep... The category listing you are referencing is shown in the Threat Analyzer (TA) using the Category and Sub Category columns.
You can also see the attack description in the Policy Editor if you have questions about a specific alert while working with it via Policy Editor.
yes it's already mapped..
I think I need to rephrase my question..
How do I list these signatures by category & sub category??
I can do it one by one but there are 4k documents that I need to go through..
I would think to check this via policy but it's not shown in the policy either.
The problem is when I generate an executive report.
For example, there are 200k alerts triggered under category "Policy Violation" with subcategory "Restricted Access".
How do I check which signature has been fired for these alerts?
The TA is not helpful enough compared to other competitors such as SiteProtector..
Not very helpful..
I'm looking for a database or spreadsheet that lists all those signatures with category and subcategory..
Looks like either I have to hack into the IntruShield MySQL database and create my own SQL query or dump the encyclopedia to my own database and do the mapping from there.. to list all related signatures.
Unfortunately I think the easiest way to achieve what you are after is to do the following:
- go in to the policy editor
- select the policy you wish to see (If you want all events then the "All inclusive with Audit" is the best option)
- Double click on the "All Protocols"
- Select the top most alert and then select all (ctrl + A)
- Copy the alerts (ctrl + C)
- Paste the information into excel or whatever spreadsheet program you use
This will give you all the information within the policy. In fact, if you do the All Inclusive with Audit policy then it will give you all of the information on all of the signatures on the system.
Just remember that when you install a new signature set, you will have more signatures to import - but that is easily done using the search feature within the policy and selecting the latest signature set option.
Hope this helps
I knew this, but ONLY these fields will be listed:
Attack Enabled Alert Enabled Attack Name Attack ID Severity Customized Packet Logging Sensor Actions Blocking Notifications M 18.104.22.168 M 22.214.171.124
There are no Category or subcategory listed.
Still I need to check one by one..
what a great gui..
From my short research, mapping out every signature under one nice form is not possible.
The DB only provides a reference for the category and sub-category information.
However, it is the actual signature file that contains the information about which category and sub-category a signature is under.
I wonder if I can get an attack count report on category & sub category via the executive report..
Technically, I should be able to drill down to the specific alert that was triggered for this category & sub category, isn't it...
Looks like I need to dig more into the IntruShield DB structure..
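One way to do the category/sub-category roll-up the thread is asking for without touching the NSM database is to join the list pasted out of the Policy Editor (columns as listed above) with a category mapping obtained separately and then count alerts per signature inside one category. The script below is an added example, not code from the thread or from McAfee; the tab-separated export, the CSV mapping layout, the attack IDs and the alert list are all constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict
# Constructed sample of a Policy Editor copy/paste (tab-separated, columns as
# listed in the thread); attack IDs and names are made up for illustration.
POLICY_EXPORT = """Attack Enabled\tAlert Enabled\tAttack Name\tAttack ID\tSeverity
Yes\tYes\tHTTP: Example Restricted URL\t0x40010100\tMedium
Yes\tYes\tFTP: Example Login Attempt\t0x40020200\tLow
Yes\tYes\tIRC: Example Chat Traffic\t0x40030300\tLow
Yes\tNo\tTFTP: Example Transfer\t0x40040400\tInformational
"""
# Constructed category mapping, assumed to come from a separate source such as
# the signature set / attack encyclopedia (hypothetical CSV layout).
CATEGORY_MAP = """Attack ID,Category,Sub Category
0x40010100,Policy Violation,Restricted Access
0x40020200,Policy Violation,Restricted Access
0x40030300,Policy Violation,Restricted Application
"""
# Constructed alert export: one attack ID per alert, as an exported report might list them.
ALERTS = ["0x40010100"] * 3 + ["0x40020200"] * 2 + ["0x40030300", "0x40099999"]
def load_policy(text):
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))
def load_categories(text):
    rows = csv.DictReader(io.StringIO(text))
    return {r["Attack ID"]: (r["Category"], r["Sub Category"]) for r in rows}
def signatures_by_category(policy_rows, categories):
    """Group signature names by (category, sub-category); IDs with no mapping are returned separately."""
    grouped, unmapped = defaultdict(list), []
    for row in policy_rows:
        key = categories.get(row["Attack ID"])
        if key is None:
            unmapped.append(row["Attack ID"])  # new signature set, stale mapping
        else:
            grouped[key].append(row["Attack Name"])
    return dict(grouped), unmapped

def alert_counts_in(alert_ids, categories, policy_rows, category, sub_category):
    """Per-signature alert counts for one category/sub-category (the report drill-down)."""
    names = {r["Attack ID"]: r["Attack Name"] for r in policy_rows}
    counts = Counter()
    for aid in alert_ids:
        if categories.get(aid) == (category, sub_category):
            counts[names.get(aid, aid)] += 1
    return dict(counts)

if __name__ == "__main__":
    policy, cats = load_policy(POLICY_EXPORT), load_categories(CATEGORY_MAP)
    grouped, unmapped = signatures_by_category(policy, cats)
    print(grouped, "unmapped:", unmapped)
    print(alert_counts_in(ALERTS, cats, policy, "Policy Violation", "Restricted Access"))
```

Any attack ID that comes back in the unmapped list is the signal that the mapping file needs refreshing after a signature-set update, which is the same caveat raised for the Policy Editor export.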
Digging into the NSP database structure should be quite straightforward.. we did this ourselves too. Anyway, if you do scripting on the DB, you should be aware of structural changes which might come with an update of NSM.