3 Replies | Latest reply: Sep 19, 2013 7:52 AM by dcobes

    Question about Signature KB Article

    greatscott

      I have some questions about this KB article:

      https://kc.mcafee.com/corporate/index?page=content&id=KB55119

      It states that in the "SignatureTypeID" field, 1 = Windows, 2 = Solaris, and 3 = Linux. When I run the query, I have some that are 4. What does the number 4 correspond to in the SignatureTypeID field?

      It also states that in the "Category" field, 0 = HIPS and 1 = NIPS. When I run the query, I have some that are 2. What does the number 2 correspond to in the Category field?

      Thanks in advance if anyone knows.

        • 1. Re: Question about Signature KB Article
          Kary Tankink

          SignatureTypeID 4 is for disabled signatures no longer applicable to the product.

          Examples:

          SignatureID   SignatureTypeID   IsDeleted   SignatureName
          1901          4                 1           Link to dev
          1902          4                 1           Program Execution with Binary Arguments
          1903          4                 1           Link to Critical System File Created

          "Category 2" is custom IPS signatures 4000-5999.

          • 2. Re: Question about Signature KB Article
            greatscott

            Thank you.

            • 3. Re: Question about Signature KB Article
              dcobes

              For anyone that doesn't want to do the definition conversion (i.e. 1 = Windows, etc.) after they export the signatures from the database, I've gone ahead and created a query that will do it for you. So you have your signature export and your conversion in one step. I hate doing things twice. I've also created a few other queries for additional uses, which may work for someone else.

              NOTE: The below queries will only work for those running HIPS 8.x

              =============================
              BEGIN QUERY - all signatures w/ conversion
              =============================
              SELECT
                  CASE sig.SeverityLevel
                      WHEN 4 THEN 'HIGH'
                      WHEN 3 THEN 'MED'
                      WHEN 2 THEN 'LOW'
                      WHEN 1 THEN 'INFO'
                      ELSE 'DISABLED'          -- 0 = disabled
                  END AS SeverityLevel,
                  sig.SignatureID,
                  CASE sig.SignatureTypeID
                      WHEN 1 THEN 'Windows'
                      WHEN 2 THEN 'Solaris'
                      WHEN 3 THEN 'Linux'
                      ELSE 'Other'             -- 4 = disabled, no longer applicable
                  END AS SigPlatform,
                  sigName.SignatureName AS SignatureName,
                  sig.MinContentVersion,
                  CASE sig.Category
                      WHEN 0 THEN 'HIPS'
                      WHEN 1 THEN 'NIPS'
                      WHEN 2 THEN 'CUSTOM'     -- custom IPS signatures 4000-5999
                      ELSE 'Other'
                  END AS Category,
                  CASE sig.IsLogEnabled
                      WHEN 0 THEN 'Disabled'
                      WHEN 1 THEN 'Enabled'
                      ELSE 'Other'
                  END AS LogStatus,
                  sig.CVECode,
                  sigDesc.TextValue AS SignatureDesc
              FROM HIP8_Signature AS sig
                  LEFT JOIN HIP8_SigNameXlate AS sigName
                      ON sig.SignatureID = sigName.SignatureID
                     AND sigName.LanguageID = 1033     -- 1033 = English (US)
                  LEFT JOIN HIP8_LongTextXlate AS sigDesc
                      ON sig.SignatureID = sigDesc.KeyID
                     AND sigDesc.KeyType = 'SD'        -- description text rows
                     AND sigDesc.LanguageID = 1033
              =============================
              END QUERY - all signatures w/ conversion
              =============================


              ===================================
              BEGIN QUERY - Enabled Signatures ONLY (no conversion)
              ===================================
              SELECT
                  sig.SignatureID,
                  sig.SignatureTypeID,
                  sig.Category,
                  sig.IsLogEnabled,
                  sig.IsCreateLocalExEnabled,
                  sig.SeverityLevel,
                  sig.CVECode,
                  sig.MinContentVersion,
                  sig.IsDeleted,
                  sigName.SignatureName AS SignatureName,
                  sigDesc.TextValue AS SignatureDesc
              FROM HIP8_Signature AS sig
                  LEFT JOIN HIP8_SigNameXlate AS sigName
                      ON sig.SignatureID = sigName.SignatureID
                     AND sigName.LanguageID = 1033
                  LEFT JOIN HIP8_LongTextXlate AS sigDesc
                      ON sig.SignatureID = sigDesc.KeyID
                     AND sigDesc.KeyType = 'SD'
                     AND sigDesc.LanguageID = 1033
              WHERE sig.SeverityLevel <> 0          -- 0 = disabled (see conversion query above)
              ===================================
              END QUERY - Enabled Signatures ONLY (no conversion)
              ===================================


              ===================================
              BEGIN QUERY - Disabled Signatures ONLY (no conversion)
              ===================================
              SELECT
                  sig.SignatureID,
                  sig.SignatureTypeID,
                  sig.Category,
                  sig.IsLogEnabled,
                  sig.IsCreateLocalExEnabled,
                  sig.SeverityLevel,
                  sig.CVECode,
                  sig.MinContentVersion,
                  sig.IsDeleted,
                  sigName.SignatureName AS SignatureName,
                  sigDesc.TextValue AS SignatureDesc
              FROM HIP8_Signature AS sig
                  LEFT JOIN HIP8_SigNameXlate AS sigName
                      ON sig.SignatureID = sigName.SignatureID
                     AND sigName.LanguageID = 1033
                  LEFT JOIN HIP8_LongTextXlate AS sigDesc
                      ON sig.SignatureID = sigDesc.KeyID
                     AND sigDesc.KeyType = 'SD'
                     AND sigDesc.LanguageID = 1033
              WHERE sig.SeverityLevel = 0           -- 0 = disabled
              ===================================
              END QUERY - Disabled Signatures ONLY (no conversion)
              ===================================


              ===================================
              BEGIN QUERY - Windows Signatures ONLY (no conversion)
              ===================================
              SELECT
                  sig.SignatureID,
                  sig.SignatureTypeID,
                  sig.Category,
                  sig.IsLogEnabled,
                  sig.IsCreateLocalExEnabled,
                  sig.SeverityLevel,
                  sig.CVECode,
                  sig.MinContentVersion,
                  sig.IsDeleted,
                  sigName.SignatureName AS SignatureName,
                  sigDesc.TextValue AS SignatureDesc
              FROM HIP8_Signature AS sig
                  LEFT JOIN HIP8_SigNameXlate AS sigName
                      ON sig.SignatureID = sigName.SignatureID
                     AND sigName.LanguageID = 1033
                  LEFT JOIN HIP8_LongTextXlate AS sigDesc
                      ON sig.SignatureID = sigDesc.KeyID
                     AND sigDesc.KeyType = 'SD'
                     AND sigDesc.LanguageID = 1033
              WHERE sig.SignatureTypeID = 1         -- 1 = Windows (2 = Solaris, 3 = Linux)
              ===================================
              END QUERY - Windows Signatures ONLY (no conversion)
              ===================================


              ==========================================
              BEGIN QUERY - Signatures for latest Content Version (no conversion)
              ==========================================
              SELECT
                  sig.SignatureID,
                  sig.SignatureTypeID,
                  sig.Category,
                  sig.IsLogEnabled,
                  sig.IsCreateLocalExEnabled,
                  sig.SeverityLevel,
                  sig.CVECode,
                  sig.MinContentVersion,
                  sig.IsDeleted,
                  sigName.SignatureName AS SignatureName,
                  sigDesc.TextValue AS SignatureDesc
              FROM HIP8_Signature AS sig
                  LEFT JOIN HIP8_SigNameXlate AS sigName
                      ON sig.SignatureID = sigName.SignatureID
                     AND sigName.LanguageID = 1033
                  LEFT JOIN HIP8_LongTextXlate AS sigDesc
                      ON sig.SignatureID = sigDesc.KeyID
                     AND sigDesc.KeyType = 'SD'
                     AND sigDesc.LanguageID = 1033
              /* Enter the latest content version number here to see all sigs for that
                 release or releases, depending on query */
              WHERE sig.MinContentVersion = '8.0.0.4933'
              ==========================================
              END QUERY - Signatures for latest Content Version (no conversion)
              ==========================================
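An added audit query, not from the thread or from McAfee, that folds the two answers above into dcobes's conversion approach (SignatureTypeID 4 = disabled/no longer applicable, Category 2 = custom signatures 4000-5999) and then lists rows that contradict those mappings. It assumes SQL Server T-SQL, the HIP8_Signature and HIP8_SigNameXlate tables used in the queries above, and dcobes's convention that SeverityLevel 0 means disabled.

```sql
-- Added example, not from the thread. Assumes SQL Server T-SQL and the
-- HIP8_Signature / HIP8_SigNameXlate tables used in the queries above.

-- 1. Inventory: counts per platform and category, with the two values the
--    replies explained (SignatureTypeID 4, Category 2) folded in.
SELECT
    CASE sig.SignatureTypeID
        WHEN 1 THEN 'Windows'  WHEN 2 THEN 'Solaris'  WHEN 3 THEN 'Linux'
        WHEN 4 THEN 'Retired'  -- disabled, no longer applicable to the product
        ELSE 'Unknown'
    END AS SigPlatform,
    CASE sig.Category
        WHEN 0 THEN 'HIPS'  WHEN 1 THEN 'NIPS'
        WHEN 2 THEN 'CUSTOM'   -- custom IPS signatures, IDs 4000-5999
        ELSE 'Unknown'
    END AS Category,
    SUM(CASE WHEN sig.SeverityLevel = 0 THEN 1 ELSE 0 END) AS DisabledCount,
    SUM(CASE WHEN sig.SeverityLevel > 0 THEN 1 ELSE 0 END) AS EnabledCount,
    COUNT(*) AS TotalCount
FROM HIP8_Signature AS sig
GROUP BY sig.SignatureTypeID, sig.Category
ORDER BY sig.SignatureTypeID, sig.Category;

-- 2. Consistency check: rows that contradict the mappings. An empty result is
--    the expected outcome; anything returned should be reviewed before the
--    exported list is relied on.
SELECT
    sig.SignatureID, sig.SignatureTypeID, sig.Category,
    sig.IsDeleted, sig.SeverityLevel, sigName.SignatureName,
    CASE
        WHEN sig.Category = 2 AND sig.SignatureID NOT BETWEEN 4000 AND 5999
            THEN 'Category 2 but ID outside the custom range'
        WHEN sig.SignatureTypeID = 4 AND sig.SeverityLevel > 0
            THEN 'Retired signature still carries a severity (not 0)'
        ELSE 'Value not covered by the KB article or this thread'
    END AS Anomaly
FROM HIP8_Signature AS sig
    LEFT JOIN HIP8_SigNameXlate AS sigName
        ON sig.SignatureID = sigName.SignatureID AND sigName.LanguageID = 1033
WHERE (sig.Category = 2 AND sig.SignatureID NOT BETWEEN 4000 AND 5999)
   OR (sig.SignatureTypeID = 4 AND sig.SeverityLevel > 0)
   OR sig.SignatureTypeID NOT IN (1, 2, 3, 4)
   OR sig.Category NOT IN (0, 1, 2)
ORDER BY sig.SignatureID;
```

Rows with a NULL SignatureTypeID or Category are not caught by the NOT IN tests; add an explicit IS NULL clause if those columns are nullable in your schema.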