874 Views 3 Replies Latest reply: Sep 19, 2013 7:52 AM by dcobes
greatscott Champion 287 posts since
Jul 18, 2011

Mar 5, 2013 9:44 AM

Question about Signature KB Article

I have some questions about this KB Article:

 

https://kc.mcafee.com/corporate/index?page=content&id=KB55119

 

It states that in the "SignatureTypeID" field, that 1=windows, 2=solaris, and 3= linux. When I run the query, I have some that are 4. What does the number 4 correspond to in the SignatureTypeID field?

 

It also states that in the "Category" field, that 0= HIPS, 1= NIPS. When I run the query, I have some that are 2. What does the number 2 correspond to in the Category field?

 

Thanks in advance if anyone knows.

  • Kary Tankink McAfee Employee 654 posts since
    Mar 3, 2010
    1. Mar 5, 2013 12:32 PM (in response to greatscott)
    Re: Question about Signature KB Article

    SignatureTypeID 4 is for disabled signatures no longer applicable to the product.

     

    Examples:

    SignatureID  SignatureTypeID  IsDeleted  SignatureName
    1901         4                1          Link to dev
    1902         4                1          Program Execution with Binary Arguments
    1903         4                1          Link to Critical System File Created

     

     

     

     


    "Category 2" is custom IPS Signatures 4000-5999.

  • dcobes The Place at McAfee Member 38 posts since
    Nov 1, 2012
    3. Sep 19, 2013 7:52 AM (in response to greatscott)
    Re: Question about Signature KB Article

    For anyone that doesn't want to do the definition conversion (i.e. 1 = windows, etc.) after they export the signatures from the database, I've gone ahead and created a query that will do it for you. So you have your signature export and your conversion in one step. I hate doing things twice. I've also created a few other queries for additional uses, which may work for someone else.

     

    NOTE: The below queries will only work for those running HIPS 8.x

    =============================
    BEGIN QUERY - all signatures w/ conversion
    =============================
    select
        case [SeverityLevel]
            when 4 then 'HIGH'
            when 3 then 'MED'
            when 2 then 'LOW'
            when 1 then 'INFO'
            else 'DISABLED'
        end as SeverityLevel,
        sig.SignatureID,
        case [SignatureTypeID]
            when 1 then 'Windows'
            when 2 then 'Solaris'
            when 3 then 'Linux'
            else 'Other'
        end as SigPlatform,
        sigName.SignatureName as SignatureName,
        sig.MinContentVersion,
        case [Category]
            when 0 then 'HIPS'
            when 1 then 'NIPS'
            when 2 then 'CUSTOM'
            else 'Other'
        end as Category,
        case [IsLogEnabled]
            when 0 then 'Disabled'
            when 1 then 'Enabled'
            else 'Other'
        end as LogStatus,
        sig.CVECode,
        sigDesc.TextValue as SignatureDesc
    FROM
        HIP8_Signature as sig
        /* LanguageID 1033 = English (United States) name and description text */
        LEFT JOIN HIP8_SigNameXlate as sigName on sig.SignatureID=sigName.SignatureID and sigName.LanguageID=1033
        LEFT JOIN HIP8_LongTextXlate as sigDesc ON sig.SignatureID=sigDesc.KeyID and sigDesc.KeyType='SD' and sigDesc.LanguageID=1033
    =============================
    END QUERY - all signatures w/ conversion
    =============================

     

    ===================================
    BEGIN QUERY - Enabled Signatures ONLY (no conversion)
    ===================================
    select
        sig.SignatureID,
        sig.SignatureTypeID,
        sig.Category,
        sig.IsLogEnabled,
        sig.IsCreateLocalExEnabled,
        sig.SeverityLevel,
        sig.CVECode,
        sig.MinContentVersion,
        sig.IsDeleted,
        sigName.SignatureName as SignatureName,
        sigDesc.TextValue as SignatureDesc
    FROM
        HIP8_Signature as sig
        LEFT JOIN HIP8_SigNameXlate as sigName on sig.SignatureID=sigName.SignatureID and sigName.LanguageID=1033
        LEFT JOIN HIP8_LongTextXlate as sigDesc ON sig.SignatureID=sigDesc.KeyID and sigDesc.KeyType='SD' and sigDesc.LanguageID=1033
    WHERE
        sig.SeverityLevel not like '0'
    ===================================
    END QUERY - Enabled Signatures ONLY (no conversion)
    ===================================

     

    ===================================
    BEGIN QUERY - Disabled Signatures ONLY (no conversion)
    ===================================
    select
        sig.SignatureID,
        sig.SignatureTypeID,
        sig.Category,
        sig.IsLogEnabled,
        sig.IsCreateLocalExEnabled,
        sig.SeverityLevel,
        sig.CVECode,
        sig.MinContentVersion,
        sig.IsDeleted,
        sigName.SignatureName as SignatureName,
        sigDesc.TextValue as SignatureDesc
    FROM
        HIP8_Signature as sig
        LEFT JOIN HIP8_SigNameXlate as sigName on sig.SignatureID=sigName.SignatureID and sigName.LanguageID=1033
        LEFT JOIN HIP8_LongTextXlate as sigDesc ON sig.SignatureID=sigDesc.KeyID and sigDesc.KeyType='SD' and sigDesc.LanguageID=1033
    WHERE
        sig.SeverityLevel = '0'
    ===================================
    END QUERY - Disabled Signatures ONLY (no conversion)
    ===================================

     

    ===================================
    BEGIN QUERY - Windows Signatures ONLY (no conversion)
    ===================================
    select
        sig.SignatureID,
        sig.SignatureTypeID,
        sig.Category,
        sig.IsLogEnabled,
        sig.IsCreateLocalExEnabled,
        sig.SeverityLevel,
        sig.CVECode,
        sig.MinContentVersion,
        sig.IsDeleted,
        sigName.SignatureName as SignatureName,
        sigDesc.TextValue as SignatureDesc
    FROM
        HIP8_Signature as sig
        LEFT JOIN HIP8_SigNameXlate as sigName on sig.SignatureID=sigName.SignatureID and sigName.LanguageID=1033
        LEFT JOIN HIP8_LongTextXlate as sigDesc ON sig.SignatureID=sigDesc.KeyID and sigDesc.KeyType='SD' and sigDesc.LanguageID=1033
    WHERE
        sig.SignatureTypeID = '1'
    ===================================
    END QUERY - Windows Signatures ONLY (no conversion)
    ===================================

     

    ==========================================

    BEGIN QUERY - Signatures for latest Content Version (no conversion)

    ==========================================

    select
        sig.SignatureID,
        sig.SignatureTypeID,
        sig.Category,
        sig.IsLogEnabled,
        sig.IsCreateLocalExEnabled,
        sig.SeverityLevel,
        sig.CVECode,
        sig.MinContentVersion,
        sig.IsDeleted,
        sigName.SignatureName as SignatureName,
        sigDesc.TextValue as SignatureDesc
    FROM
        HIP8_Signature as sig
        LEFT JOIN HIP8_SigNameXlate as sigName on sig.SignatureID=sigName.SignatureID and sigName.LanguageID=1033
        LEFT JOIN HIP8_LongTextXlate as sigDesc ON sig.SignatureID=sigDesc.KeyID and sigDesc.KeyType='SD' and sigDesc.LanguageID=1033
    WHERE
        sig.MinContentVersion = '8.0.0.4933' /* Enter the latest content version number here to see all sigs for that release or releases, depending on query */

    ==========================================

    END QUERY - Signatures for latest Content Version (no conversion)

    ==========================================
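
An added example, not part of any post in this thread: a summary query that applies the value mappings given in the replies above (SignatureTypeID 4 = disabled signatures no longer applicable, Category 2 = custom IPS signatures 4000-5999, SeverityLevel 0 = disabled and 4 = high as in the conversion query) to review signature coverage per platform and category. It assumes the HIPS 8.x table and column names used in the queries above; the output column aliases are made up for this example.

```sql
-- Added example: signature coverage summary for HIPS 8.x.
-- Table/column names are taken from the queries in this thread; the value
-- mappings are the ones stated in the replies, not from a schema reference.
SELECT
    CASE sig.SignatureTypeID
        WHEN 1 THEN 'Windows'
        WHEN 2 THEN 'Solaris'
        WHEN 3 THEN 'Linux'
        WHEN 4 THEN 'Retired'      -- disabled, no longer applicable to the product
        ELSE 'Unknown'
    END AS SigPlatform,
    CASE sig.Category
        WHEN 0 THEN 'HIPS'
        WHEN 1 THEN 'NIPS'
        WHEN 2 THEN 'CUSTOM'       -- custom IPS signatures 4000-5999
        ELSE 'Unknown'
    END AS Category,
    COUNT(*) AS TotalSigs,
    -- SeverityLevel 0 is treated as disabled, as in the conversion query
    SUM(CASE WHEN sig.SeverityLevel = 0 THEN 1 ELSE 0 END) AS DisabledSigs,
    SUM(CASE WHEN sig.SeverityLevel = 4 THEN 1 ELSE 0 END) AS HighSigs,
    -- High-severity signatures that would fire without writing a log entry
    SUM(CASE WHEN sig.SeverityLevel = 4 AND sig.IsLogEnabled = 0
             THEN 1 ELSE 0 END) AS HighSigsNotLogged,
    -- Retired signatures that are not flagged as deleted
    SUM(CASE WHEN sig.SignatureTypeID = 4 AND sig.IsDeleted = 0
             THEN 1 ELSE 0 END) AS RetiredNotDeleted,
    -- Sanity check on the stated custom-signature ID range
    SUM(CASE WHEN sig.Category = 2
              AND sig.SignatureID NOT BETWEEN 4000 AND 5999
             THEN 1 ELSE 0 END) AS CustomOutsideRange
FROM HIP8_Signature AS sig
GROUP BY sig.SignatureTypeID, sig.Category
ORDER BY sig.SignatureTypeID, sig.Category;
```

A non-zero HighSigsNotLogged value points at high-severity signatures whose events would not reach the log, which is the first thing to review when tuning a policy.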

     


     

     

     


     

     

