Endpoint Protection


Searching specific signature id in SEPM reporting

  • 1.  Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 06:27 AM

    Do we have any reporting option in SEPM to generate the logs for a specific signature ID for IPS? It is possible in the following way. However, I need to get it for the allowed traffic. Is it possible through the existing reports, or do we have any query to generate this?


    Monitors tab -- Logs

    Set log type to network threat protection

    Set log content to attacks



  • 2.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 06:29 AM

    This is the only way in SEPM. You can also set Event Type to Intrusion Prevention to narrow it down a bit more.

    To get more advanced you could probably query the DB directly if you knew what you're looking for.

    Symantec Endpoint Protection Database Schema

    Symantec Endpoint Protection 12.1.5 Database Schema



  • 3.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 07:53 AM

    You should query the AGENT_SECURITY_LOG_1 table; for name and ID this is the query.


    select CIDS_SIGN_ID, STR_CIDS_SIGN_ID from AGENT_SECURITY_LOG_1

    Are you using SQL or the embedded database?
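    The following is an added example, not a query posted in this thread: it extends the query above into per-signature hit counts, so a SID from an exception list that never appears in the result was never detected. Only AGENT_SECURITY_LOG_1, CIDS_SIGN_ID and STR_CIDS_SIGN_ID come from the thread; TIME_STAMP is an assumed name for the table's timestamp column and the SID values are made up, so check both against the schema document before running it.

```sql
-- Added example, not from the thread. Assumptions: TIME_STAMP is the
-- timestamp column of AGENT_SECURITY_LOG_1 (verify in the schema document);
-- 12345 and 23456 are placeholder signature IDs from an exception list.

-- 1) Was one specific signature ever hit at all?
SELECT CIDS_SIGN_ID,
       STR_CIDS_SIGN_ID,
       COUNT(*) AS hits
FROM   AGENT_SECURITY_LOG_1
WHERE  CIDS_SIGN_ID = 12345
GROUP  BY CIDS_SIGN_ID, STR_CIDS_SIGN_ID;

-- 2) Hit counts for a whole list of excepted SIDs, with first and last
--    occurrence, ordered by the noisiest signature first. A SID missing
--    from this result has no event rows, i.e. no detection was logged.
SELECT CIDS_SIGN_ID,
       STR_CIDS_SIGN_ID,
       COUNT(*)        AS hits,
       MIN(TIME_STAMP) AS first_seen,
       MAX(TIME_STAMP) AS last_seen
FROM   AGENT_SECURITY_LOG_1
WHERE  CIDS_SIGN_ID IN (12345, 23456)
GROUP  BY CIDS_SIGN_ID, STR_CIDS_SIGN_ID
ORDER  BY hits DESC;
```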



  • 4.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 08:20 AM

    SQL database



  • 5.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 08:21 AM

    You'll need to query it for the info you need.



  • 6.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 08:21 AM

    That should still work... have you tried?



  • 7.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 08:56 AM

    Hi Secin,

    This is easily accomplished with exported "IPS attacks" logs.  In MS Excel, check or uncheck the SID you are interested in:

    [Image: filter_by_sid.png]


    However, I need to get it for the allowed traffic.

    Is it the audit signatures that you are interested in, if the traffic was detected but allowed?

    Please update the thread if you need more assistance!  This article may be worth a look...

    Two Reasons why IPS is a "Must Have" for your Network

    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network


    With thanks and best regards,

    Mick




  • 8.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 08:57 AM

    I ran the query and I can see a few signature names and IDs. I would like to know a few things about this.

    1) Is everything shown, like whatever got allowed and blocked?

    2) Is it showing the detected signatures?




  • 9.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 09:03 AM

    Hi Mick,

    I have added a few signatures in Intrusion Prevention Exceptions and the action is allow. I would like to know whether there was any traffic detected for that signature.



  • 10.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 09:03 AM

    IPS will block unless you specify otherwise.

    It shows the SID in the name itself.



  • 11.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 09:04 AM

    It would still show in the logs, whether set to block or allow (if you changed this action).




  • 12.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 09:11 AM

    Those were the ones which agents used to block, i.e. IPS detections.

    If you don't see your custom IPS, then it was not used for any detection.



  • 13.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 09:12 AM

    Which logs?



  • 14.  RE: Searching specific signature id in SEPM reporting

    Posted Nov 19, 2014 09:14 AM

    On the client, check the security log.

    If SEPM, the one you posted above in your original post.