How to exclude a single or multiple signatures from the events report?

  • 1
  • Question
  • Updated 5 years ago
  • Answered
Is it possible to run a signature report but not display certain signatures. Usually I would put ! in front of the signatures I don't want shown.

Andy

  • 44 Posts
  • 2 Reply Likes

Posted 5 years ago

  • 1

Aisling Brennan, Official Rep

  • 390 Posts
  • 8 Reply Likes
It is possible to hardcode these signatures in the Security :: by Signature report.

To view the syntax that was used to generate the report that you are currently viewing, click More Actions on the report menu bar and select Report Syntax. The code that was used to query the database and extract the results is displayed.

This feature may be useful for advanced users who wish to create custom reports.

In the example below, I have excluded a single signature from the report: sid 2011938.

Query event [aid##app], [sid#Signature#signature], [prio#Priority#prio], [count(eid)#Total#total] sort=2,-3 where 1=1 & sid ! 2011938 & {timestamp#t#Time#date#} & {senid#senid#Sensor#sensor#} & {aid#aid#Application#app#} & {sid#sid#Signature#number#} & {src#src#Source IP/Subnet#subnet#} & {dst#dst#Destination IP/Subnet#subnet#} & {prio#prio#Priority#number#}
Link down.png View_detailed_event_list /netmon/view.cgi?View=1&rid=81&t=$t&aid=$0&sid=$1&src=$src&dst=$dst&prio=$prio&senid=$senid 4
Link down.png Breakdown_by_source_IP /netmon/view.cgi?View=1&rid=130&t=$t&aid=$0&sid=$1&src=$src&dst=$dst&senid=$senid
Link down.png Breakdown_by_destination_IP /netmon/view.cgi?View=1&rid=106&t=$t&aid=$0&sid=$1&src=$src&dst=$dst&senid=$senid
Link info.png View/Mark_this_signature /ids/editrule.cgi?sid=$1&aid=$0&senid=$senid 2
Graph bar z=3 y=1 x=0,1 title=Events

To exclude multiple signatures, the syntax is & sid ! 491 &
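Added example, not code from the original thread or from the console the answer describes: a small Python emulation of what the `& sid ! N` term in the where clause should do to the Security :: by Signature report, so the effect of excluding one or several signatures can be checked against known input before the hardcoded report is saved. The event records, the reading of `sort=2,-3` (priority ascending, then total descending) and the assumption that several exclusions simply chain as repeated `& sid ! N` terms are all assumptions made here; the console's actual query language is not documented on this page.

```python
"""Emulation of the `sid !` exclusion in a by-signature event report.

This is an added example, not the console's own code. It models only the
columns the page's query shows (aid, sid, prio, count(eid)) and treats
repeated `& sid ! N` terms as ANDed exclusions, which is an assumption.
"""

import re
from collections import Counter

# Constructed sample events: (application, signature id, priority).
# Not taken from the page; sid 2011938 and 491 are the ids the answer mentions.
SAMPLE_EVENTS = [
    {"aid": "http", "sid": 2011938, "prio": 1},
    {"aid": "http", "sid": 2011938, "prio": 1},
    {"aid": "dns",  "sid": 491,     "prio": 2},
    {"aid": "smtp", "sid": 2002123, "prio": 3},
    {"aid": "http", "sid": 2002123, "prio": 3},
    {"aid": "dns",  "sid": 491,     "prio": 2},
]

# Matches one hardcoded exclusion term such as `& sid ! 2011938`.
# The `!` is required, so parameter prompts like `{sid#sid#Signature#number#}`
# are not mistaken for exclusions.
EXCLUSION_RE = re.compile(r"&\s*sid\s*!\s*(\d+)")


def exclusion_clause(sids):
    """Builds one `& sid ! N` term per signature id, in the form the answer
    shows for a single sid (assumed to chain with `&` for several).

    int() keeps every value numeric, so an id taken from user input cannot
    splice extra terms (e.g. `1 & src ! 10.0.0.1`) into the report query.
    """
    return "".join(f" & sid ! {int(s)}" for s in sids)


def where_clause(sids):
    """Full where clause with the exclusions placed right after `1=1`,
    matching the position used in the answer's example."""
    return "where 1=1" + exclusion_clause(sids)


def excluded_sids(clause):
    """Parses the excluded signature ids back out of a where clause."""
    return {int(m) for m in EXCLUSION_RE.findall(clause)}


def by_signature_report(events, clause):
    """Counts events per (aid, sid, prio) with excluded sids dropped.

    Rows are ordered like an assumed reading of `sort=2,-3`: priority
    ascending, then total descending, with aid/sid as a stable tiebreak.
    """
    skip = excluded_sids(clause)
    counts = Counter(
        (e["aid"], e["sid"], e["prio"]) for e in events if e["sid"] not in skip
    )
    rows = [(aid, sid, prio, total) for (aid, sid, prio), total in counts.items()]
    rows.sort(key=lambda r: (r[2], -r[3], r[0], r[1]))
    return rows


if __name__ == "__main__":
    for sids in ([], [2011938], [491, 2011938]):
        clause = where_clause(sids)
        print(clause)
        for row in by_signature_report(SAMPLE_EVENTS, clause):
            print("  ", row)
```

Running the block prints the report three times: unfiltered, with sid 2011938 excluded, and with both 491 and 2011938 excluded, so the row for each excluded signature disappears while the remaining counts are unchanged. If the console applies the exclusion terms differently from this emulation, use Report Syntax on the saved report to compare its where clause against the output of `where_clause()`.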