Custom Signatures not importing to database on Director

crossmanj
Level 1

I noticed today that none of the custom signatures are in my Oracle database. All of the detects before and after from that sensor are there but none of the custom signatures. I tried searching for signature ID's, and then again using timeframe and source IP address. Is there an additional step that I missed way back when I originally built my sensor? (And is that also why I never can import the detect context either?)

What info can I provide to get help in solving this?

2 Replies

I'm not sure why the alarms for custom signatures are not making it into the database.

You may want to try adding your custom signatures to the /usr/nr/etc/signatures file and then, as user netrangr, execute:

/usr/nr/bin/sap/sapx_main /usr/nr/etc/signatures 5 1

This should load all the signatures with your added custom signatures to the database.

As for why the context data isn't loaded: this is the default configuration.

Try editing /usr/nr/bin/load_run.sh and commenting out the line:

export SAP_EXCLUDE_CONTEXT=

With the line uncommented, the script is telling sapx_main to not load the context data. If you comment out the line, then the context data will be loaded.

There are also the following similar lines:

export SAP_EXCLUDE_TCPCONN= (prevents the 3000,port# alarms from being loaded. These alarms are low severity alarms based off SYN packets to the port number)

#export SAP_EXCLUDE_ALARM= (this is commented out by default, but when uncommented would prevent any level 2 or higher alarms from being loaded)

export SAP_EXCLUDE_ALARM_1= (prevents level 1 alarms from being loaded)
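A small shell audit of the load_run.sh exclusion switches described in the reply, added here as an example that is not part of the original thread. The sample file content is constructed to mirror the defaults the reply lists; on a real Director the script is /usr/nr/bin/load_run.sh, and how sapx_main interprets the variables is taken from the reply above.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SAP_EXCLUDE_* exports in a
# NetRanger load_run.sh and show which alarm classes sapx_main will skip.
# The sample content below is constructed to mirror the defaults described in the
# reply; the real file lives at /usr/nr/bin/load_run.sh.

LOAD_RUN_FILE=$(mktemp)
cat > "$LOAD_RUN_FILE" <<'EOF'
#!/bin/sh
export SAP_EXCLUDE_CONTEXT=
export SAP_EXCLUDE_TCPCONN=
#export SAP_EXCLUDE_ALARM=
export SAP_EXCLUDE_ALARM_1=
/usr/nr/bin/sap/sapx_main /usr/nr/etc/signatures 5 1
EOF

# active_excludes FILE: names of SAP_EXCLUDE_* variables that are exported
# (uncommented) in FILE, one per line. Per the reply, an empty value still
# excludes: the presence of the export is what matters, so "export X=" counts.
active_excludes() {
    grep -E '^[[:space:]]*export[[:space:]]+SAP_EXCLUDE_[A-Z0-9_]+=' "$1" |
        sed -E 's/^[[:space:]]*export[[:space:]]+(SAP_EXCLUDE_[A-Z0-9_]+)=.*/\1/'
}

# is_excluded FILE NAME: succeed if NAME is actively exported in FILE.
is_excluded() {
    active_excludes "$1" | grep -qx "$2"
}

# comment_out FILE NAME: write FILE to stdout with NAME's export line commented
# out, i.e. the change the reply suggests for SAP_EXCLUDE_CONTEXT.
comment_out() {
    sed -E "s/^([[:space:]]*)(export[[:space:]]+$2=)/\1#\2/" "$1"
}

# report FILE: one line per exclusion variable, stating what the load will drop.
report() {
    for var in SAP_EXCLUDE_CONTEXT SAP_EXCLUDE_TCPCONN SAP_EXCLUDE_ALARM SAP_EXCLUDE_ALARM_1; do
        if is_excluded "$1" "$var"; then
            echo "$var is set: matching data is NOT loaded"
        else
            echo "$var is commented out or absent: matching data is loaded"
        fi
    done
}

report "$LOAD_RUN_FILE"
```

Run report against the real script before and after editing it to confirm the only switch you changed is the one you meant to change.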
