How to delete existing Signature Sets from the Trellix IPS Manager
Technical Articles ID: KB57814
Last Modified: 6/8/2023
Environment
Trellix Intrusion Prevention System (Trellix IPS) Manager
IMPORTANT:
- The IPS Manager is transitioning from MySQL to MariaDB.
- The database used in Manager 9.1 changes to MariaDB with release 9.1.7.77. Manager 10.x also uses MariaDB.
Summary
You might need to remove Signature Sets (sigsets) from the Manager for the following reasons:
- There are too many sigsets present in the Manager from previous downloads.
- You're unable to push an update from the Manager to the Sensor.
- You see the following error if you try to import IPS signatures from a local source or Product Downloads site: Failed to read file.
- You've been directed to do so for troubleshooting or upgrade reasons.
IMPORTANT:
- This process removes all signatures from the Manager and deletes any existing User Defined Signatures (UDSs). Make a backup of any UDSs that you'll need in the future.
- Always make a backup of your IPS policies and your Custom Attacks (UDS/SNORT) that you might require in the future.
- All attacks that are detected while the sigset doesn't exist in the Manager are shown as HIGH severity. So, make sure that you've stopped the Manager Service.
- Although this process removes all sigsets and custom attacks (UDS/SNORT) from the Manager, the Sensors that are currently deployed continue to function as normal. It's only when the Manager pushes out an update that the Sensors are affected by this change.
- FIPS ONLY: Deleting all signatures from the Manager prevents the Manager service from starting because of file hash/key protections.
After you delete the signatures, you must manually import a signature set into the Manager.
Solution
Solution 1
To delete the sigsets from Manager 8.x, 9.1 earlier than 9.1.7.77 and 9.2:
- Right-click the IPS icon and select Stop Manager.
- Click Start, Run, type cmd, and click OK.
- Change the directory to $Network Security Manager\App\db\testing\mysql.
- Type \mysql\bin\mysql -r <database_name> -u<username> -p<password> and press Enter.
NOTE: There's no space between the -u switch and the username, and no space between the -p switch and the password.
Example syntax: d:\mysql\bin\mysql -r lf -uroot -pabc123
This command logs on to the Manager main MySQL database lf (lowercase 'l' as in Lima and 'f' as in Foxtrot) as the root user using password abc123.
- At the MySQL> prompt, type source deleteattacks.sql; and press Enter.
Or, use the following syntax to run the command from your installation directory:
Type source <installation directory>/McAfee/Network Security Manager/App/db/testing/mysql/deleteattacks.sql; and press Enter.
For example: source C:/Program Files/McAfee/Network Security Manager/App/db/testing/mysql/deleteattacks.sql;
This command displays several rows of the line: Query OK, #### rows affected (#.## sec)
- At the MySQL> prompt, type source deleteuds.sql; and press Enter.
Or, use the following syntax to run the command from your installation directory:
Type source <installation directory>/McAfee/Network Security Manager/App/db/testing/mysql/deleteuds.sql; and press Enter.
For example: source C:/Program Files/McAfee/Network Security Manager/App/db/testing/mysql/deleteuds.sql;
This command displays several rows of the line: Query OK, #### rows affected (#.## sec)
- Right-click the IPS icon and select Start Manager.
- Import the latest sigset to the Manager and push it to the Sensor:
- Select Manager, Update Server, Import, browse for the new sigset file, and click Apply.
- Select <Sensor_Name>, Update, and click Update.
IMPORTANT: For a FIPS Manager, you must manually perform this import using the signaturesetimport.bat utility. Otherwise, you can't start the Manager service.
- Download the signature set IVU file and place it on the Manager server in the NSMAPP$\bin directory.
- Open a command prompt in the same folder.
- Type signaturesetimport.bat <sigset.ivu> and press Enter.
NOTE: Here, sigset.ivu is the signature set that you downloaded, such as sigset9.8.8.3.ivu.
Solution 2
To delete the sigsets from Manager 9.1.7.77 and later and 10.x:
- Right-click the IPS icon and select Stop Manager.
- Click Start, Run, type cmd, and click OK.
- Change the directory to $:\MariaDB\bin (for example, c:\MariaDB\bin).
- Type $:\MariaDB\bin\mysql -r <database_name> -u<username> -p<password> and press Enter.
NOTE: There's no space between the -u switch and the username, and no space between the -p switch and the password.
Example syntax: d:\MariaDB\bin\mysql -r lf -uroot -pabc123
This command logs on to the Manager main database lf (lowercase 'l' as in Lima and 'f' as in Foxtrot) as the root user using password abc123.
- At the MariaDB> prompt, type source deleteattacks.sql; and press Enter.
Or, use the following syntax to run the command from your installation directory:
Type source <installation directory>/McAfee/Network Security Manager/App/db/testing/MariaDB/deleteattacks.sql; and press Enter.
For example: source C:/Program Files/McAfee/Network Security Manager/App/db/testing/MariaDB/deleteattacks.sql;
This command displays several rows of the line: Query OK, #### rows affected (#.## sec)
- At the MariaDB> prompt, type source deleteuds.sql; and press Enter.
Or, use the following syntax to run the command from your installation directory:
Type source <installation directory>/McAfee/Network Security Manager/App/db/testing/MariaDB/deleteuds.sql; and press Enter.
For example: source C:/Program Files/McAfee/Network Security Manager/App/db/testing/MariaDB/deleteuds.sql;
This command displays several rows of the line: Query OK, #### rows affected (#.## sec)
- Right-click the IPS icon and select Start Manager.
- Import the latest sigset to the Manager and push it to the Sensor:
- Select Manager, Update Server, Import, browse for the new sigset file, and click Apply.
- Select <Sensor_Name>, Update, and click Update.
IMPORTANT: For a FIPS Manager, you must manually perform this import using the signaturesetimport.bat utility. Otherwise, you can't start the Manager service.
- Download the signature set IVU file and place it on the Manager server in the NSMAPP$\bin directory.
- Open a command prompt in the same folder.
- Type signaturesetimport.bat <sigset.ivu> and press Enter.
NOTE: Here, sigset.ivu is the signature set that you downloaded, such as sigset9.8.8.3.ivu.
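As an added example (not part of this KB and not Trellix's own tooling), the following PowerShell wrapper runs the database steps shared by Solution 1 and Solution 2: it takes a mysqldump backup of the lf database before sourcing deleteattacks.sql and deleteuds.sql, and prompts for the password instead of placing it after -p on the command line, where it would be visible in process listings and command history. The install paths, the backup folder and the presence of mysql.exe and mysqldump.exe in the MariaDB bin folder are assumptions; stop the Manager from the IPS icon before running it, then start the Manager and import a signature set as the KB describes.

```powershell
# Added example, not Trellix's own tooling: runs the database steps of Solution 1/2
# with a mysqldump backup taken first and no password on the command line.
# Assumptions: MariaDB layout of Solution 2 (set $Bin/$ScriptDir for the MySQL
# layout of Solution 1); $BackupDir is any writable folder; the Manager has
# already been stopped from the IPS tray icon.
param(
    [string]$Bin       = 'C:\MariaDB\bin',
    [string]$ScriptDir = 'C:\Program Files\McAfee\Network Security Manager\App\db\testing\MariaDB',
    [string]$Database  = 'lf',
    [string]$User      = 'root',
    [string]$BackupDir = 'C:\NSM-backup'
)
$ErrorActionPreference = 'Stop'
$scripts = 'deleteattacks.sql', 'deleteuds.sql'

# Fail fast if the KB's scripts or the client binaries are not where expected.
$needed = @("$Bin\mysql.exe", "$Bin\mysqldump.exe") + ($scripts | ForEach-Object { Join-Path $ScriptDir $_ })
foreach ($p in $needed) { if (-not (Test-Path $p)) { throw "Not found: $p" } }

# Prompt for the password and pass it through a temporary option file.
# "-p<password>" on the command line is visible in process listings and history.
$pwPlain = [System.Net.NetworkCredential]::new('', (Read-Host -AsSecureString "Password for $User")).Password
$optFile = Join-Path $env:TEMP ('nsm-{0}.cnf' -f [guid]::NewGuid())
"[client]`nuser=$User`npassword=$pwPlain" | Set-Content -Path $optFile -Encoding ASCII
try {
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $dump = Join-Path $BackupDir ('{0}-{1:yyyyMMdd-HHmmss}.sql' -f $Database, (Get-Date))

    # Full logical backup of the Manager database before anything is deleted:
    # this is what you restore if a UDS or policy turns out to be needed later.
    & "$Bin\mysqldump.exe" --defaults-extra-file=$optFile --single-transaction --result-file=$dump $Database
    if ($LASTEXITCODE -ne 0) { throw 'mysqldump failed; nothing has been deleted' }

    # Equivalent to typing "source deleteattacks.sql;" then "source deleteuds.sql;" at the prompt.
    foreach ($f in $scripts) {
        $sql = (Join-Path $ScriptDir $f) -replace '\\', '/'     # the client's source command takes forward slashes
        & "$Bin\mysql.exe" --defaults-extra-file=$optFile -e "source $sql" $Database
        if ($LASTEXITCODE -ne 0) { throw "$f failed; restore from $dump if needed" }
    }
    Write-Host "Done. Backup: $dump. Start the Manager, then import a signature set (FIPS: signaturesetimport.bat)."
}
finally {
    Remove-Item $optFile -Force -ErrorAction SilentlyContinue   # never leave the credential file behind
}
```

The option file must be the first argument to each client, which is why --defaults-extra-file precedes every other switch above.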
Previous Document ID (Secured): KB45170