You would like to query on specific Symantec Endpoint Protection Intrusion vendor signatures in reports

Article ID: 177687

Updated On:

Products

Security Information Manager

Issue/Introduction

You would like to query on a specific Symantec Endpoint Protection (SEP Collector) Intrusion vendor signature in reports; however, the "Vendor Signature" field doesn't contain the signature. The signature is contained in the description field.

Resolution

You will need to run LiveUpdate and bring the SEP Collector up to the March 2009 update. All IDS/IPS signatures captured by the SEP Collector will then have the vendor_code field populated with the signature's SID (format <SID>) instead of AgentSecurity:206.

The SEP product names its IDS/IPS signatures in this format:

    [SID:sid_number_goes_here]long_name_goes_here.
    e.g. [SID: 23225] HTTP MS IE Embed Src BO.



The SEP IDS/IPS signature name is stored in the intrusion_vendor_sig SSIM field, whereas the SID associated with the SEP IDS/IPS signature is stored in the vendor_code SSIM field. This SID is the numeric ID that correlates to the SEP IDS/IPS signature (and, for informational purposes, also represents the corresponding signature in SNS).

Changes made to the collector by the LiveUpdate are:

    vendor_code is now a numeric ID
    intrusion_vendor_sig holds the SEP IDS/IPS Signature Name
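
As an added example (not part of this article or of the SEP Collector itself), the following Python parses the SEP signature format shown above and emulates the post-update field mapping, so that a report-style filter on a SID finds both pre-update records (SID only in the description) and post-update records (SID in vendor_code). The event dictionary layout and the sample events are assumptions; only the field names and the signature format come from the article.

```python
import re
from typing import NamedTuple, Optional

# SEP signature naming format from the article: "[SID: <number>] <long name>",
# e.g. "[SID: 23225] HTTP MS IE Embed Src BO". Whitespace after "SID:" is
# treated as optional, and a trailing "." is assumed to be punctuation.
SEP_SIG_RE = re.compile(r"^\s*\[SID:\s*(\d+)\]\s*(.*?)\s*\.?\s*$")


class SepSignature(NamedTuple):
    sid: int    # numeric SID, what the updated collector puts in vendor_code
    name: str   # long name, what it puts in intrusion_vendor_sig


def parse_sep_signature(text: str) -> Optional[SepSignature]:
    """Split an SEP signature string into SID and name; None if it does not
    follow the SEP format, so "no SID present" stays distinguishable."""
    m = SEP_SIG_RE.match(text)
    if not m:
        return None
    return SepSignature(sid=int(m.group(1)), name=m.group(2))


def normalize_event(event: dict) -> dict:
    """Emulate the March 2009 collector change on one event record: if the
    description carries an SEP signature, copy its SID into vendor_code and
    its name into intrusion_vendor_sig (dict layout is an assumption)."""
    out = dict(event)
    sig = parse_sep_signature(event.get("description", ""))
    if sig is not None:
        out["vendor_code"] = str(sig.sid)
        out["intrusion_vendor_sig"] = sig.name
    return out


def filter_by_sid(events, sid: int) -> list:
    """Report-style filter on a SEP SID that works for pre-update records
    (SID only in description) and post-update records (SID in vendor_code)."""
    return [n for n in map(normalize_event, events)
            if n.get("vendor_code") == str(sid)]


# Constructed sample events (not real SSIM data): a pre-update record, a
# post-update record, and an unrelated record that must not match.
SAMPLE_EVENTS = [
    {"vendor_code": "AgentSecurity:206",
     "description": "[SID: 23225] HTTP MS IE Embed Src BO."},
    {"vendor_code": "23225", "intrusion_vendor_sig": "HTTP MS IE Embed Src BO",
     "description": "[SID:23225] HTTP MS IE Embed Src BO"},
    {"vendor_code": "AgentSecurity:206", "description": "Port scan detected"},
]
```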



References
You can find current security update signatures for SEP at this location.


You can review all the updates for the SEP Collector released in March 2009 in the attached file.

LiveUpdate-Collector.txt

Reference: 1515565 SEP 4.3 Collector - How to filter on specific vendor signature in reports



Attachments

LiveUpdate-Collector.txt