You would like to query on specific Symantec Endpoint Protection (SEP Collector) Intrusion vendor signature in reports, however the "Vendor Signature"field doesn't contain the signature. The signature is contained in the description field.
You will need to run LiveUpdate and update the SEP Collector up to the March 2009 update. All IDS/IPS Signatures captured by SEP Collector will have the vendor_code field populated with the format <SID>
The SEP product names its IDS/IPS Signatures with this format:
The SEP IDS/IPS signature name will be stored in the intrusion_vendor_sig ssim field whereas the SID associated to the SEP IDS/IPS signature will be stored in the vendor_code ssim field. This SID is the numeric ID number that correlates to the SEP IDS/IPS signature (which for informational purposes, also represents the corresponding signature in SNS).
Changes made to the collector with the Liveupdate are:
You can find current security updates signatures for SEP at this location