Cisco Support Community

Custom Signatures not importing to database on Director

I noticed today that none of the custom signatures are in my Oracle database. All of the detects before and after from that sensor are there but none of the custom signatures. I tried searching for signature IDs, and then again using timeframe and source IP address. Is there an additional step that I missed way back when I originally built my sensor? (And is that also why I never can import the detect context either?)

What info can I provide to get help in solving this?

2 REPLIES
Cisco Employee

Re: Custom Signatures not importing to database on Director

I'm not sure why the alarms for custom signatures are not making it into the database.

You may want to try adding your custom signatures to the /usr/nr/etc/signatures file and then, as user netrangr, execute:

/usr/nr/bin/sap/sapx_main /usr/nr/etc/signatures 5 1

This should load all the signatures with your added custom signatures to the database.

As for why the context data isn't loaded: this is the default configuration.

Try editing /usr/nr/bin/load_run.sh and commenting out the line:

export SAP_EXCLUDE_CONTEXT=

With the line uncommented, the script is telling sapx_main to not load the context data. If you comment out the line, then the context data will be loaded.

There are also the following similar lines:

export SAP_EXCLUDE_TCPCONN= (prevents the 3000,port# alarms from being loaded. These alarms are low severity alarms based off SYN packets to the port number)

#export SAP_EXCLUDE_ALARM= (this is commented out by default, but when uncommented would prevent any level 2 or higher alarms from being loaded)

export SAP_EXCLUDE_ALARM_1= (prevents level 1 alarms from being loaded)

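A quick way to see which of the exclusions named in the reply above are in effect, as an added example that is not part of the original thread. The function names and the sample file are constructed for illustration; the variable names and their meaning come from the reply.

```shell
#!/bin/sh
# Added example: report which SAP_EXCLUDE_* exports in a load_run.sh-style
# file are active (that data is NOT loaded) versus commented out (loaded).
# Variable names are taken from the reply above; everything else is constructed.

sap_exclude_status() {
    # $1 = path to the script to inspect
    for var in SAP_EXCLUDE_CONTEXT SAP_EXCLUDE_TCPCONN \
               SAP_EXCLUDE_ALARM SAP_EXCLUDE_ALARM_1; do
        # An uncommented "export VAR=" line means the exclusion is in effect.
        if grep -Eq "^[[:space:]]*export[[:space:]]+${var}=" "$1"; then
            state="excluded"
        # The same line behind a leading '#' means the exclusion is disabled.
        elif grep -Eq "^[[:space:]]*#+[[:space:]]*export[[:space:]]+${var}=" "$1"; then
            state="loaded (line commented out)"
        else
            state="loaded (no such line)"
        fi
        printf '%s: %s\n' "$var" "$state"
    done
}

write_sample() {
    # Constructed sample mirroring the default lines quoted in the reply.
    cat > "$1" <<'EOF'
export SAP_EXCLUDE_CONTEXT=
export SAP_EXCLUDE_TCPCONN=
#export SAP_EXCLUDE_ALARM=
export SAP_EXCLUDE_ALARM_1=
EOF
}

# Demo run against the constructed sample; pass a real path to check your own file.
sample=$(mktemp)
write_sample "$sample"
sap_exclude_status "$sample"
rm -f "$sample"
```

To check a live Director, call `sap_exclude_status /usr/nr/bin/load_run.sh` before and after editing the file.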