How could I retrieve IPS sig policy?

Sep 24th, 2007

Hi,


I would like to find out if it is possible to retrieve an active IPS signature policy from the device? I would like to obtain a complete policy currently running on the sensor not via CLI.


P.S. I was under the assumption that the sensor will store its policy in XML format on the file system.


Thanks in advance!

mhellman Mon, 09/24/2007 - 09:42

Yes, but you have to merge the default policy XML with the instance policy XML (you may also have to uncompress the files).


You can use the service account and scp. The relevant files are:


policy name = sig0

/usr/cids/idsRoot/etc/config/signatureDefinition/default.xml

/usr/cids/idsRoot/etc/config/signatureDefinition/instances/sig0.xml


You can also fetch them via HTTP(s), but you still have to merge them to get a complete configuration. If you want the POST examples on how to do this, let me know.

gdntsoc Mon, 09/24/2007 - 11:11

The POST example would be helpful. (A GET would be best.)


Also, is there an xsd/dtd for this xml?


thanks in advance for the help.


mhellman Mon, 09/24/2007 - 11:20

I don't believe you can use a GET, but not sure. If you find a way to do this using GET or without having to merge, I'd love to know. Anyway, here is the POST to get sig0:


POST https://192.168.0.1:443/cgi-bin/transaction-server?command=getConfigDelta HTTP/1.1
Accept: text/xml
Content-type: xml/txt
Accept-Charset: iso-8859-1,*,utf-8
User-Agent: CIDS Client/4.0
Host: 192.168.0.1
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: keep-alive
Content-Length: 281
Cookie: userToken=6ae4bce4e291a20ecc8676bc071e507c;dummy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom" >sig0


If memory serves, you can add credentials to the request URL and then not have to worry about messing about with cookies.


I've also attached a curl sample. It's for a different function, but I think you get the drift.
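The request above, composed with Python's standard library, as an added example that is not part of the thread or of Cisco's own tooling. The header set is the one shown in the post; the sensor address, the userToken value and the XML body are placeholders the caller supplies (the thread's XML body did not survive extraction, so it is not reconstructed here). The response classifier recognises the "XML Parser error ... no element found" reply that appears later in this thread.

```python
"""Added example (not from the thread): compose the transaction-server POST
shown above and classify the sensor's reply."""
import http.client
import ssl
from typing import Dict, Optional, Tuple

# Headers as they appear in the post; Host, Content-Length and Cookie are
# filled in per request.
BASE_HEADERS = {
    "Accept": "text/xml",
    "Content-type": "xml/txt",
    "Accept-Charset": "iso-8859-1,*,utf-8",
    "User-Agent": "CIDS Client/4.0",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
    "Proxy-Connection": "keep-alive",
}


def build_headers(host: str, user_token: str, body: bytes) -> Dict[str, str]:
    """Header set for one transaction-server call.

    Content-Length is computed from the body so it never drifts from the
    payload, and the session token rides in the Cookie header as in the post
    rather than in the URL, where it would land in proxy and server logs.
    """
    headers = dict(BASE_HEADERS)
    headers["Host"] = host
    headers["Content-Length"] = str(len(body))
    headers["Cookie"] = f"userToken={user_token};dummy"
    return headers


def render_request(host: str, command: str, user_token: str, body: bytes) -> bytes:
    """Serialise the request as it crosses the wire (useful for review/logging)."""
    path = f"/cgi-bin/transaction-server?command={command}"
    lines = [f"POST {path} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in build_headers(host, user_token, body).items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + body


def classify_response(status: int, payload: bytes) -> str:
    """Tell a configuration document apart from the parser error the sensor
    returns for an empty or unexpected body."""
    text = payload.decode("utf-8", errors="replace")
    if status != 200:
        return "http-error"
    if "XML Parser error" in text:
        return "xml-parser-error"
    if text.lstrip().startswith("<?xml"):
        return "config"
    return "unknown"


def fetch_config(host: str, command: str, user_token: str, body: bytes,
                 ca_file: Optional[str] = None, port: int = 443) -> Tuple[str, bytes]:
    """Send the POST over TLS and return (classification, raw payload).

    Assumption: the sensor's certificate (or issuing CA) is available as
    ca_file for verification; otherwise the system trust store is used.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=30)
    try:
        conn.request("POST", f"/cgi-bin/transaction-server?command={command}",
                     body=body, headers=build_headers(host, user_token, body))
        resp = conn.getresponse()
        payload = resp.read()
        return classify_response(resp.status, payload), payload
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed placeholder body: supply the idconf request document your
    # sensor version expects; the thread's body is not recoverable here.
    sample_body = b"<request/>"
    print(render_request("192.168.0.1", "getConfigDelta", "TOKEN", sample_body).decode())
```

Keeping the token in the Cookie header and verifying the sensor's certificate against a pinned CA file is the defensible default; the credentials-in-URL shortcut mentioned in the post works but leaves the secret in every intermediate log.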

gdntsoc Mon, 09/24/2007 - 12:29

Sorry, a side question:


Could you also tell me if a license status (expiration date) could be retrieved or obtained as a file or query from the IPS sensor?


Thanks for all your help!

mhellman Mon, 09/24/2007 - 12:45

From the CLI service account...not sure.


POST https://192.168.0.1:443/cgi-bin/transaction-server?command=getVersion HTTP/1.1
Accept: text/xml
Content-type: xml/txt
Accept-Charset: iso-8859-1,*,utf-8
User-Agent: CIDS Client/4.0
Host: 192.168.0.1
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: keep-alive
Content-Length: 165
Cookie: userToken=b073d751b70c5c9d0e311baf11f9239a;dummy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom" >

gdntsoc Mon, 09/24/2007 - 12:56

I get an error from a CIDS v6.x when issuing /cgi-bin/transaction-server?command=getVersion



<?xml version="1.0" encoding="UTF-8" standalone="yes"?>http://www.cisco.com/cids/idiom" schemaVersion="2.00">XML Parser error at line: 1, at character: -1: no element found


gdntsoc Mon, 09/24/2007 - 13:02

I answered my own question.


For future reference, the license details are stored under


/usr/cids/idsRoot/shared/ips.lic

gdntsoc Tue, 10/02/2007 - 07:33

You've mentioned in your previous post that policy sig0 could be retrieved via HTTP post method or scp a copy of the individual files (default.xml).


I am able to pull instance policy XML by referencing getConfigDelta from the transaction server.


Could you provide an example on how would one go about fetching default policy from the sensor via HTTP post or other methods?


Looking at the default.xml file, it appears to be encrypted or compressed?


Thanks in advance,

Michael

mhellman Thu, 10/04/2007 - 06:10

It is compressed. You can get it via scp here:


/usr/cids/idsRoot/etc/config/signatureDefinition/default.xml


and via an HTTP POST:

POST https://192.168.1.1:443/cgi-bin/transaction-server?command=getDefaultConfig HTTP/1.1
Accept: text/xml
Content-type: xml/txt
Accept-Charset: iso-8859-1,*,utf-8
User-Agent: CIDS Client/4.0
Host: 192.168.1.1
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: keep-alive
Content-Length: 252
Cookie: userToken=zzz;dummy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom" >signatureDefinition
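The two steps the thread leaves to the reader, inflating the compressed default.xml and overlaying the instance policy (sig0.xml) on it, as an added example that is not part of the thread or of Cisco's own tooling. Two assumptions are built in: the compression is gzip (the thread only says "compressed"; the code falls back to treating the bytes as plain XML when the gzip magic is absent), and the merge rule is a simplified overlay in which an instance element replaces the default element with the same tag and "name" attribute. The sensor's actual idconf merge semantics are not described on this page, and the sample documents are constructed, not the sensor's schema.

```python
"""Added example (not from the thread): inflate default.xml and overlay an
instance policy on it under simplified, assumed merge semantics."""
import gzip
import xml.etree.ElementTree as ET

GZIP_MAGIC = b"\x1f\x8b"


def load_xml_bytes(data: bytes) -> bytes:
    """Return plain XML bytes, inflating gzip when the magic bytes are present
    (gzip is an assumption; the thread only says the file is compressed)."""
    if data.startswith(GZIP_MAGIC):
        return gzip.decompress(data)
    return data


def _key(elem: ET.Element):
    # Identity of a child element for the overlay: tag plus "name" attribute.
    return (elem.tag, elem.get("name"))


def merge_policy(default_xml: bytes, instance_xml: bytes) -> ET.Element:
    """Overlay instance children onto the default document (assumed semantics).

    A child present in both (same tag and name) is replaced by the instance
    version, a child only in the instance is appended, and every other default
    child is kept as-is. Returns the merged root element.
    """
    default_root = ET.fromstring(load_xml_bytes(default_xml))
    instance_root = ET.fromstring(load_xml_bytes(instance_xml))
    index = {_key(child): i for i, child in enumerate(list(default_root))}
    for child in list(instance_root):
        key = _key(child)
        if key in index:
            default_root[index[key]] = child
        else:
            default_root.append(child)
            index[key] = len(default_root) - 1
    return default_root


def signature_status(root: ET.Element) -> dict:
    """Map signature name -> enabled attribute for the merged document."""
    return {s.get("name"): s.get("enabled") for s in root.findall("signature")}


# Constructed sample documents (not the sensor's real schema).
DEFAULT_SAMPLE = b"""<?xml version="1.0"?>
<policy>
  <signature name="1000" enabled="true"/>
  <signature name="1001" enabled="true"/>
</policy>"""

INSTANCE_SAMPLE = b"""<?xml version="1.0"?>
<policy>
  <signature name="1001" enabled="false"/>
  <signature name="60000" enabled="true"/>
</policy>"""


def demo() -> dict:
    """Simulate the on-disk (compressed) default and merge the instance onto it."""
    compressed_default = gzip.compress(DEFAULT_SAMPLE)
    merged = merge_policy(compressed_default, INSTANCE_SAMPLE)
    return signature_status(merged)


if __name__ == "__main__":
    print(demo())
```

Run against real files, replace the two sample constants with the bytes pulled via scp or the getDefaultConfig/getConfigDelta POSTs; the effective setting of any signature is then whatever the instance document says, falling back to the default only where the instance is silent.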

