Cisco Support Community
New Member

How could I retrieve IPS sig policy?

Hi,

I would like to find out whether it is possible to retrieve the active IPS signature policy from the device. I would like to obtain the complete policy currently running on the sensor, not via the CLI.

P.S. I was under the assumption that the sensor stores its policy in XML format on the file system.

Thanks in advance!

12 REPLIES
Gold

Re: How could I retrieve IPS sig policy?

Yes, but you have to merge the default policy XML with the instance policy XML (you may also have to uncompress the files).

You can use the service account and scp. The relevant files are:

policy name = sig0

/usr/cids/idsRoot/etc/config/signatureDefinition/default.xml

/usr/cids/idsRoot/etc/config/signatureDefinition/instances/sig0.xml

You can also fetch them via HTTP(S), but you still have to merge them to get a complete configuration. If you want the POST examples on how to do this, let me know.

New Member

Re: How could I retrieve IPS sig policy?

The POST example would be helpful. (A GET would be best.)

Also, is there an XSD/DTD for this XML?

Thanks in advance for the help.

Gold

Re: How could I retrieve IPS sig policy?

I don't believe you can use a GET, but I'm not sure. If you find a way to do this using GET or without having to merge, I'd love to know. Anyway, here is the POST to get sig0:

POST https://192.168.0.1:443/cgi-bin/transaction-server?command=getConfigDelta HTTP/1.1
Accept: text/xml
Content-type: xml/txt
Accept-Charset: iso-8859-1,*,utf-8
User-Agent: CIDS Client/4.0
Host: 192.168.0.1
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: keep-alive
Content-Length: 281
Cookie: userToken=6ae4bce4e291a20ecc8676bc071e507c;dummy

http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom" >sig0

If memory serves, you can add credentials to the request URL and then not have to worry about messing about with cookies.

I've also attached a curl sample. It's for a different function, but I think you get the drift.

Gold

Re: How could I retrieve IPS sig policy?

Curl example.

Gold

Re: How could I retrieve IPS sig policy?

Let's try this again.

New Member

Re: How could I retrieve IPS sig policy?

Sorry, a side question:

Could you also tell me if a license status (expiration date) could be retrieved or obtained as a file or query from the IPS sensor?

Thanks for all your help!

Gold

Re: How could I retrieve IPS sig policy?

From the CLI service account... I'm not sure.

POST https://192.168.0.1:443/cgi-bin/transaction-server?command=getVersion HTTP/1.1
Accept: text/xml
Content-type: xml/txt
Accept-Charset: iso-8859-1,*,utf-8
User-Agent: CIDS Client/4.0
Host: 192.168.0.1
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: keep-alive
Content-Length: 165
Cookie: userToken=b073d751b70c5c9d0e311baf11f9239a;dummy

http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom" >

New Member

Re: How could I retrieve IPS sig policy?

I get an error from a CIDS v6.x sensor when issuing /cgi-bin/transaction-server?command=getVersion:

http://www.cisco.com/cids/idiom" schemaVersion="2.00">XML Parser error at line: 1, at character: -1: no element found

New Member

Re: How could I retrieve IPS sig policy?

I answered my own question.

For future reference, the license details are stored under

/usr/cids/idsRoot/shared/ips.lic

Gold

Re: How could I retrieve IPS sig policy?

Good to know.

New Member

Re: How could I retrieve IPS sig policy?

You've mentioned in your previous post that policy sig0 could be retrieved via the HTTP POST method or by scp'ing a copy of the individual files (default.xml).

I am able to pull the instance policy XML by referencing getConfigDelta from the transaction server.

Could you provide an example of how one would go about fetching the default policy from the sensor via HTTP POST or other methods?

Looking at the default.xml file, it appears to be encrypted or compressed?

Thanks in advance,

Michael

Gold

Re: How could I retrieve IPS sig policy?

It is compressed. You can get it via scp here:

/usr/cids/idsRoot/etc/config/signatureDefinition/default.xml

and via an HTTP POST:

POST https://192.168.1.1:443/cgi-bin/transaction-server?command=getDefaultConfig HTTP/1.1
Accept: text/xml
Content-type: xml/txt
Accept-Charset: iso-8859-1,*,utf-8
User-Agent: CIDS Client/4.0
Host: 192.168.1.1
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: keep-alive
Content-Length: 252
Cookie: userToken=zzz;dummy

http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom" >signatureDefinition
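One way to combine the two files once they have been pulled off the sensor (the merge step the replies above describe), as an added example that is not from the thread or from Cisco: gzip as the compression format, the `id` attribute as the merge key, and the sample XML are assumptions constructed for illustration, not real sensor output.

```python
import gzip
import xml.etree.ElementTree as ET

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample data (not real sensor output): the default policy stored
# compressed, and an instance delta that overrides one signature and adds one.
DEFAULT_XML = gzip.compress(b"""<signatureDefinition>
  <signature id="2000"><enabled>true</enabled><severity>low</severity></signature>
  <signature id="2001"><enabled>true</enabled><severity>medium</severity></signature>
</signatureDefinition>""")
INSTANCE_XML = b"""<signatureDefinition>
  <signature id="2001"><enabled>false</enabled></signature>
  <signature id="60000"><enabled>true</enabled><severity>high</severity></signature>
</signatureDefinition>"""


def load_policy(data: bytes) -> ET.Element:
    """Parse policy XML, gunzipping first when the bytes carry the gzip magic."""
    if data[:2] == GZIP_MAGIC:
        data = gzip.decompress(data)
    return ET.fromstring(data)


def _find_match(parent, child, key):
    """Find the element in parent that child overrides: same tag, and the same
    key attribute when child carries one (assumed key: the 'id' attribute)."""
    for cand in parent:
        if cand.tag == child.tag and (child.get(key) is None or cand.get(key) == child.get(key)):
            return cand
    return None


def merge_policy(default, instance, key="id"):
    """Overlay the instance delta onto the default tree in place and return it."""
    for child in instance:
        match = _find_match(default, child, key)
        if match is None:
            default.append(child)            # delta introduces a new element
        elif len(child) == 0:
            match.text = child.text          # leaf: the delta value wins
            match.attrib.update(child.attrib)
        else:
            merge_policy(match, child, key)  # container: descend and merge
    return default


def signature_summary(root):
    """Map signature id -> (enabled, severity) for quick inspection."""
    return {s.get("id"): (s.findtext("enabled"), s.findtext("severity")) for s in root.iter("signature")}


def merged_summary(default_bytes=DEFAULT_XML, instance_bytes=INSTANCE_XML):
    return signature_summary(merge_policy(load_policy(default_bytes), load_policy(instance_bytes)))


if __name__ == "__main__":
    for sig_id, (enabled, severity) in sorted(merged_summary().items()):
        print(sig_id, enabled, severity)
```

Point `merged_summary` at the bytes read from default.xml and sig0.xml to run it against real files.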
