Cisco Support Community

New Member

csids signature xml files

Which XML file (with its path in the sensor) contains the most updated signature information? I am trying to set up a script that automatically parses the file when it changes due to a signature update. Thanks.

6 REPLIES
Cisco Employee

Re: csids signature xml files

I will warn you that to access this file through the file system will require using the service account.

The service account is intended to only be used under TAC supervision for troubleshooting.

So using the service account could cause your sensor to not be supported by the TAC should a problem arise.

Also the name and location of this file may change in future versions.

File Name:

/usr/cids/idsRoot/etc/VS-Config/virtualSensor.xml

It contains both Cisco's default signatures along with any tunings you may have made.

New Member

Re: csids signature xml files

I plan to parse the file (after scp-ing it to another system) to keep the signature data in our reporting database updated. If you think that this might cause a problem in the future, could you recommend other options that I can use to accomplish this? Thanks

Cisco Employee

Re: csids signature xml files

You could write your own RDEP client to request a copy of the same file.

The RDEP client would be an HTTPS client capable of connecting to the sensor over an SSL/TLS connection and sending URL requests.

Most scripting programs like TCL or Perl have libraries to help in initiating the connection.

You would need to contact the TAC and ask for a copy of the RDEP spec (it is on CCO, but I don't remember the location).

You would also need to then ask the TAC for the Control Transaction to request the virtualSensor.xml from the sensor. This Control Transaction is in the IDIOM specification which is not on CCO, but which the TAC may be able to get from the developers.

New Member

Re: csids signature xml files

I already got a copy of the RDEP and IDIOM specs before. So, I will look into it. Thanks for your input!

New Member

Re: csids signature xml files

Ok. I got it working. One more question though.

I also need the defSigCategoriesConfig.xml that contains the categorization of the signatures. I can't seem to find the relevant control transaction command for it. Can you help me out here? Thanks!

Cisco Employee

Re: csids signature xml files

I am not aware of any method for getting this file through RDEP. The file is for internal IDM so wasn't designed to be retrievable through RDEP.

I suggest contacting the TAC and asking that they enter an enhancement request to make the file accessible through RDEP.

Not sure if it would be implemented, but it doesn't hurt to ask.
