03-09-2004 02:07 AM - edited 03-09-2019 06:41 AM
Dear list,
Sorry for the newbie questions lately. I am quite unfamiliar with the version 4.1 sensors and am still learning my way around.
I am looking for a way to quickly grab a list of all signatures (NOT THE GUI) that are enabled/disabled that could be imported in to excel.
With version 3.1 sensors, it was quite easy to go and get the packetd.conf file and find the information there.
Is there a similar file somewhere in version 4.1 on the sensor?
I would like to do a comparison between the default signatures that are enabled with version 3.1 as compared to the default 4.1 after the 4.1(3)-s61 SP update.
03-09-2004 10:50 AM
It is the "imported in to excel" that will cause you the problem.
The configuration in 4.x is not in a columnar format that allows easy import into excel.
You have 2 options for viewing the information you are asking for:
1) If you are experienced with XML then you can create a "service" account on the sensor. Login as the "service" account and go in and grab a copy of the defVirtualSensorConfig.xml file from the /usr/cids/idsRoot/etc directory.
You will need to write a script to convert the XML file into a format similar to the 3.x packetd.conf.
2) Get a listing from the CLI by executing the following commands:
configure terminal
service virtual-sensor-config virtualSensor
tune-micro-engines
show settings | include SIGID|Enabled|AlarmSeverity
The output will be a long listing similar to:
ATOMIC.ARP
-----------------------------------------------
signatures (min: 0, max: 1000, current: 4)
-----------------------------------------------
SIGID: 7101
AlarmSeverity: informational
Enabled: True
-----------------------------------------------
SIGID: 7102
AlarmSeverity: informational
Enabled: True
-----------------------------------------------
SIGID: 7104
AlarmSeverity: informational
Enabled: False
-----------------------------------------------
SIGID: 7105
AlarmSeverity: informational
Enabled: False
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
As you can see it is not like the 3.x packetd.conf with one line for each signature. Instead the signature settings for a single signature are across multiple lines.
You would have to copy all of the show settings output and paste into a text file.
Then write a script to parse through the file and put into a format similar to 3.x so you could upload it into Excel.
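The conversion script described in the reply above, as an added example that is not part of the original thread. It assumes the pasted `show settings` text has the shape quoted in that reply (an all-caps engine heading such as ATOMIC.ARP, then SIGID / AlarmSeverity / Enabled lines) and keeps only the first token of each value; the function and column names are made up for the example.

```python
import csv
import io
import re

# Constructed sample in the shape of the listing quoted in the reply.
SAMPLE = """\
ATOMIC.ARP
-----------------------------------------------
signatures (min: 0, max: 1000, current: 2)
-----------------------------------------------
SIGID: 7101
AlarmSeverity: informational
Enabled: True
-----------------------------------------------
SIGID: 7102
AlarmSeverity: informational
Enabled: False
-----------------------------------------------
"""

COLUMNS = {"SIGID": "sigid", "AlarmSeverity": "severity", "Enabled": "enabled"}
FIELD = re.compile(r"^\s*(SIGID|AlarmSeverity|Enabled)\s*:\s*(\S+)")
ENGINE = re.compile(r"^\s*([A-Z][A-Z0-9_.]*)\s*$")  # assumed heading shape


def parse_settings(text):
    """Return one dict per signature: engine, sigid, severity, enabled."""
    rows, engine = [], ""
    for line in text.splitlines():
        field = FIELD.match(line)
        heading = ENGINE.match(line)
        if heading:                      # engine heading, e.g. ATOMIC.ARP
            engine = heading.group(1)
        elif field and field.group(1) == "SIGID":   # opens a new record
            rows.append({"engine": engine, "sigid": field.group(2),
                         "severity": "", "enabled": ""})
        elif field and rows:             # attribute of the open record
            rows[-1][COLUMNS[field.group(1)]] = field.group(2)
    return rows


def to_csv(rows):
    """Render rows as CSV, one line per signature, for import into Excel."""
    out = io.StringIO()
    writer = csv.DictWriter(out, ["engine", *COLUMNS.values()], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Running `to_csv(parse_settings(text))` on the saved output from each sensor version gives two files that can be opened side by side in Excel or compared with a diff tool.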
03-10-2004 12:48 AM
Would you know where there is a list of all default signatures for version 3.1 and 4.1s61?
Does this list exist?
03-10-2004 11:41 AM
Here are two quick-and-dirty ways to dump it, if you don't mind using the GUI for this part.
Method A:
1) Login to a sensor that has the appropriate signature pack via the Web-based IDM.
2) Click on the "NSDB" link at the top of the screen.
3) In the NSDB Web page that pops up, copy and paste the list of sigs, or save the page as a text file and parse it with a script.
Method B:
(This works with Internet Explorer, but may not with other browsers.)
1) Login to a sensor that has the appropriate signature pack via the Web-based IDM.
2) Choose Configuration -> Sensing Engine -> Signature Configuration Mode.
3) Select the "All Signatures" group, then for "Rows Per Page", select "All".
4) Highlight the table of signatures in the Web page, and hit Ctrl-C to copy. Then open Excel, and Paste. The table will be reproduced in Excel, row-for-row and column-for-column. You can then manipulate it in Excel as desired.
Hope this helps.