How to determine using CLI which signatures are enabled/disabled on ver_4.1 sensors

darin.marais
Level 4

Dear list,

Sorry for the newbie questions lately. I am quite unfamiliar with the version 4.1 sensors and am still learning my way around.

I am looking for a way to quickly grab a list of all signatures (NOT THE GUI) that are enabled/disabled that could be imported into Excel.

With version 3.1 sensors, it was quite easy to go and get the packetd.conf file and find the information there.

Is there a similar file somewhere in version 4.1 on the sensor?

I would like to do a comparison between the default signatures that are enabled with version 3.1 as compared to the default 4.1 after the 4.1(3)-s61 SP update


3 Replies

marcabal
Cisco Employee

It is the "imported into Excel" that will cause you the problem.

The configuration in 4.x is not in a columnar format that allows easy import into Excel.

You have 2 options for viewing the information you are asking for:

1) If you are experienced with XML then you can create a "service" account on the sensor. Login as the "service" account and go in and grab a copy of the defVirtualSensorConfig.xml file from the /usr/cids/idsRoot/etc directory.

You will need to write a script to convert the XML file into a format similar to the 3.x packetd.conf

2) Get a listing from the CLI by executing the following commands:

configure terminal
service virtual-sensor-config virtualSensor
tune-micro-engines
show settings | include SIGID|Enabled|AlarmSeverity

The output will be a long listing similar to:

ATOMIC.ARP
-----------------------------------------------
signatures (min: 0, max: 1000, current: 4)
-----------------------------------------------
SIGID: 7101
AlarmSeverity: informational
Enabled: True
-----------------------------------------------
SIGID: 7102
AlarmSeverity: informational
Enabled: True
-----------------------------------------------
SIGID: 7104
AlarmSeverity: informational
Enabled: False
-----------------------------------------------
SIGID: 7105
AlarmSeverity: informational
Enabled: False
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------

As you can see it is not like the 3.x packetd.conf with one line for each signature. Instead the signature settings for a single signature are across multiple lines.

You would have to copy all of the show settings output and paste it into a text file.

Then write a script to parse through the file and put it into a format similar to 3.x so you could upload it into Excel.
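The parsing script the reply above leaves to the reader, as an added example (not Cisco code and not posted in this thread): it flattens the multi-line `show settings` listing into one CSV row per signature and then diffs two such listings by SIGID, which is the "default 3.1 versus default 4.1(3)-s61" comparison the question is after. The input format is taken from the listing in the reply; both sample listings below are constructed for the example, not captures from a real sensor, and the CSV column names are my own choice.

```python
"""Flatten Cisco IDS 4.x `show settings` signature output to one row per
signature (CSV for Excel) and diff two such listings by SIGID.
Added example; format modelled on the listing in the reply above."""

# Constructed sample of `show settings | include SIGID|Enabled|AlarmSeverity`
# output (not a real sensor dump); "before" the signature update.
SAMPLE_BEFORE = """\
ATOMIC.ARP
-----------------------------------------------
signatures (min: 0, max: 1000, current: 3)
-----------------------------------------------
SIGID: 7101
AlarmSeverity: informational
Enabled: True
-----------------------------------------------
SIGID: 7102
AlarmSeverity: informational
Enabled: True
-----------------------------------------------
SIGID: 7104
AlarmSeverity: informational
Enabled: False
-----------------------------------------------
"""

# Constructed "after the update" listing: 7101 severity raised, 7102 gone,
# 7104 switched on, 7106 newly added but disabled.
SAMPLE_AFTER = """\
ATOMIC.ARP
-----------------------------------------------
SIGID: 7101
AlarmSeverity: low
Enabled: True
-----------------------------------------------
SIGID: 7104
AlarmSeverity: informational
Enabled: True
-----------------------------------------------
SIGID: 7106
AlarmSeverity: medium
Enabled: False
-----------------------------------------------
"""

COLUMNS = ("Engine", "SIGID", "AlarmSeverity", "Enabled")  # CSV layout (my choice)


def parse_show_settings(text):
    """Return one dict per signature, in the order the sensor printed them.

    A line without a colon is taken as a micro-engine header (ATOMIC.ARP);
    'SIGID:' opens a new record and the 'Key: Value' lines after it fill it.
    Dash rules and the 'signatures (min: ...)' counter line are skipped."""
    rows, current, engine = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.startswith("signatures ("):
            continue
        if ":" not in line:
            engine = line
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "SIGID":
            current = {"Engine": engine, "SIGID": int(value)}
            rows.append(current)
        elif current is not None:
            current[key] = value
    return rows


def is_enabled(row):
    return row.get("Enabled", "").lower() == "true"


def to_csv(rows):
    """CSV text, one line per signature, ready to open in Excel."""
    lines = [",".join(COLUMNS)]
    for row in rows:
        lines.append(",".join(str(row.get(c, "")) for c in COLUMNS))
    return "\n".join(lines) + "\n"


def compare(before, after):
    """Diff two listings by SIGID: additions, removals, enable-state flips
    and severity changes between the two signature packs."""
    a = {r["SIGID"]: r for r in before}
    b = {r["SIGID"]: r for r in after}
    common = a.keys() & b.keys()
    return {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "enabled_changed": sorted(s for s in common
                                  if is_enabled(a[s]) != is_enabled(b[s])),
        "severity_changed": sorted(s for s in common
                                   if a[s].get("AlarmSeverity") != b[s].get("AlarmSeverity")),
    }


if __name__ == "__main__":
    before = parse_show_settings(SAMPLE_BEFORE)
    print(to_csv(before), end="")
    print(compare(before, parse_show_settings(SAMPLE_AFTER)))
```

To use it against a real sensor, paste the captured `show settings` output into a file and call `parse_show_settings(open(path).read())` for each sensor; the parser tolerates the engine headers and dash rules whether or not the `| include` filter strips them, and any extra `Key: Value` line under a SIGID is kept on the row, so additional fields can be added to `COLUMNS` without touching the parser.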

Would you know where there is a list of all default signatures for version 3.1 and 4.1s61?

Does this list exist?

Here are two quick-and-dirty ways to dump it, if you don't mind using the GUI for this part.

Method A:

1) Login to a sensor that has the appropriate signature pack via the Web-based IDM.

2) Click on the "NSDB" link at the top of the screen.

3) In the NSDB Web page that pops up, copy and paste the list of sigs, or save the page as a text file and parse it with a script.

Method B:

(This works with Internet Explorer, but may not with other browsers.)

1) Login to a sensor that has the appropriate signature pack via the Web-based IDM.

2) Choose Configuration -> Sensing Engine -> Signature Configuration Mode.

3) Select the "All Signatures" group, then for "Rows Per Page", select "All".

4) Highlight the table of signatures in the Web page, and hit Ctrl-C to copy. Then open Excel, and Paste. The table will be reproduced in Excel, row-for-row and column-for-column. You can then manipulate it in Excel as desired.

Hope this helps.