Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IDS 4.0 signature config file

Does anyone know if there is a file in IDS 4.0 where you can manually change the action for each signature ID? IDM can be a little tedious when you have 946 signatures to change. In version 3.1 packetd.conf had all the signature configurations in one file which could easily be modified by a text editor. Is there an equilelent file in IDS version 4.0?

Thanks,

Joel

6 REPLIES
Cisco Employee

Re: IDS 4.0 signature config file

Hi Joel,

4.0 is totally different from the 3.x There is no concept of the conf files as in 3.x

The configuration files are now all xml files which should not be tampered with.

What issue are you facing doing it via IDM or the IDS MC, if you havee that?

Thanks,

yatin

Cisco Employee

Re: IDS 4.0 signature config file

Additonally you could try using the CLI.

Once you understand how to use the CLI to edit the configuration, it can sometimes be faster than IDM.

Once you become accustomed to the CLI you can even begin doing things faster by pasting in multiple commands.

So if you figure out the commands to change the config on one sensor, you can usually paste those commands into the CLI of the next sensor.

For example:

To enable signature 3550 you can copy and paste these commands (note all commands can be copied and pasted at once, you do not have to copy and paste each command by itself):

conf t

serv virtual virtualSensor

tune

OTHER

sig sig 993

sig sig 3050

enabled true

exit

exit

exit

yes

exit

exit

NOTE: the "yes" in the above commands will answer yes to the question that comes up and asks if you want to save the configuration. If the previous commands did not change the configuration (the configuration was already that way) then the "yes" will simpy create a CLI unknown command error that you can ignore.

NOTE2: If you notice there is the word OTHER before the signature line. This is needed to designate which engine the signature is in. You will need to know the engine of the signature you want to edit.

Another hint for you:

Many times you can use the output from "more current-config" to show you what CLI commands you will want to use.

Make one or two edits in IDM, then check "more current-config" to see which CLI commands corresponded.

New Member

Re: IDS 4.0 signature config file

Thanks for the useful info. Copying and pasting the config in multiple sensor will greatly mitigate the task of configuring the signatures.

Thanks,

Joel

New Member

Re: IDS 4.0 signature config file

This entire process seems quite a bit tedious just to enable one signature...

I enjoy the CLI look since I am familiar with it... but come on, to enable signatures in this fashion is so crazy... I would prefer a 'conf' file myself...

atleast then i only have to edit one file and make tons of changes, instead of tons of commands just to change one signature... but that is me..

Cisco Employee

Re: IDS 4.0 signature config file

Joel / Thomas,

Should have mentioned before; Throughthe IDSMC you CAN enable multiple signatures and change their severity in one stroke.

In the list of signatures under configuration, check all the signatures that you need to, click the Edit button, then check theEnable box, you could also change the Severity for all of these selected signatures.

Thanks,

yatin

Cisco Employee

Re: IDS 4.0 signature config file

Side Note for advanced users.

Use the copy command to copy the current-config to your own ftp or scp server.

"copy current-config scp://me@mymachine/myconfig"

Edit the file using any text editor to put in the commands for the config changes you want.

"vi myconfig"

Use the copy command to copy your edited configuration in as the current-config.

"copy scp://me@mymachine/myconfig current-config"

or

"copy /erase scp://me@mymachine/myconfig current-config"

Once you become familiar with the CLI commands this becomes a fairly easy process, and is consistent with other Cisco network devices.

For users who like configuration files, it is a configuration file with the parameters in the form of CLI commands.

For really advanced users:

The sensor does support editing of the XML configuration file.

We have published the RDEP specification that documents how to connect and send control transactions to the sensor.

The IDIOM specification (which is still in review) will document the different control transactions possible on the sensor. One of these control transactions is to pull down the current XML configuration of sensorApp. You can then edit the XML file, and send the configuration back to sensorApp through another control transaction.

I don't usually recommend users do this because the XML can change slightly between versions. Also you miss out on the error checking that the CLI/IDM/IDSMC will do for you in validating your configuration changes.

But if you are a pwer user then you may want to talk with your Cisco rep and request a draft copy of the IDIOM specification, or wait until IDIOM is finalized and published on Cisco's web site.

NOTE: Access to RDEP and IDIOM specification will require you to sign some sort of license, not sure what that is or where they are located on CCO.

If you are an advanced users willing to put forth the extra effort to create your own RDEP client, then yes you can edit a single XML configuration file to make your changes.

Another possibility for you if you do want to edit the sensor's xml file:

124
Views
25
Helpful
6
Replies
CreatePlease login to create content