Cisco Support Community
New Member

Signature List

I am trying to find a complete and current listing of signatures and their corresponding numbers. Does anyone know where I can find one?

TIA

5 REPLIES
Cisco Employee

Re: Signature List

If you have loaded the latest signature update on an appliance sensor then the list can be found in the file /usr/nr/etc/signatures and also in /usr/nr/etc/wgc/templates/signatures.

They can be found in the same files on a Unix Director that has been upgraded with the latest signature update. They are also available on the Unix Director by pointing your web browser to the /usr/nr/html/all_sigs_index.html file, or by opening the /usr/nr/html/all_sigs_index.txt file with a text editor.

They can also be found on a CSPM box that has been upgraded with the latest signature update. Point your web browser to the \Report\nsdb\all_sigs_index.html or open the all_sigs_index.txt file in the same directory with WordPad.

If you don't have access to the CSPM box, Unix Director, or Sensor then you can download the CSPM signature update and unzip it with WinZip. It also contains the all_sigs_index.html and all_sigs_index.txt files. You can just unzip it and place it on your own desktop machine for quick and easy access to the NSDB.

The Signature Updates for all the mentioned products are available at:

http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids.shtml

New Member

Re: Signature List

To marcabel: I'm going to give you a big 'No, they are not'.

My Solaris stuff is current on Sensor and Director up through S9, and there are signatures that alert for us that are NOT in the NSDB.

I am loading S10, so hopefully that will be corrected.

I think maybe what the original poster was asking is something I have wanted for a while - a spot outside the IDS that I can research from my desk. My IDS setup is locked in a cold room (literally) and I would love to have just the NSDB available somewhere where I could access it from say, home.

I do not know if the NSDB is available on the Cisco site somewhere but I haven't found it if it is.

New Member

Re: Signature List

Well... yes, actually it IS there... however, it's in the /usr/nr/etc/html/ folder.

Also, as root on the director, check /usr/ciscosec/nsdb/html/

Cisco CCO also offers a Cisco Secure Encyclopedia site which can be useful to reference as well.

Cisco Employee

Re: Signature List

Places to look:

Unix Director: /usr/nr/html/all_sigs_index.html /usr/nr/etc/signatures

Sensor: /usr/nr/etc/signatures

CSPM: all_sigs_index.html in the directory where the NSDB is placed.

For use at your personal desktop, you could also download the CSPM update and unzip it into a folder on your hard drive. It is a zip file of the NSDB and a few CSPM files which you can ignore.

If a signature is missing from the NSDB index page then you have found a bug. The signatures file and all_sigs_index.html should have the same current list of signatures. If you find one missing then please let us know so that we can create a DDTS Issue to fix the problem.

New Member

Re: Signature List

We have run into this problem also. I can think of at least two signatures that have been triggered, but have no NSDB entry: 5121 and 3453.
