Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
302
Views
5
Helpful
3
Replies

Signature Location

csmeriglio
Level 1
Level 1

‎02-24-2004 12:56 PM - edited ‎03-09-2019 06:32 AM

Is there a file that contains all the signature info on 4.x that would compare to packetd.conf on 3.x???

Looking for a printable version on each sensor.

Labels:
0 Helpful
3 Replies 3

klwiley
Cisco Employee
Cisco Employee

‎02-24-2004 01:59 PM

The answer is yes, but it is an XML documet that is quite large. The file is located in /usr/cids/idsRoot/etc/VS-Config and is called virtualSensor.xml. All of the information you are looking for is in this file and more. You can skip down to the part of the file that is delineated with the tag.

0 Helpful

csmeriglio
Level 1
Level 1
In response to klwiley

‎02-25-2004 01:26 PM

What do you recommend using to read this document???

0 Helpful

marcabal
Cisco Employee
Cisco Employee
In response to csmeriglio

‎02-25-2004 02:55 PM

You would either need to purchase or download a free XML parser from somewhere on the Internet; or use the CLI of the IDS sensor itself.

In the CLI of the sensor you can enter the following commands:

configure terminal

service virtual-sensor-configuration virtualSensor

tune-micro-engines

show settings

The above "show settings" command will parse that file and show it to you in a readable format.

NOTE: If you are only interested in certain lines like the AlarmSeverity then you can use the include option to limit what is shown (separate the keywords you want to see by a "|"):

"show settings | include SIGID|AlarmSeverity"

NOTE2: Also the "show settings" command is available in other sub-modes as well. So you can enter the other sub-modes like ATOMIC.ICMP to limit your output to just alarms in the ATOMIC.ICMP engine.

Many users are just interested in the changes that they have made from the default configuration.

To see just the changes you can just type "show configuration". It will parse through the signature file as well as the other configuration files on the sensor and just show you what is different from the default configuration.

Customers Also Viewed These Support Documents