topic Re: How could I retrieve IPS sig policy? in Network Security

How could I retrieve IPS sig policy?

gdntsoc — Sun, 10 Mar 2019 10:48:30 GMT

Hi,

I would like to find out if it is possible to retrieve an active IPS signature policy from the device? I would like to obtain a complete policy currently running on the sensor not via CLI.

P.S. I was under the assumption that the sensor will store its policy in XML format on the file system.

Thanks in advance!

Re: How could I retrieve IPS sig policy?

mhellman — Mon, 24 Sep 2007 16:42:35 GMT

Yes, but you have to merge the default policy XML with the instance policy XML(you may also have to uncompress the files)

You can use the service account and scp. The relevant files are:

policy name = sig0

/usr/cids/idsRoot/etc/config/signatureDefinition/default.xml

/usr/cids/idsRoot/etc/config/signatureDefinition/instances/sig0.xml

You can also fetch them via HTTP(s), but you still have to merge them to get a complete configuration. If you want the POST examples on how to do this, let me know.

Re: How could I retrieve IPS sig policy?

gdntsoc — Mon, 24 Sep 2007 18:11:23 GMT

the POST example would be helpful. (A GET would be best.)

Also, is there an xsd/dtd for this xml?

thanks in advance for the help.

Re: How could I retrieve IPS sig policy?

mhellman — Mon, 24 Sep 2007 18:20:25 GMT

I don't believe you can use a GET, but not sure. If you find a way to do this using GET or without having to merge, I'd love to know. Anyway, here is the POST to get sig0:

POST https://192.168.0.1:443/cgi-bin/transaction-server?command=getConfigDelta HTTP/1.1

Accept: text/xml

Content-type: xml/txt

Accept-Charset: iso-8859-1,*,utf-8

User-Agent: CIDS Client/4.0

Host: 192.168.0.1

Pragma: no-cache

Cache-Control: no-cache

Proxy-Connection: keep-alive

Content-Length: 281

Cookie: userToken=6ae4bce4e291a20ecc8676bc071e507c;dummy

http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom" >sig0

If memory serves, you can add credentials to the request URL and then not have to worry about messing about with cookies.

I've also attached a curl sample. It's for a different function, but I think you get the drift.

Re: How could I retrieve IPS sig policy?

mhellman — Mon, 24 Sep 2007 18:22:15 GMT

curl example.

Re: How could I retrieve IPS sig policy?

mhellman — Mon, 24 Sep 2007 18:24:42 GMT

let's try this again.

Re: How could I retrieve IPS sig policy?

gdntsoc — Mon, 24 Sep 2007 19:29:40 GMT

Sorry, a side question:

Could you also tell me if a license status (expiration date) could be retrieved or obtained as a file or query from the IPS sensor?

Thanks for all your help!

Re: How could I retrieve IPS sig policy?

mhellman — Mon, 24 Sep 2007 19:45:07 GMT

From the CLI service account...not sure.

POST https://192.168.0.1:443/cgi-bin/transaction-server?command=getVersion HTTP/1.1

Accept: text/xml

Content-type: xml/txt

Accept-Charset: iso-8859-1,*,utf-8

User-Agent: CIDS Client/4.0

Host: 192.168.0.1

Pragma: no-cache

Cache-Control: no-cache

Proxy-Connection: keep-alive

Content-Length: 165

Cookie: userToken=b073d751b70c5c9d0e311baf11f9239a;dummy

http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom" >

Re: How could I retrieve IPS sig policy?

gdntsoc — Mon, 24 Sep 2007 19:56:13 GMT

I get an error from a CIDS v6.x when issuing /cgi-bin/transaction-server?command=getVersion

http://www.cisco.com/cids/idiom" schemaVersion="2.00">XML Parser error at line: 1, at character: -1: no element found

Re: How could I retrieve IPS sig policy?

gdntsoc — Mon, 24 Sep 2007 20:02:50 GMT

I answered my own question.

For future references, the license details are stored under

/usr/cids/idsRoot/shared/ips.lic

Re: How could I retrieve IPS sig policy?

mhellman — Mon, 24 Sep 2007 20:09:29 GMT

good to know.

Re: How could I retrieve IPS sig policy?

gdntsoc — Tue, 02 Oct 2007 14:33:20 GMT

You've mentioned in your previous post that policy sig0 could be retrieved via HTTP post method or scp a copy of the individual files (default.xml).

I am able to pull instance policy XML by referencing getConfigDelta from the transaction server.

Could you provide an example on how would one go about fetching default policy from the sensor via HTTP post or other methods?

Looking at the default.xml file, it appears to be encrypted or compressed?

Thanks in advance,

Michael

Re: How could I retrieve IPS sig policy?

mhellman — Thu, 04 Oct 2007 13:10:42 GMT

it is compressed. you can get it via scp here:

/usr/cids/idsRoot/etc/config/signatureDefinition/default.xml

and via an HTTP POST:

POST https://192.168.1.1:443/cgi-bin/transaction-server?command=getDefaultConfig HTTP/1.1

Accept: text/xml

Content-type: xml/txt

Accept-Charset: iso-8859-1,*,utf-8

User-Agent: CIDS Client/4.0

Host: 192.168.1.1

Pragma: no-cache

Cache-Control: no-cache

Proxy-Connection: keep-alive

Content-Length: 252

Cookie: userToken=zzz;dummy

http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom" >signatureDefinition