03-21-2011 12:29 AM - edited 03-10-2019 05:18 AM
Hi Guys,
I am in need of the entire Cisco IPS signature list as a PDF.
Can anybody help me find it by providing a link or a PDF?
Thanks All,
Jv
03-21-2011 02:15 AM
Hi,
I couldn't find any method to export the signature list. This could be because there are thousands of them.
However, you can use the following link to search for particular signatures.
http://tools.cisco.com/security/center/home.x
Paps
03-21-2011 02:25 AM
Hi Pdatta,
I had a PDF before which had 65k signatures based on the engines, but right now I am unable to find it on the Cisco site.
The link which you gave me is indeed a handy tool, but I still require the PDF.
Anyway, thanks for your help.
Regards,
Jv
03-21-2011 02:44 AM
Hi,
You can try Policies --> Sig0 --> All signatures --> Export --> HTML. Convert this into PDF.
Or, in all signatures, select the topmost signature, press the shift key, select the bottommost signature, and you have all of them selected/highlighted. Now copy/paste as we normally do.
Paps
03-21-2011 02:50 AM
Hi Padatta,
Well, that is a nice idea. My main concern is to find the best practices for Cisco IPS as to which signatures should be enabled and disabled.
Do you have any idea regarding the best practices to be followed for configuring a Cisco IPS sensor on an ASA 5500?
Regards,
Jv
03-21-2011 03:03 AM
Hi Jv,
The list of signatures that need to be enabled/disabled/tuned varies widely from network to network. This is the cycle usually followed in an IPS deployment:
Deploy --> ensure latest signature update --> Observe for false positives, false negatives --> Tune the signatures involved in the previous step --> Observe --> Update signatures --> Repeat the cycle.
This list varies from network to network.
However, configs like 'logging packets' as an action for many signatures might take their toll on CPU and in turn on IPS functionality.
Best Regards,
Paps
03-21-2011 03:09 AM
Hi Padatta,
That's a good one. But do you have any Cisco PDF of best practices for the same? Actually, the cycle which you gave can't be done in our network, as it has to be cost effective and no field visit is required.
So we have to do it once and just monitor the alarms. That's it. Although the signature update would be done regularly.
Regards,
Jv
03-21-2011 05:23 PM
jvalin_ccie wrote:
So we have to do it once and just monitor the alarms. thats it.
Yeah, wouldn't we all love it if it worked like that?
Unfortunately, that's not the way it works with IDS/IPS. Configuration and tuning of IPS signatures is an ongoing process that doesn't really "end". Consider just deploying signature updates. Each update can add or update 20+ signatures, each of which should be reviewed for possible tuning.
Cisco has stated previously - on this forum - that the default configuration is the "Cisco recommended" configuration for most networks. However, some tuning will still be required. This question has been asked often, and that's the standard reply they've given.
As for a complete list of signatures, I agree with Paps - the easiest method is to do an export from the "All Signatures" section in IME or IDM. It will export the current configuration, which would be considered "Cisco recommended" at its default. I would recommend exporting it as "CSV", though, which can be opened in MS Excel or similar. You can save that document as a PDF.
BTW - the full signature database as of 7.0 (E4 engine), with update S553, is 5142 signatures.
03-21-2011 07:53 PM
Hi Michael,
Thanks for the info. I will surely take it into consideration. Can you please tell me how you came to know the total number of signatures (5142) in S553?
Regards,
Jvalin
03-21-2011 08:04 PM
Hi Michael,
I would like your suggestion regarding the setup. It's streaming video behind the firewall, with 2 servers and 10 CCTV cameras, and people are going to access those cameras on their iPads through the Internet.
Now, do you think I would need 5142 signatures for this network setup? Obviously not. So I would like to disable/retire those unnecessary signatures all in one shot and enable/un-retire only those which are responsible for the streaming video traffic and some server updates, which will be normal port 80 and 443. Streaming video has only 10 ports in total, that's it.
Regards,
Jvalin
03-21-2011 08:23 PM
Can you please tell me how you came to know the total number of signatures (5142) in S553?
In the IME client, choose "Configuration > Signature Definitions > sig0 > All Signatures" (or other signature policy, if not "sig0"). At the bottom of the signatures pane, just above the "MySDN" area, it states "Total Signatures: ####" and "Enabled Signatures: ####". As of the S553 update, that number is 5142.
I would provide a screenshot example, but strangely, Cisco doesn't include any screenshots in their IME or IDM configuration guides. Weird.
05-29-2015 08:45 AM
4 years later I am looking for the same. I am doing an audit regarding logging.
What I have found was that support can't help, pre-sales can't help, and regional sales aren't any help. No one could give me an answer to this.
I asked for a composite list of IPS signatures, explaining that this is what the database I am querying against uses. Located here: http://tools.cisco.com/security/center/ipshome.x?i=62&shortna=CiscoIPSSignatures#CiscoIPSSignatures
This tool is great after running a diff command, seeing what is unique and then being able to categorize it. Here are some lists of recent signatures I found. However, they aren't a complete list, though they are up to date. http://tools.cisco.com/security/center/ipshome.x?i=62&shortna=CiscoIPSSignatures#~IPSTemplates
If anyone needs to audit their ASA they are in luck and this is well documented here.
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logsevp.html
Dear Cisco, please follow the prior link to get an idea on the look and format that select people like me are looking for but with IPS and now NGIPS signatures.
Cheers,
M
06-01-2015 06:46 AM
Hello
There are many ways to figure out what signatures are on your Cisco IPS sensors.
If http://tools.cisco.com/security/center/ipshome.x?i=62 isn't doing what you want, some other options are below.
Note that we do not support most of the custom reporting I describe below, and some of these methods are somewhat involved and require the use of XML technologies like XQuery/XPath for creating your reports.
Keep in mind that a sensor can have both official cisco-released signatures and also custom signatures (sig-id > 60,000).
Get Signatures from a running IPS
One way is to use IDM:
Under the hood, IDM talks to the sensor with an XML RPC language that you can observe if you proxy IDM. You would find that a script like this lets you get the installed Cisco signatures with getDefaultConfig and any local modifications or custom sigs with getConfigDelta:

    # Sensor credentials and target (fill in your own values; no spaces around '=')
    user=<your user>
    pass=<your pass>
    sensor=<name or ip of your sensor>
    # SSL mode flag for curl: 3 expands to -3 (SSLv3); try 1 (-1, TLSv1) if -3 doesn't work
    mode=3

    # Pick the transaction: getDefaultConfig = installed Cisco signatures,
    # getConfigDelta = local modifications and custom signatures
    #action="getConfigDelta"
    action="getDefaultConfig"

    # -k skips certificate validation (the sensor usually has a self-signed cert);
    # the request body is the XML document read from stdin (-d@-)
    curl -k -$mode -u "$user:$pass" -H 'Content-Type: text/xml' -d@- \
        "https://$sensor/cgi-bin/transaction-server?command=$action" <<HERE
    <?xml version="1.0" encoding="UTF-8"?>
    <id:request xmlns="http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom">
      <$action/>
    </id:request>
    HERE
You can also get the signature list via the CLI with:

    conf t
    service signature-definition sig0
    show settings

Finally, if you have access to the service account on a sensor, you can also pull default.xml (actually it's a .xml.gz) from
/usr/cids/idsRoot/etc/config/signatureDefinition/default.xml
Get Signatures from a Signature Update File
Cisco distributes several different signature packages with different formats and contents, but here I will explain what to do with the normal IPS-sig-S870-req-E4.pkg packages.
If you have a signature update file like IPS-sig-S870-req-E4.pkg, you can get the XML of the incremental signature definitions with the following commands:

    gpg -d IPS-sig-S870-req-E4.pkg | tar -xzf -
    view ./files/common/edc.full.xml

Be careful to note that edc.full.xml has a section for each signature release containing not only new full signatures, but also partial updates to overlay on existing signatures from previous releases. edc.full.xml only goes back to S480; the base IPS sensor comes with a cumulative default.xml for releases before S480.
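As an added example (not part of the post above, and not Cisco's code), the following Python script shows the "cumulative base plus per-release overlay" merge that the post describes: a base set of full signature definitions is loaded, then each release section is applied in order, where a full entry replaces a signature and a partial entry updates only the fields it carries. The XML element and attribute names (signatureDefinition, release, signature, sigId, subSigId, partial) and all sample data are constructed for illustration and are not Cisco's real schema; the custom-signature boundary (sig-id > 60,000) is taken from the post.

```python
"""Merge a cumulative base signature set with incremental release sections.

Full entries replace a signature; partial entries overlay only the fields
they carry. Element names and sample data are constructed for illustration
and do NOT reflect Cisco's actual default.xml / edc.full.xml schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the cumulative base shipped with the sensor (pre-S480).
BASE_XML = """<signatureDefinition release="S479">
  <signature sigId="2004" subSigId="0">
    <name>ICMP Echo Request</name>
    <enabled>true</enabled>
    <severity>informational</severity>
  </signature>
  <signature sigId="3030" subSigId="0">
    <name>TCP SYN Host Sweep</name>
    <enabled>true</enabled>
    <severity>low</severity>
  </signature>
  <signature sigId="60001" subSigId="0">
    <name>Local CCTV RTSP tuning</name>
    <enabled>true</enabled>
    <severity>medium</severity>
  </signature>
</signatureDefinition>"""

# Constructed sample: one section per release, mixing full and partial entries.
UPDATE_XML = """<edc>
  <release id="S480">
    <signature sigId="5000" subSigId="0">
      <name>HTTP Example Overflow</name>
      <enabled>true</enabled>
      <severity>high</severity>
    </signature>
    <signature sigId="3030" subSigId="0" partial="true">
      <severity>medium</severity>
    </signature>
  </release>
  <release id="S481">
    <signature sigId="2004" subSigId="0" partial="true">
      <enabled>false</enabled>
      <retired>true</retired>
    </signature>
    <signature sigId="5000" subSigId="0" partial="true">
      <severity>medium</severity>
    </signature>
  </release>
</edc>"""

CUSTOM_SIG_FLOOR = 60000  # per the post: custom signatures have sig-id > 60,000


def sig_key(el):
    """(sigId, subSigId) uniquely identifies a signature entry."""
    return (int(el.get("sigId")), int(el.get("subSigId", "0")))


def sig_fields(el):
    """Flatten the child elements of a signature entry into a dict."""
    return {child.tag: (child.text or "").strip() for child in el}


def load_base(xml_text):
    """Load the cumulative base: every entry here is a full definition."""
    root = ET.fromstring(xml_text)
    return {sig_key(s): sig_fields(s) for s in root.findall("signature")}


def apply_releases(sigs, update_xml, up_to=None):
    """Overlay release sections in document order, stopping after `up_to`.

    A partial entry that references a signature not yet seen is an error:
    it means the base or an earlier release is missing.
    """
    root = ET.fromstring(update_xml)
    applied = []
    for rel in root.findall("release"):
        rel_id = rel.get("id")
        for s in rel.findall("signature"):
            key, fields = sig_key(s), sig_fields(s)
            if s.get("partial") == "true":
                if key not in sigs:
                    raise ValueError(f"{rel_id}: partial update for unknown signature {key}")
                sigs[key].update(fields)   # overlay: only the fields carried
            else:
                sigs[key] = fields          # full definition: replace
        applied.append(rel_id)
        if rel_id == up_to:
            break
    return applied


def summarize(sigs):
    """Counts comparable to the Total/Enabled figures IME shows."""
    return {
        "total": len(sigs),
        "enabled": sum(1 for f in sigs.values() if f.get("enabled") == "true"),
        "retired": sum(1 for f in sigs.values() if f.get("retired") == "true"),
        "custom": sum(1 for (sid, _) in sigs if sid > CUSTOM_SIG_FLOOR),
    }


def effective_signatures(up_to=None):
    """Base plus all releases (or up to a given release) merged together."""
    sigs = load_base(BASE_XML)
    apply_releases(sigs, UPDATE_XML, up_to)
    return sigs


if __name__ == "__main__":
    merged = effective_signatures()
    print(summarize(merged))
    for key in sorted(merged):
        print(key, merged[key])
```

Pointing `load_base` and `apply_releases` at a real default.xml and edc.full.xml would require replacing the constructed element names with whatever the actual files use; the merge logic (replace on full, update on partial, fail on an overlay for an unknown signature) is the part worth keeping.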