Cisco IPS Signatures list

jvalin_ccie
Level 1

Hi Guys,

I am in need of the entire Cisco IPS signature list as a PDF.

Can anybody help me find it by providing a link or a PDF?

Thanks All,

Jv


13 Replies

padatta
Level 1

Hi,

I couldn't find any method to export the signature list. This could be because there are thousands of them.

However, you can use the following link to search for particular signatures.

http://tools.cisco.com/security/center/home.x

Paps

Hi Padatta,

I had a PDF before which had 65k signatures based on the engines, but right now I am unable to find it on the Cisco site.

The link you gave me is indeed a handy tool, but I still require the PDF.

Anyway, thanks for your help.

Regards,

Jv

Hi,

You can try Policies --> Sig0 --> All signatures --> Export --> HTML. Convert this into PDF.

Or, in all signatures, select the topmost signature, press the shift key, select the bottommost signature, and you have all of them selected/highlighted. Now copy/paste as we normally do.

Paps

Hi Padatta,

Well, that is a nice idea. My main concern is to find the best practices for Cisco IPS as to which signatures should be enabled and disabled.

Do you have any idea regarding the best practices to be followed for configuring a Cisco IPS sensor on an ASA 5500?

Regards,

Jv

Hi Jv,

The list of signatures that need to be enabled/disabled/tuned varies widely from network to network. This is the cycle usually followed in an IPS deployment.

Deploy --> ensure latest signature update --> Observe for false positives, false negatives --> Tune the signatures involved in previous step --> Observe --> Update signature --> Repeat the cycle.

This list varies from network to network.

However, configs like 'logging packets' as an action for many signatures might take their toll on the CPU and in turn on IPS functionality.

Best Regards,

Paps

Hi Padatta,

That's a good one. But do you have any Cisco PDF of best practices for the same? Actually, the cycle you gave can't be done in our network, as it is cost-effective and there is no field visit required.

So we have to do it once and just monitor the alarms. That's it. Although the signature update would be done regularly.

Regards,

Jv

jvalin_ccie wrote:

So we have to do it once and just monitor the alarms. thats it.    

Yeah, wouldn't we all love it if it worked like that?

Unfortunately, that's not the way it works with IDS/IPS.  Configuration and tuning of IPS signatures is an ongoing process that doesn't really "end".  Consider just deploying signature updates.  Each update can add or update 20+ signatures, each of which should be reviewed for possible tuning.

Cisco has stated previously - on this forum - that the default configuration is the "Cisco recommended" configuration for most networks.  However, some tuning will still be required.  This question has been asked often, and that's the standard reply they've given.

As for a complete list of signatures, I agree with Paps - the easiest method is to do an export from the "All Signatures" section in IME or IDM.  It will export the current configuration, which would be considered "Cisco recommended" at its default.  I would recommend exporting it as "CSV", though, which can be opened in MS Excel or similar.  You can save that document as a PDF.

BTW - the full signature database as of 7.0 (E4 engine), with update S553, is 5142 signatures.
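Michael's point that every signature an update adds or changes should be reviewed can be made routine by keeping the CSV export from IDM/IME before and after each update and diffing the two. The script below is an added example for this thread, not code from the original posts or from Cisco. It assumes a column layout (sig_id, subsig_id, name, enabled, retired, severity, action, engine) and embeds two small constructed exports; the real export's header will differ, so map its column names to your file. The custom-signature cutoff (sig-id > 60000) is taken from the thread.

```python
import csv
import io

# Constructed sample exports (NOT real IDM/IME output): the header mimics the
# kind of attributes the "All Signatures" CSV export carries, but the column
# names and rows are assumptions made for this example.
BEFORE_CSV = """sig_id,subsig_id,name,enabled,retired,severity,action,engine
1000,0,IP options-Bad Option List,Yes,No,Informational,Produce Alert,Atomic IP
2000,0,ICMP Echo Reply,No,Yes,Informational,Produce Alert,Atomic IP
3050,0,Half-open SYN Attack,Yes,No,High,Deny Attacker Inline,Sweep
60001,0,CCTV RTSP custom,Yes,No,Medium,Produce Alert,String TCP
"""

AFTER_CSV = """sig_id,subsig_id,name,enabled,retired,severity,action,engine
1000,0,IP options-Bad Option List,Yes,No,Informational,Produce Alert,Atomic IP
2000,0,ICMP Echo Reply,No,Yes,Informational,Produce Alert,Atomic IP
3050,0,Half-open SYN Attack,Yes,No,High,Produce Alert,Sweep
3050,1,Half-open SYN Attack Variant,Yes,No,High,Produce Alert,Sweep
5500,0,HTTP Suspicious Request,Yes,No,Medium,Produce Alert,Service HTTP
60001,0,CCTV RTSP custom,Yes,No,Medium,Produce Alert,String TCP
"""

CUSTOM_SIG_MIN = 60000  # custom signatures use sig-id > 60000 (per the thread)


def load_export(text):
    """Parse a CSV export into {(sig_id, subsig_id): row-dict}."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (int(row["sig_id"]), int(row["subsig_id"]))
        rows[key] = row
    return rows


def summarize(sigs):
    """Total / enabled / custom counts, like the counters at the bottom of the IME pane."""
    total = len(sigs)
    enabled = sum(1 for r in sigs.values() if r["enabled"] == "Yes")
    custom = sum(1 for (sid, _) in sigs if sid > CUSTOM_SIG_MIN)
    return {"total": total, "enabled": enabled, "custom": custom}


def diff_exports(before, after, ignore=("name",)):
    """Return added, removed and changed signatures between two exports.

    'changed' maps the sig key to {column: (old, new)} for every column that
    differs, so a reviewer sees exactly what the update touched (e.g. an
    action that silently went from Deny to Produce Alert)."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    changed = {}
    for key in sorted(set(before) & set(after)):
        diffs = {}
        for col in before[key]:
            if col in ignore:
                continue
            if before[key][col] != after[key][col]:
                diffs[col] = (before[key][col], after[key][col])
        if diffs:
            changed[key] = diffs
    return added, removed, changed


def review_list(before_text, after_text):
    """Everything a human should look at after applying an update."""
    before, after = load_export(before_text), load_export(after_text)
    added, removed, changed = diff_exports(before, after)
    items = []
    for key in added:
        r = after[key]
        items.append(f"NEW     {key[0]}/{key[1]} {r['name']} enabled={r['enabled']} action={r['action']}")
    for key in removed:
        items.append(f"REMOVED {key[0]}/{key[1]} {before[key]['name']}")
    for key, diffs in changed.items():
        detail = ", ".join(f"{c}: {o} -> {n}" for c, (o, n) in diffs.items())
        items.append(f"CHANGED {key[0]}/{key[1]} {after[key]['name']} ({detail})")
    return items


if __name__ == "__main__":
    print("before:", summarize(load_export(BEFORE_CSV)))
    print("after: ", summarize(load_export(AFTER_CSV)))
    for line in review_list(BEFORE_CSV, AFTER_CSV):
        print(line)
```

Run as a script it prints the before/after counters and the review list. The changed action on 3050/0 in the constructed data (a deny becoming an alert) is the kind of silent change that the Total Signatures counter alone never reveals, which is why the per-column diff is the part worth keeping.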

Hi Michael,

Thanks for the info. I will surely take it into consideration. Can you please tell me how you came to know that the total number of signatures in S553 is 5142?

Regards,

Jvalin

Hi Michael,

Would like your suggestion regarding the setup. It's streaming video behind the firewall, with 2 servers and 10 CCTV cameras, and people are going to access those cameras on their iPads through the Internet.

Now, do you think I would need 5142 signatures for this network setup? Obviously not. So I would like to disable/retire those unnecessary signatures all in one shot and enable/un-retire only those which are responsible for the streaming video traffic and some server updates, which will be the normal ports 80 and 443. Streaming video has only 10 ports in total, that's it.

Regards,

Jvalin

Can you please tell me how do you come to know 5142 total no. of signatures in S553?

In the IME client, choose "Configuration > Signature Definitions > sig0 > All Signatures" (or other signature policy, if not "sig0").  At the bottom of the signatures pane, just above the "MySDN" area, it states "Total Signatures: ####" and "Enabled Signatures: ####".  As of the S553 update, that number is 5142.

I would provide a screenshot example, but strangely, Cisco doesn't include any screenshots in their IME or IDM configuration guides.  Weird.


On3moda00
Level 1

4 years later I am looking for the same. I am doing an audit regarding logging.

What I found was that support can't help, pre-sales can't help, and regional sales aren't any help. No one could give me an answer to this.

I asked for a composite list of IPS signatures, explaining that this is what the database I am querying against is using. Located here: http://tools.cisco.com/security/center/ipshome.x?i=62&shortna=CiscoIPSSignatures#CiscoIPSSignatures

This tool is great after running a diff command, seeing what is unique, and then being able to categorize it. Here are some lists of recent signatures I found. However, they aren't a complete list, though they are up to date. http://tools.cisco.com/security/center/ipshome.x?i=62&shortna=CiscoIPSSignatures#~IPSTemplates

If anyone needs to audit their ASA, they are in luck, and this is well documented here.

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logsevp.html

Dear Cisco, please follow the prior link to get an idea on the look and format that select people like me are looking for but with IPS and now NGIPS signatures.


Cheers,

M


Hello

There are many ways to figure out what signatures are on your Cisco IPS sensors.

If http://tools.cisco.com/security/center/ipshome.x?i=62 isn't doing what you want, some other options are

  • get the signatures from a running ips
  • get the signatures from a signature package file


Note that we do not support most of the custom reporting I describe below and some of these methods are somewhat involved and require use of XML technologies like xquery/xpath for creating your reports.

Keep in mind that a sensor can have both official cisco-released signatures and also custom signatures (sig-id > 60,000).


Get Signatures from a running IPS

One way is to use IDM:

  • connect to a sensor with IDM and go to
  • configuration-> policies -> signature definitions -> sig0 -> All signatures
  • right click in the sig pane and export to csv for a list of some attributes of every sig (sigid, engine, etc)

Under the hood, IDM talks to the sensor with an XML RPC language that you can observe if you proxy IDM. You would find that a script like this lets you get the installed cisco signatures with getDefaultConfig and any local modifications or custom sigs with getConfigDelta

user="<your user>"
pass="<your pass>"
sensor="<name or ip of your sensor>"
mode="3"    # curl SSL/TLS version switch: 3 gives -3 (SSLv3); try 1 (-1, TLSv1) if -3 doesn't work

#action="getConfigDelta"    # local modifications and custom sigs
action="getDefaultConfig"   # installed Cisco-released sigs

curl -k "-$mode" -u "$user:$pass" -H 'Content-Type: text/xml' -d @- \
  "https://$sensor/cgi-bin/transaction-server?command=$action" <<HERE
<?xml version="1.0" encoding="UTF-8"?>
<id:request xmlns="http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom">
  <$action/>
</id:request>
HERE

You can also get signature list via CLI with

conf t

service signature-definition sig0

show settings

Finally, if you have access to the service account on a sensor you can also pull the default.xml (actually its a .xml.gz) from

/usr/cids/idsRoot/etc/config/signatureDefinition/default.xml


Get Signatures from a Signature Update File

Cisco distributes several different signature packages with different formats and contents, but here I will explain what to do with the normal IPS-sig-S870-req-E4.pkg packages.


If you have a signature update file like IPS-sig-S870-req-E4.pkg, you can get the xml of the incremental signature definitions with the following commands:

gpg -d IPS-sig-S870-req-E4.pkg | tar -xzf -
view ./files/common/edc.full.xml

Be careful to note that edc.full.xml has a section for each signature release containing not only new full signatures, but also partial updates to overlay on existing signatures from previous releases. edc.full.xml only goes back to S480; the base IPS sensor comes with a cumulative default.xml for < S480.
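The caveat above (a release section in edc.full.xml carries both complete signature definitions and partial overlays on signatures from earlier releases, and anything before S480 exists only in the sensor's cumulative default.xml) is exactly what a report script has to get right. The following Python is an added example, not Cisco's code and not written against the real IDIOM schema: it uses a simplified, constructed XML layout (elements signatures, edc, release with a version attribute, signature with sigid/subsigid/full attributes, and child fields name/engine/enabled/severity) as a stand-in for the two files, applies release sections in S-number order regardless of file order, and reports overlays whose base signature is missing, which is what you get if you process edc.full.xml without the cumulative default.xml. Adapting it to the real files means replacing the two small parsing helpers with XPath for the actual element names.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the cumulative default.xml (< S480). The real file
# uses Cisco's IDIOM schema; these element and attribute names are assumptions.
BASE_XML = """<signatures>
  <signature sigid="1000" subsigid="0">
    <name>IP options-Bad Option List</name><engine>Atomic IP</engine>
    <enabled>true</enabled><severity>informational</severity>
  </signature>
  <signature sigid="3050" subsigid="0">
    <name>Half-open SYN Attack</name><engine>Sweep</engine>
    <enabled>true</enabled><severity>medium</severity>
  </signature>
</signatures>"""

# Constructed stand-in for edc.full.xml: one <release> per signature update,
# deliberately listed out of order, mixing full definitions (full="true") and
# partial overlays (full="false") that only carry the fields they change.
# Sig 7777 has no base record, i.e. it would live in a release we do not have.
EDC_XML = """<edc>
  <release version="S482">
    <signature sigid="3050" subsigid="0" full="false">
      <enabled>false</enabled><severity>high</severity>
    </signature>
    <signature sigid="7777" subsigid="0" full="false"><severity>high</severity></signature>
  </release>
  <release version="S481">
    <signature sigid="5500" subsigid="0" full="true">
      <name>HTTP Suspicious Request</name><engine>Service HTTP</engine>
      <enabled>true</enabled><severity>medium</severity>
    </signature>
    <signature sigid="3050" subsigid="0" full="false"><severity>low</severity></signature>
  </release>
</edc>"""


def _fields(sig_el):
    """Child elements of a <signature> as a flat {field: text} dict."""
    return {child.tag: (child.text or "").strip() for child in sig_el}


def _key(sig_el):
    return (int(sig_el.get("sigid")), int(sig_el.get("subsigid", "0")))


def load_base(xml_text):
    """Cumulative database from default.xml: every entry is a full record."""
    root = ET.fromstring(xml_text)
    return {_key(s): _fields(s) for s in root.iter("signature")}


def release_number(version):
    """'S482' -> 482, so releases sort numerically, not lexically."""
    return int(version.lstrip("S"))


def apply_edc(db, edc_text):
    """Overlay every release section onto db, oldest release first.

    A full definition replaces the whole record; a partial update changes only
    the fields it carries. Returns the partial updates that had no base record:
    they belong to a signature defined before the earliest release present, so
    they cannot be reconstructed from edc.full.xml alone."""
    root = ET.fromstring(edc_text)
    releases = sorted(root.iter("release"),
                      key=lambda r: release_number(r.get("version")))
    orphans = []
    for rel in releases:
        for sig in rel.iter("signature"):
            key = _key(sig)
            if sig.get("full") == "true":
                db[key] = _fields(sig)
            elif key in db:
                db[key].update(_fields(sig))
            else:
                orphans.append((rel.get("version"), key))
    return orphans


def build_database(base_text, edc_text):
    db = load_base(base_text)
    orphans = apply_edc(db, edc_text)
    return db, orphans


def counts(db):
    """(total, enabled), the two numbers IME shows under the signature pane."""
    total = len(db)
    enabled = sum(1 for f in db.values() if f.get("enabled") == "true")
    return total, enabled


if __name__ == "__main__":
    db, orphans = build_database(BASE_XML, EDC_XML)
    print("total/enabled:", counts(db))
    for key in sorted(db):
        print(key, db[key])
    print("overlays with no base record:", orphans)
```

In the constructed data the S481 and S482 overlays both touch the severity of 3050/0; applying them in file order would leave it at "low", applying them in release order leaves it at "high", which is why the sort on the release number is not optional. The orphan list is the check to run whenever you build a report from a package alone: a non-empty list means your base is older than the package assumes.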
