cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1135
Views
0
Helpful
12
Replies

How could I retrieve IPS sig policy?

gdntsoc
Level 1
Level 1

Hi,

I would like to find out if it is possible to retrieve an active IPS signature policy from the device? I would like to obtain a complete policy currently running on the sensor not via CLI.

P.S. I was under the assumption that the sensor will store its policy in XML format on the file system.

Thanks in advance!

12 Replies 12

mhellman
Level 7
Level 7

Yes, but you have to merge the default policy XML with the instance policy XML(you may also have to uncompress the files)

You can use the service account and scp. The relevant files are:

policy name = sig0

/usr/cids/idsRoot/etc/config/signatureDefinition/default.xml

/usr/cids/idsRoot/etc/config/signatureDefinition/instances/sig0.xml

You can also fetch them via HTTP(s), but you still have to merge them to get a complete configuration. If you want the POST examples on how to do this, let me know.

the POST example would be helpful. (A GET would be best.)

Also, is there an xsd/dtd for this xml?

thanks in advance for the help.

I don't believe you can use a GET, but not sure. If you find a way to do this using GET or without having to merge, I'd love to know. Anyway, here is the POST to get sig0:

POST https://192.168.0.1:443/cgi-bin/transaction-server?command=getConfigDelta HTTP/1.1

Accept: text/xml

Content-type: xml/txt

Accept-Charset: iso-8859-1,*,utf-8

User-Agent: CIDS Client/4.0

Host: 192.168.0.1

Pragma: no-cache

Cache-Control: no-cache

Proxy-Connection: keep-alive

Content-Length: 281

Cookie: userToken=6ae4bce4e291a20ecc8676bc071e507c;dummy

http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom" >sig0

If memory serves, you can add credentials to the request URL and then not have to worry about messing about with cookies.

I've also attached a curl sample. It's for a different function, but I think you get the drift.

curl example.

let's try this again.

Sorry, a side question:

Could you also tell me if a license status (expiration date) could be retrieved or obtained as a file or query from the IPS sensor?

Thanks for all your help!

From the CLI service account...not sure.

POST https://192.168.0.1:443/cgi-bin/transaction-server?command=getVersion HTTP/1.1

Accept: text/xml

Content-type: xml/txt

Accept-Charset: iso-8859-1,*,utf-8

User-Agent: CIDS Client/4.0

Host: 192.168.0.1

Pragma: no-cache

Cache-Control: no-cache

Proxy-Connection: keep-alive

Content-Length: 165

Cookie: userToken=b073d751b70c5c9d0e311baf11f9239a;dummy

http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom" >

I get an error from a CIDS v6.x when issuing /cgi-bin/transaction-server?command=getVersion

http://www.cisco.com/cids/idiom" schemaVersion="2.00">XML Parser error at line: 1, at character: -1: no element found

I answered my own question.

For future references, the license details are stored under

/usr/cids/idsRoot/shared/ips.lic

good to know.

You've mentioned in your previous post that policy sig0 could be retrieved via HTTP post method or scp a copy of the individual files (default.xml).

I am able to pull instance policy XML by referencing getConfigDelta from the transaction server.

Could you provide an example on how would one go about fetching default policy from the sensor via HTTP post or other methods?

Looking at the default.xml file, it appears to be encrypted or compressed?

Thanks in advance,

Michael

it is compressed. you can get it via scp here:

/usr/cids/idsRoot/etc/config/signatureDefinition/default.xml

and via an HTTP POST:

POST https://192.168.1.1:443/cgi-bin/transaction-server?command=getDefaultConfig HTTP/1.1

Accept: text/xml

Content-type: xml/txt

Accept-Charset: iso-8859-1,*,utf-8

User-Agent: CIDS Client/4.0

Host: 192.168.1.1

Pragma: no-cache

Cache-Control: no-cache

Proxy-Connection: keep-alive

Content-Length: 252

Cookie: userToken=zzz;dummy

http://www.cisco.com/cids/idconf" xmlns:id="http://www.cisco.com/cids/idiom" >signatureDefinition

Review Cisco Networking for a $25 gift card