IOS IPS Restore Deleted Signatures

paul.kyte · ‎01-18-2006

I have a router with IOS IPS and manage this using SDM.

I have deleted a signature from the router and would now like to re-install it.

Using SDM import feature I have looked for the deleted signature in the 256mb.sdf that I've downloaded from the Cisco website. It doesn't appear in the list of signatures. I've tried the attck-drop.sdf and the local ios sdmips.sdf but the signature is not listed.

does anyone have any idea how I can get it back?

The deleted signature is 4050 UDP Bomb.

Thanks

vkapoor5 · ‎01-24-2006

4050 UDP bomb is a built-in signature within the IOS. Some 100 odd signatures (version dependent) are loaded into the router by default when your IOS has the IDS image. Look under the ATOMIC.UDP signatures for 4050.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm#wp1000985

You may be able to re-enable your signature using the following command on the CLI.

"no ip audit signature 4050 disable"

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_d1g.htm#wp1073162

paul.kyte · ‎01-25-2006

hi,

Thanks for your reply.

I've not tried what you have suggested because I resolved the problem myself before you posted it.

They way I resolved it was to download the IOS-S208.zip file, extract the virtualsensor.xml file, rename this to .sdf and then open it in the import in SDM. Hey presto, the 4050 signature was there for selection.

Thanks for your help and suggestion.

If I ever delete a signature again I'll try your suggested solution.

Regards,

Paul