
IDS Signature Updates & Signature Groups

ThorsonMacAoidh
Level 1

When updating signatures I can look at the Readme.txt to identify what signatures are enabled/disabled by default, however there is not any information included regarding which signature group each new signature is a member of.

To modify the signature config via the command shell you have to enter something like:

service virtual-sensor-configuration <sensor>

tune-micro-engines

<SIG-GROUP>

signatures SIGID <sigid> SubSig <sub>

CapturePacket True

exit

exit

How can I modify the default signature config (e.g. add CapturePacket True) via the command shell without knowing what group the signature is a member of?

TM

2 Replies

flyingmunk
Level 1

frustrating, isn't it?

if you are doing this command line, try this:

guardian1# conf t

guardian1(config)# service virtual-sensor-configuration virtualSensor

guardian1(config-vsc)#tune

guardian1(config-vsc-virtualSensor)#

****let's say you want to find/modify 6251, and you don't know which engine it's in******

guardian1(config-vsc-virtualSensor)# show settings | include 6251

STRING.TCP

-----------------------------------------------

signatures (min: 0, max: 1000, current: 323)

-----------------------------------------------

SIGID: 6251

in other words, from here:

guardian1(config-vsc-virtualSensor)#

use the command:

show settings | include 6251

this will give you the engine that it is in, and then you can go in and make your changes.

hope this helps,

chris
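
The lookup described in the reply above can be scripted for several signatures at once. This is an added example, not part of the original post or any Cisco tooling: it indexes saved `show settings` output by engine and emits the command sequence from the question. It assumes the saved output has the shape quoted in the reply (an engine name on its own line, followed by its `SIGID:` lines); the sample text, the second engine block, the ID 60001, the default SubSig of 0 and the function names are constructed for illustration.

```python
import re

# Constructed sample shaped like the filtered output quoted in the reply;
# only the STRING.TCP / 6251 pairing comes from the thread.
SAMPLE = """\
STRING.TCP
-----------------------------------------------
signatures (min: 0, max: 1000, current: 323)
-----------------------------------------------
SIGID: 6251
ATOMIC.TCP
-----------------------------------------------
SIGID: 60001
"""

ENGINE_RE = re.compile(r"^[A-Z][A-Z0-9]*(?:\.[A-Z0-9]+)+$")  # assumed engine-name shape
SIGID_RE = re.compile(r"^SIGID:\s*(\d+)\b")

def index_engines(text):
    """Map each signature ID to the engine header most recently seen above it."""
    engine, index = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if ENGINE_RE.match(line):
            engine = line
        else:
            m = SIGID_RE.match(line)
            if m and engine is not None:
                index[int(m.group(1))] = engine
    return index

def capture_packet_commands(index, sensor, sigid, subsig=0):
    """Build the command sequence from the question for one signature."""
    if sigid not in index:
        raise KeyError(f"SIGID {sigid} not found in the saved output")
    return [
        f"service virtual-sensor-configuration {sensor}",
        "tune-micro-engines",
        index[sigid],  # the signature group / engine found in the output
        f"signatures SIGID {sigid} SubSig {subsig}",
        "CapturePacket True",
        "exit",
        "exit",
    ]

if __name__ == "__main__":
    idx = index_engines(SAMPLE)
    print("\n".join(capture_packet_commands(idx, "virtualSensor", 6251)))
```

Review the generated lines against the sensor's own prompts before pasting them into a session, since the SubSig value has to match the signature being tuned.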

Absolutely!

Thank You for the information.

TM