In Cisco IOS® Release 12.4(11)T and later,
Cisco IOS Intrusion Prevention System (IPS) provides support for the Cisco IPS
software version 5.x signature format. The 5.x signature format is a
version-based signature definition XML format also used by other Cisco
appliance-based IPS products. Support for signatures and signature definition
files (SDFs) in Cisco IPS version 4.x are discontinued in this and further
Cisco IOS T-Train software releases.
Customers that run Cisco IOS IPS with Version 4.x signature format SDFs
can reconfigure Cisco IOS IPS to use Cisco predefined signature categories,
Basic and Advanced signature sets, or the Cisco IOS IPS migration utility in
order to migrate previous version 4.x SDF files into Cisco IPS Version 5.x
format signature sets.
This document describes how to migrate from a Cisco IPS 4.x format SDF
and enable the migrated signature set in Cisco IOS Release 12.4(11)T or later.
For more information on how to configure Cisco IOS IPS in Cisco IOS Release
12.4(11)T or later, refer to
5.x Signature Format Support and Usability Enhancements.
Note: Cisco recommends that you run the Cisco IOS IPS migration before you
upgrade to a Cisco IOS Release 12.4(11)T or later image.
There are no specific requirements for this document.
The information in this document is based on Cisco IOS Release
12.4(11)T or later.
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
The migration script requires a Cisco IPS 4.x format SDF file and
(optionally) the CLI configuration file that contains Cisco IOS IPS
configuration information used on a router thatrunsa release earlier than Cisco
IOS Release 12.4(11)T.
The migration script searches for commands that contain ip
ips signature <sigid>
[<sigsubid>] disabled within the
router configuration file. If the configuration file does not contain this CLI
command, there is no need for the migration script to read the CLI
configuration file. Conversion of signatures, as such, are based solely on the
If you run the migration script before you upgrade Cisco IOS IPS to
Cisco IOS Release 12.4(11)T or later, follow the process in
Execute the Cisco IOS IPS Migration Script.
If you run the migration script after you upgrade Cisco IOS IPS to
Cisco IOS Release 12.4(11)T or later, complete these steps:
Verify any need to convert CLI commands, ip ips
[<sigsubid>] disabled, as mentioned
Use the command copy running-config
flash:ipscfg.cfg in order to save the router's CLI configuration
to a file.
This command backs up the existing router configuration to flash in a
file named ipscfg.cfg. The migration process uses this
file for full 4.x to 5.x signature format conversion.
Proceed to Execute the Cisco IOS IPS
The migration script is available from Cisco.com at this URL:
Save the migration script to the router's flash or to a router-accessible
location, such as a Trivial File Transfer Protocol (TFTP) server.
The migration script converts an SDF from Cisco IPS Version 4.x format
to Version 5.x format. The migration script supports only these signature
In addition, the migration script can also read from an IOS IPS
configuration fileand migrate disabled signatures that were configured by the
CLI ip ips signature <sigid> <sigsubid>
disabled command in releases earlier than Cisco IOS Release
Note: Custom (non Cisco) signatures are not converted with this script.
This example shows how to migrate the IPS 4.x formatted file
sdmips.sdf to Cisco IOS IPS in Cisco IOS Release 12.4(11)T
with Cisco IOS IPS 5.x signature format support.
This migration script will migrate Signature Definition Files
from 4.x format to 5.x format.
The migration script will migrate only the following signature
parameters - severity, action, enabled - for Cisco (non-custom) signatures.
Do you want to continue? [y/n] y
Please choose an IOS config file from which to migrate IOS IPS configuration.
Config File: [startup-config]
The following SDF locations were found configured in startup-config:
Please provide SDF to migrate from the above list or of your own
choice: flash:// sdmips.sdf
Migrating following SDF file (this will a take few minutes):
Time Elapsed: 0:02:23
Migration completed successfully. The migrated file is
First, the migration script displays a brief text about its function.
Next, the script provides an option to choose a location from where to read the
current (pre-migration) configuration for Cisco IOS IPS. The default reads from
the startup configuration. If you have previously saved a configuration to a
TFTP server or the router's flash, specify the location at the prompt.
Use tftp:// 192.168.1.5/<router CLI
configuration> in order to notify the script to
load a CLI configuration from TFTP server 192.168.1.5.
in order to read from a file saved on flash.
After signature migration is complete, upgrade the router's image to
Cisco IOS Release12.4(11)T if you have not already done so. Once the router is
reloaded, complete these steps.
Enable Cisco IOS IPS.
This output shows how to enable Cisco IOS IPS on a Cisco 2821 router.
For more information on how to configure Cisco IOS IPS, refer to
5.x Signature Format Support and Usability Enhancements.
Create directory filename [ips]?
Created dir flash:ips
Enter configuration commands, one per line. End with CNTL/Z.
C2821(config)#ip ips name MYIPS
C2821(config)#ip ips config location ips
C2821(config)#ip ips signature-category
Do you want to accept these changes? [confirm]y
Copy and paste this key into the router in order to configure the
crypto signature public key.
crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
Enable Cisco IOS IPS on interfaces as shown in this example:
C2821(config)#interface gigabitEthernet 0/0
C2821(config-if)#ip ips MYIPS in
C2821(config-if)#ip ips MYIPS out
Use the copy command in order to load the
latest signature package:
C2821#copy tftp://192.168.1.5/IOS-S253-CLI.pkg idconf
This command loads signatures from the signature package
IOS-S253-CLI.pkg into Cisco IOS IPS.
ios-ips signature category all was
configured in step 1, which retires all signatures. After the signature package
is successfully loaded, no signatures are selected and compiled.
Use this command in order to load the migrated XML file to Cisco IOS
copy flash:C2821-sigdef-delta.xml idconf
Once the router parses the version 5.x formatted signature file,
migration is complete.
Use the show ip ips signature count
command in order to check signature summary status, and then use the
show ip ips signature details command in order to
view specific details on all signatures.