Starting with Cisco IOS® Software Release 12.4(11)T, Cisco IOS Intrusion Prevention System (IPS) introduces support for the Cisco IPS Software Version 5.x signature format. The 5.x signature format is a version-based signature definition XML format also used by other Cisco appliance-based IPS products. Support for signatures and signature definition files (SDFs) in Cisco IPS Version 4.x format is discontinued in this and further Cisco IOS T-Train Software releases.
Customers running Cisco IOS IPS with Version 4.x signature format SDFs can reconfigure Cisco IOS IPS to use Cisco predefined signature categories (the Basic and Advanced signature sets) or use the Cisco IOS IPS migration utility to migrate previous Version 4.x SDF files into Cisco IPS Version 5.x format signature sets.
This document details the steps for migrating from a Cisco IPS 4.x format SDF and enabling the migrated signature set in Cisco IOS Software Releases 12.4(11)T or later. For more details on how to configure Cisco IOS IPS in Cisco IOS Software Release 12.4(11)T or later, please refer to the Cisco IOS IPS Configuration Guide at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t11/ips_v5.htm.
It is highly recommended to run Cisco IOS IPS migration before upgrading to Cisco IOS Software Release 12.4(11)T or a later image.
Steps to Migrate Version 4.x SDF Files
The migration script requires a Cisco IPS 4.x format SDF file and, optionally, the CLI configuration file that contains the Cisco IOS IPS configuration used on a router that was running a Cisco IOS Software release earlier than 12.4(11)T. The migration script searches for commands containing ip ips signature <sigid> [<sigsubid>] disabled within the router configuration file. If the configuration file does not contain any such commands, there is no need for the migration script to read the CLI configuration file. In that case, conversion of signatures is based solely on the SDF.
If running the migration script before upgrading Cisco IOS IPS to Cisco IOS Software Release 12.4(11)T or later, follow the process "Executing Cisco IOS IPS Migration Script".
If running the migration script after upgrading Cisco IOS IPS to Cisco IOS Software Release 12.4(11)T or later:
1. Verify any need to convert the CLI commands ip ips signature <sigid> [<sigsubid>] disabled, as mentioned above.
2. Save the router's CLI configuration to a file, for example, use the command copy running-config flash:ipscfg.cfg. This command will back up the existing router configuration to flash in a file named ipscfg.cfg. The migration will use this file later for full 4.x to 5.x signature format conversion. The process "Executing Cisco IOS IPS Migration Script" can then be followed.
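The check in step 1 can be run offline against the configuration file saved in step 2. The following is an added example, not part of the Cisco migration script: it scans a saved configuration for the disabled-signature commands and reports whether the migration script needs the configuration file at all. The function name, the sample configuration, the acceptance of "disable" alongside "disabled", and the ip ips sdf location line format are assumptions.

```python
import re

# Command form given on the page: ip ips signature <sigid> [<sigsubid>] disabled
# Assumption: "disable" is accepted as well as the page's "disabled" spelling.
DISABLED_RE = re.compile(
    r"^\s*ip\s+ips\s+signature\s+(\d+)(?:\s+(\d+))?\s+disabled?\s*$")
# Assumption: pre-12.4(11)T configs record SDFs as "ip ips sdf location <url>".
SDF_RE = re.compile(r"^\s*ip\s+ips\s+sdf\s+location\s+(\S+)")

# Constructed sample of a saved configuration (e.g. flash:ipscfg.cfg);
# hostname, signature IDs and rule name are illustrative only.
SAMPLE_CONFIG = """\
hostname C2821
ip ips sdf location flash://sdmips.sdf
ip ips signature 1107 0 disabled
ip ips signature 2004 disabled
ip ips name MYIPS
interface GigabitEthernet0/0
 ip ips MYIPS in
"""


def audit_ips_config(config_text):
    """Summarise what a saved config contributes to the 4.x to 5.x migration."""
    disabled, sdf_locations = [], []
    for line in config_text.splitlines():
        m = DISABLED_RE.match(line)
        if m:
            # The sub-signature ID is optional; None records that it was omitted.
            sub_id = int(m.group(2)) if m.group(2) is not None else None
            disabled.append((int(m.group(1)), sub_id))
            continue
        m = SDF_RE.match(line)
        if m:
            sdf_locations.append(m.group(1))
    return {
        "disabled": disabled,
        "sdf_locations": sdf_locations,
        # Without disabled-signature commands, conversion relies on the SDF alone.
        "config_needed": bool(disabled),
    }


if __name__ == "__main__":
    report = audit_ips_config(SAMPLE_CONFIG)
    for sig_id, sub_id in report["disabled"]:
        print("disabled signature:", sig_id, "" if sub_id is None else sub_id)
    print("SDF locations:", ", ".join(report["sdf_locations"]) or "none")
    print("pass config file to migration script:", report["config_needed"])
```

Keeping the resulting list of disabled signatures also gives a baseline to compare against the output of show ip ips signature details after the migrated file is loaded.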
Executing Cisco IOS IPS Migration Script
The migration script is available from Cisco.com at: http://www.cisco.com/cgi-bin/tablebuild.pl/ios-v5sigup. Save the migration script to the router's flash or to a router-accessible location, such as a Trivial File Transfer Protocol (TFTP) server.
The migration script will convert an SDF from Cisco IPS Version 4.x format to Version 5.x format. The migration script supports only the following signature parameters:
severity
action
enabled.
In addition, the migration script can read an IOS IPS configuration file from a release earlier than Cisco IOS Software Release 12.4(11)T and migrate disabled signatures that were configured with the CLI command ip ips signature <sigid> <sigsubid> disabled.
Note: Custom (non-Cisco) signatures will not be converted using this script.
The following example migrates the IPS 4.x formatted file sdmips.sdf for use with Cisco IOS IPS in Cisco IOS Software Release 12.4(11)T, which supports the Cisco IOS IPS 5.x signature format.
C2821#tclsh flash:ios-ips-migrate.tbc
This migration script will migrate Signature Definition Files from 4.x format to 5.x format.
The migration script will migrate only the following signature parameters - severity, action, enabled - for Cisco (non-custom) signatures.
Do you want to continue? [y/n] y
Please choose an IOS config file from which to migrate IOS IPS configuration.
Config File: [startup-config]
The following SDF locations were found configured in startup-config:
flash://sdmips.sdf
Please provide SDF to migrate from the above list or of your own choice: flash://sdmips.sdf
Migrating following SDF file (this will a take few minutes):
flash://sdmips.sdf
Time Elapsed: 0:02:23
Migration completed successfully. The migrated file is
C2821-sigdef-delta.xml
C2821#
The migration script first displays a brief description of its function. Next, the script prompts for the location from which to read the current (pre-migration) configuration for Cisco IOS IPS. By default it reads from the startup configuration. If you have previously saved a configuration to a TFTP server or the router's flash, specify that location at the prompt.
For example:
Use tftp://192.168.1.5/<router CLI configuration> to tell the script to load a CLI configuration from TFTP server 192.168.1.5.
Use flash://<saved-configuration> to read from a file saved on flash.
Loading Migrated Signatures into Cisco IOS IPS in Cisco IOS Software Release 12.4(11)T
After signature migration is complete, upgrade the router's Cisco IOS image to 12.4(11)T if you have not already done so. Once the router is reloaded, perform the following steps.
This command will load signatures from signature package IOS-S253-CLI.pkg into Cisco IOS IPS. Please note that ios-ips signature categoryall was configured in Step 1; this retired all signatures. After the signature package is successfully loaded, no signatures will be selected and compiled.
3. Load Migrated Signatures
The last step is to load the migrated signatures. Use the following command to load the migrated XML file (<router-hostname>-sigdef-delta.xml) to Cisco IOS IPS.
copy flash:C2821-sigdef-delta.xml idconf
Once the router has parsed the Version 5.x formatted signature file, the migration is complete. Use show ip ips signature count to check the signature summary status and show ip ips signature details to view specific details on all signatures.