IDS mailing list archives

RE: Viewing Cisco NSDB information


From: "shannong" <shannon () gillenwater name>
Date: Sun, 25 Jan 2004 10:20:23 -0600

What software are you using with the sensors? 

The easiest way to do it without installing any software would be to get the
CiscoWorks VMS updates for the IDSMC.  The zip files have all the NSDB HTML
files tarred into a single file.

The IEV is a free tool from Cisco to work with the sensors.  It also stores
all the NSDB files in a local folder that you can grab.  It also stores all
alerts in a mysql database which might have other uses for you as well. 

-----Original Message-----
From: Jonathan Lowther [mailto:jon.lowther () activis com] 
Sent: Friday, January 23, 2004 10:23 AM
To: focus-ids () securityfocus com
Subject: Viewing Cisco NSDB information



Is there a way of accessing the .html files that make up the NSDB on a Cisco
sensor?? I mean the files called expsig_<ID>.html.



My company has its own internal knowledgebase of alerts, and I wanted to
import the data from the Cisco NSDB into our own database (we do something
similar for ISS alerts).



We used to do this with version 3.x (this was before my time) but we needed
to install the updates to the Cisco Secure Policy Manager and we could then
get the .html files.



However, we are now migrating to 4.1 and I don't want to have Cisco Secure
Policy manager (or any other system) just to be able to view the NSDB.



I know that I can view the NSDB by logging into the sensor, but I am not
really able to access the files themselves because the command line
interface is all menu driven. For example, I can't log on to the sensor and
just FTP the .html files to my desktop where I run my import script.



I had the idea that the .html files must be contained in the update files
(for example, IDS-sig-4.1-3-S66.rpm.pkg), but I can't seem to unpack them. I
managed to get a utility to extract RPMs, but I am not able to extract the
.pkg file.



Has anyone got any ideas of how I can obtain the .html files from the NSDB?
If I can obtain them directly from a signature update file, that would be
best because I could probably automate the process.



FYI. I have a Cisco 4210 Sensor running 4.1(3)S61



Thanks in advance,



Jonathan Lowther

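The import step Jonathan describes, once the NSDB HTML files have been pulled out of the tarball shannong points at, as an added example that is not part of this thread: it walks a tar archive, keeps only members named expsig_<ID>.html, and records the page title and visible text per signature ID. The page layout (a title plus body text) and the two-file sample archive are constructed assumptions; real NSDB pages may carry more structured fields worth mapping into a knowledgebase.

```python
import io, re, tarfile
from html.parser import HTMLParser

# Filename pattern named in the thread: expsig_<ID>.html, any directory prefix.
EXPSIG_RE = re.compile(r"(?:^|/)expsig_(\d+)\.html$")


class _PageText(HTMLParser):
    # Collect the <title> and the visible body text of one NSDB HTML page.
    def __init__(self):
        super().__init__()
        self.title, self.body, self._in_title = [], [], False
    def handle_starttag(self, tag, attrs):
        self._in_title = tag == "title"
    def handle_endtag(self, tag):
        self._in_title = False
    def handle_data(self, data):
        (self.title if self._in_title else self.body).append(data)


def parse_expsig(html):
    """Return {'title': ..., 'text': ...} with whitespace normalised."""
    p = _PageText()
    p.feed(html)
    norm = lambda parts: " ".join(" ".join(parts).split())
    return {"title": norm(p.title), "text": norm(p.body)}


def import_nsdb_tar(tar_bytes):
    """Map signature ID -> record for every expsig_<ID>.html inside a tarball."""
    records = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            hit = EXPSIG_RE.search(m.name)
            if not (m.isfile() and hit):
                continue  # skip index pages, images, stylesheets, directories
            html = tf.extractfile(m).read().decode("utf-8", errors="replace")
            records[int(hit.group(1))] = dict(parse_expsig(html), file=m.name)
    return records


def build_sample_tar():
    """Constructed two-file tarball standing in for a real NSDB archive (assumed layout)."""
    pages = {"nsdb/expsig_1234.html": "<html><head><title> Sample Signature 1234 </title>"
             "</head><body><h2>Test entry</h2><p>Constructed description.</p></body></html>",
             "nsdb/index.html": "<html><title>NSDB index</title></html>"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, page in pages.items():
            info = tarfile.TarInfo(name)
            info.size = len(page.encode())
            tf.addfile(info, io.BytesIO(page.encode()))
    return buf.getvalue()
```

Point import_nsdb_tar at the bytes of the real tar from the VMS update and feed the returned dict into the existing import script.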