Cisco IDS signature update vs. Snort

Greetings all
I have a question for anyone using any Cisco IDS products.
How often does the Cisco IDS/IDSM update its signatures, and are the updates
comparable to Snort's? Example: an exploit becomes known... Snort publishes an
update... can a similar update be found for Cisco IDS?
Regards
Fredrik Hofgren

Cisco does not update as frequently or completely as Snort. Cisco also tends to give much higher priority to releasing signatures on vulnerabilities that affect their own products. There are also many signatures released for Snort that never seem to make their way to Cisco from what we have seen.

Similar Messages

  • IDS Signature update S(184)

    The IDS signature update S(184) included [MS plug and play - 6131]. This particular SIG ID is disabled, and the severity is Information. Does anyone know how to enable it and change it to high?
    thank you

    You can use IDM (https://) to change the severity and enable the signature. The other management platforms also provide you a means to change it as well.

  • IDS Signature Updates

    When I update my IDS sensors using the IDS MC, 3 of my 4 sensors hang. They never restart all of the services. When I telnet to them I get the message "Error: Cannot communicate with system processes. Please contact your system administrator.". The IDS MC progress viewer shows 100% but with errors. Its errors are:
    Sensor Int_IDS1: Signature Update Process
    An error occurred while running the update script on the sensor named Int_IDS1. Detail = An RDEP communication error occurred during the update. Exception message = org.apache.commons.httpclient.HttpRecoverableException: Error in parsing the status line from the response: unable to find line starting with "HTTP"
    One sensor works fine with no problems.
    I have tried upgrading the sensors individually through IDSMC and the same 3 fail with the same error message. I have tried doing it through the command line and FTP and the same 3 fail. The 3 sensors that fail are 4235s and the successful sensor is a 4250 XL.

    If you are not running the 'f' patch on your sensors, 4.1.4(f), you should download and install that patch. It fixes some out-of-memory on upgrade issues that are most likely the cause of your problem.
    The patch location is posted in another thread.

  • How often does Cisco release signature updates?

    Hi, I would like to know how often Cisco releases updates for the signature engine for the IPS appliances. I was not sure whether to set the auto update from Cisco.com to every day, every hour or once a week.
    Also, can you advise me of the recommended setting for the Bypass feature for the interfaces?

    Since the auto-update checks go out the management interface it may be better to have it set for every hour. That way you won't have delays in the critical updates. Assuming you are in inline traffic mode, setting the bypass to "auto" is the recommended setting for interfaces. That is also the default.
    Madhu

  • IPS/IDS Signature updates

    Just a quick question, will there be a charge for upgrading the signatures? In other words will you have to pay to download the new updates as they come out?

    What about the IOS IPS with 5.x? It looks like the IOS IPS doesn't support the 5.x signatures due to current engine support, yet I haven't been able to find an EOL on IOS IPS.

  • Problem updating signature updates in IDS 4215

    Problem upgrading the signatures of IDS 4215
    I have to upgrade the signature file of the IDS 4215. The latest signature update version is IDS-sig-4.1-5-S252. To upgrade the signature file I installed the service pack IDS-K9-sp-4.1-5-S189. The service pack was installed properly, but while updating the signatures it gives the following error:
    Error: Cannot communicate with mainApp (getVersion). Please contact your system
    Administrator.
    Would you like to run cidDump? [No]:
    Procedure Followed
    I installed an FTP server in the network and put the signature update file there. I then issued the command
    upgrade ftp://[email protected]/5Dp--5-S2s52.ir
    Pmg.pk-g4.1-5-S252.rpm.pkg
    After that it gave me the above error
    Question
    How can I recover the image while recovery partition is already there?
    The snapshot of the procedure that I followed is given below
    login: cisco
    Password:
    ***NOTICE***
    This product contains cryptographic features and is subject to United States
    and local country laws governing import, export, transfer and use. Delivery
    of Cisco cryptographic products does not imply third-party authority to import,
    export, distribute or use encryption.
    http://www.cisco.com/wwl/export/crypto
    If you require further assistance please contact us by sending email to
    [email protected].
    customer-ids4215#
    customer-ids4215# sh ver
    customer-ids4215# sh version
    Application Partition:
    Cisco Systems Intrusion Detection Sensor, Version 4.1(5)S189
    OS Version 2.4.26-IDS-smp-bigphys
    Platform: IDS-4215
    Using 424386560 out of 460161024 bytes of available memory (92% usage)
    Using 4.4G out of 17G bytes of available disk space (27% usage)
    MainApp 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    AnalysisEngine 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    Authentication 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    Logger 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    NetworkAccess 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    TransactionSource 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    WebServer 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    CLI 2005_Aug_02_10.53 (Release) 2005-08-02T10:25:35-0500
    Upgrade History:
    * IDS-sig-4.1-4-S119 17:29:28 UTC Sat Oct 16 2004
    IDS-K9-sp-4.1-5-S189.rpm.pkg 09:28:03 UTC Wed Dec 27 2006
    Recovery Partition Version 2.4 - 4.1(4)S91
    customer-ids4215#
    customer-ids4215#
    customer-ids4215# conf t
    customer-ids4215(config)#
    customer-ids4215(config)# upgrade
    <source-url> Location of upgrade
    customer-ids4215(config)# upgrade ftp://[email protected]/5Dp--5-S2s52.ir
    pmg.pk-g4.1-5-S252.rpm.pkg
    Password:
    Warning: Executing this command will apply a signature update to the application
    partition.
    Continue with upgrade? : yes
    Broadcast message from root (Sun Jan 7 14:46:24 2007):
    Applying update IDS-sig-4.1-5-S252. This may take several minutes.
    Please do not reboot the sensor during this update.
    login: cisco
    Password:
    ***NOTICE***
    This product contains cryptographic features and is subject to United States
    and local country laws governing import, export, transfer and use.http://www.cisco.com/wwl/export/crypto
    If you require further assistance please contact us by sending email to
    [email protected].
    Error: Cannot communicate with mainApp (getVersion). Please contact your system
    administrator.
    Would you like to run cidDump?[no]:
    Connection to host lost.
    C:\>

    Just so you know, you will need to update your IPS from 4.1-5 to 5.0-1 to get signatures up to 217. To get a signature beyond 217, you'll need to upgrade to 5.0-5. This isn't that lengthy of a process, but it is required if you want to go beyond 217. Also, 252 is an older signature; 265 has been out now for a few. Just an idea of how fast these signatures update. Shoot a reply back if you don't know how to upgrade.

  • Signature updates for Cisco IPS 4510

    Hi there.
    I have one question for all Cisco IDS/IPS professionals. If the management port only accepts inbound traffic, how can I then activate my Cisco 4510 IPS appliance to get signature updates automatically from cisco.com? That requires outbound traffic too.
    Thanks.

    Your Management0/0 port only supports "to-the-box" traffic, which means that you can't use that port for an inline pair or a VLAN pair. But with the IP on that port configured, you can not only connect to your sensor; the sensor can also initiate connections to the rest of the network, and so you can reach your update destinations.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Cisco IDS vs SNORT

    This isn't meant to be a flame thread. During a security audit our vendor said that the Cisco IDSs we use are not really that good and we should move to SNORT.
    Is SNORT a good product to use in conjunction with the Cisco IDS, or just by itself, replacing the Cisco IDSs? We have always stuck to CISCO equipment, and never really did anything else, mainly because of the reliability and performance it offers.

    In my experience, the statement that "SNORT is better than " is usually the result of 1) No experience with said commercial product and 2) a bias favouring anything Open Source.
    IMNSHO, both products are excellent; they're just different. Cisco, at least when compared to the last version of SNORT I played with (1.9, 2.0), was better at both IP fragment and TCP session reassembly. Furthermore, you generally don't get contractually obligated support with SNORT (unless of course you buy Sourcefire, but that's not really the same thing...).
    Snort's biggest advantages, again IMNSHO, are cost (generally hardware only, if you don't factor in configuration and maintenance man power costs...) and flexibility. By flexibility, I mean that you can deploy it on just about anything running Linux (desktop, server, inline) and you can choose to use it as either an IPS (Snort-inline), NNIDS (Snort running on a desktop or server) or NIDS (Snort on a system acting as a purpose-built sensor).
    Both of them are fairly easy to modify with custom signatures and new signatures are coming out very frequently (user community for Snort, vendor-supplied for Cisco IDS), so neither has a distinct advantage here.
    That's just a quick response. There is usually a deeper philosophical discussion here, but this goes back to my "bias favouring anything Open Source" comment.
    I hope this helps,
    Alex Arndt

  • Problem updating IDS signatures

    I have an IDS-4215 sensor with version 5.1(5)E1S333V1.2
    I tried several times updating signatures with the next version on it but it does not get updated and only the local MC gets upgraded. I have other IDS sensors also but I don't have any problem updating signatures with them.
    Why are the signatures not getting updated on this sensor?
    Help me with a solution. All helpful posts will be rated.

    Did you try applying S355 directly to the sensor using the CLI or IDM rather than the MC?
    Sometimes you don't get good error messages when trying to apply through the MC.
    If you apply through CLI or IDM did you get any messages back from the sensor?
    Did you get a success message? If doing it from the CLI did it come back to a CLI prompt?
    If no error messages come back when trying the upgrade, then it will require looking at a "show tech" from your sensor to try and see what is going on.
    You would not want to copy that output to this forum, so your best bet would be to open up a TAC case and provide them the output from when you tried applying the update through the CLI or IDM, as well as the output from the "show tech" taken immediately after the failed upgrade attempt.
    I am not currently aware of any situation where the upgrade would fail without some type of error message being returned.
    Here, however, are some common errors that should return an error message (I don't remember the exact wording of the error messages):
    1) sensorApp/analysis engine is Not Running
    (you can check "show version" before doing the upgrade to make sure it is Running).
    2) sensorApp/analysis engine is not responding (you can do a "show stat vi" before trying the upgrade to ensure it is responding to statistic requests before trying the upgrade)
    3) license has expired (you can do a "show ver" and make sure the license has not expired)
    4) Signature Update already installed - This is a tricky one. This can happen when a previous attempt to update at that same signature level failed, but left some remnants around. The second attempt to install the same update detects the remains of the previous failure and incorrectly thinks that the update is already installed. There are 2 ways to recover from this. Save off the config, and do a recover-application command to re-image the sensor, then re-apply the config. Or wait till the next signature update S356 comes out and try it with the newer sig update. I haven't seen this problem in a long time, and I am not sure if it can happen anymore. Steps were taken to try and prevent this from happening.
    5) sensorApp/analysis engine could stop during the signature update - This can happen on lower end sensors like the IDS-4215, especially when tunings have been made to the signatures or custom signatures have been created. The low end sensors have limited memory. When a new signature update is applied the sensor has to compile the new signatures. If using the standard set of signatures with no user tunings, then the signature update should apply fine. But if the customer has made tunings and/or added custom signatures, then this compiling of the new signatures could push the sensor above its allowed memory limits. The kernel will then kill sensorApp/analysis engine. The signature update will never complete (never get an error OR a success message). And the sensor has to be rebooted to get it working again. If you are running into this issue you might need to remove some of your tunings and custom signatures, apply the signature update, and then re-apply your tunings.

  • Cisco signature update site down?

    I just noticed that I haven't been getting my daily updates since Sunday.  I get the following error:
    AutoDownload Job Report:
    No files available for download.
    Error: Unable to communicate with locator service to retrieve available files.
    Has anyone else seen this?

    This seems to be an intermittent problem, becoming more visible today (not sure if it was occurring prior to today). If you urgently need a signature update file, for now (as a workaround), you can manually download the file from here:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc-ips5-sigup
    And, place it in the CSCOpx\MDC\ips\updates directory on your CSM (Cisco Security Manager) system.
    If you have time, if you could let us know what www.cisco.com resolves to on your CSM system. ? This may help confirm/track down the source of the issue. You should be able to do this from a Command Prompt (cmd.exe) on the CSM system using the nslookup utility. Example:
    C:\nslookup www.cisco.com

  • Cisco 6500 IDSM Signature Updates

    Hi,
    One of my clients has recently purchased a Cisco IDSM-2 for their core router, i.e. a 7609; however the client has missed purchasing the SUSA licensing for signature updates.
    Can the client still configure the IDSM-2 without signature updates (in any mode), and what would be the limitations if he does not buy the SUSA in future either?
    Manmeet

    The only thing that can not be done without the SUSA license (IPS Subscription license) is to update the signature to the latest signature update file.
    You can still configure the IDSM2, the only thing that can't be performed is updating the signature to the latest.
    Hope that answers your question.

  • Cisco ips link update signature automatically ?

    Dear all,
    I would like to know what address or link we need to update IPS 4240 signatures automatically from Cisco.
    Our IPS config shows this link. Is it correct?
    user-name sabirins1978
    cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    Thanks.
    Regards,
    Budy

    Umm, I tried to access both links..
    I could access the page using the link with one slash (https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl), but I couldn't access the page using the link with two slashes (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) with the error message: "The Page you requsted is not available".
    So, which one is the correct one?
    Is the license just needed in automatically-updating the intrusion signature (not including firmware/engine update) ?
    How long approximately is the signature update released periodically by Cisco ?
    Regards,
    Daniel

  • IDS/IPS Signatures Update

    Hi,
    I have one question regarding signature updates: do the new Cisco signature updates include the new signatures plus the old ones, or just the difference between the latest update and the previous one?
    If I have an IPS which has never been updated for a year let's say, is it just enough to install the latest signature update and the latest Service pack? Does the service pack include signatures as well when applied?
    Please advise!
    Thanks,
    Haitham

    A signature update will contain all Cisco signatures that have been released so far. A service pack will be bundled with a signature update, but not necessarily the latest one. So you should first apply the latest service pack and then apply the latest signature update.
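    The ordering rule in the reply above (newest service pack first, then the newest signature update built for the resulting service-pack level) as an added Python example that is not part of this thread or of any Cisco tool. The filename and "show version" patterns are inferred from the names quoted elsewhere in this thread (IDS-K9-sp-4.1-5-S189.rpm.pkg, IDS-sig-4.1-5-S252.rpm.pkg, 4.1(5)S189); the 4.x-to-5.x platform upgrade mentioned in another reply is out of scope here.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Package filenames as quoted in this thread, e.g.
#   IDS-K9-sp-4.1-5-S189.rpm.pkg  (service pack, bundles signatures up to S189)
#   IDS-sig-4.1-5-S252.rpm.pkg    (signature update built for 4.1(5))
PKG_RE = re.compile(
    r"^IDS-(?:K9-)?(?P<kind>sp|sig)-(?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)"
    r"-S(?P<sig>\d+)(?:\.rpm\.pkg)?$")
# "show version" strings as quoted in this thread, e.g. 4.1(5)S189 or 5.1(5)E1S333V1.2
VER_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<sp>\d+)\)(?:E\d+)?S(?P<sig>\d+)")


class Level(NamedTuple):
    kind: str      # "sp", "sig" or "installed"
    major: int
    minor: int
    sp: int        # service-pack level, the number in parentheses in show version
    sig: int       # S-level carried by the package or currently installed

    @property
    def platform(self) -> Tuple[int, int, int]:
        return (self.major, self.minor, self.sp)


def parse_package(name: str) -> Optional[Level]:
    m = PKG_RE.match(name)
    if not m:
        return None
    return Level(m["kind"], int(m["major"]), int(m["minor"]), int(m["sp"]), int(m["sig"]))


def parse_version(text: str) -> Level:
    m = VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sensor version: {text!r}")
    return Level("installed", int(m["major"]), int(m["minor"]), int(m["sp"]), int(m["sig"]))


def plan_upgrade(installed_version: str, available: List[str]) -> List[str]:
    """Return package names to apply in order: the newest service pack for the
    sensor's major.minor train, then the newest signature update whose
    platform matches the level the sensor will be at after that service pack."""
    cur = parse_version(installed_version)
    pkgs = [(n, p) for n, p in ((n, parse_package(n)) for n in available) if p]
    sps = [(n, p) for n, p in pkgs if p.kind == "sp"
           and (p.major, p.minor) == (cur.major, cur.minor) and p.sp > cur.sp]
    plan: List[str] = []
    target, sig_floor = cur.platform, cur.sig
    if sps:
        name, best = max(sps, key=lambda np: np[1].sp)
        plan.append(name)
        # The service pack bundles a signature level, but not necessarily the latest.
        target, sig_floor = best.platform, max(cur.sig, best.sig)
    sigs = [(n, p) for n, p in pkgs if p.kind == "sig"
            and p.platform == target and p.sig > sig_floor]
    if sigs:
        plan.append(max(sigs, key=lambda np: np[1].sig)[0])
    return plan
```

    A signature update built for an older service-pack level (for example an S136 built for 4.1(4) when the plan moves the sensor to 4.1(5)) is deliberately left out rather than applied first.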

  • MC-IDS - Error Updating Network IDS Signatures

    MC for IDS Sensors
    Update Network IDS Signatures
    Error
    Object update failed. The update package provided appears to be corrupt, or permission was denied for reading the file. Please verify the update package contents and retry the operation.
    I verified the checksum of 4207248 matches the file I downloaded from CCO. We are running on Solaris. What userid is VMS using to read?
    Any ideas ? -jason
    root@bnavms # cd/opt/CSCOpx/MDC/etc/ids/updates/
    root@bnavms # su jra
    root@bnavms # ls -l
    -rw-r--r-- 1 jra other 4207248 Jan 7 09:30 IDS-sig-4.1-4-S136.rpm.pkg

    You need to get the .zip version of the update. It can be found on the same CCO download page under the IDSMC -> IDS Management Console link at the bottom of the page.

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures, which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659
