Customizing signatures question on AIP-SSM

Similar Messages

• Signature Updates for AIP-SSM 10

  Hi all how can i obtain Signature Updates for AIP-SSM 10 where i am having 60 day trial license with me

  Here is the main file download page for the IPS sensors.
  Find the section for the version you are running and click on the Latest Signature Updates link to take to you to the download page for signature updates.
  You can then download which ever signature update you want.
  NOTE1: Each Signature Updates contains all signatures from previous Sig levels. So you only need to download the latest one.
  NOTE2: Each signature update has a specific E (Engine) level requirement. You can execute "show ver" on your sensor to determine if it is at an E1 or E2 level. If it is at E1 and you want the latest sigs that require E2 then you will first need to install the E2 upgrade.
  On that main download page look for the "Latest Upgrades" link for your version, and look for the IPS-engine-E2-req-X.X-X.pkg file where the X.X-X matches your sensor version.
  If there is not an X.X-X matching your sensor version, then you may need to upgrade the software version for your sensor as well.
  NOTE3: Many of these links will also require an account on cisco.com. And for some of these files that account may also need to be verified for being from a country where the USA's export restrictions allow downloads for encryption. (Most countries qualify but you do have to go through that qualification step). It has been over 10 years that I have had do this so I am not sure of the latest procedures for getting an account or validating it for encrpytion downloads.

• Signature Update Version : AIP-SSM GUI

  How can I view the current signature version on AIP-SSM via GUI. Via CLI I can see it on 'show version' output.
  Thanks.

  You can view it via the Monitor tab. The exact location is:
  Monitoring >> Support Information >> System Information
  You can also view this information in IME.
  Please rate if helpful.
  Regards
  Farrukh

• Obtaining hardware and signature support for AIP SSM-10

  We have a 5510 which we have purchased an AIP SSM-10 card for the ASA which is already under a support contract. We now wish to add hardware maintenance for the new AIP SSM-10 card as well as signature updates. Our Cisco supplier will not confirm that we will receive signature updates with the hardware support though (we have been trying to get an answer from them since June or July now).
  Could someone let us know what the correct part number is so we can ask for the specific option that will provide both hardware cover and signature updates.

  i think this is what you need,
  CON-SU1-AS1A1PK9
  IPS SVC, AR NBD ASA5510-AIP10SP-K9
  cisco smartnet support

• Installing signature update for IDSM-2 on AIP-SSM

  Hi every one,im not sure about this question but i think its beter to ask you experts.i want to know that if i have signature update for example for my IDSM-2 can i instal this sig update on my AIP-SSM --> suppose that IPS software on both devices are same and also i have installed valid license key on AIP-SSM.now can i do this or no? and i know that if you have not valid license installed on IDSM-2 you cant instal any sig update on IDSM-2 but what about AIP-SSM?i mean can i instal sig update on AIP-SSM without installed valid license key on AIP-SSM? thanks

  There are 3 main types of Signature Updates.
  1) IPS Sensor Signature Updates
  2) CSM Signature Updates for IPS Sensors
  3) IOS IPS Signature Updates
  The IPS Signature Update filename is in the form: IPS-sig-Sxxx-req-Ey.pkg
  This is most likely what you are referrnig to in your post. This file can be installed on ANY IDS/IPS Appliance or Module.
  The Requirement here is not the platform but rather the Engine Level. The "req-Ey" portion of the filename tells you that the sensor must already be running the "y" Engine level of software.
  So an IPS-sig-S436-req-E3.pkg file can be installed on any IDS/IPS Appliance or Module so long as the software on that sensor is an "E3" version.
  The CSM updates, are signature updates for the Cisco Security Manager. They contain special files that CSM uses to update itself, and then also included within the CSM update is the actual sensor update described above. CSM unpackages the CSM update, updates itself, and then uses that embedded file to upgrade the actual sensor.
  The third type of file is for IOS Routers loaded with special IOS software that has the special IOS IPS features where the Router itself (instead of a separate IDS/IPS module) does the signature monitoring.
  These IOS IPS Signature Updates get installed on the actual router, and are not installed on the IDS/IPS Sensor Appliances or Modules.
  So in answer to your question, yes the same Signature Update for your IDSM-2 is the exact same Signature Update for your SSM modules.
  The exact same file is available through multiple different paths on cisco.com. But it doesn't matter through which cisco.com path you downloaded the file you can still install it on all IDS/IPS Appliances and Modules.
  As for licensing, the license works the same on all IDS/IPS Appliances and Modules. A license must be on the sensor for the Signature Update to be applied.
  NOTE: A Trial License is available from cisco.com for new sensors to allow you time to get everything setup correctly for your sensor to be covered by a service contract, and get the standard license from the service contract.

• AIP-SSM crash during S389 Signature upgrade

  Our AIP-SSM [version 6.1(2)E3] crashed during a S389 Signature upgrade on Friday. Neither a "session 1" command from its host, an ASA5520, or a "reload" command of the ASA5520 succeeded in bringing back up the AIP-SSM. Fortunately, after the ASA's power was recycled, the AIP-SSM successfully booted, albeit not to S389, but to its previously loaded S383. I established an SR and supplied the "show tech" and "show config," but the Cisco tech replied "nothing stands out" in them and said just run the S389 update again and send the same info if it crashes. I have several problems with that approach: 1) he had replied that several other customers had had the same problem; 2) our current AIP-SSM is a replacement for an RMA'ed one which had choked on the E2 engine upgrade a few months ago; 3) if another S389 upgrade attempt fails, our client's network will be down because our security policy requires the ASA's bypass mode for the AIP-SSM to be "fail-close." My questions to the forum include:
  1) If the "show tech" command is run after an AIP-SSM has rebooted after a previously-attempted S389 upgrade, can it include any information specific to the previously-attempted S389 upgrade? 2) Could the hardware components of the AIP-SSM-10 be inadequate for the combination of the E3 engine plus the cumulative signatures? 3) If the answer to question 2 is "yes" or "possibly," could Cisco modularize the signatures, eg. provide an "only-activated-signatures" (ie smaller) file for customers like us and an "everything" for others? Advice and recommendations heartily requested.

  Based on your show version, you already have E4, what is it that you are trying to do?
  Mike

• Upgrade AIP SSM with Signature Engine 4 file

  When I tried to upload Signature Engine 4 file (IPS-engine-E4-req-7.0-2.pkg),  using FTP server both by CLI and IDM, to new AIP SSM sensor, I got the following  error message:
  Cannot upgrade software on the sensor - socket error:110.
  When I tried to do the same by using these steps: IDM --> Configuration  --> Sensor Management --> Update Sensor --> choose Update is located on  this client --> choose the "IPS-K9-7.0-2-E4.pkg" file --> hit the "Update  Sensor" button, I got the following error message
  The current signature level is S480.The current signature level must be  less than s480 for this package to install.
  Here is the output for sh ver command
  AIP_SSM# sh version
  Application Partition:
  Cisco Intrusion Prevention System, Version 7.0(2)E4
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S480.0                   2010-03-24
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               ASA-SSM-10
  Serial Number:          JAF1514BAHS
  Licensed, expires:      07-Jun-2012 UTC
  Sensor up-time is 21 days.
  Using 695943168 out of 1032495104 bytes of available memory (67% usage)
  system is using 17.4M out of 38.5M bytes of available disk space (45% usage)
  application-data is using 45.4M out of 166.8M bytes of available disk space (29% usage)
  boot is using 41.6M out of 68.6M bytes of available disk space (64% usage)
  application-log is using 123.5M out of 513.0M bytes of available disk space (24% usage)
  MainApp            B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
  AnalysisEngine     BE-BEAU_E4_2010_MAR_25_02_09_7_0_2   (Ipsbuild)   2010-03-25T02:11:05-0500   Running
  CollaborationApp   B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500   Running
  CLI                B-BEAU_2009_OCT_15_08_07_7_0_1_111   (Ipsbuild)   2009-10-15T08:09:06-0500
  Upgrade History:
    IPS-K9-7.0-2-E4   02:00:07 UTC Thu Mar 25 2010
  Recovery Partition Version 1.1 - 7.0(2)E4
  Host Certificate Valid from: 30-May-2011 to 30-May-2013
  Any idea what could be the problem?
  Regards,

  Based on your show version, you already have E4, what is it that you are trying to do?
  Mike

• IPS Signature DataBase - ASA IPS/IOS IPS/IPS 42xx/AIP-SSM

  Hi,
  Can anyone briefly tell me the signature database details (No of Signature) among the following devices,
  -->ASA IPS/IOS IPS/IPS 42xx/AIP-SSM.
  Thanks,

  IPS on ASA/PIX = just 50 or so common signatures
  AIP-SSM module = same signatures as Cisco 4200 series sensors. Little minor differences exist (like IPv6 signature support etc.)
  Please rate if helpful.
  Regards
  Farrukh

• AIP-SSM 20 questions

  Hi,
  we have this module on an ASA 5540, while the inspection load is reaching a max of 35% , the cpu is reaching 100% sometimes.
  1- how do i check the current bandwidth in Mbs being inspected ?
  2- how do i check if there is drops when cpu is reaching 100%
  3-if cpu hangs at 100% will fail-open work or will the module start dropping legitimate packets
  4- should i upgrade my card to AIP-SSM 40 allthough inspection load is still 35% ?
  Thank you

  To check if your sensor is dropping packets, get on the CLI and run
  show interface - This will show you an averaged packet loss across all interfaces since last reset and on a per-interface basis.
  show event stat past 01:00 inc missed - This will show you any peaks in your missed pckets over the last hour.

• Monitoring AIM-IPS-K9 and AIP-SSM-10

  Does anyone have any tips on monitoring the IPS devices for being up, healthy, not-in-bypass, and running normally, I had five of them fail after the E3 upgrade (one is still tweaked due what TAC has identified as a corrupt license issue). Although CSMARS 6.0 lists some unreachable devices once daily, it has all devices in the list making it less that useful information, but that is a different question.
  AIM-IPS-K9: 19 ea.
  AIP-SSM-10: 3 ea.

  Cisco had orginally planned to add a "keep alive" signature to 6.0. but that feature got dropped. The intent was to fire off a signature every few mins as long as the sensor was seeing valid traffic. The absence of seeing this signature should trigger some attention to a downed sensor.
  You can write a custom sig, but you have to be able to detect the loss of that event to be of value.

• IPS Labs using AIP SSM 10

  Hi,
  Can anybody send me a lab with a scenario for IPS using AIP SSM 10 and and if they could be for both CLI as well as by using ASDM. Also, when I was trying to access IPS using ASDM, I was getting an error message "Error connecting to sensor. Failed to load sensor-Error getting config data from following modules analysisEngine signatureDefinition networkAccess host". Can anybody please give me a solution for it.
  Thanks.

  Cisco had orginally planned to add a "keep alive" signature to 6.0. but that feature got dropped. The intent was to fire off a signature every few mins as long as the sensor was seeing valid traffic. The absence of seeing this signature should trigger some attention to a downed sensor.
  You can write a custom sig, but you have to be able to detect the loss of that event to be of value.

• Do I need two AIP-SSM modules if I am configuring failover?

  Is it possible to use a single AIP-SSM module in two ASA's that are configured in Active/Standby mode?
  I would like to configure the module in the first ASA with the fail-open setting.  Then, if the first ASA fails, I could then physically remove the AIP-SSM module and place it in the second ASA.
  Would there be any problems configuring it this way?
  Would the active/standby ASA's complain that there is only one AIP-SSM module?
  Thanks in advance.

  Hello Julio. My name is Rogelio, and I would appreciate your answer on a related matter, because I will have to execute the initial configuration of a failover pair, each one with its own IPS module.
  Question: let´s suppose that I execute a basic setup (admin username/password, IP address, mask, gateway), on the IPS module of the active ASA firewall. ¿Will this configuration be replicated to the IPS module of the secondary unit?
  Your kind answer will be greatly appreciated.
  Best regards...

• How to buy license? for AIP-SSM-10 ?

  Hi all
  how to buy license? for AIP-SSM-10 ?
  1. CON-SU1-AS1A1PK9 this is Cisco SMARTnet Support for AIP-SSM-10
  2. do I need smartnet for ASA ?
  3. what is part number of license ?
  ASA5510test# session 1
  Opening command session with slot 1.
  Connected to slot 1. Escape character sequence is 'CTRL-^X'.
  login: cisco
  Password:
  ***NOTICE***
  This product contains cryptographic features and is subject to United States
  and local country laws governing import, export, transfer and use. Delivery
  of Cisco cryptographic products does not imply third-party authority to import,
  export, distribute or use encryption. Importers, exporters, distributors and
  users are responsible for compliance with U.S. and local country laws. By using
  this product you agree to comply with applicable laws and regulations. If you
  are unable to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  ***LICENSE NOTICE***
  There is no license key installed on the SSM-IPS10.
  The system will continue to operate with the currently installed
  signature set.  A valid license must be obtained in order to apply
  signature updates.  Please go to http://www.cisco.com/go/license
  to obtain a new license or install a license.
  sensor#
  sensor# sh ver
  Application Partition:
  Cisco Intrusion Prevention System, Version 6.0(6)E3
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S399.0                   2009-05-06
      Virus Update        V1.4                     2007-03-02
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               ASA-SSM-10
  Serial Number:          ........
  No license present
  Sensor up-time is 21 min.
  Using 655507456 out of 1032499200 bytes of available memory (63% usage)
  application-data is using 39.7M out of 166.8M bytes of available disk space (25%
  usage)
  boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
  MainApp          N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  AnalysisEngine   N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  CLI              N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500
  Upgrade History:
    IPS-K9-6.0-6-E3   17:48:06 UTC Wed Jul 15 2009
  Recovery Partition Version 1.1 - 6.0(6)E3
  sensor#

  Hi,
  CON-SU1-AS2A10K9 contract if for ASA+IPS bundle. If AIP-SSM-10 ws purchased as a spare the contract would be CON-SU1-ASIP10K9.
  I am not sure whether or not this Cisco Service for IPS contract can be  used to cover just the AIP-SSM-10 if it was purchased as part of a  Bundle instead of a Spare.
  I would recommend that you check with your Cisco reseller or Cisco  Sales Representative.
  Sourav

• How to block p2p applications(Bittorent like) with AIP-SSM-10?

  Hi,
  How to block p2p application using AIP-SSM-10 working with ASA5520?AIP is on promiscuous mode.
  Thanks,
  Siva

  There are several signatures that detect p2p, for bit torrent there is 11020.0
  Yahoo triggers: 5539.0, 11200.0, 11212.0, 11217.0 & 11219.0
  etc..
  Some are disabled by default though so please ensure you enable the ones that you need.
  If you want to block these then you will have to use event actions that work in promiscuous setup for example request block connection and tcp reset. Please note that care must be taken when using these event actions.
  For more information about the event actions please refer the link below:
  http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmevtrul.htm#wp1069467

• AIP-SSM Upgrade Procedure

  Hi everybody!
  I have ASA5520 version 8.2(1) with AIP-SSM-20 module
  and I want to upgrade AIP-SSM-20 software from version 6.1(3)E3 to 7.0(2)E4
  I go to the download site and see the following list:
  Intrusion Prevention System (IPS) Recovery Software:
  IPS-K9-r-1.1-a-7.0-2-E4.pkg
          Release Date: 29/Mar/2010
          IPS Recovery Image File
  Intrusion Prevention System (IPS) Signature Updates:
  IPS-sig-S481-req-E4.pkg
          Release Date: 31/Mar/2010
          E4 Signature Update S481
  Intrusion Prevention System (IPS) System Software:
  IPS-SSM_20-K9-sys-1.1-a-7.0-2-E4.img
          Release Date: 29/Mar/2010
          IPS-SSM_20 System Image File
  Intrusion Prevention System (IPS) System Upgrades
  IPS-K9-7.0-2-E4.pkg
          Release Date: 29/Mar/2010
          IPS 7.0 Major Upgrade File (All Supported Platforms Except AIM-IPS and NME-IPS)
  IPS-engine-E4-req-7.0-2.pkg
          Release Date: 29/Mar/2010
          IPS E4 Engine Update
  I am somewhat confused by the number of files and want to ask what the procedure/sequence I should follow to upgrade?

  This is the file that you would like to use to upgrade it:
  Intrusion Prevention System  (IPS) System Upgrades
  IPS-K9-7.0-2-E4.pkg
  To upgrade:
  1) Upload the "IPS-K9-7.0-2-E4.pkg" file through IDM
  2) IDM --> Configuration --> Sensor Management --> Update Sensor --> choose Update is located on this client --> choose the "IPS-K9-7.0-2-E4.pkg" file --> hit the "Update Sensor" button.
  It will take a while (around 20 minutes) to upgrade the sensor, so don't panic if it doesn't come back up in "UP" status straight away.
  Hope that helps.