Defect in current IPS signatures causing crashes

Similar Messages

• Where do IPS signature save at?

  Hi
  i successfully load the IOS IPS package into the router, verify via CLI and CCP the IPS signature did compile on the router. (advanced mode, around 588 signature is active)
  but it went gone (happened twice), i just want to ensure few things
  1. i did shut down my router, and migrate to production site, would it cause by the power off / on then IPS signature missing?
  2. i did remove the "ip ips iosips in/out" command that previous apply at my interface, would this cause the IPS disable and gone?
  just counldn't figure out why now my router only have 3 signature only..
  thanks

  1. Please use the doc below for reference on how to configure IOS-IPS on the router. I will try to answer your questions using this document.
  http://tools.cisco.com/squish/9Be6a
  2. You will see in step 2.1 we create directory on flash to store all the signature files and configurations.
  e.g:
  mkdir
  router#mkdir ips
  Create directory filename [ips]
  Created dir flash:ips
  3. In step 4.2 , we configure IPS signature storage location by referencing the directory we created above.
  e.g:
  ip ips config location flash:
  router(config)#ip ips config location flash:ips
  This is where the signature files will be stored.
  4. In step 5.1 we copy the signature files to the router.
  e.g:
               router#copy ftp://cisco:[email protected]/IOS-S310-CLI.pkg idconf
  Loading IOS-S310-CLI.pkg !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  [OK - 7608873/4096 bytes]
  The idconf command compiles the signature after the file is copied.
  5. If all the above steps are done correctly, you should see the following files in flash:
  router#dir ips
  Directory of flash:/ips/
  7 -rw- 203419 Feb 14 2008 16:45:24 -08:00 router-sigdef-default.xml  <----Contains factory default signature definitions.
  8 -rw- 271 Feb 14 2008 16:43:36 -08:00 router-sigdef-delta.xml
  9 -rw- 6159 Feb 14 2008 16:44:24 -08:00 router-sigdef-typedef.xml
  10 -rw- 22873 Feb 14 2008 16:44:26 -08:00 router-sigdef-category.xml
  11 -rw- 257 Feb 14 2008 16:43:36 -08:00 router-seap-delta.xml
  12 -rw- 491 Feb 14 2008 16:43:36 -08:00 router-seap-typedef.xml
  64016384 bytes total (12693504 bytes free)
  6. Make sure you do a 'Router#write memory' before you reload the router. This way the configuration done gets stored and is preserved after reboot.
  Also make sure your configuration register on the router is correctly set to 0x2102.
  Sid Chandrachud
  TAC security solutions

• Barn doors transition causes crash

  Dear Community,
  Applied barn doors transition to a project in CS4. Stored that project in 2010.
  Opened the project in CS6 CC - and barn doors caused crashes - so I cleaned off the old and applied replacement barn door transitions in CS6 CC.
  Once the wipe is applied - its fairly stable - sometime crashes sometimes doesn't.
  If I apply a broder colour to the wipe - all ok.
  If I then apply a border thickness - crash every time.
  System;
  Premiere Pro CS6 - 6.0.3 (001 (MC: 264587)) through cloud membership
  Updated and current
  Win 7 Pro - SP1 - 64 Bit
  Source footage SONY EX3 - .mp4 and still image .png's
  No error messages - just crash and need to restart PP CS6
  Try to apply colour and border to a barn door transition causes the error
  This worked before on the smae project when created in CS4
  Not running other software at the time
  NewBlueFX modules installed but not applied to this area of sequence
  i7 - 3.20GHz, 16GB RAM, SSD OS drive, 4 x drive RAID on LSI RAID card, - No I/O hardware
  I am using Are you using Mercury Playback Engine Acceleration and CUDA
  Problem occurs during normal edit - as soon as I start to adjust the barn doors wipe - I don't get to compression
  Thanks
  Dave

  Doies it help anyone that I just received this from the email address; [email protected];
  Hello,
  You have received this email because the content you posted below has been rejected by our moderators.
  Re: Barn doors transition causes crash
  posted Jun 5, 2013 5:15 PM  
  Since the original report earlier today - I now just have to put the timeline scrubber over the barn doors transition and PP CS6 closes without an error message and without saving. The unfortunate part here is there doesn't seem to be any record or log of the crashes to be able to disseminate whats going wrong.
    Barn doors worked in CS4 - and the only change in this project is the re-opening in CS6 CC."
  Question; Did I put something in there that was defammatory, rude, obnoxious, incorrect or un-helpful?
  If anyone here believes I did, I sincerely apologise for the need of moderators to have intervened... and for causing any offence.

• Photoshop CC Content - Aware Move Tool causes crash

  Does anyone have any ideas why this is happening? Content Aware Move tool causes crash every time so far with tiff and jpegs and its getting frustrating!
  I have Windows 8.1 Pro with 8GB RAM
  NVIDIA GeForce GT 650M Graphics
  Photoshop CC 64 bit

  Thanks for the reply JJMack - I have to be honest, i'm not exactly sure what i'm looking for here!
  Source
  Adobe Photoshop CC 2014
  Summary
  Stopped working
  Date
  06/04/2015 09:45
  Status
  Report sent
  Description
  Faulting Application Path: C:\Program Files\Adobe\Adobe Photoshop CC 2014\Photoshop.exe
  Problem signature
  Problem Event Name: APPCRASH
  Application Name: Photoshop.exe
  Application Version: 15.2.2.310
  Application Timestamp: 5480338c
  Fault Module Name: FaceDetection.dll
  Fault Module Version: 2.2.6.32411
  Fault Module Timestamp: 52e12400
  Exception Code: c0000005
  Exception Offset: 000000000001704d
  OS Version: 6.3.9600.2.0.0.256.48
  Locale ID: 2057
  Additional Information 1: e87c
  Additional Information 2: e87c816cbb2acbf5e54624fc2b1f98cc
  Additional Information 3: 1879
  Additional Information 4: 1879b998534215d47b0a850e45784427
  Extra information about the problem
  Bucket ID: 2dac81db98a57fddf5997edfd40ba6eb (85993531415)

• Anyone else notice IPS Signature 1802/0 firing frequently?

  We have seen IPS Signature 1802/0-"Ruby on Rails Remote Code Execution Vulnerability" trigger frequently on any webpage with XML with YAML content I'm wondering if anyone else has seen this new signature fire frequently.
  It looks to me that this signature has not been tuned correctly by Cisco. We don't use Ruby on Rails anywhere in our environment, so we went ahead and disabled the signature, I'm just wondering if anyone else has seen this too.

  Logged a TAC case and they are working on an update. You are correct this is a signature issue. No time table given. Since the new signature will replace the old one, they recomended we disable the current signature if the alerts were too much.

• IPS Signature Update - CSM v3.3 SP1

  Hi,
  I am getting the following error message when deploying IPS signature updates to some of my sensors via the CSM deployment tool:
  "Failed to generate edit config delta  for host component. Detail: Error while processing the host component with DNS,access-list or http-proxy"
  The signature update actually deploys, but I am wondering what is causing this message.  I get this with some 4240, 4255 and IDSM-II blades, but not with others and I can't see any config variances.
  Does anyone have any ideas what is causing this message?  The access ACLs are the same for each sensor.
  Many thanks

  Hi Liam,
  As you mentioned you are using a shared policy, and the access ACLs for all sensors are the same, I assume that you may be using an "Allowed Hosts" shared policy.
  In that case, how did you create that policy ?
  Did you create the policy from the policy view page, or did you right click on the "Allowed Hosts" setting of a device in device view and select "share policy" ?
  If you did the first, you may be running into a known issue. You can read more about this on the bug toolkit:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg02063
  This is the workaround that should work for you in case you are indeed running into this issue:
  1. Rediscover or newly add any one IPS device running 7.x version
  2. Create entries for "Allowed Hosts" according to requirements.
  3. Right click on "Allowed Hosts", select "Share Policy..." and specify a name for shared policy.
  4. Assign this "Allowed Hosts" shared policy to one or more devices.
  5. Deployment should now be successful for "Allowed Hosts".

• 2651XM IPS Signature Update?

  Hello,
  I have a 2651XM 256MB/32MB running 12.4(25) and I would like to update the IPS signature file.  I see that the last update for 256MB.sdf was from Aug 2008.  The latest IPS I found is IPS-sig-S518-req-E4.pkg from
  http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Intrusion+Prevention+System+%28IPS%29+Signature+Updates&mdfid=277801011&treeName=Security&mdfLevel=Model&url=null&modelName=Cisco+2651XM+Multiservice+Router&isPlatform=N&treeMdfId=268438162&modifmdfid=278279418&imname=Cisco+IDS+Access+Router+Network+Module&hybrid=Y&imst=Y
  I've tried the command
  ip ips sdf location flash:\\IPS-sig-S518-req-E4.pkg
  ip ips sdf location flash:IPS-sig-S518-req-E4.pkg
  but when I apply IPS to an interface and run 'show ip ips all' no signatures load and I get a message 'invalid token'.
  I also tried seeing if the latest SDM will help but nothing.
  My question is, what is it that I am doing wrong or missing?  Is my router too old to be able to get the latest signature files?
  Any advice or guidance to the right direction is much appreciated.
  Thanks

  You have a version of IOS that includes the older version of the IOS IPS feature (referred to as v4).  This release only supports signature updates using the SDF formatted files.  These files are no longer updated.
  The signature update file you found (ending in .pkg) is the signature update package supported by Cisco's IPS appliances and is not compatible with the IOS IPS feature set.
  The current IOS IPS feature (referred to as v5) also makes use of .pkg files.  You will need to upgrade the IOS of your 2651 to a release in the T train such as 12.4(24)T2 to obtain the latest IOS IPS feature release.
  You can find out more about the IOS IPS feature set here:
  http://www.cisco.com/go/iosips
    For starting with IOS IPS v5:
  http://www.cisco.com/en/US/products/ps6634/products_tech_note09186a008097db66.shtml
  Scott

• IPS signature update

  i would like to get some idea for IOS IPS signature update.
  example currently the router fresh install using IOS-S416-CLI.pkg, IOS category ios_ips in advanced mode, with retired false.
  Just wonder what if next time download and loading with latest patch of the IOS-SXXX-CLI.pkg into the machine, what will effect on the current compiled signature?
  will it just loaded in incremental form?  (meaning is it the signature in latest patch will added as new enable signature), then what about the signature previously being modified and save one, any effect on it? (like re-write my previous save signature)
  with the new patch install, would it also effect on the router DRAM and flash size? (my router with 384 mb DRAM and 128mb flash)
  thanks

  Hi,
  When you compile a new signature package on a router that carries an existing signature database, the signature configuration in the new signature package will supersede the router's existing database's signature configuration. Thus, if you have made changes to the signature database on the your router, and you compile in an updated signature package that contradicts your changes, your changes will be overwritten!!, and will need to be re-created.
  You can avoid having to re-create your changes if you copy the "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" file to some other location on the router's local storage, and re-apply the original "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" to the updated signature database after you have compiled the updated signature package to the router's database.
  And don't forget, the basic signature category is appropriate for routers with less than 128 MB of flash memory, and the advanced signature category is appropriate for routers with more than 128 MB of flash memory.
  Hope this helps,
  Thank You,

• Mars box MARS box v4.3.5 (2838) IPS Signature Version 330 upgrade

  Hi, I have the software MARS box v4.3.5 (2838) IPS Signature Version 330
  Is there any upgrade available for it?
  Where can I found info for upgarding the software and IPS Signature on Cisco Web Site?
  I also want to integrate CiscoWorks, LMS 2.6 to sent SNMP Trap Notification to the MARS box v4.3.5 (2838) IPS Signature Version 330. Is it possible and what would be the port # on the MARS box?

  You are already running the latest software for the Generation 1 MARS appliances. You can find newer updates here:
  http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars
  For IPS, it is better to turn on automatic updates. Just go to:
  Admin >> System Setup >> IPS Signature Dynamic Update Settings
  The URL is already set there, just put your CCO username/password and click 'Update Now' then hit 'Submit'. I think the current Signature release is 352. You can manually downlaod them from here if you like:
  http://www.cisco.com/cgi-bin/tablebuild.pl/mars-ips-sigup
  Please rate if helpful.
  Regards
  Farrukh

• IPS Signature Update. The IPS is left hanging.

  I have performed a IPS signature ID update once the definition have been updated the IPS is left hanging and I need to perform a reload.  The config has been verified as not a possible cause for this adverse effect.  Have people had issue of this sort? What would cause the IPS to effectively stall when upgrade takes place? Any solutions?

  Please use the below troubleshoot guide
  http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113674-ips-automatic-signature-update-00.html#troubleshoot

• Is it really possible to revert IPS signatures from CSM

  Hi folks,
  I've been trying to revert IPS signatures that I deployed through CSM Signature policies to the older release but it doesn't seem to be working. Contrary to it Cisco's CSM guide says:
  If you later decide that you did not want to apply a signature update, you can revert to the
  previous update level by selecting the Signatures policy on the device, clicking the View
  Update Level button, and clicking Revert
  I can't imagine it is possible as the signatures are normally compiled into xml files. How would the sensor do it ?
  Eugene

  During installation a copy of files that will be replaced or updated during the installation will be copied into a backup directory.
  The CLI has a "downgrade" command that can uninstall the last update, and the backup copies will be used to replace the files being removed.
  A few things to be aware of:
  1) Old configuration will be copied back. So changes made since the update may be lost.
  2) This works only for Engine Updates and Signature Updates. Major Updates, Minor Updates, and Service Packs replace the complete operating system so there is too much data to try and make backup copies for.
  3) This works only for the last update installed. Once you've downgraded the latest one, you can't downgrade the previous one.
  4) This can be done through CLI, and now also available in CSM.
  Here are some things to check in your situation where it appears to not be working.
  Login to the sensor and execute "show ver".
  Does the history in the "show ver" output show a Signature Update package as the last update installed?
  If not then either another downgrade was previously done, or a Major Update, Minor Update, or Service Pack was the last package installed and can't be downgraded.
  If it can't be done through CSM you might try the CLI' "downgrade" command and see if it works through the CLI or if the CLI gives you an error and explanation.

• Photoshop CS4 and graphic cards. Can cause crashing?

  Since upgrading to CS4 I seem to have increased crashing.
  Here are my system specs.
  Mac 2 x 2.66 GHz Dual-Core Intel Xeon
  9 GB of Ram
  250 GB internal dedicated scratch disc
  NVDIA GeForce 7300 GT with 256 VRAM
  After having endless techs look at my machine and upgrading everything. I am beginning to suspect the graphics card.
  With OpenGL can a underperforming video card cause crashing in photoshop especially with massive file sizes ( multilayered CMYK poster sized files the can exceed 7 GB)?

  Did you install the 11.0.1 update?
  Is your OS up to date with patches?
  Have you tried disabling OpenGL in preferences to avoid using the GPU/Graphics card?

• Correct procedure to update IOS IPS signatures on 2911 router

  What is the correct procedure to update the IOS IPS signatures on an 2911 router?
  I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
  Thank you in advance!

  The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling a lot more other signatures, especially not every single signature as documented.
  The reason why is because the package might include retired/old signatures only for references, and not every single signature is required to protect your environment because you might not have the traffic for some signatures, you might not have some end hosts that are written with specific signatures, therefore, it becomes irrelevant if you enable it.
  Typically here is how customer would enable/disable signatures:
  - Use the default signature that is enabled by Cisco (the default should fit majority of the customers).
  - Monitor it for a couple of months
  - Disable those that you don't need, and enable others if you think you require it for specific.

• AutoVue viewer caused crash while viewing .XSLX documents.

  We use AutoVue Desktop Deployment Viewer incorporated in our application (using JNI). When viewing XLSX (Microsoft Excel) documents on Windows 8.1 x64 system it caused crash of application. It's reproducible only on Windows 8 (8.1 or Server2012) systems. If we set compatibility mode (Windows 7) then problem isn't reproducible.

  I would recommend you log a ticket with customer support

• How to upgrade IPS Signature

  Can anyone help me with the steps of upgrading the IPS signature for the platform ASA SSM-20, IDS 4215, WV-SVC-IDSM-2 via IDM and IME. All the sensors are already upgraded with Engine E4 with signature S480.
  Can I upgrade the signature directly from S480 to S507? Please let me know the file which I need to download. Is there any impact while updating the signture like reboot?

  Hi Gangadaran,
  We can apply the same package on all the mentioned platforms. It can be applied to all below platforms:
  - IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
  - IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the IDS-4220, and IDS-4230)
  - WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
  - NM-CIDS IDS Network Module for Cisco 26xx, 3680, and 37xx Router Families.
  - ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
  - ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
  - ASA-SSM-40 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
  - AIM-IPS Cisco Advanced Integration Module for ISR Routers
  Refer the readme for all details:
  http://www.cisco.com/web/software/282549755/37074/IPS-sig-S507.readme.txt
  All the best!!
  Thanks,
  Prapanch