How to convert Cisco IPS signatures to a MARS events - no keyword search

I am trying to run a scheduled report looking for the new Microsoft exploit under the IPS S411 release, SIGID 19339.0, and I am trying to form the query looking for the event this falls under without using a keyword search on the SIGID. Does anyone know how to correlate an IPS signature to a MARS event?
Thanks,
Mike

With the help of on-box local event correlation technology you can correlate. On-box local event correlation technology not only enables detection, but actually blocks multi-event attacks and malware in real time, complementing security incident management software such as the Cisco Security Monitoring, Analysis, and Reporting System (Cisco Security MARS), which correlates events across multiple devices.
It integrates with the Cisco Security Manager to correlate security events with the configured firewall rules and intrusion prevention system (IPS) signatures that can affect the security event.

Similar Messages

  • User account to download Cisco IPS signature

    Hi All,
    I wanted to enable the Autoupdate in IPS, but it asks for a Cisco account with cryptographic privileges to download Cisco IPS signature and signature engine updates from Cisco.com.
    Is there any default account for this?
    I have a CCO account; can that be used?
    You must have a Cisco.com user account with cryptographic privileges to download Cisco IPS signature and signature engine updates from Cisco.com.

    Using your cisco.com account, go to this link and see if you can download the IPS-K9-6.1-2-E3.pkg file to your own desktop machine.
    http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=6.1%282%29E3&mdfid=280302728&sftType=Intrusion+Prevention+System+%28IPS%29+System+Upgrades&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+IPS+4260+Sensor&treeMdfId=278875311&treeName=Intrusion+Prevention+System+%28IPS%29&modifmdfid=null&imname=&hybrid=Y&imst=N&lr=Y
    If you can download this file with your account, then you can use that account and password when configuring the sensor for the cisco.com automatic upgrades.
    If you cannot download the file with your account, then your account does not have the right settings.
    Either your account does not have crypto access, or your account is not properly linked to your service contract for your sensors.
    There are a handful of countries not allowed to have crypto access; users from all other countries would just need to get their account modified for crypto access (I am not sure what that procedure is).

  • How often does Cisco release signature updates?

    Hi, I would like to know how often Cisco releases updates for the signature engine for the IPS appliances. I was not sure whether to set the auto update from Cisco.com to every day, every hour or once a week.
    Also, can you advise me of the recommended setting for the Bypass feature for the interfaces?

    Since the auto-update checks go out the management interface, it may be better to have it set for every hour. That way you won't have delays in the critical updates. Assuming you are in inline traffic mode, setting the bypass to "auto" is the recommended setting for interfaces. That is also the default.
    Madhu

  • IOS IPS Signature-File

    Hi Guys,
    We have recently purchased a Cisco ISR 2921, and in its docs it is written that this product has a license for the IOS IPS signature file, but on the product's flash memory there is no IOS IPS sig-file, and when I try to download the sig-file from Cisco, it fails.
    Can anyone tell me if there is an alternate way to download the sig-file?

    900 active signatures is quite a lot for a system that has no dedicated IPS resources.
    But you can control which and how many signatures get enabled on your router:
    In the following example I first disable all signatures and then enable the ones for web servers. So just decide which signatures you need. But don't forget to monitor your router resources.
    gw#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    gw(config)#ip ips signature-category
    gw(config-ips-category)#?
    IPS signature category configuration commands:
      category  Category keyword
      exit      Exit from Category Mode
      no        Negate or set default values of a command
    gw(config-ips-category)#category ?
      adware/spyware                Adware/Spyware (more sub-categories)
      all                           All Categories
      attack                        Attack (more sub-categories)
      configurations                Configurations (more sub-categories)
      ddos                          DDoS (more sub-categories)
      dos                           DoS (more sub-categories)
      email                         Email (more sub-categories)
      instant_messaging             Instant Messaging (more sub-categories)
      ios_ips                       IOS IPS (more sub-categories)
      l2/l3/l4_protocol             L2/L3/L4 Protocol (more sub-categories)
      network_services              Network Services (more sub-categories)
      os                            OS (more sub-categories)
      other_services                Other Services (more sub-categories)
      p2p                           P2P (more sub-categories)
      reconnaissance                Reconnaissance (more sub-categories)
      releases                      Releases (more sub-categories)
      specially_licensed_signature  Specially Licensed Signature (more sub-categories)
      telepresence                  TelePresence (more sub-categories)
      uc_protection                 UC Protection (more sub-categories)
      viruses/worms/trojans         Viruses/Worms/Trojans (more sub-categories)
      web_server                    Web Server (more sub-categories)
    gw(config-ips-category)#category all
    gw(config-ips-category-action)#retire true
    gw(config-ips-category-action)#exit              
    gw(config-ips-category)#category web_server
    gw(config-ips-category-action)#?
    Category Options for configuration:
      alert-severity   Alarm Severity Rating
      enabled          Enable Category Signatures
      event-action     Action
      exit             Exit from Category Actions Mode
      fidelity-rating  Signature Fidelity Rating
      no               Negate or set default values of a command
      retired          Retire Category Signatures
    gw(config-ips-category-action)#retired false
    gw(config-ips-category-action)#exit
    gw(config-ips-category)#exit
    Do you want to accept these changes? [confirm]
    gw(config)#
    gw(config)#exit
    gw#sh ip ips configuration | s IPS Signature Status
    IPS Signature Status
        Total Active Signatures: 131
        Total Inactive Signatures: 4370
    gw#
    I didn't follow the thread and answered your first post to have less line-breaks in this post.

  • IPS Signature Knowledge

    Hi Cisco,
    How can we see the details of a Cisco IPS signature? I want to see the priority (High/Medium/Low) of the latest signature.
    E.g., if I upgrade my IPS sensor with the latest signature and I want to see which high or critical signatures Cisco updated in
    this signature, then what is the process to check this, or where?
    Kind Regards,
    Salman Ahmed

    You can check the release notes/readme file for the version that you upgrade to, and it will advise if there are any changes to the existing signatures.

  • Launchctl: how to convert a plist file (just to know)

    I bought my MacPro with OS X 10.5 and immediately converted it to 10.6 at the first boot, so I don't know if this "issue" was present in 10.5 too (if it matters).
    First of all: it's NOT a problem (I guess), but I only wish to know how to "convert xyz.plist to launchctl", as I wandered the net searching for info but found nearly nothing about it.
    Details: (the Mac is performing really well, booting and shutting down correctly, but) at boot time, which I do every time in verbose mode (yes, I like it), I read every time launchctl complaining about three files to "convert":
    /etc/mach_init.d/chum.plist
    /etc/mach_init.d/dashboardadvisoryd.plist
    /etc/mach_init.d/pilotfish.plist
    Cutting one of them, chum.plist, it seems to me that it's already "converted" into launchctl format:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>Command</key>
    <string>/usr/libexec/chum</string>
    <key>OnDemand</key>
    <true/>
    <key>ServiceName</key>
    <string>com.apple.chud.chum</string>
    </dict>
    </plist>
    So... what does launchctl want? And HOW TO convert this file (and the other two) to its format?
    It's a kind of curiosity. Even man launchctl didn't enlighten me enough.

    sky65 wrote:
    Thanks, I know it, but if the system complains about something, I think a problem should be fixed (by me or by someone).
    It will be, in due time. It isn't important that it be fixed right now, or Apple would have done it for those items. The inetd method has not been deprecated and still functions as it has in Unix for a long time.
    As a sort of "conversion" is requested, I asked how to convert, or for a different solution to avoid the system's complaint.
    (note: a "solution" is what really solves a problem, not just switch off the TV to avoid looking at something awful ;))
    And I gave you the path to the solution in the link I posted. There's a lot to learn if you want to convert those yourself.

  • Cisco ips link update signature automatically ?

    Dear all,
    I would like to know what address or link we need to update the IPS 4240 signature automatically from Cisco.
    Our IPS config shows this link. Is it correct?
    user-name sabirins1978
    cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    Thanks.
    Regards,
    Budy

    Umm, I tried to access both links..
    I could access the page using the link with one slash (https://198.133.219.25/cgi-bin/front.x/ida/locator/locator.pl), but I couldn't access the page using the link with two slashes (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) with the error message: "The Page you requsted is not available".
    So, which one is the correct one?
    Is the license only needed for automatically updating the intrusion signatures (not including firmware/engine updates)?
    Approximately how often is the signature update released by Cisco?
    Regards,
    Daniel

  • How to convert a pdf file with hand-written signature?

    How to convert a pdf file with hand-written signature?

    Hi Lotus1215,
    Once the document is signed we cannot edit that document, hence conversion is not possible.
    Please see the article mentioned below
    http://forums.adobe.com/docs/DOC-1515
    Let me know if you have any other question.
    Regards,
    ~Pranav

  • How to upgrade IPS Signature

    Can anyone help me with the steps for upgrading the IPS signature for the platforms ASA SSM-20, IDS 4215 and WS-SVC-IDSM-2 via IDM and IME? All the sensors are already upgraded with engine E4 and signature S480.
    Can I upgrade the signature directly from S480 to S507? Please let me know the file which I need to download. Is there any impact while updating the signature, like a reboot?

    Hi Gangadaran,
    We can apply the same package on all the mentioned platforms. It can be applied to all the platforms below:
    - IPS-42xx Cisco Intrusion Prevention System (IPS) sensors
    - IDS-42xx Cisco Intrusion Detection System (IDS) sensors (except the IDS-4220, and IDS-4230)
    - WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM2)
    - NM-CIDS IDS Network Module for Cisco 26xx, 3680, and 37xx Router Families.
    - ASA-SSM-10 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
    - ASA-SSM-20 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
    - ASA-SSM-40 Cisco ASA Advanced Inspection and Prevention Security Services Module (Requires ASA)
    - AIM-IPS Cisco Advanced Integration Module for ISR Routers
    Refer to the readme for all details:
    http://www.cisco.com/web/software/282549755/37074/IPS-sig-S507.readme.txt
    All the best!!
    Thanks,
    Prapanch

  • How many event actions filters a cisco ips can support

    We are running Cisco IPS 7.0(2) E4, and we are planning to tune some of the traffic every day. Any idea how many event action filters can be applied to a sensor, or is there any maximum limit on the number of filters?

    There is no limit to how many event action filters you can configure. I assume that you also know that event action filters are an ordered list:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_event_action_rules.html#wp2033432
    Also, found this bug FYI: bugID: CSCtf78755:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf78755
    (When over 495 event action filters are configured via CLI, it's corrupting "rules0.xml" file)
    Hope that answers your question.

  • How to smartnet to update IPS signature

    I just got the SmartNet contract number from my vendor, but I am not sure how to use it to update my IPS signature.
    Can anyone please point it out?
    Regards, CT

    I had this same problem when trying to drag and drop an RSS feed gadget to a dashboard. I was able to get it to work by clicking the add button instead of doing a drag and drop. It still displays the error but it adds the gadget. Once the gadget has been added to the dashboard you can modify it by clicking the wrench icon.

  • How often ARE those IPS virus signatures updated?

    I was looking at a "show version" on one of my current sensors and noticed that the last virus signature was over 7 months ago. Now, one of the big reasons I was told we had to pay for our 5.x licenses was these virus signatures. If that's true, and this is the additional value Trend Micro has brought to our sensors, should they get updated a little more frequently?
    (from my sensor)
    Cisco Intrusion Prevention System, Version 5.1(1p1)S235.0
    Host:
    Realm Keys key1.0
    Signature Definition:
    Signature Update S235.0 2006-06-22
    Virus Update V1.2 2005-11-24

    The Virus Signature from Trend was one reason for the licensing in 5.x, but was not the only reason and was not even the primary reason.
    Even as far back as version 2.x a support contract was required for downloading and installing signature updates, but this was not enforced by the software. We relied on the users keeping the support contracts up to date on their own. Many users downloaded and installed signature updates without paying for the support contract, and the vast majority did not realize that a support contract was needed to receive the signature updates.
    With the lack of support contract purchases it became difficult to continue fielding a team for writing IPS signature updates.
    So in version 5.x it was decided to begin enforcing the purchase of support contracts through the use of Signature Update Licenses as part of the Cisco Service for IPS contracts, thus ensuring funding for the signature team and allowing the team to spread out worldwide for 24-hour coverage.
    The additional cost of a Cisco Service for IPS contract when compared to standard SmartNET contracts for other Cisco products is for the specific funding of the Cisco signature team, and a small amount sent to Trend for assistance in signature creation. Only a small portion of the support contract is paid to Trend Micro for their support.
    The virus signatures are part of the Cisco Incident Control System (Cisco ICS). With the purchase of ICS there is faster deployment of signatures for viruses/worms. When a virus or worm reaches a critical level, Trend Micro can create their own virus signatures and have Cisco ICS deploy those signatures to the sensors as soon as they are written.
    Cisco then includes these virus signatures in a later standard Cisco signature update.
    Now, as for why there have not been any recent updates to the virus signatures: there has not been a major outbreak in the past 6/7 months. The virus signatures are only created on an emergency basis when a virus or worm reaches a critical level. Cisco ICS was specifically designed for handling virus and worm outbreaks, and is referred to as Outbreak Prevention.
    If the virus/worm does not reach a critical level, then the emergency Virus signatures are not created.
    Instead the Cisco signature team will take care of them as part of the standard Cisco signatures that are included as part of the standard S updates.
    This doesn't mean that we are not receiving information from Trend. For viruses/worms that do not reach that critical level, the Trend team will instead send information to Cisco for creation of standard Cisco signatures by the Cisco signature team. This way the Cisco team can create a more general signature designed to catch all attacks for a certain vulnerability, which will catch that specific virus/worm as well as future viruses/worms that may also attempt to exploit the same vulnerability. These signatures wind up as part of the standard S update. This method is used because the Cisco signature team has more in-depth knowledge of the various engines in Cisco IPS and can often write signatures that the Trend engineers would not be able to.
    It is only when the Trend Micro engineers need to create an emergency update that they will create their V signatures for the specific virus/worm.
    Otherwise they share the information with Cisco and the Cisco engineers create the signature.
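    The question above quotes a "show version" excerpt and asks how old the S and V update levels are. As an added example (not code from any of the posts, and not a Cisco tool), here is a small Python check that parses that excerpt, extracts each update level with its date, and flags levels older than a threshold; the sample text is constructed to match the quoted excerpt, and the per-kind thresholds are assumed values. By default only the S level is checked, since the reply explains that V updates ship only for outbreaks, so their age alone says little.

```python
import re
from datetime import date

# Constructed sample, modelled on the "show version" excerpt quoted in the question.
SAMPLE_SHOW_VERSION = """\
Cisco Intrusion Prevention System, Version 5.1(1p1)S235.0
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S235.0   2006-06-22
    Virus Update        V1.2     2005-11-24
"""

# One "<kind> Update <level> <YYYY-MM-DD>" line per update type in the Signature Definition block.
UPDATE_LINE = re.compile(
    r"^\s*(?P<kind>Signature|Virus) Update\s+(?P<level>\S+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s*$",
    re.MULTILINE,
)


def parse_update_levels(show_version: str) -> dict:
    """Map update kind ('Signature' / 'Virus') to (level, install date) from show version text."""
    found = {}
    for m in UPDATE_LINE.finditer(show_version):
        found[m.group("kind")] = (m.group("level"), date.fromisoformat(m.group("date")))
    return found


def stale_updates(show_version: str, today_iso: str, max_age_days: dict = None) -> list:
    """Return sorted (kind, level, age_in_days) tuples for update kinds older than their threshold.

    max_age_days maps a kind to its allowed age; kinds absent from the map are not checked.
    The default (assumed value) checks only the S level, because V updates are released on an
    emergency basis and a long gap between them does not by itself mean the sensor is behind.
    """
    if max_age_days is None:
        max_age_days = {"Signature": 30}
    today = date.fromisoformat(today_iso)
    stale = []
    for kind, (level, installed) in parse_update_levels(show_version).items():
        limit = max_age_days.get(kind)
        if limit is None:
            continue
        age = (today - installed).days
        if age > limit:
            stale.append((kind, level, age))
    return sorted(stale)


if __name__ == "__main__":
    for kind, (level, installed) in parse_update_levels(SAMPLE_SHOW_VERSION).items():
        print(f"{kind:9s} {level:8s} installed {installed}")
    print("stale:", stale_updates(SAMPLE_SHOW_VERSION, "2006-08-01"))
```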

  • Is it really possible to revert IPS signatures from CSM

    Hi folks,
    I've been trying to revert IPS signatures that I deployed through CSM signature policies to the older release, but it doesn't seem to be working. Contrary to that, Cisco's CSM guide says:
    "If you later decide that you did not want to apply a signature update, you can revert to the previous update level by selecting the Signatures policy on the device, clicking the View Update Level button, and clicking Revert."
    I can't imagine it is possible, as the signatures are normally compiled into XML files. How would the sensor do it?
    Eugene

    During installation a copy of files that will be replaced or updated during the installation will be copied into a backup directory.
    The CLI has a "downgrade" command that can uninstall the last update, and the backup copies will be used to replace the files being removed.
    A few things to be aware of:
    1) Old configuration will be copied back. So changes made since the update may be lost.
    2) This works only for Engine Updates and Signature Updates. Major Updates, Minor Updates, and Service Packs replace the complete operating system so there is too much data to try and make backup copies for.
    3) This works only for the last update installed. Once you've downgraded the latest one, you can't downgrade the previous one.
    4) This can be done through the CLI, and is now also available in CSM.
    Here are some things to check in your situation where it appears to not be working.
    Login to the sensor and execute "show ver".
    Does the history in the "show ver" output show a Signature Update package as the last update installed?
    If not then either another downgrade was previously done, or a Major Update, Minor Update, or Service Pack was the last package installed and can't be downgraded.
    If it can't be done through CSM, you might try the CLI's "downgrade" command and see if it works through the CLI, or if the CLI gives you an error and explanation.

  • Correct procedure to update IOS IPS signatures on 2911 router

    What is the correct procedure to update the IOS IPS signatures on an 2911 router?
    I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
    Thank you in advance!

    The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling a lot more signatures, especially not every single signature as documented.
    The reason is that the package might include retired/old signatures only for reference, and not every single signature is required to protect your environment: you might not have the traffic for some signatures, or you might not have the end hosts that specific signatures are written for, so it becomes irrelevant if you enable them.
    Typically, here is how customers would enable/disable signatures:
    - Use the default signatures that are enabled by Cisco (the default should fit the majority of customers).
    - Monitor it for a couple of months
    - Disable those that you don't need, and enable others if you think you require it for specific.
