IDS-MC signature upgrade

Similar Messages

• One person on one computer adding multiple electronic IDs or signatures to one document

  I recently created a simple form in Adobe LiveCycle Designer 8.  It has several places for signatures.  I sent along with the form the Adobe user guide instructions for creating electronic IDs and signatures.  However, in several instances, our executives have given their administrative assistants permission to sign for them.  The assistants are also required to add their own signatures.  Apparently, when they click on any signature field, their bosses' signatures come up.  Can someone tell me how one person can create multiple electronic signatures and be able to select from among them in order to fill out one of these forms?

  When a user is signing a form, the digital certificates that are installed (in Acrobat) on the computer being used to sign the PDF will be available to be used to create the signature.  If only the "bosses" certificate is on the machine, this will be the only on available.  Make sure all certificate that could be used to sign are installed on the machine being used to sign.
  This screen shot is from the security settings in Acrobat, it shows multiple certifcates are installed.
  And here is the signature dialog with the option to use one of the installed certificates on the machine...
  Hope this helps.
  Steve

• Filtering IPs on a IDS/IPS signature

  Forgive me, I am pretty green when it comes to manipulting IDS/IPS signatures.
  Is there a way to filter an IP or subnet from a IDS/IPS signature?
  Senario:
  We have 2 ASAs with IPS modules and 2 4260 IDS's, we use IPS Manager Express 6.1 to manage them. I keep getting a mail server that is triggering signature 5748-x because its sending a helo verb instead of a noop. This is fine for this paticular mail server. So i would like to remove its IP or filter its IP from the signature so when this happens the signature doesnt fire. However I dont want to disable the signature in case it happens somewhere else.
  any help is greatly appreciated.
  e-

  It's not really too bad. I would encourage you to read still though;-)
  Each signature can be configured with any number of actions. by default, a lot of them have the "product alert" action.
  event action filters are basically a way to suppress all or some actions based on various criteria, like sigid and source (attacker) ip address. I've attached an example.

• Is A NonDisruptive System/Signature Upgrade Possible?

  Reading the config guides I can't seem to accept that my colleague is correct in saying its possible to do a non disruptive system/signature upgrade on an ASA 5520 with an AIP-SSM-10 module.
  Can you do a nondisruptive system/signature upgrade?

  Short answer...depends on your definitions of non-disruptive and system.
  A more useful answer is that a signature update is designed to be as non-disruptive as possible to sensing. That is, traffic will continue to flow and sensing will continue to happen to as much extent as possible. It is possible that the signature update could siphon off enough processing power to start affecting sensing. If this happens, the sensor can cut in an auto bypass feature (configurable) to unload the CPU enough to get the update finished. Traffic will continue to flow, but sensing would be disrupted momentarily. When the update finishes the bypass is removed and sensing will recover.
  A system update (defined as an Engine Update, Service Pack, Minor, or Major release) will have a greater level of disruptive impact. An Engine Update will invoke bypass and stop sensing activity while the sensing binary (sensorApp) is replaced and restarted. Traffic will flow via the bypass until sensorApp is restarted and then sensing will continue. Service Packs and higher typically have to invoke a system reboot, which will disrupt traffic in the lower performance sensors. The two newest sensors (4260 and 4270) have hardware bypass on the Cu NICs and can invoke that bypass to keep traffic flowing if the network design is correct (inline interface pairs on the same interface card).
  Scott

• Update Network IDS/IPS Signatures

  In the IPS Manager (CSM 3.0) Configuration > Updates > Update Network IDS/IPS Signatures
  Clicking on Apply (For instance, Update File: IPS-sig-S242-minreq-5.0-6.pkg) it appears the following error:
  Object update failed. Unknown update type.
  What is the problem?

  It should be .zip file...
  you can download from the below link
  http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc-ips-sigup-arch

• AIP-SSM crash during S389 Signature upgrade

  Our AIP-SSM [version 6.1(2)E3] crashed during a S389 Signature upgrade on Friday. Neither a "session 1" command from its host, an ASA5520, or a "reload" command of the ASA5520 succeeded in bringing back up the AIP-SSM. Fortunately, after the ASA's power was recycled, the AIP-SSM successfully booted, albeit not to S389, but to its previously loaded S383. I established an SR and supplied the "show tech" and "show config," but the Cisco tech replied "nothing stands out" in them and said just run the S389 update again and send the same info if it crashes. I have several problems with that approach: 1) he had replied that several other customers had had the same problem; 2) our current AIP-SSM is a replacement for an RMA'ed one which had choked on the E2 engine upgrade a few months ago; 3) if another S389 upgrade attempt fails, our client's network will be down because our security policy requires the ASA's bypass mode for the AIP-SSM to be "fail-close." My questions to the forum include:
  1) If the "show tech" command is run after an AIP-SSM has rebooted after a previously-attempted S389 upgrade, can it include any information specific to the previously-attempted S389 upgrade? 2) Could the hardware components of the AIP-SSM-10 be inadequate for the combination of the E3 engine plus the cumulative signatures? 3) If the answer to question 2 is "yes" or "possibly," could Cisco modularize the signatures, eg. provide an "only-activated-signatures" (ie smaller) file for customers like us and an "everything" for others? Advice and recommendations heartily requested.

  Based on your show version, you already have E4, what is it that you are trying to do?
  Mike

• IDS device signature import - some help

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman","serif";
  mso-fareast-font-family:"Times New Roman";}
  Hi there,
  Has anyone ever imported a signature set in an IDS device?
  So you can export signatures to a CSV, but can you import them back in this way? If not, when you create an ‘export file’ in CSM, can you merge that .cfg to the IDS and only affect the signature set?
  I am asking in order to do some deployments to multiple IDS sensors when CSM isn’t function / cant be used to deploy, but only to generate config file.
  Thanks guys!

  CSM has the concept of Signature Policies that do what you want.
  Take your reference sensor that has the signatures tuned the way you want and "share" that signature policy.
  Once shared your can apply this policy to as many other sensors you like. (don't forget to submit and deploy your changes)
  The CSV export is only for makeing spreadsheet or reports of your signature settings/policy.
  If you don;t have CSM you can spill the config of a sensor (show conf) and paste the signature configurations into another sensor via the command line.
  - Bob

• IPS(ASA moduel) signature upgrade cause users lost connectivity to outside

  Hi All:
  need you adivse.
  i have two ASA running A/S mode, both ASA have ASA-SSM-AIP-20-K9 inside with fail-open option and identical configuration
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:宋体;
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Any time i upgrade IPS signature/OS, users will experience around 1 minute downtime to outside.
  Is this a correct behavior?
  Thanks

  Jason;
    That is not expected behavior for signature updates.  On the AIP-SSM's configuration, have you changed the bypass mode to off?
    For software upgrades, which require the AIP-SSM to reboot, a failover of the ASA is expected if you have not disabled the IPS inspection service policy prior to performing the upgrade.
  Scott

• IMS 5.1 and iDS 4.13 Upgrade

  Hi all,
  I'm putting together an environment for testing an upgrade from iMS 5.1 through to the current JES versions and I can't locate a copy of iMS 5.1 and iDS 4.13 - does anyone have a URL that they can be downloaded from?
  I have them running in production but I'm looking for the original installation tar balls.
  Thanks.
  Cheers - Steve

  The migration path from 4.1x to JES is non-trivial. I believe it's a two-stage upgrade, first to iDS 5.2 and then to JES. If I had to do this, I'd start with a fresh install of JES and then import my user data. You'll probably need to add/replace some attributes and objectclasses, but the Directory Server Resource kit (DSRK) has some nifty tools for doing this.
  When I upgraded from 4.1x to iDS 5.2, I was migrating to a new box and it was just easier to do a fresh install. Besides, doing a fresh install means you can get away from the evil tarball and use the Sun package format and patch tools for future upgrades. Yes, there are patches for the tarball format, but I as I stated, I'm not a fan of the tarball install.
  Another piece of advice, stick with schema 1. Then if you have the need, migrate to schema 2. Sun did a nice job of making schema 2 a seprate entity (for lack of a better term). In that going to schema 2 is a seperate set of procedures that you can do any time.
  HTH,
  Roger S.

• Chase Freedom CLI and Visa Signature Upgrade

  I called Chase yesterday to request a CLI on my Freedom card.  She asked me why I wanted an increase and I was honest with her and told her I wanted it increased to be able to upgrade to the Visa Signature version.  So today I was on my Chase account and I am now getting an offer at the top for a free movie that is only for Visa Signature card members, but I don't show a CLI on my card.  Hopefully this means it was approved, it just hasn't gone through!

  kdm31091 wrote:
  Sorry you took a HP for 800 dollar CLI. Its not usually worth bothering with Chase. Even with the HP they rarely give big bumps.
  The best thing is definitely to do the limit transfer, though you dont want to do it repeatedly or youll raise flags. However, its ridiculous to me that that is really the only way to get a decent CLI with them, and its a workaround, not an actual CLI!
  Very very occasionally people get auto CLI but its rare. To me with Chase you just assume and expect that the starting limit is basically the forever limit.With every post like this that I read I'm getting less and less interested in Chase and their policies... Citi too for that matter.

• Does getting a Smartnet contract also give you IDS/IPS signature updates?

  A client of mine is looking into getting an ASA5510 with AIP-SSM module. I realize that with IDS/IPS systems, it is *crucial* to always keep signature files up-to-date. Does purchasing the Smartnet contract for the bundle give me signature file updates or is there some other package I need to buy?
  I see references to "Cisco Services for IPS" but that seems to be mainly for router/IOS-based firewall/IDS packages.

  There is not a Smartnet contract for the ASA/AIP-SSM bundle.
  The only SmartNET contract for SSM bundles are with the CSC-SSM and not the AIP-SSM.
  When purchasing an ASA/AIP-SSM bundle you will need to purchase a bundle maintenance contract. The bundle maintenance contracts are Cisco Service for IPS contracts and include the signature support for the AIP-SSM as well as the software and hardware support on both the AIP-SSM and ASA (the software and hardware support is what it is normally part of SmartNET).
  For the bundles you will want to purchase a Cisco Service for IPS maintenance contract using one of the following part number formats:
  CON-SUw-ASxAyKz
  The "w" will be either 1,2,3, or 4 depending on the level of service.
  The "x" will be either 1 for the 5510, 2 for the 5520, or 4 for the 5540.
  The "y" will be either 10 for the AIP-SSM-10, or 20 for the AIP-SSM-20.
  The z will be either 8 or 9 depending on the encryption level.
  So for example:
  CON-SU2-AS2A20K9 - Would be 8X5X4 support for the ASA-5520 bundled with the AIP-SSM-20 with the higher encryption.
  NOTE: There are also SP contracts for purchase by Service Providers that follow a slightly different format.
  There are a few users who have purchased the ASA and AIP-SSM separately.
  When purcahsed separately you would need to purchase a SmartNET contract for the ASA, and a separate Cisco Service for IPS maintenance contract for the AIP-SSM.
  The AIP-SSM maintenane contract will be in the following format:
  CON-SUw-ASIPyK9
  The "w" will be either 1,2,3, or 4 depending on the level of service.
  The "y" will be either 10 for the AIP-SSM-10, or 20 for the AIP-SSM-20.
  So for example:
  CON-SU2-ASIP20K9 would be 8X5X4 support for the AIP-SSM-20.
  What you will find is that purchasing a separate SmartNET for the ASA and Cisco Service for IPS for the AIP-SSM will be more expensive than purchasing a single Cisco Service for IPS for the ASA/AIP-SSM bundle. This is because there is a discount when purchasing by the bundle.

• Signature upgrade while IPS licensed expired

  Dear All,
  I have IDSM-2 module in 6513 switch. One IPS licensed is expired. Other IPS licensed is still valid to 2 months.
  Can I still upgrade the signature of this expired(licensed) IPS?
  Please advice
  Regards,
  Anser

  Thanks.
  How much sensor inspection load in % consider as normal. Sometime it becomes for than 60% and I see the delay of 15ms to 20ms in the local network druing load on sensors.
  Please suggest.
  Regards,
  Anser

• IDS/IPS signatures to monitor streaming audio/video applications

  Hi folks,
  Can someone advise on the names or signatures that could be successfully used to monitor the usage of streaming applications on the network. The plan is to feed them to MARS and then create reports on streaming applications utilization to use it later for creation a security policy preventing bandwidth stealing.
  Perhaps any suggestions on how to create a custom signature to monitor audio and video streams would be appreciated.
  Eugene

  Hi Blayne,
  I really appreciate your answers and time you spent. I wish this would be helpful not to me only. I'm still confused by all the intrinsic details of how to make a good custom signature. Is there any good guide? May be TAC has its internal guide on how to troubleshoot and create custom signatures based on regex and content type. I'm looking at the TCP packets of the capture made while watching youtube video and this is what comes from the server:
  HTTP/1.1 200 OK
  Date: Mon, 05 Jul 2010 23:58:12 GMT
  Server: wiseguy/0.6.2
  X-Content-Type-Options: nosniff
  Content-Encoding: gzip
  Set-Cookie: watched_video_id_list=5097f00beb9a2acf9d11293e6452d9adWwMAAABzCwAAAE9UeklpcE45UGg4cwsAAABvOS1VX0l2ME83OHMLAAAAS0V4c0FTRDAtOTg=; path=/; domain=.youtube.com
  Expires: Tue, 27 Apr 1971 19:44:06 EST
  X-YouTube-MID: pcVY4SnBmeDVtZHpoUkNiVkVOZmpxQzR4SDZFZXMwOWxYeFk3QXk4TVhpWjRKRkNUX2I5U1lB
  Cache-Control: no-cache
  Content-Type: text/html; charset=utf-8
  Content-Length: 17503
  q2Lz6;>
  }-yXBYycO1`'ky]\P,$E`:wH)U~UZ_kk;o)#zLV19V^&X]~I7T/?L}s^\16o?}H7|2;B77z9%,$(T_%?s'cUd0nTr$l4N~&uHzG@D9kJhaa l,gIs)u2C_%iA+0JII,Q{1'Ih`T1\z7{X+/cy&2z%NvKW4awwIhT
  d@,#LBOqz}r+Su8*I86f(6
  ^odcJ8uaIab0xH|{*JkZD3>,%iU/ux51B>UNhnHyX*4t}!eXfEh!j>mJ|s}p}0f&H6K3#:)1N5bMRvQItU2_64,swb(=P`~Km
  I tried to make TCP String based signature and match it against  \.[Yy][Oo][Uu][Tt][Uu][Bb][Ee]\.[Cc][Oo][Mm]\. No luck
  Then I tried to create HTTP String based signature and by looking at the HTTP portion of the packet which looks like:
  GET /watch?v=OTzIipN9Ph8&feature=related HTTP/1.1
  Host: www.youtube.com
  User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us) AppleWebKit/533.16 (KHTML, like Gecko) Version/5.0 Safari/533.16
  Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
  Referer: http://www.youtube.com/watch?v=o9-U_Iv0O78&playnext_from=TL&videos=PhuEJ6wyeKs&feature=rec-LGOUT-real_rev-rn-3r-7-HM
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate
  Cookie: watched_video_id_list=8c0482051639fa5ffa488173dfe5001aWwIAAABzCwAAAG85LVVfSXYwTzc4cwsAAABLRXhzQVNEMC05OA==; GEO=fb0890c2d1c0f42b3dc126c2e6b9f771cwsAAAAzQ0EYVCBMTDJvAA==; PREF=f1=40000000; VISITOR_INFO1_LIVE=DM3zU9wKOmE; use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw
  Connection: keep-alive
  I enabled Header Regex to match against [Hh][Oo][Ss][Tt]\:.\.[Yy][Oo][Uu][Tt][Uu][Bb][Ee]\.[Cc][Oo][Mm]\. and still no luck
  I intentionally used Header regex as I assume that HTTP header portion starts after the first CRLN (\r\n) and ends with CRLNCRLN (\r\n\r\n)
  Eugene

• IDS/IPS Signatures Update

  Hi,
  I have one question regarding signatures update, are the Cisco new signatures include the new updates plus the old ones or just the difference between the latest update and the previous one?
  If I have an IPS which has never been updated for a year let's say, is it just enough to install the latest signature update and the latest Service pack? Does the service pack include signatures as well when applied?
  Please advise!
  Thanks,
  Haitham

  A signature update will contain all Cisco signatures that have been released so far. A service pack will be bundled with a signature update, but not necessarily the latest one. So you should first apply the latest service pack and then apply the latest signature update.

• IDS 4230 - End of Software Support = No Signature Update?

  I have one question regarding to Product Bulletin, No. 1772 - "End-of-Sale Announcement for Cisco Intrusion Detection System 4230 Platform"
  According to the bulletin, the date of End of software support is July 31, 2005. Does it mean the signate update for this platfrom will not be available after July 31, 2005 or it just mean that the new version of the IDS sensor software will no longer support this platform.

  As for your first question about replacing EOL equipment with another EOL equipment.
  Ordinarily this would not be done, except that the IDS-4230 has hardware issues and were eligible for a no cost replacement program.
  Under ordinary circumstances a failed IDS-4230 would only have been replaced with a refurbished IDS-4230.
  But because of the hardware issues a failed IDS-4230 will be replaced with a IDS-4235.
  RMA processes are not meant to be used for free upgrades to the newest products. The RMA process is only for replacing of failed products with either the original product or a suitable replacement. The IDS-4235 is a suitable replacement for the IDS-4230 because it has higher performance and a longer period of support.
  Customers wanting to purchase a new IDS-4230 or IDS-4235 are directed to purcahse an IPS-4240 instead.
  As for signature support on the IDS-4230.
  The IDS-4230 signature support is tied to the End of Signature support for the version 4.1 software.
  I have yet to see an official notification on CCO for the end of signature support for the IDS 4.1 software.
  What this tells you is that the end of support is still more than six months away.
  The posting of the notification will give you a minimum 6 months notice.
  So as of the end of November you can feel comfortable that signature support for 4.1 will extend beyond end of May 2006.
  Unofficially I have heard end of signature support for 4.1 being around August/September 2006, but that is still subject to change until a formal notice is posted on CCO.