IDS Signature Updates

When I update my IDS sensors using the IDS MC, 3 of my 4 sensors hang. They never restart all of the services. When I telnet to them I get the message "Error: Cannot communicate with system processes. Please contact your system administrator.". The IDS MC progress viewer shows 100% but with errors. Its errors are:
Sensor Int_IDS1: Signature Update Process
An error occurred while running the update script on the sensor named Int_IDS1. Detail = An RDEP communication error occurred during the update. Exception message = org.apache.commons.httpclient.HttpRecoverableException: Error in parsing the status line from the response: unable to find line starting with "HTTP"
One sensor works fine with no problems.
I have tried upgrading the sensors individually through IDSMC and the same 3 fail with the same error message. I have tried doing it through the command line and FTP and the same 3 fail. The 3 sensors that fail are 4235s and the successful sensor is a 4250 XL.

If you are not running the 'f' patch on your sensors, 4.1.4(f), you should download and install that patch. It fixes some out-of-memory on upgrade issues that are most likely the cause of your problem.
The patch location is posted in another thread.

Similar Messages

  • IDS Signature update S(184)

    The IDS signature update S(184) included [MS plug and play - 6131]. This particular SIG ID is disabled, and the severity is Information. Does anyone know how to enable it and change it to high?
    Thank you

    You can use IDM (https://) to change the severity and enable the signature. The other management platforms also provide you a means to change it as well.

  • Cisco IDS signature update vs. Snort

    Greetings all
    I have a question for anyone using any Cisco IDS products.
    How often does the Cisco IDS/IDSM update its signatures, and are the updates
    comparable to Snort? Example: An exploit is known...Snort publishes an
    update...can a similar update be found for Cisco IDS?
    Regards
    Fredrik Hofgren

    Cisco does not update as frequently or completely as Snort. Cisco also tends to give much higher priority to releasing signatures on vulnerabilities that affect their own products. There are also many signatures released for Snort that never seem to make their way to Cisco from what we have seen.

  • IPS/IDS Signature updates

    Just a quick question, will there be a charge for upgrading the signatures? In other words will you have to pay to download the new updates as they come out?

    What about the IOS IPS with 5.x? It looks like the IOS IPS doesn't support the 5.x signatures due to current engine support, yet I haven't been able to find an EOL on IOS IPS.

  • Problem updating IDS signatures

    I have an IDS-4215 sensor with version 5.1(5)E1S333V1.2
    I tried several times updating signatures with the next version on it but it does not get updated and only the local MC gets upgraded. I have other IDS sensors also but I don't have any problem updating signatures with them.
    Why are the signatures not getting updated on this sensor?
    Help me with a solution. All helpful posts will be rated.

    Did you try applying S355 directly to the sensor using the CLI or IDM rather than the MC?
    Sometimes you don't get good error messages when trying to apply through the MC.
    If you apply through CLI or IDM did you get any messages back from the sensor?
    Did you get a success message? If doing it from the CLI did it come back to a CLI prompt?
    If no error messages come back when trying the upgrade, then it will require looking at a "show tech" from your sensor to try and see what is going on.
    You would not want to copy that output to this forum, so your best bet would be to open up a TAC case and provide them the output from when you tried applying the update through the CLI or IDM, as well as the output from the "show tech" taken immediately after the failed upgrade attempt.
    I am not currently aware of any situation where the upgrade would fail without some type of error message being returned.
    Here, however, are some common errors that should return an error message (I don't remember the exact wording of the error messages):
    1) sensorApp/analysis engine is Not Running
    (you can check "show version" before doing the upgrade to make sure it is Running).
    2) sensorApp/analysis engine is not responding (you can do a "show stat vi" before trying the upgrade to ensure it is responding to statistic requests before trying the upgrade)
    3) license has expired (you can do a "show ver" and make sure the license has not expired)
    4) Signature Update already installed - This is a tricky one. This can happen when a previous attempt to update at that same signature level failed, but left some remnants around. The second attempt to install the same update detects the remains of the previous failure and incorrectly thinks that the update is already installed. There are 2 ways to recover from this. Save off the config, and do a recover-application command to re-image the sensor, then re-apply the config. Or wait till the next signature update S356 comes out and try it with the newer sig update. I haven't seen this problem in a long time, and I am not sure if it can happen anymore. Steps were taken to try and prevent this from happening.
    5) sensorApp/analysis engine could stop during the signature update - This can happen on lower end sensors like the IDS-4215, especially when tunings have been made to the signatures or custom signatures have been created. The low end sensors have limited memory. When a new signature update is applied the sensor has to compile the new signatures. If using the standard set of signatures with no user tunings, then the signature update should apply fine. But if the customer has made tunings and/or added custom signatures, then this compiling of the new signatures could push the sensor above its allowed memory limits. The kernel will then kill sensorApp/analysis engine. The signature update will never complete (never get an error OR a success message). And the sensor has to be rebooted to get it working again. If you are running into this issue you might need to remove some of your tunings and custom signatures, apply the signature update, and then re-apply your tunings.
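As an added example (not code from this thread or from Cisco), a Python preflight that applies checks 1, 4 and 5 from the answer above to the text of a sensor's "show version" output. The sample output is constructed, modelled on the IDS-4215 transcript quoted further down this page, and the 85% memory threshold is an assumption rather than a documented limit.

```python
import re

# Constructed sample "show version" output, modelled on the IDS-4215 transcript
# in this thread (92% memory in use). Not output from a real sensor; AnalysisEngine
# is deliberately set to "Not Running" to exercise check 1.
SAMPLE_SHOW_VERSION = """\
Application Partition:
Cisco Systems Intrusion Detection Sensor, Version 4.1(5)S189
Platform: IDS-4215
Using 424386560 out of 460161024 bytes of available memory (92% usage)
Using 4.4G out of 17G bytes of available disk space (27% usage)
MainApp 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
AnalysisEngine 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Not Running
Authentication 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
WebServer 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
CLI 2005_Aug_02_10.53 (Release) 2005-08-02T10:25:35-0500
Upgrade History:
* IDS-sig-4.1-4-S119 17:29:28 UTC Sat Oct 16 2004
IDS-K9-sp-4.1-5-S189.rpm.pkg 09:28:03 UTC Wed Dec 27 2006
Recovery Partition Version 2.4 - 4.1(4)S91
"""

# One service line: "<App> <build> (Release) <timestamp> <state>" (the CLI line has no state).
SERVICE_RE = re.compile(r"^(?P<app>\w+) \S+ \(Release\) \S+ (?P<state>.+)$")
MEM_RE = re.compile(r"available memory \((\d+)% usage\)")
HISTORY_RE = re.compile(r"^\*?\s*(?P<pkg>IDS-\S+)")


def parse_show_version(text):
    """Extract service states, memory usage and upgrade history from show version."""
    services, history, mem_pct, in_history = {}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Upgrade History:"):
            in_history = True
            continue
        if in_history:                      # package names until the history ends
            m = HISTORY_RE.match(line)
            if m:
                history.append(m.group("pkg"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m.group("app")] = m.group("state")
            continue
        m = MEM_RE.search(line)
        if m:
            mem_pct = int(m.group(1))
    return {"services": services, "memory_pct": mem_pct, "history": history}


def preflight(show_version_text, target_pkg, mem_limit_pct=85):  # threshold is assumed
    """Return reasons not to apply target_pkg yet; an empty list means go ahead."""
    info = parse_show_version(show_version_text)
    problems = []
    for app in ("MainApp", "AnalysisEngine"):          # check 1: must be Running
        state = info["services"].get(app, "missing")
        if state != "Running":
            problems.append(f"{app} is {state}, not Running")
    if info["memory_pct"] is not None and info["memory_pct"] >= mem_limit_pct:
        problems.append(f"memory at {info['memory_pct']}%: compiling new signatures may exhaust it (check 5)")
    base = target_pkg.replace(".rpm.pkg", "")           # check 4: already in history?
    if any(h.replace(".rpm.pkg", "") == base for h in info["history"]):
        problems.append(f"{target_pkg} already in upgrade history; may be leftovers of a failed attempt")
    return problems
```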

  • Problem updating signature updates in IDS 4215

    Problem upgrading the signatures of IDS 4215
    I have to upgrade the signature file of ids 4215. The latest signature update version is IDS-sig-4.1-5-S252. To upgrade the signature file I install the service pack IDS-K9-sp-4.1-5-S189. The service pack was installed properly but while updating the signatures it is giving the following error
    Error: Cannot communicate with mainApp (getVersion). Please contact your system
    Administrator.
    Would you like to run cidDump? [No]:
    Procedure Followed
    I installed a ftp server in the network and put the signature update file there. I then issued the command
    upgrade ftp://[email protected]/5Dp--5-S2s52.ir
    Pmg.pk-g4.1-5-S252.rpm.pkg
    After that it gave me the above error
    Question
    How can I recover the image while recovery partition is already there?
    The snapshot of the procedure that I followed is given below
    login: cisco
    Password:
    ***NOTICE***
    This product contains cryptographic features and is subject to United States
    and local country laws governing import, export, transfer and use. Delivery
    of Cisco cryptographic products does not imply third-party authority to import,
    export, distribute or use encryption.
    http://www.cisco.com/wwl/export/crypto
    If you require further assistance please contact us by sending email to
    [email protected].
    customer-ids4215#
    customer-ids4215# sh ver
    customer-ids4215# sh version
    Application Partition:
    Cisco Systems Intrusion Detection Sensor, Version 4.1(5)S189
    OS Version 2.4.26-IDS-smp-bigphys
    Platform: IDS-4215
    Using 424386560 out of 460161024 bytes of available memory (92% usage)
    Using 4.4G out of 17G bytes of available disk space (27% usage)
    MainApp 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    AnalysisEngine 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    Authentication 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    Logger 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    NetworkAccess 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    TransactionSource 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    WebServer 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 Running
    CLI 2005_Aug_02_10.53 (Release) 2005-08-02T10:25:35-0500
    Upgrade History:
    * IDS-sig-4.1-4-S119 17:29:28 UTC Sat Oct 16 2004
    IDS-K9-sp-4.1-5-S189.rpm.pkg 09:28:03 UTC Wed Dec 27 2006
    Recovery Partition Version 2.4 - 4.1(4)S91
    customer-ids4215#
    customer-ids4215#
    customer-ids4215# conf t
    customer-ids4215(config)#
    customer-ids4215(config)# upgrade
    <source-url> Location of upgrade
    customer-ids4215(config)# upgrade ftp://[email protected]/5Dp--5-S2s52.ir
    pmg.pk-g4.1-5-S252.rpm.pkg
    Password:
    Warning: Executing this command will apply a signature update to the application
    partition.
    Continue with upgrade? : yes
    Broadcast message from root (Sun Jan 7 14:46:24 2007):
    Applying update IDS-sig-4.1-5-S252. This may take several minutes.
    Please do not reboot the sensor during this update.
    login: cisco
    Password:
    ***NOTICE***
    This product contains cryptographic features and is subject to United States
    and local country laws governing import, export, transfer and use.http://www.cisco.com/wwl/export/crypto
    If you require further assistance please contact us by sending email to
    [email protected].
    Error: Cannot communicate with mainApp (getVersion). Please contact your system
    administrator.
    Would you like to run cidDump?[no]:
    Connection to host lost.
    C:\>

    Just so you know, you will need to update your IPS from 4.1-5 to 5.0-1 to get signatures up to 217. To get a signature beyond 217, you'll need to upgrade to 5.0-5. This isn't that lengthy of a process, but it is required if you want to go beyond 217. Also, 252 is an older signature; 265 has been out now for a few. Just an idea of how fast these signatures update. Shoot a reply back if you don't know how to upgrade.

  • MC-IDS - Error Updating Network IDS Signatures

    MC for IDS Sensors
    Update Network IDS Signatures
    Error
    Object update failed. The update package provided appears to be corrupt, or permission was denied for reading the file. Please verify the update package contents and retry the operation.
    I verified the checksum of 4207248 matches the file I downloaded from CCO. We are running on Solaris. What userid is VMS using to read?
    Any ideas? -jason
    root@bnavms # cd/opt/CSCOpx/MDC/etc/ids/updates/
    root@bnavms # su jra
    root@bnavms # ls -l
    -rw-r--r-- 1 jra other 4207248 Jan 7 09:30 IDS-sig-4.1-4-S136.rpm.pkg

    You need to get the .zip version of the update. It can be found on the same CCO download page under the IDSMC -> IDS Management Console link at the bottom of the page.

  • IDS/IPS Signatures Update

    Hi,
    I have one question regarding signature updates: do the new Cisco signatures include the new updates plus the old ones, or just the difference between the latest update and the previous one?
    If I have an IPS which has never been updated for a year let's say, is it just enough to install the latest signature update and the latest Service pack? Does the service pack include signatures as well when applied?
    Please advise!
    Thanks,
    Haitham

    A signature update will contain all Cisco signatures that have been released so far. A service pack will be bundled with a signature update, but not necessarily the latest one. So you should first apply the latest service pack and then apply the latest signature update.

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • Scheduling a signature update through MC

    How can you schedule a signature update to take place for example at 3:00 in the morning? When I do a signature update through MC, I select the sensor I want to update then click continue and it updates at that time. Can I schedule this somehow? I am using IDS MC and apply updates through the Management Center.Thanks for the help.

    Hi,
    Any one can help me on this please?
    Angshuman

  • IDSM Signature Updates

    Hi,
    Suddenly after upgrading our IDSM-2, in the Releases tab the signatures are not being updated, but the IDS itself is up to date.
    Generally the IDS is updated but I can't see the last applied signatures on IPS>sig>releases...
    Who has the solution?
    Regards,
    Sent from Cisco Technical Support iPad App

    Hello.
    Suddenly after upgrading our IDSM-2, in the Releases tab the signatures are not being updated, but the IDS itself is up to date. Generally the IDS is updated but I can't see the last applied signatures on IPS>sig>releases...
    Are you encountering this behavior in IDM (the sensor's built-in GUI) or in IME (IPS Manager Express)?
    I recently encountered a customer who ran into this behavior with IDM and the issue was due to the signature update(s) not actually completing 100% due to a defect being encountered.
    I also recently encountered a customer who ran into this with IME and the issue was eventually resolved via an uninstall and re-install of the IME application software.

  • Verifying the Correct Signature Updates, Management Software, and Version

    I am working today at a Client Site where I installed several months ago a Cisco IPS 4240 Sensor. The Sensor is currently running Version 6.0(3)E1.
    I am not certain how to proceed with respect to signature updates on this box.
    Under signature definition, it lists the following:
    Signature Update S291.0 2007-06-18
    I have noticed on the Security Software Page for IPS that the latest Signature File is S336. Should I install this on the IPS? In order to perform this, will it take down the IPS unit?
    Also, there are several Management applications listed under the "Network IPS/IDS Management/Monitoring Software" heading, including: IME, IPC MC, and ICS. I am already using IDM as well as IEV respectively to Configure/Monitor and then IEV to Alarm on certain Events. What are IME, IPC MC, and ICS and how are they different from IDM and IEV?

    IME = Intrusion Prevention Manager Express
    - IME is fairly new (released only a month or 2 ago). IME is a next generation of IEV. It does the event monitoring of IEV, but is also able to do configuration similar to IDM. So it is IEV and IDM in one tool. The configuration screens of IME will only work with IPS 6.1, but the event monitoring screens will work with 5.1, 6.0, and 6.1.
    IPS MC = Intrusion Prevention System Management Center
    IPS MC was a part of VMS (VPN and Security Management System). IPS MC was for configuration of a large number of sensors.
    IPS MC and VMS are both End of Sale and were replaced with CSM
    CSM = Cisco Security Manager
    CSM is a multi-security device configuration management system. It is targeted at Enterprise customers with more than 5 sensors.
    ICS = Intrusion Containment System
    ICS was a product produced by Trend Micro Systems. Trend could create signatures for Viruses and Worms and then send an update to ICS and ICS would then create the signatures on the sensors. These signatures were known as the V signatures.
    ICS has been End of Saled.
    So from your perspective you need not be concerned with IPS MC (VMS) or ICS.
    IME should be of interest to you as an upgrade from IEV (IME like IEV is available as part of your existing sensor support contracts and is not an additional charge).
    As you upgrade sensors to IPS v6.1 you might consider upgrading IEV to IME.
    CSM (and also MARS) would be of interest if you are going to manage more than 5 sensors. (IME and IEV are limited to 5 sensors).

  • Use Active FTP for signature updates

    Is it possible to use active FTP as opposed to passive when upgrading IDS signatures? I am running 4210s with v.4.1. During signature updates for some reason the FTP connection uses a random ephemeral port instead of port 21. When I ftp manually from the service account with the PASS command to turn off passive ftp, the file transfers fine. ACLs are blocking the connection because the port always changes and I don't want to open up the ephemeral port range.
    Thanks,
    Joel

    As far as I know, you can only use the passive ftp for the sig updates.

  • Scheduling IDS Sensor updates CiscoWorks VMS

    I have CiscoWorks VMS setup to auto download new IDS signature files, this works great, however is there a way I can have those signatures automatically installed to my sensors?

    Automatic update of signatures is possible with FTP or SCP. You will have to first download the updates from Cisco on to the FTP or SCP server. The sensor will automatically install them.
    See here for more information on the Auto update feature:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap3.htm#wp32902

  • Signature update fail

    The following error has occurred while updating the signature file IDS-sig-4.1-5-S252.rpm.pkg on a VMS 2.2 machine.
    What are the possible causes of the error?
    Object update failed. The update package provided appears to be corrupt, or permission was denied for reading the file. Please verify the update package contents and retry the operation.

    1) Apply the latest signature update to the IDSMC.
    2) Apply all the signature updates starting from the oldest to the latest to the IDSMC.
    3) Delete the sensor(s) and add them back in... apply the latest signatures to the IDSMC.
    If at this point the error persists, then the only way to fix it is to reinstall the IDSMC.
