IOS IPS auto-update
Hi,
I have a couple of questions I hope people could answer:
1) What recommendations/options are available for downloading signature files to a HTTP/TFTP server prior to having the IOS IPS device pull them from the server? Is their a way to automate the HTTP/TFTP server downloading the signatures? (Cron job or such)
2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
Hoping someone could answer these or help point me in the right direction to find the answer out.
regards M
I found this link with answers my one question.
Cisco IOS Intrusion Prevention System (IPS)
Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html
Similar Messages
-
IOS IPS auto-update without CSM
Hi,
We have 400 x 1811 router on which we need to update the IPS signature definition and custom signature.
What is the best way to do it withou running CSM ?
According to Cisco documentation, we need to add the auto-update command with an .XML extention. But when we load a .pkg in a router, the output is 4 different files. Unfortunalty we can auto-update only one file. Which one to I need to load on our TFTP server ?
All the exemples of Cisco are using one single XML file.
Does a single file with the signature defenition, category, default and type exist ?
Since all our router have the same IPS config, I tought I could use one router at the central office with the configuration we want. And by someway asking the remote routers to auto-update their XML file on that router on which I would have activated a TFTP server.
Anyone ever had to upgrade a lot of router IOS IPS signature?This can now be done in the 15.1T branch using cisco.com to download the update directly, see :
http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html#wp1040750
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue.html#wp1137583 -
Hi,
Can we configure 1841 IOS IPS to get automatic signature updates directly from cisco site. I know we can do it in other firewalls like sonicwall, fortigate, etc.
Regards
Siva KHi Siva,
Yes you can do it from the Cisco Security Manager , or you can try
Automatic Signature Update Guidelines
When enabling automatic signature updates, it is recommended that you ensure
the following configuration guidelines have been met:
* The router's clock is set up with the proper relative time.
*The frequency for Cisco IOS IPS to obtain updated signature information has
been defined.
*The URL in which to retrieve the Cisco IOS IPS signature configuration files
has been specified.
*Optionally, the username and password for which to access the files from the
server have been specified.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ips auto-update
4. occur-at min:hour date day
5. username name password password
6. url url
7. exit
8. show ip ips auto-update
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1079125
regards
Yesua -
It seems like whenever there is an IDS sensor/appliance update for defending against the latest virus/worm but there is no update for IOS IPS signatures.
Case in point - on June 3 there was an IDS update for W32/Bobax.worm.o S174. The IOS IPS zip file as of today is S169 from May 25, What gives?
Also, why isn't their any release notes for the IOS IPS zip files to document what was added? That way we can read it to judge if we need to download the zip file or not.There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
SC -
IOS IPS SIG Updates via IDSMDC
When using IDSMSC to push out updates for Sensors and IOS IPS devices, the signature update process pushes the updates to the sensors during the udate process. However the IOS IPS devices pulls their signature definitions from the server itself.
So my question is, do you need to "Generate" and "Deploy" to all IOS IPS devices to insure the devices are updated with the latest signature definitions after the update?
SHMThere are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
SC -
WRVS4400NV2 IPS now blocking Cisco IPS Auto Update Server
Yesterday I noted that my ASA5505 AIP-SSC5 card was failing to auto update as it had been doing without issue for months. I looked in the logs and the IPS was showing an HTTP Error when attempting to update. I checked and nothing had changed in the IPS configuration. Then, on a hunch, I checked the IPS log of the WRVS4400N which is the edge router for the small business network.
The WRVS4400N IPS was blocking connections with the cisco auto update server because it detected an RPC Anomaly in the traffic. So apparently, something has changed in the cisco IPS auto update server (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) response that the cisco small business router misidentifies as a threat. . .
FYI-I also posted this issue to the small business router community discussion forum.Yesterday I noted that my ASA5505 AIP-SSC5 card was failing to auto update as it had been doing without issue for months. I looked in the logs and the IPS was showing an HTTP Error when attempting to update. I checked and nothing had changed in the IPS configuration. Then, on a hunch, I checked the IPS log of the WRVS4400N which is the edge router for the small business network.
The WRVS4400N IPS was blocking connections with the cisco auto update server because it detected an RPC Anomaly in the traffic. So apparently, something has changed in the cisco IPS auto update server (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) response that the cisco small business router misidentifies as a threat. . .
FYI-I also posted this issue to the small business router community discussion forum. -
Is there a way to automate IOS IPS signature updates without CSM?
I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier becasue it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wron "warnings" that CSM spews.
Thanks in advance!From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
Here is the configuration guide for your reference:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659 -
Hello,
I have two IPS ASA5525-IPS "module" of 5525-X Firewall.
I set the proxy connection in DNS/Proxy Settings for update the signatures, but, i receive an error above:
Auto Update Statistics
lastDirectoryReadAttempt = 11:03:09 GMT-03:00 Wed Jan 09 2013
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,110]
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 11:00:00 GMT-03:00 Thu Jan 10 2013
Auxilliary Processors Installed
Testing the connection i can see the packet direct in my firewall, and not passing over the proxy, i need the IPS use the proxy to update signatures.
The configuration looks okay for me.
Any sugestions?
Tks a lot.Hi,
This enhancement to use proxy server for updates would be available in future release. (CSCsv89560)
Regards,
Sawan Gupta -
Hi,
Is it possible to update signatures for IOS IPS or do we need to update the IOS to get more signatures?
Thanks and rgds
Rajeshhi,
if you have cisco sdm, then it would be easy to update your IOS IPS signatures. You may need to upgrade IOS of the router only when the ips signature requires you to do it. -
Hello, Customers having IPS 4215 version 6.0(5)E3 are having their sensor crashing following auto update from an FTP server.
The web interface is no more accessible and the analysis engine stopped( I've attached the show tech-support)
The problem happened with different signatures S383 and S384, please adviseHaving a 4215 sensor crash on a signature update is a very common event.
The 4215 sensors only have 512 MB or RAM (most sensors have 1 or 2 GB), this has caused many problems during the update process.
You can try rebooting the sensor several times, if that doesnt bring it back to life, you can try resetting the signature policy back to default, if that doesn't help you'll need to open a TAC case to modify some of the signature build time memory parmeters. -
I am having an issue with the IPS. I have configured it for auto update and I am trying to download a new signature package. It seems to be working. However, once it comes across the package to download, it gives me this error:
evError: eventId=1232049941352795438 severity=error vendor=Cisco
originator:
hostId: xxxxips11
appName: mainApp
appInstanceId: 347
time: 2009/01/29 15:22:03 2009/01/29 10:22:03 GMT-05:00
errorMessage: name=errSystemError autoUpdate successfully selected a package () from the cisco.com locator service, however, package download failed: This package file does not have the required .pkg extension
I know that it is trying to download the correct package because I get this message prior:
evStatus: eventId=1232049941352795436 vendor=Cisco
originator:
hostId: xxxxips11
appName: mainApp
appInstanceId: 342
time: 2009/01/29 15:22:03 2009/01/29 10:22:03 GMT-05:00
autoUpgradeServerCheck:
uri: xxxxxx@//
packageFileName: IPS-sig-S378-req-E3.pkg
result: status=true
Does anyone know what this could possibly be?Upgrade IPS MC and Security Monitor to 2.2.
-
I've configured the signature auto update via the GUI and CLI but receive the same error:
evError: eventId=1210198298109812431 vendor=Cisco severity=error
originator:
hostId: LON-Sensor
appName: mainApp
appInstanceId: 341
time: Jun 06, 2008 03:00:07 UTC offset=60 timeZone=BST
errorMessage: MainApplication::downloadAndStartUpdate Error status returned with status str Found name=errSystemError
Any ideas? I've rebooted both the IPS & ASA in the hope that would resolve the problem to no avail. I have another ASA/IPS in a different site and that works ok.Hi, I got the information :)
show stat host
General Statistics
Last Change To Host Config (UTC) = 14-Jan-2009 14:38:43
Command Control Port Device = GigabitEthernet0/0
Network Statistics
= ge0_0 Link encap:Ethernet HWaddr 00:13:C4:80:C3:C1
= inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0
= UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
= RX packets:25375769 errors:0 dropped:0 overruns:0 frame:0
= TX packets:2411636 errors:0 dropped:0 overruns:0 carrier:0
= collisions:0 txqueuelen:1000
= RX bytes:2570835196 (2.3 GiB) TX bytes:657595036 (627.1 MiB)
= Base address:0xbc00 Memory:f8200000-f8220000
NTP Statistics
status = Not applicable
Memory Usage
usedBytes = 660455424
freeBytes = 372043776
totalBytes = 1032499200
CPU Statistics
Usage over last 5 seconds = 31
Usage over last minute = 40
Usage over last 5 minutes = 36
Memory Statistics
Memory usage (bytes) = 660455424
Memory free (bytes) = 372043776
Auto Update Statistics
lastDirectoryReadAttempt = 08:40:00 GMT-06:00 Wed Feb 04 2009
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,111]
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 08:40:00 GMT-06:00 Thu Feb 05 2009
Auxilliary Processors Installed.
! Current configuration last modified Mon Jan 19 17:15:14 2009
! Version 6.2(1)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S379.0 2009-01-30
! Virus Update V1.4 2007-03-02
service interface
exit
service authentication
exit
service event-action-rules rules0
overrides deny-attacker-inline
override-item-status Enabled
risk-rating-range 90-100
exit
exit
service host
network-settings
host-ip 192.168.1.11/24,192.168.1.1
host-name sensor
telnet-option disabled
access-list 10.254.254.0/24
access-list 192.168.1.0/24
exit
time-zone-settings
offset -360
standard-time-zone-name GMT-06:00
exit
auto-upgrade
cisco-server enabled
schedule-option calendar-schedule
times-of-day 08:40:00
days-of-week monday
days-of-week tuesday
days-of-week wednesday
days-of-week thursday
exit
user-name ********
password ********
cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
exit
exit
exit
service logger
exit
service network-access
exit
service notification
exit
service signature-definition sig0
signatures 9430 1
status
enabled true
exit
exit
signatures 11018 1
status
enabled true
exit
exit
signatures 12000 0
status
enabled true
exit
exit
signatures 12003 0
status
enabled false
exit
exit
signatures 12020 0
status
enabled true
exit
exit
exit
service ssh-known-hosts
exit
service trusted-certificates
exit
service web-server
exit
service anomaly-detection ad0
exit
service external-product-interface
exit
service health-monitor
memory-usage-policy
enable true
exit
exit
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit -
Hi,
I have auto update enabled in my AIP SSM 10 , at the time of auto updates i have observed the following messages in Console
"Broadcast Message from IPS
Applying update IPS-sig-S766-req-E4"
It remains in this condition and then i have to do a hw-module reset to get it back again , moreover updates which were downloaded arent applied.
Kindly HelpWhen signature auto-update failures are diagnosed, look at the HTTP error codes.
IPS# show statistics host
Auto Update Statistics
lastDirectoryReadAttempt = 19:31:09 CST Thu Nov 18 2010
= Read directory: https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl
= Error: AutoUpdate exception: HTTP connection failed [1,110] <--
lastDownloadAttempt = 19:08:10 CST Thu Nov 18 2010
lastInstallAttempt = 19:08:44 CST Thu Nov 18 2010
nextAttempt = 19:35:00 CST Thu Nov 18 2010
Message Meaning
Error: AutoUpdate exception: HTTP connection failed [1,110]
Authentication failed. Check the username and password.
status=false AutoUpdate exception: Receive HTTP response failed [3,212]
The request to the Auto Update server timed out.
Error: http error response: 400
Make sure the cisco-url setting is defaulted. If the CCO ID is greater than 32 characters in length, try a different CCO ID. This can be a limitation on the Cisco download server.
Error: AutoUpdate exception: HTTP connection failed [1,0]
Network issue prevented download or there is a potential issue with the download servers.
and also keep in mind that CCO username should not contain any special characters, for example, @ . Refer to Cisco bug ID CSCsq30139 (registered customers only) for more information. -
IPS auto-update vs manual download
Is there a delay in what's available via auto-update and updates that are available for manual download through cisco.com? I noticed today that S498 became available yesterday, but my IPS module in my ASA hasn't downloaded it automatically yet. When I do a #sh statistics host, I have a recent download attempt that says "Success: No installable auto update package found on server.
Just wondering if there is a delay between manual and auto updates or if I need to be concerned that my auto-udpates aren't working properly.
Thanks!The "lastDirectoryReadAttempt" is when the last check occurred (should match your scheduled timing). If the status is that there is no available update, that is as far as the process goes. If an update is available, the sensor should attempt to download.
The "lastDownloadAttempt" will indicate the last time an update download was found and the download was attempted.
The "lastInstallAttempt" will indicate the last time an update was downloaded and install initiated.
It does look like it checked at a point today and did not find an available update. That your outputs are UTC, I cannot correlate when the check today was run in relation to the publishing of the latest update. It may be that there is a cache engine between your sensor and Cisco, and it is indicating that there is nothing available. I would give the process another 24 hours to update.
Scott -
The auto update is not working on the IPS. The current signature version is S502 but my IPS is S479
show statistics host output
Auto Update Statistics
lastDirectoryReadAttempt = 05:35:12 GMT-05:00 Mon Jul 26 2010
= Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
= Success: No installable auto update package found on server
lastDownloadAttempt = N/A
lastInstallAttempt = N/A
nextAttempt = 05:35:00 GMT-05:00 Tue Jul 27 2010
Auxilliary Processors Installed
show version output
Application Partition:
Cisco Intrusion Prevention System, Version 6.1(1)E3
Host:
Realm Keys key1.0
Signature Definition:
Signature Update S479.0 2010-03-19
Virus Update V1.4 2007-03-02
OS Version: 2.4.30-IDS-smp-bigphys
Platform: ASA-SSM-10
Serial Number: JAF10241017
Licensed, expires: 03-Sep-2010 UTC
S479.It looks like the issue is that the IPS is running the E3 engine (6.1(1)E3). All new updates require the E4 engine, so you'll have to update the sensor to 6.2(2)E4 or 7.0(4)E4. Upgrade links and instructions can be found here:
https://supportforums.cisco.com/docs/DOC-12212
Maybe you are looking for
-
Itunes says my computer is not authorized to play videos
I know this is a problem that Apple is aware of. I have tried several ways and I cannot get my iMac to play the videos I have purchased. I get an error message saying the computer is not authorized, but when I try to authorize it I get a message tell
-
hi, when i release billing to accounting and when items are open(still not settled by customer) which in RED in fbln. thats fine but when cacel the invoice i get both acounting doc. (one for cancelled invoice)are shown as open. i think there should
-
hi experts i need to join mtl_system_items_b with ra_customer_trx_lines_all, and it seems very easy but problem is .. my ra_customer_trx_lines_all.inventory_item_id is null and doesnt record any code but description is there.. what is this??? is this
-
Cnfigaration of purchase invoice (form)
hi, In my requirement I have created a form that form gives the invoice details. that invoice is purchase invoice document. so I want to configure this purchas invoice form. how can I achieve it. Moderator message: please do more research before as
-
Photoshop CC / 3D - Wrapping a graphic around a cylinder without repeating.
I'm trying to wrap a label around a 3D bottle by inserting the label as a diffuse texture. I am able to position and scale the label proportionately, however instead of wrapping around the bottle once, it's repeating twice. I've tried fooling with th