IOS IPS auto-update

Hi,
I have a couple of questions I hope people could answer:
1) What recommendations/options are available for downloading signature files to an HTTP/TFTP server prior to having the IOS IPS device pull them from the server? Is there a way to automate the HTTP/TFTP server downloading the signatures? (Cron job or such)
2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
Hoping someone could answer these or help point me in the right direction to find the answer out.
regards M

I found this link, which answers my one question.
Cisco IOS Intrusion Prevention System (IPS)
Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html

Similar Messages

  • IOS IPS auto-update without CSM

    Hi,
    We have 400 x 1811 routers on which we need to update the IPS signature definition and custom signature.
    What is the best way to do it without running CSM?
    According to Cisco documentation, we need to add the auto-update command with an .XML extension. But when we load a .pkg in a router, the output is 4 different files. Unfortunately we can auto-update only one file. Which one do I need to load on our TFTP server?
    All of Cisco's examples use one single XML file.
    Does a single file with the signature definition, category, default and type exist?
    Since all our routers have the same IPS config, I thought I could use one router at the central office with the configuration we want, and somehow ask the remote routers to auto-update their XML file from that router, on which I would have activated a TFTP server.
    Has anyone ever had to upgrade the IOS IPS signatures on a lot of routers?

    This can now be done in the 15.1T branch using cisco.com to download the update directly, see :
    http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html#wp1040750
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue.html#wp1137583

  • 1841 IOS IPS online updates

    Hi,
    Can we configure 1841 IOS IPS to get automatic signature updates directly from the Cisco site? I know we can do it in other firewalls like SonicWall, FortiGate, etc.
    Regards
    Siva K

    Hi Siva,
    Yes, you can do it from the Cisco Security Manager, or you can try:
    Automatic Signature Update Guidelines
    When enabling automatic signature updates, it is recommended that you ensure the following configuration guidelines have been met:
    * The router's clock is set up with the proper relative time.
    * The frequency for Cisco IOS IPS to obtain updated signature information has been defined.
    * The URL in which to retrieve the Cisco IOS IPS signature configuration files has been specified.
    * Optionally, the username and password for which to access the files from the server have been specified.
    SUMMARY STEPS
    1. enable
    2. configure terminal
    3. ip ips auto-update
    4. occur-at min:hour date day
    5. username name password password
    6. url url
    7. exit
    8. show ip ips auto-update
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1079125
    regards
    Yesua

  • IOS IPS Sig Updates

    It seems like whenever there is an IDS sensor/appliance update for defending against the latest virus/worm, there is no update for IOS IPS signatures.
    Case in point - on June 3 there was an IDS update for W32/Bobax.worm.o S174. The IOS IPS zip file as of today is S169 from May 25. What gives?
    Also, why aren't there any release notes for the IOS IPS zip files to document what was added? That way we can read them to judge if we need to download the zip file or not.

    There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
    Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
    SC

  • IOS IPS SIG Updates via IDSMDC

    When using IDSMSC to push out updates for sensors and IOS IPS devices, the signature update process pushes the updates to the sensors during the update process. However, the IOS IPS devices pull their signature definitions from the server itself.
    So my question is, do you need to "Generate" and "Deploy" to all IOS IPS devices to ensure the devices are updated with the latest signature definitions after the update?
    SHM

  • WRVS4400NV2 IPS now blocking Cisco IPS Auto Update Server

    Yesterday I noted that my ASA5505 AIP-SSC5 card was failing to auto update as it had been doing without issue for months. I looked in the logs and the IPS was showing an HTTP Error when attempting to update. I checked and nothing had changed in the IPS configuration. Then, on a hunch, I checked the IPS log of the WRVS4400N, which is the edge router for the small business network.
    The WRVS4400N IPS was blocking connections with the Cisco auto update server because it detected an RPC Anomaly in the traffic. So apparently, something has changed in the Cisco IPS auto update server (https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl) response that the Cisco small business router misidentifies as a threat...
    FYI-I also posted this issue to the small business router community discussion forum.

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • IPS Auto Update 5525X

    Hello,
    I have two ASA5525-IPS "modules" in 5525-X firewalls.
    I set the proxy connection in DNS/Proxy Settings to update the signatures, but I receive the error below:
    Auto Update Statistics
       lastDirectoryReadAttempt = 11:03:09 GMT-03:00 Wed Jan 09 2013
        =   Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
        =   Error: AutoUpdate exception: HTTP connection failed [1,110]
       lastDownloadAttempt = N/A
       lastInstallAttempt = N/A
       nextAttempt = 11:00:00 GMT-03:00 Thu Jan 10 2013
    Auxilliary Processors Installed
    Testing the connection, I can see the packet going directly to my firewall and not passing through the proxy; I need the IPS to use the proxy to update signatures.
    The configuration looks okay to me.
    Any suggestions?
    Thanks a lot.

    Hi,
    This enhancement to use proxy server for updates would be available in future release. (CSCsv89560)
    Regards,
    Sawan Gupta

  • IOS IPS Signature Updates

    Hi,
    Is it possible to update signatures for IOS IPS or do we need to update the IOS to get more signatures?
    Thanks and rgds
    Rajesh

    Hi,
    If you have Cisco SDM, then it would be easy to update your IOS IPS signatures. You may need to upgrade the IOS of the router only when the IPS signature requires you to do it.

  • IPS auto update

    Hello, Customers having IPS 4215 version 6.0(5)E3 are having their sensor crashing following auto update from an FTP server.
    The web interface is no longer accessible and the analysis engine stopped (I've attached the show tech-support).
    The problem happened with different signatures S383 and S384, please advise

    Having a 4215 sensor crash on a signature update is a very common event.
    The 4215 sensors only have 512 MB of RAM (most sensors have 1 or 2 GB); this has caused many problems during the update process.
    You can try rebooting the sensor several times. If that doesn't bring it back to life, you can try resetting the signature policy back to default. If that doesn't help, you'll need to open a TAC case to modify some of the signature build time memory parameters.

  • IPS Auto Update Error

    I am having an issue with the IPS. I have configured it for auto update and I am trying to download a new signature package. It seems to be working. However, once it comes across the package to download, it gives me this error:
    evError: eventId=1232049941352795438 severity=error vendor=Cisco
    originator:
    hostId: xxxxips11
    appName: mainApp
    appInstanceId: 347
    time: 2009/01/29 15:22:03 2009/01/29 10:22:03 GMT-05:00
    errorMessage: name=errSystemError autoUpdate successfully selected a package () from the cisco.com locator service, however, package download failed: This package file does not have the required .pkg extension
    I know that it is trying to download the correct package because I get this message prior:
    evStatus: eventId=1232049941352795436 vendor=Cisco
    originator:
    hostId: xxxxips11
    appName: mainApp
    appInstanceId: 342
    time: 2009/01/29 15:22:03 2009/01/29 10:22:03 GMT-05:00
    autoUpgradeServerCheck:
    uri: xxxxxx@//
    packageFileName: IPS-sig-S378-req-E3.pkg
    result: status=true
    Does anyone know what this could possibly be?

    Upgrade IPS MC and Security Monitor to 2.2.

  • IPS Auto Update failing

    I've configured the signature auto update via the GUI and CLI but receive the same error:
    evError: eventId=1210198298109812431 vendor=Cisco severity=error
    originator:
    hostId: LON-Sensor
    appName: mainApp
    appInstanceId: 341
    time: Jun 06, 2008 03:00:07 UTC offset=60 timeZone=BST
    errorMessage: MainApplication::downloadAndStartUpdate Error status returned with status str Found name=errSystemError
    Any ideas? I've rebooted both the IPS & ASA in the hope that would resolve the problem to no avail. I have another ASA/IPS in a different site and that works ok.

    Hi, I got the information :)
    show stat host
    General Statistics
    Last Change To Host Config (UTC) = 14-Jan-2009 14:38:43
    Command Control Port Device = GigabitEthernet0/0
    Network Statistics
    = ge0_0 Link encap:Ethernet HWaddr 00:13:C4:80:C3:C1
    = inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0
    = UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    = RX packets:25375769 errors:0 dropped:0 overruns:0 frame:0
    = TX packets:2411636 errors:0 dropped:0 overruns:0 carrier:0
    = collisions:0 txqueuelen:1000
    = RX bytes:2570835196 (2.3 GiB) TX bytes:657595036 (627.1 MiB)
    = Base address:0xbc00 Memory:f8200000-f8220000
    NTP Statistics
    status = Not applicable
    Memory Usage
    usedBytes = 660455424
    freeBytes = 372043776
    totalBytes = 1032499200
    CPU Statistics
    Usage over last 5 seconds = 31
    Usage over last minute = 40
    Usage over last 5 minutes = 36
    Memory Statistics
    Memory usage (bytes) = 660455424
    Memory free (bytes) = 372043776
    Auto Update Statistics
    lastDirectoryReadAttempt = 08:40:00 GMT-06:00 Wed Feb 04 2009
    = Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    = Error: AutoUpdate exception: HTTP connection failed [1,111]
    lastDownloadAttempt = N/A
    lastInstallAttempt = N/A
    nextAttempt = 08:40:00 GMT-06:00 Thu Feb 05 2009
    Auxilliary Processors Installed.
    ! Current configuration last modified Mon Jan 19 17:15:14 2009
    ! Version 6.2(1)
    ! Host:
    ! Realm Keys key1.0
    ! Signature Definition:
    ! Signature Update S379.0 2009-01-30
    ! Virus Update V1.4 2007-03-02
    service interface
    exit
    service authentication
    exit
    service event-action-rules rules0
    overrides deny-attacker-inline
    override-item-status Enabled
    risk-rating-range 90-100
    exit
    exit
    service host
    network-settings
    host-ip 192.168.1.11/24,192.168.1.1
    host-name sensor
    telnet-option disabled
    access-list 10.254.254.0/24
    access-list 192.168.1.0/24
    exit
    time-zone-settings
    offset -360
    standard-time-zone-name GMT-06:00
    exit
    auto-upgrade
    cisco-server enabled
    schedule-option calendar-schedule
    times-of-day 08:40:00
    days-of-week monday
    days-of-week tuesday
    days-of-week wednesday
    days-of-week thursday
    exit
    user-name ********
    password ********
    cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    exit
    exit
    exit
    service logger
    exit
    service network-access
    exit
    service notification
    exit
    service signature-definition sig0
    signatures 9430 1
    status
    enabled true
    exit
    exit
    signatures 11018 1
    status
    enabled true
    exit
    exit
    signatures 12000 0
    status
    enabled true
    exit
    exit
    signatures 12003 0
    status
    enabled false
    exit
    exit
    signatures 12020 0
    status
    enabled true
    exit
    exit
    exit
    service ssh-known-hosts
    exit
    service trusted-certificates
    exit
    service web-server
    exit
    service anomaly-detection ad0
    exit
    service external-product-interface
    exit
    service health-monitor
    memory-usage-policy
    enable true
    exit
    exit
    service analysis-engine
    virtual-sensor vs0
    physical-interface GigabitEthernet0/1
    exit
    exit

  • IPS Auto Update Failure

    Hi,
    I have auto update enabled on my AIP SSM 10. At the time of auto updates I have observed the following messages on the console:
    "Broadcast Message from IPS
    Applying update IPS-sig-S766-req-E4"
    It remains in this condition and then I have to do a hw-module reset to get it back again. Moreover, updates which were downloaded aren't applied.
    Kindly help.

    When signature auto-update failures are diagnosed, look at the HTTP error codes.
    IPS# show statistics host
    Auto Update Statistics
    lastDirectoryReadAttempt = 19:31:09 CST Thu Nov 18 2010
    = Read directory: https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl
    = Error: AutoUpdate exception: HTTP connection failed [1,110]   <--
    lastDownloadAttempt = 19:08:10 CST Thu Nov 18 2010
    lastInstallAttempt = 19:08:44 CST Thu Nov 18 2010
    nextAttempt = 19:35:00 CST Thu Nov 18 2010
    Message / Meaning:

    Message: Error: AutoUpdate exception: HTTP connection failed [1,110]
    Meaning: Authentication failed. Check the username and password.

    Message: status=false AutoUpdate exception: Receive HTTP response failed [3,212]
    Meaning: The request to the Auto Update server timed out.

    Message: Error: http error response: 400
    Meaning: Make sure the cisco-url setting is defaulted. If the CCO ID is greater than 32 characters in length, try a different CCO ID. This can be a limitation on the Cisco download server.

    Message: Error: AutoUpdate exception: HTTP connection failed [1,0]
    Meaning: Network issue prevented download or there is a potential issue with the download servers.

    Also keep in mind that the CCO username should not contain any special characters, for example, @. Refer to Cisco bug ID CSCsq30139 (registered customers only) for more information.
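
The message table from the reply above, applied to the "Auto Update Statistics" section of `show statistics host`, as an added example that is not part of the original reply or of any Cisco tool. The sample output is constructed (192.0.2.10 is a documentation address), and the set of characters treated as "special" in the username check is an assumption.

```python
import re

# Status fragments and meanings copied from the table in the reply above.
MEANINGS = [
    ("HTTP connection failed [1,110]",
     "Authentication failed. Check the username and password."),
    ("Receive HTTP response failed [3,212]",
     "The request to the Auto Update server timed out."),
    ("http error response: 400",
     "Make sure the cisco-url setting is defaulted; if the CCO ID is longer "
     "than 32 characters, try a different CCO ID."),
    ("HTTP connection failed [1,0]",
     "Network issue prevented download, or a potential issue with the "
     "download servers."),
]

FIELD_RE = re.compile(r"^\s*(lastDirectoryReadAttempt|lastDownloadAttempt|"
                      r"lastInstallAttempt|nextAttempt)\s*=\s*(.*\S)\s*$")
DETAIL_RE = re.compile(r"^\s*=\s*(Read directory|Error|Success):\s*(.*\S)\s*$")

# Constructed sample in the layout shown in this thread (not a real capture).
SAMPLE = """\
Auto Update Statistics
   lastDirectoryReadAttempt = 19:31:09 CST Thu Nov 18 2010
    =   Read directory: https://192.0.2.10//cgi-bin/front.x/ida/locator/locator.pl
    =   Error: AutoUpdate exception: HTTP connection failed [1,110]
   lastDownloadAttempt = N/A
   lastInstallAttempt = N/A
   nextAttempt = 19:35:00 CST Thu Nov 18 2010
Auxilliary Processors Installed
"""

def parse_auto_update(text):
    """Extract the Auto Update Statistics fields into a dict."""
    stats, in_section = {}, False
    for line in text.splitlines():
        if line.strip() == "Auto Update Statistics":
            in_section = True
        elif in_section:
            field, detail = FIELD_RE.match(line), DETAIL_RE.match(line)
            if field:
                stats[field.group(1)] = field.group(2)
            elif detail and detail.group(1) == "Read directory":
                stats["url"] = detail.group(2)
            elif detail:
                stats["status"], stats["message"] = detail.groups()
            else:
                break  # first unrelated line ends the section
    return stats

def meaning_for(message):
    """Return the table's meaning for a status message, or None if unlisted."""
    for fragment, meaning in MEANINGS:
        if fragment.lower() in message.lower():
            return meaning
    return None

def diagnose(stats):
    """Summarise the last directory read for an operator."""
    if "status" not in stats:
        return "No directory read result recorded."
    if stats["status"] == "Success":
        return "Directory read succeeded: " + stats["message"]
    return meaning_for(stats["message"]) or (
        "Error not listed in the table: " + stats["message"])

def cco_username_issues(name):
    """Flag the two CCO username limits mentioned in the reply."""
    issues = ["longer than 32 characters"] if len(name) > 32 else []
    # Assumption: anything outside letters, digits, '.', '_' and '-' is "special".
    if re.search(r"[^A-Za-z0-9._-]", name):
        issues.append("contains special characters")
    return issues

if __name__ == "__main__":
    print(diagnose(parse_auto_update(SAMPLE)))
```

A code such as [1,111], which appears in another post on this page, is not in the table, so `diagnose` reports it as unlisted rather than guessing a cause.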

  • IPS auto-update vs manual download

    Is there a delay in what's available via auto-update and updates that are available for manual download through cisco.com? I noticed today that S498 became available yesterday, but my IPS module in my ASA hasn't downloaded it automatically yet. When I do a #sh statistics host, I have a recent download attempt that says "Success: No installable auto update package found on server."
    Just wondering if there is a delay between manual and auto updates or if I need to be concerned that my auto-updates aren't working properly.
    Thanks!

    The "lastDirectoryReadAttempt" is when the last check occurred (should match your scheduled timing).  If the status is that there is no available update, that is as far as the process goes.  If an update is available, the sensor should attempt to download.
    The "lastDownloadAttempt" will indicate the last time an update download was found and the download was attempted.
    The "lastInstallAttempt" will indicate the last time an update was downloaded and install initiated.
    It does look like it checked at a point today and did not find an available update.  That your outputs are UTC, I cannot correlate when the check today was run in relation to the publishing of the latest update.  It may be that there is a cache engine between your sensor and Cisco, and it is indicating that there is nothing available.  I would give the process another 24 hours to update.
    Scott

  • IPS Auto Update not working

    The auto update is not working on the IPS. The current signature version is S502 but my IPS is S479
    show statistics host output
    Auto Update Statistics
       lastDirectoryReadAttempt = 05:35:12 GMT-05:00 Mon Jul 26 2010
        =   Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
        =   Success: No installable auto update package found on server
       lastDownloadAttempt = N/A
       lastInstallAttempt = N/A
       nextAttempt = 05:35:00 GMT-05:00 Tue Jul 27 2010
    Auxilliary Processors Installed
    show version output
    Application Partition:
    Cisco Intrusion Prevention System, Version 6.1(1)E3
    Host:
        Realm Keys          key1.0
    Signature Definition:
        Signature Update    S479.0                   2010-03-19
        Virus Update        V1.4                     2007-03-02
    OS Version:             2.4.30-IDS-smp-bigphys
    Platform:               ASA-SSM-10
    Serial Number:          JAF10241017
    Licensed, expires:      03-Sep-2010 UTC
    S479.

    It looks like the issue is that the IPS is running the E3 engine (6.1(1)E3).  All new updates require the E4 engine, so you'll have to update the sensor to 6.2(2)E4 or 7.0(4)E4.  Upgrade links and instructions can be found here:
    https://supportforums.cisco.com/docs/DOC-12212
