IOS IPS Automatic Signature Update

I will use cisco1941w.
I'd like to know, how to configure at CLI and where is the URL.
Is the below correct?
CLI
Router(config)# ip ips auto-update
Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
Router(config-ips-auto-update)# url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
Router(config-ips-auto-update)# username XXX password XXX
URL
https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

Hello,
A. Here is what the six files do:
• ios-ips-sigdef-default.xml: contains all the factory default signature definitions
• ios-ips-sigdef-delta.xml: contains signature definitions that have been changed from the default
• ios-ips-sigdef-typedef.xml: is a file that has all the signature parameter definitions
• ios-ips-sigdef-category.xml: has all the signature category information, such as category ios_ips basic and advanced
• ios-ips-seap-delta.xml: contains changes made to the default SEAP parameters
• ios-ips-seap-typedef.xml: contains all the SEAP parameter definitions
B. So the signature file (.pkg) is decompressed into these files and then 'idconf' loads them in memory.
Hence, to copy the signature database of one router to the other, we need to copy at least the first 4 files.
You only need to distribute the SEAP configuration if you modified any of the Signature Event Action Override configuration:
We do not have one single file that contains all the signatures. The signature package is installed in a certain way.
Hence we will need at least the first 4 files to copy the signature database from one router to the other.
C. Secondly, I don't know if auto-update will accept a file in .xmz package, I have not tested this.
But I am guessing it will look for a .pkg file and decompress it.
With copying a .xmz file, you may have to manually load it into memory using 'idconf' command.
D. Hence there is no one single configuration file that you copy off the external ftp server.
I guess, the only thing you can do is to have different routers update signatures at different times to reduce load on the network.
It is also not necessary to check for signature updates every hour.
Normal rate of adding new signature releases is every few days, so even if you check around once a day that should be ok.
Sid Chandrachud
TAC Security Solutions
Customer support engineer
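The answer above makes two scheduling points: checking every hour is unnecessary (once a day is enough), and different routers should check at different times to spread the load. The following is an added example, not code from the thread or from Cisco, that parses the `occur-at min hour date day` line shown in the question and helps choose such a schedule. The field semantics are an assumption (cron-like: minute, hour, day of month, day of week with 1 = Monday through 7 = Sunday); confirm the router's own behaviour against the IOS documentation before relying on it. The router names in the usage block are constructed.

```python
import datetime as dt

# Added example, not from the thread or from Cisco. Parses the
# "occur-at min hour date day" form used in the question above.
# ASSUMPTION: fields are cron-like (minute, hour, day-of-month,
# day-of-week with 1 = Monday ... 7 = Sunday).


def parse_field(spec, lo, hi):
    """Expand a field such as '0', '0-23' or '1,15' into a set of ints."""
    values = set()
    for part in spec.split(","):
        if "-" in part:
            a, b = (int(x) for x in part.split("-", 1))
        else:
            a = b = int(part)
        if not (lo <= a <= b <= hi):
            raise ValueError(f"field {spec!r} is outside {lo}-{hi}")
        values.update(range(a, b + 1))
    return values


def parse_occur_at(line):
    """Parse 'occur-at <min> <hour> <date> <day>' into four value sets."""
    tokens = line.split()
    if len(tokens) != 5 or tokens[0] != "occur-at":
        raise ValueError("expected: occur-at min hour date day")
    return {
        "minute": parse_field(tokens[1], 0, 59),
        "hour": parse_field(tokens[2], 0, 23),
        "date": parse_field(tokens[3], 1, 31),
        "day": parse_field(tokens[4], 1, 7),
    }


def fires_at(schedule, when_iso):
    """True if the router would check for an update in this minute."""
    when = dt.datetime.fromisoformat(when_iso)
    return (when.minute in schedule["minute"] and when.hour in schedule["hour"]
            and when.day in schedule["date"] and when.isoweekday() in schedule["day"])


def checks_per_week(schedule, start_iso):
    """Count the update checks in the seven days from start_iso, minute by minute."""
    t = dt.datetime.fromisoformat(start_iso).replace(second=0, microsecond=0)
    end = t + dt.timedelta(days=7)
    count = 0
    while t < end:
        if fires_at(schedule, t.isoformat()):
            count += 1
        t += dt.timedelta(minutes=1)
    return count


def staggered_schedule(router_names, window_start_hour=1, window_hours=4):
    """One daily check per router, spread evenly over a quiet window so that a
    fleet does not hit the update server in the same minute."""
    if window_start_hour + window_hours > 24:
        raise ValueError("window must end before midnight")
    slots = window_hours * 60
    n = len(router_names)
    lines = {}
    for i, name in enumerate(router_names):
        offset = (i * slots) // n          # minutes into the window
        hour = window_start_hour + offset // 60
        minute = offset % 60
        lines[name] = f"occur-at {minute} {hour} 1-31 1-7"
    return lines


if __name__ == "__main__":
    hourly = parse_occur_at("occur-at 0 0-23 1-31 1-5")   # the question's line
    print("hourly weekday checks per week:", checks_per_week(hourly, "2024-01-01T00:00"))
    # constructed router names
    for router, line in staggered_schedule(["cpe-01", "cpe-02", "cpe-03"]).items():
        print(router, line, checks_per_week(parse_occur_at(line), "2024-01-01T00:00"))
```

The question's `occur-at 0 0-23 1-31 1-5` produces 120 checks a week; a staggered daily line per router produces 7, which matches the advice that once a day is enough.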

Similar Messages

  • IOS IPS Important Notice - UPDATED

    IOS IPS customers running version 12.4T, 15.0M, or 15.1M - a critical software defect has been identified which may cause your router to reload and be stuck in a boot loop if IOS IPS signature version S639 or later is installed on the device. Recovery of impacted devices is possible only via a serial console connection through the device's ROMMON mode. For customers who are using IOS IPS signatures S638 or earlier, there is no issue. Customers wishing to upgrade the IOS IPS signature version to S639 or later must first be running a fixed version of IOS on the device prior to upgrading the IPS signatures.  Fixed versions of IOS include: 15.2(4)M, 15.1(3)T4, 15.2(3)T1, 15.1(4)M5, 12.4(24)T8 and later. Please refer to defect CSCtz27137 for additional details and steps to recover impacted devices.
    If you have upgraded your version of IOS to 15.2(4)M, 15.1(3)T4, 15.2(3)T1, 15.1(4)M5, 12.4(24)T8 or later, you can obtain the most recent signature updates by contacting the Cisco TAC.

    What is the most recent version of IOS IPS sig file that TAC can supply?
    I'm running IOS 15.2(4)M1 and, per your suggestion above to contact TAC for the most recent signature update, I requested a later version of IPS sig than S636.
    I was simply referred back to the standard download page and IPS sig file S636.

  • IPS/IDS Signature updates

    Just a quick question, will there be a charge for upgrading the signatures? In other words will you have to pay to download the new updates as they come out?

    What about the IOS IPS with 5.x? It looks like the IOS IPS doesn't support the 5.x signatures due to current engine support, yet I haven't been able to find an EOL on IOS IPS.

  • OOB warning during IPS 4260 signature update via CSM

    Hi,
    During the recent IPS signature updates via CSM, I have noticed that there was a warning (below).
    >OOB change detected - Out of Band(OOB)and sensor configuration change happened on device. But you selected to continue deployment in case of OOB. Continuing...
    What is the cause & impact of such an event?
    As I suspected there is a mismatch of configuration, my inline interfaces are no longer applied to the virtual sensor 'VS0'. Could it be due to the mis-synchronisation?
    Appreciate any advice.
    thanks
    cash

    CSM keeps an internal copy of the configuration it last pushed to the sensor.
    Each portion of the configuration has a configToken assigned to it by the sensor. The config token is a base 64 encoding of that configuration portion.
    Each time CSM goes to push a new configuration it will compare the configToken of its previously saved configuration for that sensor against the configToken of the configuration currently on the sensor.
    If the 2 configTokens match, then no configuration change has been made since the last time that CSM pushed a configuration to the sensor. CSM can safely push the new configuration to the sensor.
    If the 2 configTokens do not match, then an Out Of Band (OOB) configuration change has been made to the sensor. This means that the sensor's configuration has been modified by something other than CSM. This may have been a user changing something through the CLI or IDM instead of using CSM.
    In these situations CSM gives you the option of either stopping the push of the new configuration so the detected changes can be imported and evaluated by the user, or to go ahead and push the changes to the sensor.
    If you decide to go ahead and push the changes to the sensor, the outcome of the configuration change is not guaranteed.
    The sensor may wind up merging the OOB changes in with the new configuration from CSM, or the CSM changes may wind up overwriting the OOB changes.
    So telling CSM to push the new configuration even when OOB changes have been detected can be risky and can cause loss of some of your configuration.
    If you will be making changes with CLI or IDM, then it is always best to import those changes into CSM before making further configuration changes in CSM.
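    The configToken comparison described in the answer above, as an added example that is not CSM's code or part of the original post. It models the three outcomes: no drift, drift detected and the push stopped, and drift detected but the push forced, in which case the out-of-band edit is overwritten. The answer says the sensor derives the token from the configuration portion; here a SHA-256 digest of the section text stands in for it (an assumption; the exact encoding does not change the logic). The section names and contents in `walkthrough()` are constructed.

```python
import hashlib

# Added example, not CSM's code. Models the configToken check described in
# the thread. ASSUMPTION: the token is a SHA-256 digest of the section text.


def config_token(section_text):
    """Token for one configuration portion (stand-in for the sensor's token)."""
    return hashlib.sha256(section_text.encode("utf-8")).hexdigest()


class Sensor:
    """The managed device: holds named configuration portions."""

    def __init__(self, config):
        self.config = dict(config)

    def tokens(self):
        return {name: config_token(text) for name, text in self.config.items()}

    def apply(self, config):
        self.config.update(config)

    def cli_change(self, name, text):
        """A change made through the CLI or IDM, i.e. out of band for the manager."""
        self.config[name] = text


class Manager:
    """The manager (CSM in the thread): remembers the tokens of what it last pushed."""

    def __init__(self):
        self.last_pushed = {}

    def push(self, sensor, new_config, continue_on_oob=False):
        live = sensor.tokens()
        # Any section whose live token differs from the saved one changed out of band.
        oob = sorted(name for name, tok in self.last_pushed.items() if live.get(name) != tok)
        if oob and not continue_on_oob:
            # Safe path: stop so the operator can import and evaluate the changes.
            return {"pushed": False, "oob_sections": oob}
        # Risky path when oob is non-empty: the device's OOB edits may be overwritten.
        sensor.apply(new_config)
        self.last_pushed = sensor.tokens()
        return {"pushed": True, "oob_sections": oob}


def walkthrough():
    """Constructed scenario: a push, an out-of-band CLI edit, a blocked push, a forced push."""
    sensor = Sensor({"virtual-sensor vs0": "inline-interfaces pair0",
                     "signatures": "sig 2000 enabled"})
    csm = Manager()
    first = csm.push(sensor, {"signatures": "sig 2000 enabled\nsig 2004 enabled"})
    # Someone edits the virtual sensor on the CLI instead of in CSM.
    sensor.cli_change("virtual-sensor vs0", "inline-interfaces pair0 pair1")
    blocked = csm.push(sensor, {"signatures": "sig 3030 enabled"})
    forced = csm.push(sensor, {"virtual-sensor vs0": "inline-interfaces pair0",
                               "signatures": "sig 3030 enabled"}, continue_on_oob=True)
    # After the forced push the CLI edit (pair1) is gone, which is the loss the thread warns about.
    return first, blocked, forced, sensor.config["virtual-sensor vs0"]


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

    The blocked push is the outcome to prefer in operations: import the out-of-band change into the manager first, then push, so that the configuration of record and the device agree.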

  • How often ARE those IPS virus signatures updated?

    I was looking at a "show version" on one of my current sensors and noticed that the last virus signature was over 7 months ago. Now, one of the big reasons I was told we had to pay for our 5.x licenses was these virus signatures. If that's true, and this is the additional value Trend Micro has brought to our sensors, should they get updated a little more frequently?
    (from my sensor)
    Cisco Intrusion Prevention System, Version 5.1(1p1)S235.0
    Host:
    Realm Keys key1.0
    Signature Definition:
    Signature Update S235.0 2006-06-22
    Virus Update V1.2 2005-11-24

    The Virus Signature from Trend was one reason for the licensing in 5.x, but was not the only reason and was not even the primary reason.
    Even as far back as version 2.x a Support Contract was required for downloading and installation of signature updates. But was not enforced by the software. We relied on the users keeping the support contracts up to date on their own. Many users downloaded and installed signature updates without paying for the support contract. And the vast majority did not realize that a support contract was needed to receive the signature updates.
    With the lack of support contract purchases it became difficult to continue fielding a team for writing IPS signature updates.
    So in version 5.x it was decided to begin enforcing the purchase of support contracts through the use of Signature Update Licenses as part of the Cisco Service for IPS Contracts. Thus ensuring funding for the signature team, and allowing the team to spread out world wide for 24 hour coverage.
    The additional cost of a Cisco Service for IPS contract when compared to standard SmartNET contracts for other Cisco products is for the specific funding of the Cisco signature team, and a small amount sent to Trend for assistance in signature creation. Only a small portion of the support contract is paid to Trend Micro for their support.
    The Virus signatures are part of the Cisco Incident Control System (Cisco ICS). With the purchase of ICS there is a faster deployment of signature for Virus/Worms. When a virus or worm reaches a critical level then TrendMicro can create their own Virus signatures and have Cisco ICS deploy those signature to the sensors as soon as they are written.
    Cisco then includes these Virus signatures in a later standard Cisco signature update.
    Now as for why there have not been any recent updates to the Virus Signatures is that there has not been a major out break in the past 6/7 months. The virus signatures are only created on an emergency basis when a virus or worm reaches a critical level. Cisco ICS was specifically designed for handling virus and worm outbreaks, and is referred to as Outbreak Prevention.
    If the virus/worm does not reach a critical level, then the emergency Virus signatures are not created.
    Instead the Cisco signature team will take care of them as part of the standard Cisco signatures that are included as part of the standard S updates.
    This doesn't mean that we are not receiving information from Trend. For Virus/Worms that do not reach that critical level, the Trend team will instead send information to Cisco for creation of standard Cisco signatures by the Cisco signature team. This way the Cisco team can create a more general signature designed to catch all attacks for a certain vulnerability that will catch that specific virus/worm as well as future virus/worms that may also attempt to exploit the same vulnerability. These signatures wind up as part of the standard S update. This method is used because the Cisco signature team has more in depth knowledge of the various engines in Cisco IPS and can often write signatures that the Trend engineers would not be able to.
    It is only when the Trend Micro engineers need to create an emergency update that they will create their V signatures for the specific virus/worm.
    Otherwise they share the information with Cisco and the Cisco engineers create the signature.

  • IPS Signature Update. The IPS is left hanging.

    I have performed an IPS signature ID update; once the definitions have been updated the IPS is left hanging and I need to perform a reload. The config has been verified as not a possible cause for this adverse effect. Have people had issues of this sort? What would cause the IPS to effectively stall when the upgrade takes place? Any solutions?

    Please use the below troubleshoot guide
    http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113674-ips-automatic-signature-update-00.html#troubleshoot

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • 1841 IOS IPS online updates

    Hi,
    Can we configure 1841 IOS IPS to get automatic signature updates directly from the Cisco site? I know we can do it in other firewalls like SonicWall, Fortigate, etc.
    Regards
    Siva K

    Hi Siva,
    Yes, you can do it from the Cisco Security Manager, or you can try the following:
    Automatic Signature Update Guidelines
    When enabling automatic signature updates, it is recommended that you ensure
    the following configuration guidelines have been met:
    * The router's clock is set up with the proper relative time.
    * The frequency for Cisco IOS IPS to obtain updated signature information has
    been defined.
    * The URL in which to retrieve the Cisco IOS IPS signature configuration files
    has been specified.
    * Optionally, the username and password for which to access the files from the
    server have been specified.
    SUMMARY STEPS
    1. enable
    2. configure terminal
    3. ip ips auto-update
    4. occur-at min:hour date day
    5. username name password password
    6. url url
    7. exit
    8. show ip ips auto-update
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1079125
    regards
    Yesua

  • Signature updates for Cisco IPS 4510

    Hi there.
    I have one question for all Cisco IDS/IPS professionals. If the management port only accepts inbound traffic, how can I then activate my Cisco 4510 IPS appliance to get automatic signature updates from cisco.com? That requires outbound traffic too.
    Thanks.

    Your Management0/0 port only supports "to-the-box" traffic, which means that you can't use that port for an inline pair or a VLAN pair. But with the IP on that port configured, you can not only connect to your sensor, the sensor can also initiate connections to the rest of the network and so you can reach your update destinations.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Fully Automated signature updates to IPS

    Hi,
    Is there a way to fully automate signature updates? By that I mean something that automatically downloads updates from Cisco and then automatically pushes them to IPS.
    Thanks,
    Tanya

    I believe Cisco CSM does that. You could script it up yourself too. The sensors can be configured to check for updates from a local server on a frequent basis.

  • IOS IPS license

    Does anyone know if I need to buy a license for the IPS signature update of IOS routers. Thanks,

    Yes. You need to buy a license for the IPS signature update of IOS routers. For direct purchases this is included in SmartNet contract price for a given router.
    Partners can also purchase Cisco Services for IPS contract (signature update license) separately.
    Kemal Akozer
    IOS IPS Product Manager

  • Installing signature update for IDSM-2 on AIP-SSM

    Hi everyone, I'm not sure about this question but I think it's better to ask you experts. I want to know: if I have a signature update, for example for my IDSM-2, can I install this sig update on my AIP-SSM? Suppose that the IPS software on both devices is the same and I have also installed a valid license key on the AIP-SSM. Can I do this or not? I know that if you do not have a valid license installed on the IDSM-2 you can't install any sig update on the IDSM-2, but what about the AIP-SSM? I mean, can I install a sig update on the AIP-SSM without a valid license key installed on the AIP-SSM? Thanks

    There are 3 main types of Signature Updates.
    1) IPS Sensor Signature Updates
    2) CSM Signature Updates for IPS Sensors
    3) IOS IPS Signature Updates
    The IPS Signature Update filename is in the form: IPS-sig-Sxxx-req-Ey.pkg
    This is most likely what you are referring to in your post. This file can be installed on ANY IDS/IPS Appliance or Module.
    The Requirement here is not the platform but rather the Engine Level. The "req-Ey" portion of the filename tells you that the sensor must already be running the "y" Engine level of software.
    So an IPS-sig-S436-req-E3.pkg file can be installed on any IDS/IPS Appliance or Module so long as the software on that sensor is an "E3" version.
    The CSM updates are signature updates for the Cisco Security Manager. They contain special files that CSM uses to update itself, and then also included within the CSM update is the actual sensor update described above. CSM unpackages the CSM update, updates itself, and then uses that embedded file to upgrade the actual sensor.
    The third type of file is for IOS Routers loaded with special IOS software that has the special IOS IPS features where the Router itself (instead of a separate IDS/IPS module) does the signature monitoring.
    These IOS IPS Signature Updates get installed on the actual router, and are not installed on the IDS/IPS Sensor Appliances or Modules.
    So in answer to your question, yes the same Signature Update for your IDSM-2 is the exact same Signature Update for your SSM modules.
    The exact same file is available through multiple different paths on cisco.com. But it doesn't matter through which cisco.com path you downloaded the file you can still install it on all IDS/IPS Appliances and Modules.
    As for licensing, the license works the same on all IDS/IPS Appliances and Modules. A license must be on the sensor for the Signature Update to be applied.
    NOTE: A Trial License is available from cisco.com for new sensors to allow you time to get everything setup correctly for your sensor to be covered by a service contract, and get the standard license from the service contract.

  • Correct procedure to update IOS IPS signatures on 2911 router

    What is the correct procedure to update the IOS IPS signatures on an 2911 router?
    I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
    Thank you in advance!

    The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling many more signatures, and especially not every single signature as documented.
    The reason is that the package might include retired/old signatures only for reference, and not every single signature is required to protect your environment: you might not have the traffic for some signatures, or you might not have the end hosts that specific signatures are written for, so enabling them is irrelevant.
    Typically here is how customer would enable/disable signatures:
    - Use the default signature that is enabled by Cisco (the default should fit majority of the customers).
    - Monitor it for a couple of months
    - Disable those that you don't need, and enable others if you think you require it for specific.
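    The answer on signature update types above gives two package name forms, IPS-sig-Sxxx-req-Ey.pkg for sensor appliances and modules (installable only on a sensor already running engine level Ey, and only with a license on the sensor) and the router-side IOS IPS update, for which the question above uses the name IOS-S556-CLI.pkg. The following pre-install check is an added example, not code from the thread or from Cisco: it classifies a package by its name and refuses the wrong platform, the wrong engine level, a missing sensor license or a package that is not newer than what is installed. The IOS-Sxxx-CLI.pkg pattern is generalised from the one name on the page (an assumption), and CSM bundles are not recognised because the thread does not give their name.

```python
import re

# Added example, not from the thread or from Cisco. Package name forms are
# taken from the thread: IPS-sig-Sxxx-req-Ey.pkg (sensor) and IOS-Sxxx-CLI.pkg
# (IOS router; pattern generalised from the single name on the page, an
# ASSUMPTION). CSM bundle names are not given on the page, so they are unknown here.
SENSOR_PKG = re.compile(r"^IPS-sig-S(?P<sig>\d+)-req-E(?P<engine>\d+)\.pkg$")
IOS_PKG = re.compile(r"^IOS-S(?P<sig>\d+)-CLI\.pkg$")


def classify(filename):
    """Return the target platform, signature release and required engine level."""
    m = SENSOR_PKG.match(filename)
    if m:
        return {"target": "sensor", "signature": int(m["sig"]), "engine": int(m["engine"])}
    m = IOS_PKG.match(filename)
    if m:
        return {"target": "ios-router", "signature": int(m["sig"]), "engine": None}
    return {"target": "unknown", "signature": None, "engine": None}


def preinstall_check(filename, platform, engine_level, current_sig, license_ok):
    """Decide whether a package may be installed on a device.

    platform: 'sensor' (appliance or module) or 'ios-router'
    engine_level: the sensor's engine level (e.g. 3 for an E3 build), None for routers
    current_sig: installed S release number, or None if unknown
    license_ok: whether a valid license is present (checked for sensors, as the thread states)
    Returns (ok, reasons); reasons is empty when ok is True.
    """
    info = classify(filename)
    reasons = []
    if info["target"] == "unknown":
        reasons.append("unrecognised package name")
    elif info["target"] != platform:
        reasons.append(f"package is for {info['target']}, device is {platform}")
    if info["target"] == "sensor" and platform == "sensor":
        if info["engine"] != engine_level:
            reasons.append(f"requires engine E{info['engine']}, device runs E{engine_level}")
        if not license_ok:
            reasons.append("no valid license on sensor")
    if info["signature"] is not None and current_sig is not None and info["signature"] <= current_sig:
        reasons.append(f"S{info['signature']} is not newer than installed S{current_sig}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed device states; the package names are the ones quoted in the thread.
    for args in [("IPS-sig-S436-req-E3.pkg", "sensor", 3, 235, True),
                 ("IPS-sig-S436-req-E3.pkg", "sensor", 2, 235, True),
                 ("IOS-S556-CLI.pkg", "sensor", 3, 235, True),
                 ("IOS-S556-CLI.pkg", "ios-router", None, 500, True)]:
        print(args[0], args[1], preinstall_check(*args))
```

    The engine comparison is an equality test because the answer says the sensor "must already be running the y engine level"; if a platform documents forward compatibility, relax that line rather than the platform check.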

  • IOS IPS Signature Updates

    Hi,
    Is it possible to update signatures for IOS IPS or do we need to update the IOS to get more signatures?
    Thanks and rgds
    Rajesh

    hi,
    if you have cisco sdm, then it would be easy to update your IOS IPS signatures. You may need to upgrade IOS of the router only when the ips signature requires you to do it.

  • IOS IPS auto-update

    Hi,
    I have a couple of questions I hope people could answer:
    1) What recommendations/options are available for downloading signature files to a HTTP/TFTP server prior to having the IOS IPS device pull them from the server? Is there a way to automate the HTTP/TFTP server downloading the signatures? (Cron job or such)
    2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
    Hoping someone could answer these or help point me in the right direction to find the answer out.
    regards M

    I found this link which answers my one question.
    Cisco IOS Intrusion Prevention System (IPS)
    Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html
