IOS IPS SIG Updates via IDSMDC

When using IDSMDC to push out updates for Sensors and IOS IPS devices, the signature update process pushes the updates to the sensors during the update process. However, the IOS IPS devices pull their signature definitions from the server itself.
So my question is, do you need to "Generate" and "Deploy" to all IOS IPS devices to ensure the devices are updated with the latest signature definitions after the update?
SHM

There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
SC

Similar Messages

  • IOS IPS Sig Updates

    It seems like whenever there is an IDS sensor/appliance update for defending against the latest virus/worm, there is no update for IOS IPS signatures.
    Case in point - on June 3 there was an IDS update for W32/Bobax.worm.o S174. The IOS IPS zip file as of today is S169 from May 25. What gives?
    Also, why aren't there any release notes for the IOS IPS zip files to document what was added? That way we can read it to judge if we need to download the zip file or not.

    There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
    Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
    SC

  • IOS IPS - Sig 4050 UDP Bomb apparent false alarms?

    Hi,
    I'm trying the IOS IPS solution out in a lab environment and I seem to be getting lots of false alarms on sig 4050 - UDP bomb. Looking at the signature description via go/mysdn, and looking at its configuration on the router via SDM, I can see it is simply looking for small UDP packets. But I don't know what size (the parameter is named ShortUDPLength and it's set to True).
    All NTP traffic kicks off this signature. Using Ethereal to capture the NTP exchange, I see that the communication in each direction is a single packet. The layer 2 frame length is 90 bytes. The UDP data length is 56 bytes. All of this seems fine. The NTP server is a Cisco router. The NTP client is running on a Windows 2000 workstation.
    Also, any TFTP to/from the router with IPS enabled also triggers the alert. Specifically it is the ACKs from the TFTP server that trigger the alert. They are indeed small packets - the UDP data size is only 12 bytes.
    Note, this same traffic does not cause alerts from a 5.0 IPS sensor. Looking at the signature definition on the sensor, it doesn't have a parameter named ShortUDPLength. Instead it has a parameter named udp-length-mismatch which is set to true. This doesn't seem to be keying off of a particular data size, but instead conflicting reports in the UDP header compared to the actual packet size.
    Any information that anyone could provide to shed light on this subject would be appreciated. Such as:
    1) Do you find that IOS IPS sig 4050 false alarms are common?
    2) What is the UDP data length that triggers the alert? It has to be bigger than 90 bytes!
    3) Does Cisco have any recommendations on what to do with this built in signature?
    Thanks,
    KEP

    On the sensor appliance side, the udp-length-mismatch checks for discrepancies between the ip header length and udp length of the packet. You were dead on, the signature triggers when the UDP length specified is less than the IP length specified. I'm not positive of exactly what the IOS ShortUDPLength parameter is.
    You provided some valuable information in that the same traffic doesn't trigger the alerts on the appliance, so we know that this is not the signature, but rather the implementation of it in IOS.
    I'm taking a bit of a leap here not knowing what IOS version you are running, but I'm guessing you may be running into CSCeh32935. The title states multicast, but the bug is not limited to just multicast traffic. This affects some 12.3T releases and early 12.4. Looks like 12.4(2)T or higher has fixes implemented.
    Since you're in a lab environment, I'd go ahead and upgrade the IOS on the router and see if that doesn't resolve the issue. If it's still there, open up a TAC case, and they'll be able to recreate the issue and file a new bug if necessary.

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • IOS IPS auto-update

    Hi,
    I have a couple of questions I hope people could answer:
    1) What recommendations/options are available for downloading signature files to a HTTP/TFTP server prior to having the IOS IPS device pull them from the server? Is there a way to automate the HTTP/TFTP server downloading the signatures? (Cron job or such)
    2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
    Hoping someone could answer these or help point me in the right direction to find the answer out.
    regards M

    I found this link which answers one of my questions.
    Cisco IOS Intrusion Prevention System (IPS)
    Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html

  • IOS IPS Signature Updates

    Hi,
    Is it possible to update signatures for IOS IPS or do we need to update the IOS to get more signatures?
    Thanks and rgds
    Rajesh

    Hi,
    If you have Cisco SDM, then it would be easy to update your IOS IPS signatures. You may need to upgrade the IOS of the router only when the IPS signature requires you to do it.

  • IOS IPS auto-update without CSM

    Hi,
    We have 400 x 1811 routers on which we need to update the IPS signature definition and custom signatures.
    What is the best way to do it without running CSM?
    According to Cisco documentation, we need to add the auto-update command with an .XML extension. But when we load a .pkg in a router, the output is 4 different files. Unfortunately we can auto-update only one file. Which one do I need to load on our TFTP server?
    All the examples from Cisco are using one single XML file.
    Does a single file with the signature definition, category, default and type exist?
    Since all our routers have the same IPS config, I thought I could use one router at the central office with the configuration we want, and somehow ask the remote routers to auto-update their XML file from that router, on which I would have activated a TFTP server.
    Anyone ever had to upgrade a lot of routers' IOS IPS signatures?

    This can now be done in the 15.1T branch using cisco.com to download the update directly, see :
    http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html#wp1040750
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue.html#wp1137583

  • 1841 IOS IPS online updates

    Hi,
    Can we configure 1841 IOS IPS to get automatic signature updates directly from cisco site. I know we can do it in other firewalls like sonicwall, fortigate, etc.
    Regards
    Siva K

    Hi Siva,
    Yes, you can do it from the Cisco Security Manager, or you can try
    Automatic Signature Update Guidelines
    When enabling automatic signature updates, it is recommended that you ensure
    the following configuration guidelines have been met:
    * The router's clock is set up with the proper relative time.
    * The frequency for Cisco IOS IPS to obtain updated signature information has
    been defined.
    * The URL in which to retrieve the Cisco IOS IPS signature configuration files
    has been specified.
    * Optionally, the username and password for which to access the files from the
    server have been specified.
    SUMMARY STEPS
    1. enable
    2. configure terminal
    3. ip ips auto-update
    4. occur-at min:hour date day
    5. username name password password
    6. url url
    7. exit
    8. show ip ips auto-update
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1079125
    regards
    Yesua

  • iPhone 5 doesn't work after an iOS 8.2 update via iTunes

    I was updating my iPhone 5 model A1429 via iTunes on my Windows 7 computer,
    it was extracting the software when my computer died and it was showing the Apple icon and a grey progress bar on the iPhone.
    When I turned on my computer again, iTunes said "unexpected error occurred, couldn't update the phone" or something like that and that's it.
    Since then iTunes doesn't recognize my device and on my iPhone there is still the Apple icon and the grey progress bar.
    What can I do?

    Hey Kristik24,
    I would like to recommend that you attempt to restore your iPhone using the steps in the following article:
    If you can't update or restore your iPhone, iPad, or iPod touch
    http://support.apple.com/kb/ht1808
    If you put your iPhone into recovery mode and your computer is still not recognizing the phone, use this article to help you address the issue:
    iOS: Device not recognized in iTunes for Windows
    http://support.apple.com/kb/ts1538
    Thanks for being a part of the Apple Support Communities!
    Regards,
    Braden

  • IOS IPS Important Notice - UPDATED

    IOS IPS customers running version 12.4T, 15.0M, or 15.1M - a critical software defect has been identified which may cause your router to reload and be stuck in a boot loop if IOS IPS signature version S639 or later is installed on the device. Recovery of impacted devices is possible only via a serial console connection through the device's ROMMON mode. For customers who are using IOS IPS signatures S638 or earlier, there is no issue. Customers wishing to upgrade the IOS IPS signature version to S639 or later must first be running a fixed version of IOS on the device prior to upgrading the IPS signatures.  Fixed versions of IOS include: 15.2(4)M, 15.1(3)T4, 15.2(3)T1, 15.1(4)M5, 12.4(24)T8 and later. Please refer to defect CSCtz27137 for additional details and steps to recover impacted devices.
    If you have upgraded your version of IOS to 15.2(4)M, 15.1(3)T4, 15.2(3)T1, 15.1(4)M5, 12.4(24)T8 or later you can obtain the most recent signature updates by contacting the Cisco TAC.

    What is the most recent version of IOS IPS sig file that TAC can supply?
    I'm running IOS 15.2(4)M1 and, per your suggestion above to contact TAC for the most recent signature update, I requested a later version of IPS sig than S636.
    I was simply referred back to the standard download page and IPS sig file S636.

  • OOB warning during IPS 4260 signature update via CSM

    Hi,
    During the recent IPS signature updates via CSM, I have noticed that there was a warning (below).
    >OOB change detected - Out of Band(OOB)and sensor configuration change happened on device. But you selected to continue deployment in case of OOB. Continuing...
    What is the cause & impact of such an event?
    As I suspected there is a mismatch of configuration, my inline interfaces are no longer applied to the virtual sensor 'VS0'. Could it be due to the mis-synchronisation?
    Appreciate any advice.
    thanks
    cash

    CSM keeps an internal copy of the configuration it last pushed to the sensor.
    Each portion of the configuration has a configToken assigned to it by the sensor. The config token is a base 64 encoding of that configuration portion.
    Each time CSM goes to push a new configuration it will compare the configToken of its previously saved configuration for that sensor against the configToken of the configuration currently on the sensor.
    If the 2 configTokens match, then no configuration change has been made since the last time that CSM pushed a configuration to the sensor. CSM can safely push the new configuration to the sensor.
    If the 2 configTokens do not match, then an Out Of Band (OOB) configuration change has been made to the sensor. This means that the sensor's configuration has been modified by something other than CSM. This may have been a user changing something through the CLI or IDM instead of using CSM.
    In these situations CSM gives you the option of either stopping the push of the new configuration so the detected changes can be imported and evaluated by the user, or to go ahead and push the changes to the sensor.
    If you decide to go ahead and push the changes to the sensor, the outcome of the configuration change is not guaranteed.
    The sensor may wind up merging the OOB changes in with the new configuration from CSM, or the CSM changes may wind up overwriting the OOB changes.
    So telling CSM to push the new configuration even when OOB changes have been detected can be risky and can cause loss of some of your configuration.
    If you will be making changes with CLI or IDM, then it is always best to import those changes into CSM before making further configuration changes in CSM.
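    The configToken comparison described in the reply above, as an added illustration that is not CSM's or the sensor's code: the portion names, the sample configuration text and the "import" helper are constructed for this example, and the only behaviour taken from the reply is that a token is a base64 encoding of a configuration portion and that a mismatch against the last-pushed token means an out-of-band change.

```python
import base64

# Constructed sample: a sensor's configuration exposed as named "portions".
# The names and text are assumptions for illustration, not the real schema.
LAST_PUSHED = {
    "interfaces": "inline-interfaces: GigabitEthernet0/0 GigabitEthernet0/1",
    "virtual-sensor": "vs0: inline-interfaces pair0; signature-definition sig0",
    "signatures": "signature-definition sig0: S636",
}


def config_token(portion_text: str) -> str:
    """configToken for one portion: base64 of that portion's text (per the reply)."""
    return base64.b64encode(portion_text.encode("utf-8")).decode("ascii")


def saved_tokens_after_push(pushed_config: dict) -> dict:
    """What CSM records after a successful push: one token per portion."""
    return {name: config_token(text) for name, text in pushed_config.items()}


def detect_oob(saved_tokens: dict, current_config: dict) -> list:
    """Names of portions whose current token differs from the token CSM saved
    at its last push, i.e. changes made out of band (CLI, IDM, ...)."""
    return sorted(
        name
        for name, text in current_config.items()
        if saved_tokens.get(name) != config_token(text)
    )


def plan_deployment(saved_tokens: dict, current_config: dict,
                    continue_on_oob: bool = False) -> dict:
    """Mirror the choice CSM offers: stop so the OOB changes can be imported,
    or push anyway, in which case the merge outcome is not guaranteed."""
    oob = detect_oob(saved_tokens, current_config)
    if not oob:
        return {"action": "push", "oob_portions": [], "guaranteed": True}
    if continue_on_oob:
        return {"action": "push", "oob_portions": oob, "guaranteed": False}
    return {"action": "stop", "oob_portions": oob, "guaranteed": True}


def import_oob(saved_tokens: dict, current_config: dict) -> dict:
    """Re-sync CSM's record with what is on the sensor (the safe path the reply
    recommends): after this, the same config no longer reports OOB changes."""
    updated = dict(saved_tokens)
    for name in detect_oob(saved_tokens, current_config):
        updated[name] = config_token(current_config[name])
    return updated


# Constructed scenario: after the push, someone used the CLI and the virtual
# sensor lost its inline interface pair, as the original poster observed.
SAVED = saved_tokens_after_push(LAST_PUSHED)
CURRENT = dict(LAST_PUSHED)
CURRENT["virtual-sensor"] = "vs0: signature-definition sig0"

if __name__ == "__main__":
    print(plan_deployment(SAVED, CURRENT))                # stop, ['virtual-sensor']
    print(plan_deployment(SAVED, CURRENT, True))          # push, not guaranteed
    print(plan_deployment(import_oob(SAVED, CURRENT), CURRENT))  # push, guaranteed
```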

  • IOS IPS Signature-File

    Hi Guys,
    We have recently purchased a Cisco ISR 2921, and in its docs it is written that this product has a license for the IOS IPS Signature File, but on the product's flash memory there is no IOS IPS sig-file, and when I try to download the sig-file from Cisco, it fails.
    Can anyone tell me an alternate way to download the sig-file?

    900 active signatures is quite a lot for a system that has no dedicated IPS resources.
    But you can control which and how many signatures get enabled on your router:
    In the following example I first disable all signatures and enable the ones for web servers. So just decide which signatures you need. But don't forget to monitor your router resources.
    gw#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    gw(config)#ip ips signature-category
    gw(config-ips-category)#?
    IPS signature category configuration commands:
      category  Category keyword
      exit      Exit from Category Mode
      no        Negate or set default values of a command
    gw(config-ips-category)#category ?
      adware/spyware                Adware/Spyware (more sub-categories)
      all                           All Categories
      attack                        Attack (more sub-categories)
      configurations                Configurations (more sub-categories)
      ddos                          DDoS (more sub-categories)
      dos                           DoS (more sub-categories)
      email                         Email (more sub-categories)
      instant_messaging             Instant Messaging (more sub-categories)
      ios_ips                       IOS IPS (more sub-categories)
      l2/l3/l4_protocol             L2/L3/L4 Protocol (more sub-categories)
      network_services              Network Services (more sub-categories)
      os                            OS (more sub-categories)
      other_services                Other Services (more sub-categories)
      p2p                           P2P (more sub-categories)
      reconnaissance                Reconnaissance (more sub-categories)
      releases                      Releases (more sub-categories)
      specially_licensed_signature  Specially Licensed Signature (more sub-categories)
      telepresence                  TelePresence (more sub-categories)
      uc_protection                 UC Protection (more sub-categories)
      viruses/worms/trojans         Viruses/Worms/Trojans (more sub-categories)
      web_server                    Web Server (more sub-categories)
    gw(config-ips-category)#category all
    gw(config-ips-category-action)#retire true
    gw(config-ips-category-action)#exit              
    gw(config-ips-category)#category web_server
    gw(config-ips-category-action)#?
    Category Options for configuration:
      alert-severity   Alarm Severity Rating
      enabled          Enable Category Signatures
      event-action     Action
      exit             Exit from Category Actions Mode
      fidelity-rating  Signature Fidelity Rating
      no               Negate or set default values of a command
      retired          Retire Category Signatures
    gw(config-ips-category-action)#retired false
    gw(config-ips-category-action)#exit
    gw(config-ips-category)#exit
    Do you want to accept these changes? [confirm]
    gw(config)#
    gw(config)#exit
    gw#sh ip ips configuration | s IPS Signature Status
    IPS Signature Status
        Total Active Signatures: 131
        Total Inactive Signatures: 4370
    gw#
    I didn't follow the thread and answered your first post to have less line-breaks in this post.

  • IPS signature update

    I would like to get some ideas for IOS IPS signature updates.
    For example, currently the router is a fresh install using IOS-S416-CLI.pkg, IOS category ios_ips in advanced mode, with retired false.
    Just wondering, if next time I download and load the latest patch of the IOS-SXXX-CLI.pkg into the machine, what will the effect be on the currently compiled signatures?
    Will it just be loaded in incremental form? (Meaning, will the signatures in the latest patch be added as newly enabled signatures?) Then what about the signatures I previously modified and saved, any effect on them? (Like re-writing my previously saved signatures.)
    With the new patch installed, would it also affect the router DRAM and flash size? (My router has 384 MB DRAM and 128 MB flash.)
    thanks

    Hi,
    When you compile a new signature package on a router that carries an existing signature database, the signature configuration in the new signature package will supersede the router's existing database's signature configuration. Thus, if you have made changes to the signature database on your router, and you compile in an updated signature package that contradicts your changes, your changes will be overwritten!!, and will need to be re-created.
    You can avoid having to re-create your changes if you copy the "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" file to some other location on the router's local storage, and re-apply the original "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" to the updated signature database after you have compiled the updated signature package to the router's database.
    And don't forget, the basic signature category is appropriate for routers with less than 128 MB of flash memory, and the advanced signature category is appropriate for routers with more than 128 MB of flash memory.
    Hope this helps,
    Thank You,

  • IPhone 5 constant crashing after iOS 8.0 Update and Factory Reset!!

    So...thanks Apple! You completely bricked my phone with the most recent update.
    Status since 9/17....
    * Performed iOS 8.0 update via iTunes on my iPhone 5.
    * No issues whatsoever until Saturday 9/20 around 5pm
    * Phone starts resetting incessantly about every 5-10 minutes.
    * Performed hard reset. No luck.
    * Uninstalled apps since update. No luck.
    * Noticed upon some crashes the screen goes totally janky (maybe graphics chip failure?)
    * This morning decided to run full factory reset, hoping all would be fixed.
    * Resetting issues start almost immediately and are continuing.
    I'm not too excited about going into the Apple store given all the iOS 8.0 issues and fan-boys buying the newest 6 (holding out for 6s if possible).
    Has anyone else out there had a similar experience?
    Thank you in advance,

    SO, the constant reboots have stopped, but now have significant charging issues.
    * % charge doesn't increase on multiple different charging cables
    * hard reset doesn't solve

  • 1st gen iPod Touch with iOS 3.1.3 - update via wi-fi?

    That's basically it.  I found my old 1st gen iPod Touch and wanted to update the iOS, but I am away from my computer with iTunes. 
    I do have wi-fi though.
    I tried via Settings->General->Update.  But it doesn't have an update option in settings.
    Anyone? 

    A 1G iPod Touch cannot be updated past iOS 3.1.3. Only the 3G and 4G iPod touch models can run iOS 5 or later, which added the ability to update via the Settings app.
    B-rock
