IOS IPS Signature Updates
Hi,
Is it possible to update signatures for IOS IPS or do we need to update the IOS to get more signatures?
Thanks and rgds
Rajesh
Hi,
If you have Cisco SDM, it would be easy to update your IOS IPS signatures. You may need to upgrade the IOS of the router only when the IPS signature update requires you to do it.
Similar Messages
-
Is there a way to automate IOS IPS signature updates without CSM?
I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
Thanks in advance!
From IOS version 15.1(1)T, you can configure the IOS IPS to auto-update from cisco.com, which would help I believe.
Here is the configuration guide for your reference:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659 -
It seems like whenever there is an IDS sensor/appliance update for defending against the latest virus/worm, there is no update for IOS IPS signatures.
Case in point: on June 3 there was an IDS update for W32/Bobax.worm.o, S174. The IOS IPS zip file as of today is S169 from May 25. What gives?
Also, why aren't there any release notes for the IOS IPS zip files to document what was added? That way we can read them to judge whether we need to download the zip file or not.
There are a couple of extra steps in producing the IOS IPS signature update. The IOS IPS solution is a subset of the full appliance solution and is further constrained by memory limitations inherent in the routers that it runs in. Because of this, once the signature development team puts together an appliance update, that update has to be reviewed to make sure that the appliance signatures won't crash the IOS implementation. Any issues found during the review have to be addressed before the IOS update can be posted. This extra review step is the cause for the delay.
Regarding the release notes. The signatures usable by the IOS solution are a subset of the appliance update. You can look at the appliance update release notes to see what *might* be available. I say might because of the subset issues....
SC -
IOS IPS SIG Updates via IDSMDC
When using IDSMDC to push out updates for Sensors and IOS IPS devices, the signature update process pushes the updates to the sensors during the update process. However, the IOS IPS devices pull their signature definitions from the server itself.
So my question is, do you need to "Generate" and "Deploy" to all IOS IPS devices to ensure the devices are updated with the latest signature definitions after the update?
SHM
-
I would like to get some ideas about IOS IPS signature updates.
For example, currently the router is a fresh install using IOS-S416-CLI.pkg, IOS category ios_ips in advanced mode, with retired false.
Just wondering: if next time I download and load the latest IOS-SXXX-CLI.pkg into the machine, what will the effect be on the currently compiled signatures?
Will it just be loaded in incremental form (meaning the signatures in the latest patch will be added as newly enabled signatures)? Then what about the signatures I previously modified and saved, is there any effect on them (like re-writing my previously saved signatures)?
With the new patch installed, would it also affect the router's DRAM and flash usage? (My router has 384 MB DRAM and 128 MB flash.)
Thanks
Hi,
When you compile a new signature package on a router that carries an existing signature database, the signature configuration in the new signature package will supersede the router's existing database's signature configuration. Thus, if you have made changes to the signature database on your router, and you compile in an updated signature package that contradicts your changes, your changes will be overwritten and will need to be re-created.
You can avoid having to re-create your changes if you copy the "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" file to some other location on the router's local storage, and re-apply the original "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" to the updated signature database after you have compiled the updated signature package to the router's database.
And don't forget, the basic signature category is appropriate for routers with less than 128 MB of flash memory, and the advanced signature category is appropriate for routers with more than 128 MB of flash memory.
Hope this helps,
Thank You, -
Correct procedure to update IOS IPS signatures on 2911 router
What is the correct procedure to update the IOS IPS signatures on an 2911 router?
I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
Thank you in advance!
The IPS signature package comes with a list of pre-enabled signatures; hence Cisco does not recommend enabling a lot of other signatures, especially not every single signature, as documented.
The reason is that the package might include retired/old signatures only for reference, and not every single signature is required to protect your environment: you might not have the traffic for some signatures, or you might not have the end hosts that specific signatures are written for, so it becomes irrelevant if you enable them.
Typically, here is how customers would enable/disable signatures:
- Use the default signatures that are enabled by Cisco (the default should fit the majority of customers).
- Monitor it for a couple of months.
- Disable those that you don't need, and enable others if you think you require them for something specific. -
Hi,
I have a couple of questions I hope people could answer:
1) What recommendations/options are available for downloading signature files to an HTTP/TFTP server prior to having the IOS IPS device pull them from the server? Is there a way to automate the HTTP/TFTP server downloading the signatures? (Cron job or such)
2) Does the signature file name change each time a new signature file is released? If it does, would I have to go back to the router to update the URL string that is configured in the ip ips auto-update section? I would hate to have to update 200 CPE devices each time a new signature file is released.
Hoping someone could answer these or help point me in the right direction to find the answer out.
regards M
I found this link which answers one of my questions.
Cisco IOS Intrusion Prevention System (IPS)
Tuning, Deploying and Updating Cisco IOS IPS Signature Sets For Multiple-Device Deployments
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/white_paper_c11_549300.html -
IOS IPS auto-update without CSM
Hi,
We have 400 x 1811 routers on which we need to update the IPS signature definition and custom signatures.
What is the best way to do it without running CSM?
According to Cisco documentation, we need to add the auto-update command with an .XML extension. But when we load a .pkg in a router, the output is 4 different files. Unfortunately we can auto-update only one file. Which one do I need to load on our TFTP server?
All the examples from Cisco are using one single XML file.
Does a single file with the signature definition, category, default and type exist?
Since all our routers have the same IPS config, I thought I could use one router at the central office with the configuration we want, and somehow ask the remote routers to auto-update their XML file from that router, on which I would have activated a TFTP server.
Has anyone ever had to upgrade a lot of routers' IOS IPS signatures?
This can now be done in the 15.1T branch using cisco.com to download the update directly, see:
http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html#wp1040750
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue.html#wp1137583 -
Hi,
Can we configure 1841 IOS IPS to get automatic signature updates directly from the Cisco site? I know we can do it in other firewalls like SonicWall, Fortigate, etc.
Regards
Siva K
Hi Siva,
Yes, you can do it from Cisco Security Manager, or you can try the following:
Automatic Signature Update Guidelines
When enabling automatic signature updates, it is recommended that you ensure the following configuration guidelines have been met:
* The router's clock is set up with the proper relative time.
* The frequency for Cisco IOS IPS to obtain updated signature information has been defined.
* The URL from which to retrieve the Cisco IOS IPS signature configuration files has been specified.
* Optionally, the username and password with which to access the files from the server have been specified.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ips auto-update
4. occur-at min:hour date day
5. username name password password
6. url url
7. exit
8. show ip ips auto-update
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1079125
regards
Yesua -
IPS Signature Update - CSM v3.3 SP1
Hi,
I am getting the following error message when deploying IPS signature updates to some of my sensors via the CSM deployment tool:
"Failed to generate edit config delta for host component. Detail: Error while processing the host component with DNS,access-list or http-proxy"
The signature update actually deploys, but I am wondering what is causing this message. I get this with some 4240, 4255 and IDSM-II blades, but not with others and I can't see any config variances.
Does anyone have any ideas what is causing this message? The access ACLs are the same for each sensor.
Many thanks
Hi Liam,
As you mentioned you are using a shared policy, and the access ACLs for all sensors are the same, I assume that you may be using an "Allowed Hosts" shared policy.
In that case, how did you create that policy?
Did you create the policy from the policy view page, or did you right click on the "Allowed Hosts" setting of a device in device view and select "share policy" ?
If you did the first, you may be running into a known issue. You can read more about this on the bug toolkit:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg02063
This is the workaround that should work for you in case you are indeed running into this issue:
1. Rediscover or newly add any one IPS device running 7.x version
2. Create entries for "Allowed Hosts" according to requirements.
3. Right click on "Allowed Hosts", select "Share Policy..." and specify a name for shared policy.
4. Assign this "Allowed Hosts" shared policy to one or more devices.
5. Deployment should now be successful for "Allowed Hosts". -
Hello All,
Please can anyone provide the link to get the IPS signature update alerts.
Actually, I've found the notifications through the standard notification service to be ... less than reliable, at least for IPS signature releases.
I would suggest subscribing to the "IPS Threat Defense Bulletin", published by SIO:
http://tools.cisco.com/gdrp/coiga/showsurvey.do?surveyCode=380&keyCode=123668_4
It's worth noting that you might need to re-subscribe on a regular basis (slightly annoying). I've found that they just stop showing up after 9 months or so ... -
2651XM IPS Signature Update?
Hello,
I have a 2651XM 256MB/32MB running 12.4(25) and I would like to update the IPS signature file. I see that the last update for 256MB.sdf was from Aug 2008. The latest IPS I found is IPS-sig-S518-req-E4.pkg from
http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Intrusion+Prevention+System+%28IPS%29+Signature+Updates&mdfid=277801011&treeName=Security&mdfLevel=Model&url=null&modelName=Cisco+2651XM+Multiservice+Router&isPlatform=N&treeMdfId=268438162&modifmdfid=278279418&imname=Cisco+IDS+Access+Router+Network+Module&hybrid=Y&imst=Y
I've tried the commands
ip ips sdf location flash:\\IPS-sig-S518-req-E4.pkg
ip ips sdf location flash:IPS-sig-S518-req-E4.pkg
but when I apply IPS to an interface and run 'show ip ips all' no signatures load and I get a message 'invalid token'.
I also tried seeing if the latest SDM will help but nothing.
My question is, what is it that I am doing wrong or missing? Is my router too old to be able to get the latest signature files?
Any advice or guidance to the right direction is much appreciated.
Thanks
You have a version of IOS that includes the older version of the IOS IPS feature (referred to as v4). This release only supports signature updates using the SDF formatted files. These files are no longer updated.
The signature update file you found (ending in .pkg) is the signature update package supported by Cisco's IPS appliances and is not compatible with the IOS IPS feature set.
The current IOS IPS feature (referred to as v5) also makes use of .pkg files. You will need to upgrade the IOS of your 2651 to a release in the T train such as 12.4(24)T2 to obtain the latest IOS IPS feature release.
You can find out more about the IOS IPS feature set here:
http://www.cisco.com/go/iosips
For starting with IOS IPS v5:
http://www.cisco.com/en/US/products/ps6634/products_tech_note09186a008097db66.shtml
Scott -
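The confusion in this thread (an appliance IPS-sig-Sxxx-req-Exx.pkg loaded on a router, SDF files that are no longer updated, and the question above about file names changing with every release) comes down to recognising which kind of file you have and which signature level it carries. The following Python helper is an added example, not code from the thread or from Cisco; the naming patterns are assumptions derived only from the file names quoted in this thread, and the sample directory listing is constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumption: patterns derived from file names quoted in this thread only.
_PATTERNS = {
    # IOS-S556-CLI.pkg -> Cisco IOS IPS v5 CLI signature package
    "ios-ips-v5": re.compile(r"^IOS-S(?P<level>\d+)-CLI\.pkg$", re.IGNORECASE),
    # IPS-sig-S518-req-E4.pkg -> sensor/appliance package requiring engine E4
    "appliance": re.compile(r"^IPS-sig-S(?P<level>\d+)-req-E(?P<engine>\d+)\.pkg$",
                            re.IGNORECASE),
    # 256MB.sdf -> legacy IOS IPS v4 SDF file (no longer updated)
    "ios-ips-v4-sdf": re.compile(r"^(?P<name>[\w.-]+)\.sdf$", re.IGNORECASE),
}


@dataclass
class SigPackage:
    filename: str
    kind: str
    level: Optional[int]   # signature level Sxxx; None for SDF files
    engine: Optional[int]  # required engine Exx; appliance packages only


def parse_package(filename: str) -> SigPackage:
    """Classify a signature file by its name; ValueError for unknown names."""
    for kind, pattern in _PATTERNS.items():
        m = pattern.match(filename)
        if m:
            groups = m.groupdict()
            level = int(groups["level"]) if "level" in groups else None
            engine = int(groups["engine"]) if "engine" in groups else None
            return SigPackage(filename, kind, level, engine)
    raise ValueError(f"unrecognised signature file name: {filename}")


def usable_on_ios_ips_v5(pkg: SigPackage) -> bool:
    """Only the IOS-Sxxx-CLI.pkg format is the IOS IPS v5 package; appliance
    packages and SDF files are the two mistakes discussed in the thread."""
    return pkg.kind == "ios-ips-v5"


def newest_ios_package(filenames: Iterable[str]) -> Optional[SigPackage]:
    """Pick the IOS IPS v5 package with the highest signature level from a
    staging directory (e.g. the TFTP/HTTP server routers pull from)."""
    best = None
    for name in filenames:
        try:
            pkg = parse_package(name)
        except ValueError:
            continue  # readme files and the like are skipped
        if usable_on_ios_ips_v5(pkg) and (best is None or pkg.level > best.level):
            best = pkg
    return best


def needs_update(installed_level: int, candidate: SigPackage) -> bool:
    """True when the candidate is an IOS IPS v5 package newer than the router's."""
    return usable_on_ios_ips_v5(candidate) and candidate.level > installed_level


# Constructed sample listing using the file names quoted in this thread.
SAMPLE_DIR = ["IOS-S416-CLI.pkg", "IOS-S556-CLI.pkg",
              "IPS-sig-S518-req-E4.pkg", "256MB.sdf", "readme.txt"]

if __name__ == "__main__":
    for name in SAMPLE_DIR:
        try:
            pkg = parse_package(name)
            print(f"{name}: {pkg.kind}, IOS IPS v5 usable={usable_on_ios_ips_v5(pkg)}")
        except ValueError as err:
            print(err)
    best = newest_ios_package(SAMPLE_DIR)
    print("newest:", best.filename, "update from S416 needed:", needs_update(416, best))
```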
Hi Guys,
We have recently purchased a Cisco ISR 2921, and in its docs it is written that this product has a license for the IOS IPS signature file, but on the product's flash memory there is no IOS IPS sig-file, and when I try to download the sig-file from Cisco, it fails.
Can anyone tell me whether there is an alternate way to download the sig-file?
900 active signatures is quite a lot for a system that has no dedicated IPS resources.
But you can control which and how many signatures get enabled on your router:
In the following example I first disable all signatures and enable the ones for web servers. So just decide which signatures you need. But don't forget to monitor your router resources.
gw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
gw(config)#ip ips signature-category
gw(config-ips-category)#?
IPS signature category configuration commands:
category Category keyword
exit Exit from Category Mode
no Negate or set default values of a command
gw(config-ips-category)#category ?
adware/spyware Adware/Spyware (more sub-categories)
all All Categories
attack Attack (more sub-categories)
configurations Configurations (more sub-categories)
ddos DDoS (more sub-categories)
dos DoS (more sub-categories)
email Email (more sub-categories)
instant_messaging Instant Messaging (more sub-categories)
ios_ips IOS IPS (more sub-categories)
l2/l3/l4_protocol L2/L3/L4 Protocol (more sub-categories)
network_services Network Services (more sub-categories)
os OS (more sub-categories)
other_services Other Services (more sub-categories)
p2p P2P (more sub-categories)
reconnaissance Reconnaissance (more sub-categories)
releases Releases (more sub-categories)
specially_licensed_signature Specially Licensed Signature (more sub-categories)
telepresence TelePresence (more sub-categories)
uc_protection UC Protection (more sub-categories)
viruses/worms/trojans Viruses/Worms/Trojans (more sub-categories)
web_server Web Server (more sub-categories)
gw(config-ips-category)#category all
gw(config-ips-category-action)#retire true
gw(config-ips-category-action)#exit
gw(config-ips-category)#category web_server
gw(config-ips-category-action)#?
Category Options for configuration:
alert-severity Alarm Severity Rating
enabled Enable Category Signatures
event-action Action
exit Exit from Category Actions Mode
fidelity-rating Signature Fidelity Rating
no Negate or set default values of a command
retired Retire Category Signatures
gw(config-ips-category-action)#retired false
gw(config-ips-category-action)#exit
gw(config-ips-category)#exit
Do you want to accept these changes? [confirm]
gw(config)#
gw(config)#exit
gw#sh ip ips configuration | s IPS Signature Status
IPS Signature Status
Total Active Signatures: 131
Total Inactive Signatures: 4370
gw#
I didn't follow the thread and answered your first post to have fewer line breaks in this post. -
I would like to "fine tune" category ios_ips advanced (or basic) on IOS IPS.
Clearly ISR G2 is not able to support as many active/enabled signatures as we'd like to, so it would be nice to choose the ones we actually need.
Does anyone have a table with signature descriptions so one can easily choose?
I found the web site totally impractical... sorry Cisco guys...
Please help!
If you are using IME, there is a way to export a list of signatures. I have done this with the IPS 4255 and it might be the same for IOS IPS.
Under Configuration, go to Policy -> Signatures -> All Signatures. There is a function to Export the list of signatures, in either HTML or CSV format. -
IPS Signature Updates and CCO logins
I cannot seem to get my IPS 4255 on version 7.0(3)E4 to gather signature updates and I think it is because my CCO account is not set up correctly. I took a browse through the discussions (admittedly did not read them entirely) but can anyone point me to a discussion on how to set up my CCO account or give me instructions on what I need to do?
Thank You
Unprotected,
Jason Bielenda
Small correction.
The URL to create the account is https://tools.cisco.com/RPF/register/register.do
And you need an IPS services contract to get access to them.
There are trial licenses available too
https://tools.cisco.com/SWIFT/LicensingUI/demoPage