IPS/IDS Signature updates

Similar Messages

• IDS Signature update S(184)

  The IDS signature update S(184) included [MS plug and play - 6131] This particulare SIG ID is disable, and the severity is Information. is there is any one know how to enable it and change it to high?
  thnak you

  You can use IDM (https://) to change the severity and enable the signature. The other management platforms also provide you a meands to change it as well.

• IDS Signature Updates

  When I update my IDS sensors using the IDS MC 3 of my 4 sensors hang. They never restart all of the services. When I telnet to them I get the message "Error: Cannot communicate with system processes. Please contact your system admi
  nistrator.". The IDS MC progress veiwer shows 100% but with errors. It's errors are :Sensor Int_IDS1: Signature Update Process
  An error occurred while running the update script on the sensor named Int_IDS1. Detail = An RDEP communication error occurred during the update. Exception message = org.apache.commons.httpclient.HttpRecoverableException: Error in parsing the status line from the response: unable to find line starting with "HTTP"
  One sensor works fine with no problems.
  I have tried upgrading the sensors individually through IDSMC and the same 3 fail with the same error message. I have tried doing it through command line and ftp and the same 3 fail. The 3 sensors that fail are 4235's and the successful sersor is a 4250 XL.

  If you are not running the 'f' patch on your sensors, 4.1.4(f), you should download and install that patch. It fixes some out-of-memory on upgrade issues that are most likely the cause of your problem.
  The patch location is posted in another thread.

• IOS IPS Automatic Signature Update

  I will use cisco1941w.
  I'd like to know, how to configure at CLI and where is the URL.
  Is the bellow correct?
  CLI
  Router(config)# ip ips auto-update
  Router(config-ips-auto-update)# occur-at 0 0-23 1-31 1-5
  Router(config-ips-auto-update)# url https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl
  Router(config-ips-auto-update)# username XXX password XXX
  URL
  https://www.cisco.com/cgi-bin/front.x/ida/locator/locator.pl

  Hello,
  A. Hete is what the six files do:
  • ios-ips-sigdef-default.xml: contains all the factory default signature definitions
  • ios-ips-sigdef-delta.xml: contains signature definitions that have been changed from the default
  • ios-ips-sigdef-typedef.xml: is a file that has all the signature parameter definitions
  • ios-ips-sigdef-category.xml: has all the signature category information, such as category ios_ips basic and advanced
  • ios-ips-seap-delta.xml: contains changes made to the default SEAP parameters
  • ios-ips-seap-typedef.xml: contains all the SEAP parameter definitions
  B. So the signature file (.pkg) is decompressed into these files and then 'idconf' loads them in memory.
  Hence to copy signature database of one router to the other, we need to copy atleast first 4 files.
  You only need to distribute the SEAP configuration if you modified any of the Signature Event Action Override configuration:
  We do not have one single file that contains all the signatures.  The signature package is installed in a certain way.
  Hence we will need atleast first 4 files to copy of signature database from one router to the other.
  C. Secondly, I dont know if auto-update will accept a file in .xmz package, I have not tested this.
  But I am guessing it will look for a .pkg file and decompress it.
  With copying a .xmz file, you may have to manually load it into memory using 'idconf' command.
  D. Hence there is no one single configuration file that you copy off the external ftp server.
  I guess, the only thing you can do is to have different routers update signatures at different times to reduce load on the network.
  It is also not necessary to check for signature updates every hour.
  Normal rate of adding new signature releases is every few days, so even if you check around once a day that should be ok.
  Sid Chandrachud
  TAC Security Solutions
  Customer support engineer

• OOB warning during IPS 4260 signature update via CSM

  Hi,
  During the recent IPS signatures updates via CSM, i have noticed that there was warning (below).
  >OOB change detected - Out of Band(OOB)and sensor configuration change happened on device. But you selected to continue deployment in case of OOB. Continuing...
  what is the cause & impact of such event?
  As i suspected there is a mismatch of configuration, my inline interfaces are no longer applied to the virtual sensor 'VS0'. Could it be due to the mis-synchronisation?
  Apprepriate for any advice.
  thanks
  cash

  CSM keeps an internal copy of the configuration it last pushed to the sensor.
  Each portion of the configuration has a configToken assigned to it by the sensor. The config token is a base 64 encoding of that configuration portion.
  Each time CSM goes to push a new configuration it will compare the configToken of it's previously saved configuration for that sensor against the configToken of the configuration currently on the sensor.
  If the 2 configTokens match, then no configuration change has been made since the last time that CSM pushed a configuration to the sensor. CSM can safely push the new configuration to the sensor.
  If the 2 configTokens do not match, then an Out Of Band (OOB) configuration change has been made to the sensor. This means that the sensor's configuration has been modified by something other than CSM. This may have been a user changing something through the CLI or IDM instead of using CSM.
  In these situations CSM gives you the option of either stopping the push of the new configuration so the detected changes can be imported and evaluated by the user, or to go ahead and push the changes to the sensor.
  If you decide to go ahead and push the changes to the sensor, the outcome of the configuration change is not guaranteed.
  The sensor may wind up merging the OOB changes in with the new configuration from CSM, or the CSM changes may wind up overwriting the OOB changes.
  So telling CSM to push the new configuration even when OOB changes have been detected can be risky and can cause loss of some of your configuration.
  I fyou will be making changes with CLI or IDM, then it is always best to import those changes into CSM before making further configuration changes in CSM.

• How often ARE those IPS virus signatures updated?

  I was looking at a "show version" on one of my current sensors and noticed that the last virus signature was over 7 months ago. Now, one of the big reasons I was told we had to pay for our 5.x licenses was these virus signatures. If that's true, and this is the additional value Trend Micro has brought to our sensors, should they get updated a little more frequently?
  (from my sensor)
  Cisco Intrusion Prevention System, Version 5.1(1p1)S235.0
  Host:
  Realm Keys key1.0
  Signature Definition:
  Signature Update S235.0 2006-06-22
  Virus Update V1.2 2005-11-24

  The Virus Signature from Trend was one reason for the licensing in 5.x, but was not the only reason and was not even the primary reason.
  Even as far back as version 2.x a Support Contract was required for downloading and installation of signature updates. But was not enforced by the software. We relied on the users keeping the support contracts up to date on their own. Many users downloaded and installed signature updates without paying for the support contract. And the vast majority did not realize that a support contract was needed to receive the signature updates.
  With the lack of support contract purchases it became difficult to continue fielding a team for writing IPS signature updates.
  So in version 5.x it was decided to begin enforcing the purchase of support contracts through the use of Signature Update Licenses as part of the Cisco Service for IPS Contracts. Thus ensuring funding for the signature team, and allowing the team to spread out world wide for 24 hour coverage.
  The additional cost of a Cisco Service for IPS contract when compared to standard SmartNET contracts for other Cisco products is for the specific funding of the Cisco signature team, and a small amount sent to Trend for assistance in signature creation. Only a small portion of the support contract is paid to Trend Micro for their support.
  The Virus signatures are part of the Cisco Incident Control System (Cisco ICS). With the purchase of ICS there is a faster deployment of signature for Virus/Worms. When a virus or worm reaches a critical level then TrendMicro can create their own Virus signatures and have Cisco ICS deploy those signature to the sensors as soon as they are written.
  Cisco then includes these Virus signatures in a later standard Cisco signature update.
  Now as for why there have not been any recent updates to the Virus Signatures is that there has not been a major out break in the past 6/7 months. The virus signatures are only created on an emergency basis when a virus or worm reaches a critical level. Cisco ICS was specifically designed for handling virus and worm outbreaks, and is referred to as Outbreak Prevention.
  If the virus/worm does not reach a critical level, then the emergency Virus signatures are not created.
  Instead the Cisco signature team will take care of them as part of the standard Cisco signatures that are included as part of the standard S updates.
  This doesn't mean that we are not receiving information from Trend. For Virus/Worms that do not reach that critical level, the Trend team will instead send information to Cisco for creation of standard Cisco signatures by the Cisco signature team. This way the Cisco team can create a mroe general signature designed to catch all attacks for a certain vulnerability that will catch that specific virus/worm as well as future virus/worms that may also attempt to exploit the same vulnerability. These signatures wind up as part of the standard S update. This method is used because the Cisco signature team has more in depth knowledge of the various engines in Cisco IPS and can often write signatures that the Trend engineers would not be able to.
  It is only when the Trend Micro engineers need to create an emergency update that they will create their V signatures for the specific virus/worm.
  Otherwise they share share the information with Cisco and the Cisco engineers creates the signature.

• Cisco IDS signature update vs. Snort

  Greetings all
  I have a question for anyone using any Cisco IDS products.
  How often the Cisco IDS/IDSM update it's signatures and are the updates
  comparable to Snort? Example: An exploit is known...Snort publishes an
  update...can a similar update be found for Cisco IDS?
  Regards
  Fredrik Hofgren

  Cisco does not update as frequently or completely as Snort. Cisco also tends to give much higher priority to releasing signatures on vulnerabilities that affect their own products. There are also many signatures released for Snort that never seem to make their way to Cisco from what we have seen.

• IPS Signature Update. The IPS is left hanging.

  I have performed a IPS signature ID update once the definition have been updated the IPS is left hanging and I need to perform a reload.  The config has been verified as not a possible cause for this adverse effect.  Have people had issue of this sort? What would cause the IPS to effectively stall when upgrade takes place? Any solutions?

  Please use the below troubleshoot guide
  http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113674-ips-automatic-signature-update-00.html#troubleshoot

• Installing signature update for IDSM-2 on AIP-SSM

  Hi every one,im not sure about this question but i think its beter to ask you experts.i want to know that if i have signature update for example for my IDSM-2 can i instal this sig update on my AIP-SSM --> suppose that IPS software on both devices are same and also i have installed valid license key on AIP-SSM.now can i do this or no? and i know that if you have not valid license installed on IDSM-2 you cant instal any sig update on IDSM-2 but what about AIP-SSM?i mean can i instal sig update on AIP-SSM without installed valid license key on AIP-SSM? thanks

  There are 3 main types of Signature Updates.
  1) IPS Sensor Signature Updates
  2) CSM Signature Updates for IPS Sensors
  3) IOS IPS Signature Updates
  The IPS Signature Update filename is in the form: IPS-sig-Sxxx-req-Ey.pkg
  This is most likely what you are referrnig to in your post. This file can be installed on ANY IDS/IPS Appliance or Module.
  The Requirement here is not the platform but rather the Engine Level. The "req-Ey" portion of the filename tells you that the sensor must already be running the "y" Engine level of software.
  So an IPS-sig-S436-req-E3.pkg file can be installed on any IDS/IPS Appliance or Module so long as the software on that sensor is an "E3" version.
  The CSM updates, are signature updates for the Cisco Security Manager. They contain special files that CSM uses to update itself, and then also included within the CSM update is the actual sensor update described above. CSM unpackages the CSM update, updates itself, and then uses that embedded file to upgrade the actual sensor.
  The third type of file is for IOS Routers loaded with special IOS software that has the special IOS IPS features where the Router itself (instead of a separate IDS/IPS module) does the signature monitoring.
  These IOS IPS Signature Updates get installed on the actual router, and are not installed on the IDS/IPS Sensor Appliances or Modules.
  So in answer to your question, yes the same Signature Update for your IDSM-2 is the exact same Signature Update for your SSM modules.
  The exact same file is available through multiple different paths on cisco.com. But it doesn't matter through which cisco.com path you downloaded the file you can still install it on all IDS/IPS Appliances and Modules.
  As for licensing, the license works the same on all IDS/IPS Appliances and Modules. A license must be on the sensor for the Signature Update to be applied.
  NOTE: A Trial License is available from cisco.com for new sensors to allow you time to get everything setup correctly for your sensor to be covered by a service contract, and get the standard license from the service contract.

• IDS/IPS Signatures Update

  Hi,
  I have one question regarding signatures update, are the Cisco new signatures include the new updates plus the old ones or just the difference between the latest update and the previous one?
  If I have an IPS which has never been updated for a year let's say, is it just enough to install the latest signature update and the latest Service pack? Does the service pack include signatures as well when applied?
  Please advise!
  Thanks,
  Haitham

  A signature update will contain all Cisco signatures that have been released so far. A service pack will be bundled with a signature update, but not necessarily the latest one. So you should first apply the latest service pack and then apply the latest signature update.

• Is there a way to automate IOS IPS signature updates without CSM?

  I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
  I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier becasue it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
  Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wron "warnings" that CSM spews.
                 Thanks in advance!

  From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
  Here is the configuration guide for your reference:
  http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

• Problem updating signature updates in IDS 4215

  Problem upgrading the signatures of IDS 4215
  I have to upgrade the signature file of ids 4215. The latest signature update version is IDS-sig-4.1-5-S252. To upgrade the signature file I install the service pack IDS-K9-sp-4.1-5-S189. The service pack was installed properly but while updating the signatures it is giving the following error
  Error: Cannot communicate with mainApp (getVersion). Please contact your system
  Administrator.
  Would you like to run cidDump? [No]:
  Procedure Followed
  I installed a ftp server in the network and put the signature update file there. I then issued the command
  upgrade ftp://[email protected]/5Dp--5-S2s52.ir
  Pmg.pk-g4.1-5-S252.rpm.pkg
  After that it gave me the above error
  Question
  How can I recover the image while recovery partition is already there?
  The snapshot of the procedure that I followed is given below
  login: cisco
  Password:
  ***NOTICE***
  This product contains cryptographic features and is subject to United States
  and local country laws governing import, export, transfer and use. Delivery
  of Cisco cryptographic products does not imply third-party authority to import,
  export, distribute or use encryption.
  http://www.cisco.com/wwl/export/crypto
  If you require further assistance please contact us by sending email to
  [email protected].
  customer-ids4215#
  customer-ids4215# sh ver
  customer-ids4215# sh version
  Application Partition:
  Cisco Systems Intrusion Detection Sensor, Version 4.1(5)S189
  OS Version 2.4.26-IDS-smp-bigphys
  Platform: IDS-4215
  Using 424386560 out of 460161024 bytes of available memory (92% usage)
  Using 4.4G out of 17G bytes of available disk space (27% usage)
  MainApp 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  AnalysisEngine 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  Authentication 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  Logger 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  NetworkAccess 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  TransactionSource 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  WebServer 2005_Sep_01_21.30 (Release) 2005-09-01T21:30:35-0500 R
  unning
  CLI 2005_Aug_02_10.53 (Release) 2005-08-02T10:25:35-0500
  Upgrade History:
  * IDS-sig-4.1-4-S119 17:29:28 UTC Sat Oct 16 2004
  IDS-K9-sp-4.1-5-S189.rpm.pkg 09:28:03 UTC Wed Dec 27 2006
  Recovery Partition Version 2.4 - 4.1(4)S91
  customer-ids4215#
  customer-ids4215#
  customer-ids4215# conf t
  customer-ids4215(config)#
  customer-ids4215(config)# upgrade
  <source-url> Location of upgrade
  customer-ids4215(config)# upgrade ftp://[email protected]/5Dp--5-S2s52.ir
  pmg.pk-g4.1-5-S252.rpm.pkg
  Password:
  Warning: Executing this command will apply a signature update to the application
  partition.
  Continue with upgrade? : yes
  Broadcast message from root (Sun Jan 7 14:46:24 2007):
  Applying update IDS-sig-4.1-5-S252. This may take several minutes.
  Please do not reboot the sensor during this update.
  login: cisco
  Password:
  ***NOTICE***
  This product contains cryptographic features and is subject to United States
  and local country laws governing import, export, transfer and use.http://www.cisco.com/wwl/export/crypto
  If you require further assistance please contact us by sending email to
  [email protected].
  Error: Cannot communicate with mainApp (getVersion). Please contact your system
  administrator.
  Would you like to run cidDump?[no]:
  Connection to host lost.
  C:\>

  Just so you know, you will need to update your IPS from 4.1-5 to 5.0-1 to get signatures up to 217. To get a signature beyond 217, you'll need to upgrade to 5.0-5. This isn't that lengthy of a process, but it is required if you want to go beyond 217. Also, 252 is an older signature, 265 is been out now for a few. Just an idea of how fast these signatures update. Shoot a reply back if you don't know how to upgrade.

• 2651XM IPS Signature Update?

  Hello,
  I have a 2651XM 256MB/32MB running 12.4(25) and I would like to update the IPS signature file.  I see that the last update for 256MB.sdf was from Aug 2008.  The latest IPS I found is IPS-sig-S518-req-E4.pkg from
  http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Intrusion+Prevention+System+%28IPS%29+Signature+Updates&mdfid=277801011&treeName=Security&mdfLevel=Model&url=null&modelName=Cisco+2651XM+Multiservice+Router&isPlatform=N&treeMdfId=268438162&modifmdfid=278279418&imname=Cisco+IDS+Access+Router+Network+Module&hybrid=Y&imst=Y
  I've tried the command
  ip ips sdf location flash:\\IPS-sig-S518-req-E4.pkg
  ip ips sdf location flash:IPS-sig-S518-req-E4.pkg
  but when I apply IPS to an interface and run 'show ip ips all' no signatures load and I get a message 'invalid token'.
  I also tried seeing if the latest SDM will help but nothing.
  My question is, what is it that I am doing wrong or missing?  Is my router too old to be able to get the latest signature files?
  Any advice or guidance to the right direction is much appreciated.
  Thanks

  You have a version of IOS that includes the older version of the IOS IPS feature (referred to as v4).  This release only supports signature updates using the SDF formatted files.  These files are no longer updated.
  The signature update file you found (ending in .pkg) is the signature update package supported by Cisco's IPS appliances and is not compatible with the IOS IPS feature set.
  The current IOS IPS feature (referred to as v5) also makes use of .pkg files.  You will need to upgrade the IOS of your 2651 to a release in the T train such as 12.4(24)T2 to obtain the latest IOS IPS feature release.
  You can find out more about the IOS IPS feature set here:
  http://www.cisco.com/go/iosips
    For starting with IOS IPS v5:
  http://www.cisco.com/en/US/products/ps6634/products_tech_note09186a008097db66.shtml
  Scott

• Signatur updates for Cisco IPS 4510

  Hi there.
  I one question to all cisco IDS/IPS professionals. If the management port only accept inbound traffic how can I then activate my Cisco 4510 IPS appliance to get automatically signature updates from cisco.com ? That one requires outbound traffic too. 
  Thanks.

  You Management0/0-port only supports "to-the-box" traffic which means that you can't use that port for an inline pair or a vlan-pair. But with the IP on that port configured, you can not only connect to your sensor, the sensor can also initiate connection to the rest of the network and so you can reach your update-destionations.
  Don't stop after you've improved your network! Improve the world by lending money to the working poor:
  http://www.kiva.org/invitedby/karsteni

• Problem updating IDS signatures

  I have a IDS-4215 sensor with version 5.1(5)E1S333V1.2
  I tried several times updating signatures with next version on it but it doesnot get updated and only the local MC gets upgraded. I have other IDS sensors also but I dont have any problem updating signatures with them.
  Why are the signatures not getting updated on this Sensor.
  Help me with a solution. All helpful posts will be rated.

  Did you try applying S355 directly to the sensor using the CLI or IDM rather than the MC?
  Sometimes you don't get good error messages when trying to apply through the MC.
  If you apply through CLI or IDM did you get any messages back from the sensor?
  Did you get a success messgae? If doing it from the CLI did it come back to a CLI prompt?
  If no error messages come back when trying the upgrade, then it will require looking at a "show tech" from your sensor to try and see what is going on.
  You would not want to copy that output to this forum, so your best bet would be to open up a TAC case and provide them the output from when you tried applying the update through the CLI or IDM, as well as the output from the "show tech" taken immediately after the failed upgrade attempt.
  I am not currently aware of any situation where the upgrade would fail without some type of error message being returned.
  Here, however, are some common errors that should return an error message (I don't remember the exact wording of the error messages):
  1) sensorApp/analysis engine is Not Running
  (you can check "show version" before doing the upgrade to make sure it is Running).
  2) sensorApp/analysis engine is not responding (you can do a "show stat vi" before trying the upgrade to ensure it is responding to statistic requests before trying the upgrade)
  3) license has expired (you can do a "show ver" and make sure the license has not expired)
  4) Signature Update already installed - This is a tricky one. This can happen when a previous attempt to update at that same signature level failed, but left some remnants around. The second attempt to install the same update detects the remains of the previous failure and incorrectly thinks that the update is already installed. There are 2 ways to recover from this. Save off the config, and do a recover-application command to re-image the sensor, then re-apply the config. Or wait till the next signature update S356 comes out and try it with the newer sig update. I haven't seen this problem in a long time, and I am not sure if it can happen anymore. Steps were taken to try and prevent this from happening.
  5) sensorApp/analysis engine could stop During the signature update - This can happen on lower end sensors like the IDS-4215 especially when tunings have been made to the signatures or custom signatures have been created. The low end sensors have limited memory. When a new signature update is applied the sensor has to compile the new signatures. If using the standard set of signatures with no user tunings, then the signature update should apply fine. But if the customer has made tunings and/or added custom signatures, then this compiling of the new signatures could push the sensor above it's allowed memory limits. The kernel will then kill sensorApp/analysis engine. The signature update will never complete (never get an error OR a success message). And the sensor has to be rebooted to get it working again. If you are running into this issue you might need to remove some of your tunings and custom signatures, apply the signature update, and then re-apply your tunings.