IPS Signature Dynamic Update

Hello,
I need to know what type of privilege I need to use IPS Signature Dynamic Update.
Thanks

Since the IPS dynamic update is accessed from the Admin tab, only the accounts having Admin privilege can change/modify the dynamic update settings. Here is a description of the various user roles in CS-MARS (taken directly from the user guide):
• Admin: has full use of the MARS.
• Notification Only: for a non-user of the MARS appliance, use this to send alerts to people who are not administrators, security analysts, or operators.
• Operator: has read-only privileges.
• Security Analyst: has full use of the MARS, except cannot access the Admin tab.
Hope this helps

Similar Messages

  • MARS: IPS Signature Dynamic Update Failed

    Hello all,
    I checked the signature update on the MARS system and it has had no update for over 6 months.  My bad.  I should have checked this regularly.
    So I tested the connectivity and it said successful.  Did the update now and failed:
    Download Failed: CS-MARS could not download IPS Signature file - IPS-CS-MARS-Sig-S482.zip
    at Apr 09, 2010 11:51:42 AM EDT
    It seems it does see the new signature out there, but the download failed, not sure why.  I manually downloaded the signature, SSHed to the box, manually did the pnupgrade using ftp and also got an error:
    CSMARS Upgrade...........[1126]
    Loading..................[IPS-CS-MARS-Sig-S481.zip]
        User.................[myID]
        Protocol.............[ftp]
        Host.................[x.xx.xx.xx]
        Path.................[CiscoIOS/IPS-CS-MARS-Sig-S481.zip]
        Modified.............[Thu, 08 Apr 2010 13:19:11 GMT]
        Size.................[632711]
    ######################################################################## 100.0%
    [Alert][get_pkg_info/223]: no IPS-CS-MARS-Sig-S481.zip package info.
    [Alert][main/265]: fail to find IPS-CS-MARS-Sig-S481.zip version info.
    Strip Meta Data..........[IPS-CS-MARS-Sig-S481.zip]
    Decrypt Package..........[IPS-CS-MARS-Sig-S481.zip]
    [Error][decrypt_pkg/181]: fail to decrypt IPS-CS-MARS-Sig-S481.zip(2).
    So from there, maybe the file was corrupted, so I did the same for S480, S479, S478 and got the same error.
    I checked the thread in the community and followed the same steps as in the thread, and I am still getting nowhere.
    A case is opened and still going nowhere.
    If anyone ran into this problem before and had a solution for this is appreciated.
    Thank you.

    It does not support manually downloading the file and performing the update.
    Please use either a local web server or a direct connection to the cisco.com site from the MARS as follows to update the IPS signature:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/chIpsCisoc6x.html#wp440709
    Hope that helps.

  • MARS box v4.3.5 (2838) IPS Signature Version 330 upgrade

    Hi, I have the software MARS box v4.3.5 (2838) IPS Signature Version 330
    Is there any upgrade available for it?
    Where can I find info for upgrading the software and IPS Signature on the Cisco Web Site?
    I also want to integrate CiscoWorks, LMS 2.6 to send SNMP Trap Notification to the MARS box v4.3.5 (2838) IPS Signature Version 330. Is it possible and what would be the port # on the MARS box?

    You are already running the latest software for the Generation 1 MARS appliances. You can find newer updates here:
    http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars
    For IPS, it is better to turn on automatic updates. Just go to:
    Admin >> System Setup >> IPS Signature Dynamic Update Settings
    The URL is already set there, just put your CCO username/password and click 'Update Now' then hit 'Submit'. I think the current Signature release is 352. You can manually download them from here if you like:
    http://www.cisco.com/cgi-bin/tablebuild.pl/mars-ips-sigup
    Please rate if helpful.
    Regards
    Farrukh

  • IPS Signature Update. The IPS is left hanging.

    I have performed an IPS signature ID update. Once the definitions have been updated, the IPS is left hanging and I need to perform a reload.  The config has been verified as not a possible cause for this adverse effect.  Have people had issues of this sort? What would cause the IPS to effectively stall when the upgrade takes place? Any solutions?

    Please use the below troubleshoot guide
    http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113674-ips-automatic-signature-update-00.html#troubleshoot

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • Correct procedure to update IOS IPS signatures on 2911 router

    What is the correct procedure to update the IOS IPS signatures on an 2911 router?
    I know how to download the signatures file (eg. IOS-S556-CLI.pkg) but what is the correct way to install the update?
    Thank you in advance!

    The IPS signature package comes with a list of pre-enabled signatures, hence Cisco does not recommend enabling a lot more other signatures, especially not every single signature as documented.
    The reason why is because the package might include retired/old signatures only for references, and not every single signature is required to protect your environment because you might not have the traffic for some signatures, you might not have some end hosts that are written with specific signatures, therefore, it becomes irrelevant if you enable it.
    Typically here is how customer would enable/disable signatures:
    - Use the default signature that is enabled by Cisco (the default should fit majority of the customers).
    - Monitor it for a couple of months
    - Disable those that you don't need, and enable others if you think you require it for specific.

  • IOS IPS Signature Updates

    Hi,
    Is it possible to update signatures for IOS IPS or do we need to update the IOS to get more signatures?
    Thanks and rgds
    Rajesh

    hi,
    if you have cisco sdm, then it would be easy to update your IOS IPS signatures. You may need to upgrade IOS of the router only when the ips signature requires you to do it.

  • IPS Signature Update - CSM v3.3 SP1

    Hi,
    I am getting the following error message when deploying IPS signature updates to some of my sensors via the CSM deployment tool:
    "Failed to generate edit config delta  for host component. Detail: Error while processing the host component with DNS,access-list or http-proxy"
    The signature update actually deploys, but I am wondering what is causing this message.  I get this with some 4240, 4255 and IDSM-II blades, but not with others and I can't see any config variances.
    Does anyone have any ideas what is causing this message?  The access ACLs are the same for each sensor.
    Many thanks

    Hi Liam,
    As you mentioned you are using a shared policy, and the access ACLs for all sensors are the same, I assume that you may be using an "Allowed Hosts" shared policy.
    In that case, how did you create that policy ?
    Did you create the policy from the policy view page, or did you right click on the "Allowed Hosts" setting of a device in device view and select "share policy" ?
    If you did the first, you may be running into a known issue. You can read more about this on the bug toolkit:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg02063
    This is the workaround that should work for you in case you are indeed running into this issue:
    1. Rediscover or newly add any one IPS device running 7.x version
    2. Create entries for "Allowed Hosts" according to requirements.
    3. Right click on "Allowed Hosts", select "Share Policy..." and specify a name for shared policy.
    4. Assign this "Allowed Hosts" shared policy to one or more devices.
    5. Deployment should now be successful for "Allowed Hosts".

  • WRVS4400N v2: IPS SIGNATURES || 365 days without an update??

    Good day!
    I wanted to know how often Cisco determines it should be releasing new updated IPS signatures to ensure customers are being adequately protected from the latest threats? That is for those of us who choose to use the feature.
    https://supportforums.cisco.com/message/3419502#3419502
    As you can see in the last posting about this very issue, it took Cisco over 365 days to release one single IPS file.
    Is the IPS file comparable to a virus definition file? Or does the IPS file simply not require being updated by Cisco... for years at a time.
    I'm finding that development on updated IPS files are being neglected by the Cisco development team.
    It will soon be coming up to August 9, 2012. That will make the last published IPS update 365 days old.
    Thanks for any insight you may provide.
    Sincerely,
    Christopher Laurie

    We should all get regular IPS updates, but I understand some of the reasons why it could be tough to provide IPS signature updates for your device.  Basically you have an IPS *on/off* switch.  Therefore they have to be certain that ALL of the signatures aren't too sensitive.  Otherwise you would be forced to turn the functionality 'off'.
    The SA500 Series routers have a little more flexibility to configure IPS.  IPS signatures can be turned on/off at the signature-level.
    The enterprise-level IPS modules have 10 times the flexibility, are much more robust, and are highly configurable.  Custom IPS signatures can even be created by the end user.
    All in all, we are dealing with 3 different types of IPS signatures and IPS engine implementations.  That said, your device really needs IPS signature updates at least 3 or 4 times a year to be effective.  We used to have a WRVS4400N v2 so I understand where you're coming from.

  • WRVS4400N - firmware issues and IPS signature update messages

    On my WRVS4400N with Firmware Version: V1.1.03 I keep getting the message:
    "Your Signature Version is beyond xxx days. Please Update it!"
    Cisco/Linksys: about time to update the IPS signature, because I always have the latest available, but you don't update it anymore.
    Besides: there are a lot of known issues with this router, but you don't provide us with a new firmware. OK, I did find a beta WRVS4400N_v1108.img on rapidshare, but is this really a Linksys beta? Why don't you publish updates anymore?
    I am very disappointed by your service on this matter :-(
    JJ (ICT dept 2500+ employees + Cisco user)

    Hi Tom,
    Last night I reset the setting to factory default, reinstalled firmware v2.0.2.1 and then restored my settings I backed up. Everything worked great after that but this morning it was down again. Same thing, no network and can't log into the router and forced to cycle the power.
    As a "way out there" guess, are there any compatibility issues with certain switches? One thing I did change the past few days was that I took out an older cheap 8-port D-Link Gigabit switch which was maxed-out and replaced it with a Netgear ProSafe 16-port Gigabit switch (model JGS516).
    Another thing that has changed is that I have added another network by cascading a D-Link DIR-655 wireless router. I have the WAN port of this router connected to a LAN port on the WRVS4400N router. The WRVS4400N router is using IP 192.168.21.x (subnet mask 255.255.255.0) and the other router is set to 192.169.10.x (subnet mask 255.255.255.0). I may be wrong but I can't see this being an issue. Any ideas?

  • CSM 3.1.0 doesn't update IPS signature after E2 engine

    Hi!:
    I have updated my IDS/IPS with the E2 engine, but now with CSM, when I try to update my IDS with a new signature, I receive the following message:
    "There is no package to update sensor, sensor is up to date"
    I have the S344 signature in CSM and my sensor has S342.
    Is it possible to update signatures with CSM 3.1.0 after the E2 engine?
    Thank you
    Alex

    Refer to the following url for more info on upgrading to latest IPS signatures:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d280.html
    also refer the link below for more info on signature upgrade:
    http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html

  • 2651XM IPS Signature Update?

    Hello,
    I have a 2651XM 256MB/32MB running 12.4(25) and I would like to update the IPS signature file.  I see that the last update for 256MB.sdf was from Aug 2008.  The latest IPS I found is IPS-sig-S518-req-E4.pkg from
    http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Intrusion+Prevention+System+%28IPS%29+Signature+Updates&mdfid=277801011&treeName=Security&mdfLevel=Model&url=null&modelName=Cisco+2651XM+Multiservice+Router&isPlatform=N&treeMdfId=268438162&modifmdfid=278279418&imname=Cisco+IDS+Access+Router+Network+Module&hybrid=Y&imst=Y
    I've tried the command
    ip ips sdf location flash:\\IPS-sig-S518-req-E4.pkg
    ip ips sdf location flash:IPS-sig-S518-req-E4.pkg
    but when I apply IPS to an interface and run 'show ip ips all' no signatures load and I get a message 'invalid token'.
    I also tried seeing if the latest SDM will help but nothing.
    My question is, what is it that I am doing wrong or missing?  Is my router too old to be able to get the latest signature files?
    Any advice or guidance to the right direction is much appreciated.
    Thanks

    You have a version of IOS that includes the older version of the IOS IPS feature (referred to as v4).  This release only supports signature updates using the SDF formatted files.  These files are no longer updated.
    The signature update file you found (ending in .pkg) is the signature update package supported by Cisco's IPS appliances and is not compatible with the IOS IPS feature set.
    The current IOS IPS feature (referred to as v5) also makes use of .pkg files.  You will need to upgrade the IOS of your 2651 to a release in the T train such as 12.4(24)T2 to obtain the latest IOS IPS feature release.
    You can find out more about the IOS IPS feature set here:
    http://www.cisco.com/go/iosips
    For starting with IOS IPS v5:
    http://www.cisco.com/en/US/products/ps6634/products_tech_note09186a008097db66.shtml
    Scott

  • IPS signature update

    I would like to get some idea about IOS IPS signature updates.
    For example, the router currently has a fresh install using IOS-S416-CLI.pkg, IOS category ios_ips in advanced mode, with retired false.
    I just wonder, if next time I download and load the latest patch of the IOS-SXXX-CLI.pkg into the machine, what effect will it have on the currently compiled signatures?
    Will it just be loaded in incremental form (meaning, will the signatures in the latest patch be added as newly enabled signatures)? Then what about the signatures previously modified and saved, any effect on them (like overwriting my previously saved signatures)?
    With the new patch installed, would it also have an effect on the router DRAM and flash size? (My router has 384 MB DRAM and 128 MB flash.)
    thanks

    Hi,
    When you compile a new signature package on a router that carries an existing signature database, the signature configuration in the new signature package will supersede the router's existing database's signature configuration. Thus, if you have made changes to the signature database on your router, and you compile in an updated signature package that contradicts your changes, your changes will be overwritten!!, and will need to be re-created.
    You can avoid having to re-create your changes if you copy the "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" file to some other location on the router's local storage, and re-apply the original "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" to the updated signature database after you have compiled the updated signature package to the router's database.
    And don't forget, the basic signature category is appropriate for routers with less than 128 MB of flash memory, and the advanced signature category is appropriate for routers with more than 128 MB of flash memory.
    Hope this helps,
    Thank You,

  • Does getting a Smartnet contract also give you IDS/IPS signature updates?

    A client of mine is looking into getting an ASA5510 with AIP-SSM module. I realize that with IDS/IPS systems, it is *crucial* to always keep signature files up-to-date. Does purchasing the Smartnet contract for the bundle give me signature file updates or is there some other package I need to buy?
    I see references to "Cisco Services for IPS" but that seems to be mainly for router/IOS-based firewall/IDS packages.

    There is not a Smartnet contract for the ASA/AIP-SSM bundle.
    The only SmartNET contract for SSM bundles are with the CSC-SSM and not the AIP-SSM.
    When purchasing an ASA/AIP-SSM bundle you will need to purchase a bundle maintenance contract. The bundle maintenance contracts are Cisco Service for IPS contracts and include the signature support for the AIP-SSM as well as the software and hardware support on both the AIP-SSM and ASA (the software and hardware support is what it is normally part of SmartNET).
    For the bundles you will want to purchase a Cisco Service for IPS maintenance contract using one of the following part number formats:
    CON-SUw-ASxAyKz
    The "w" will be either 1,2,3, or 4 depending on the level of service.
    The "x" will be either 1 for the 5510, 2 for the 5520, or 4 for the 5540.
    The "y" will be either 10 for the AIP-SSM-10, or 20 for the AIP-SSM-20.
    The z will be either 8 or 9 depending on the encryption level.
    So for example:
    CON-SU2-AS2A20K9 - Would be 8X5X4 support for the ASA-5520 bundled with the AIP-SSM-20 with the higher encryption.
    NOTE: There are also SP contracts for purchase by Service Providers that follow a slightly different format.
    There are a few users who have purchased the ASA and AIP-SSM separately.
    When purchased separately you would need to purchase a SmartNET contract for the ASA, and a separate Cisco Service for IPS maintenance contract for the AIP-SSM.
    The AIP-SSM maintenance contract will be in the following format:
    CON-SUw-ASIPyK9
    The "w" will be either 1,2,3, or 4 depending on the level of service.
    The "y" will be either 10 for the AIP-SSM-10, or 20 for the AIP-SSM-20.
    So for example:
    CON-SU2-ASIP20K9 would be 8X5X4 support for the AIP-SSM-20.
    What you will find is that purchasing a separate SmartNET for the ASA and Cisco Service for IPS for the AIP-SSM will be more expensive than purchasing a single Cisco Service for IPS for the ASA/AIP-SSM bundle. This is because there is a discount when purchasing by the bundle.

  • How to smartnet to update IPS signature

    I just got the Smartnet contract number from my vendor. But I am not sure how to use it to update my IPS signature.
    Can anyone please point out?
    Regards, CT

    I had this same problem when trying to drag and drop an RSS feed gadget to a dashboard. I was able to get it to work by clicking the add button instead of doing a drag and drop. It still displays the error but it adds the gadget. Once the gadget has been added to the dashboard you can modify it by clicking the wrench icon.
