IPS Signature Update - CSM v3.3 SP1

Hi,
I am getting the following error message when deploying IPS signature updates to some of my sensors via the CSM deployment tool:
"Failed to generate edit config delta  for host component. Detail: Error while processing the host component with DNS,access-list or http-proxy"
The signature update actually deploys, but I am wondering what is causing this message.  I get this with some 4240, 4255 and IDSM-II blades, but not with others and I can't see any config variances.
Does anyone have any ideas what is causing this message?  The access ACLs are the same for each sensor.
Many thanks

Hi Liam,
As you mentioned you are using a shared policy, and the access ACLs for all sensors are the same, I assume that you may be using an "Allowed Hosts" shared policy.
In that case, how did you create that policy?
Did you create the policy from the policy view page, or did you right-click on the "Allowed Hosts" setting of a device in device view and select "share policy"?
If you did the first, you may be running into a known issue. You can read more about this on the bug toolkit:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg02063
This is the workaround that should work for you in case you are indeed running into this issue:
1. Rediscover or newly add any one IPS device running 7.x version
2. Create entries for "Allowed Hosts" according to requirements.
3. Right click on "Allowed Hosts", select "Share Policy..." and specify a name for shared policy.
4. Assign this "Allowed Hosts" shared policy to one or more devices.
5. Deployment should now be successful for "Allowed Hosts".

Similar Messages

  • CSM 3.3.0 - IPS signature update

    Hi all,
    we have CSM v 3.3.0 in our company and till December 2010 we have a problem with IPS signature upgrades. When I try to download new signature updates, CSM claims that the connection to the update server is successful, but the last version which CSM offers is
    IPS-CS-MGR-sig-S534-req-E4.zip (actual version is IPS-CS-MGR-sig-S549-req-E4.zip) - see attachment.
    License for CSM is Professional. Any idea? Please help.

    Hi Peter,
    You might not be running the latest service pack for version 3.3.0.
    Cisco Security Manager (CSM) customers subscribing  to automatic IPS signatures/sensors are required to download and  install a Cisco Security Manager Service Pack after December 23, 2010  as the IPS signatures are migrating to a new download location on CCO.
    Hence if you are running 3.3.0 then you need to upgrade to 3.3.0 SP2 (Service pack 2)
    There was a field notice out on this issue:
    http://www.cisco.com/en/US/partner/ts/fn/633/fn63373.html
    CSM downloads can be found here:
    http://tools.cisco.com/squish/72697
    Hope this helps,
    Sid Chandrachud
    Cisco TAC - Security team

  • IPS signature update

    I would like to get some ideas about IOS IPS signature updates.
    For example, currently the router is freshly installed using IOS-S416-CLI.pkg, IOS category ios_ips in advanced mode, with retired false.
    I just wonder: if next time I download and load the latest patch of IOS-SXXX-CLI.pkg onto the machine, what will the effect be on the currently compiled signatures?
    Will it just be loaded in incremental form (meaning the signatures in the latest patch will be added as new enabled signatures)? Then what about the signatures previously modified and saved, any effect on them (like overwriting my previously saved signatures)?
    With the new patch installed, would it also affect the router DRAM and flash size? (My router has 384 MB DRAM and 128 MB flash.)
    thanks

    Hi,
    When you compile a new signature package on a router that carries an existing signature database, the signature configuration in the new signature package will supersede the router's existing database's signature configuration. Thus, if you have made changes to the signature database on your router, and you compile in an updated signature package that contradicts your changes, your changes will be overwritten and will need to be re-created!
    You can avoid having to re-create your changes if you copy the "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" file to some other location on the router's local storage, and re-apply the original "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" to the updated signature database after you have compiled the updated signature package to the router's database.
    And don't forget, the basic signature category is appropriate for routers with less than 128 MB of flash memory, and the advanced signature category is appropriate for routers with more than 128 MB of flash memory.
    Hope this helps,
    Thank You,

  • IPS Signature update alerts

    Hello All,
    Please can anyone provide the link to get the IPS signature update alerts?

    Actually, I've found the notifications through the standard notification service to be ... less than reliable - at least for IPS signature releases.
    I would suggest subscribing to the "IPS Threat Defense Bulletin", published by SIO:
    http://tools.cisco.com/gdrp/coiga/showsurvey.do?surveyCode=380&keyCode=123668_4
    It's worth noting that you might need to re-subscribe on a regular basis (slightly annoying).  I've found that they just stop showing up after 9 months or so ...

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • Is it really possible to revert IPS signatures from CSM

    Hi folks,
    I've been trying to revert IPS signatures that I deployed through CSM Signature policies to the older release but it doesn't seem to be working. Contrary to it Cisco's CSM guide says:
    If you later decide that you did not want to apply a signature update, you can revert to the
    previous update level by selecting the Signatures policy on the device, clicking the View
    Update Level button, and clicking Revert
    I can't imagine it is possible as the signatures are normally compiled into xml files. How would the sensor do it ?
    Eugene

    During installation a copy of files that will be replaced or updated during the installation will be copied into a backup directory.
    The CLI has a "downgrade" command that can uninstall the last update, and the backup copies will be used to replace the files being removed.
    A few things to be aware of:
    1) Old configuration will be copied back. So changes made since the update may be lost.
    2) This works only for Engine Updates and Signature Updates. Major Updates, Minor Updates, and Service Packs replace the complete operating system so there is too much data to try and make backup copies for.
    3) This works only for the last update installed. Once you've downgraded the latest one, you can't downgrade the previous one.
    4) This can be done through CLI, and now also available in CSM.
    Here are some things to check in your situation where it appears to not be working.
    Login to the sensor and execute "show ver".
    Does the history in the "show ver" output show a Signature Update package as the last update installed?
    If not then either another downgrade was previously done, or a Major Update, Minor Update, or Service Pack was the last package installed and can't be downgraded.
    If it can't be done through CSM you might try the CLI's "downgrade" command and see if it works through the CLI or if the CLI gives you an error and explanation.

  • IOS IPS Signature Updates

    Hi,
    Is it possible to update signatures for IOS IPS or do we need to update the IOS to get more signatures?
    Thanks and rgds
    Rajesh

    Hi,
    If you have Cisco SDM, then it would be easy to update your IOS IPS signatures. You may need to upgrade the IOS of the router only when the IPS signature requires you to do it.

  • IPS Signature Updates and CCO logins

    I cannot seem to get my IPS 4255 on version 7.0(3)E4 to gather signature updates and I think it is because my CCO account is not set up correctly. I took a browse through the discussions (admittedly did not read them entirely) but can anyone point me to a discussion on how to set up my CCO account or give me instructions on what I need to do?
    Thank You
    Unprotected,
    Jason Bielenda

    Small correction.
    The URL to create the account is https://tools.cisco.com/RPF/register/register.do
    And you need an IPS services contract to get access to them.
    There are trial licenses available too:
    https://tools.cisco.com/SWIFT/LicensingUI/demoPage

  • IPS Signature Update S480?

    I noticed that the software for the E4 engine update has been posted for all IPS devices, but no matching signatures (yet).  Also, I see that the IPS updates for MARS now have an update for S480 available, but no matching signatures for IPS.
    Is this just a mix-up with release dates?  Or am I just missing where the S480 signatures are?  Also, will S480 be the first set of sigs released for the E4 engine?
    Anyone with any insight?

    Whoops ... guess I should have read that E4 engine "readme" file that came with the download ...
    "The E4 Engine Upgrade includes a Signature Update labeled S480. S480 will not be available for separate download.  Refer to the archived Active Update Bulletin for S480 for more details on this signature update release.  Active Update Bulletins are available at:
    http://tools.cisco.com/security/center/bulletin.x?i=57 "

  • WRVS4400N - firmware issues and IPS signature update messages

    On my WRVS4400N with Firmware Version: V1.1.03 I keep getting the message:
    "Your Signature Version is beyond xxx days. Please Update it!"
    Cisco/Linksys: about time to update the IPS signature, because I always have the latest available, but you don't update it anymore.
    Besides: there are a lot of known issues with this router, but you don't provide us with a new firmware. OK, I did find a beta WRVS4400N_v1108.img on rapidshare, but is this really a Linksys beta? Why don't you publish updates anymore?
    I am very disappointed by your service on this matter :-(
    JJ (ICT dept 2500+ employees + Cisco user)

    Hi Tom,
    Last night I reset the setting to factory default, reinstalled firmware v2.0.2.1 and then restored my settings I backed up. Everything worked great after that but this morning it was down again. Same thing, no network and can't log into the router and forced to cycle the power.
    As a "way out there" guess, are there any compatibility issues with certain switches? One thing I did change the past few days was that I took out an older cheap 8-port D-Link Gigabit switch which was maxed-out and replaced it with a Netgear ProSafe 16-port Gigabit switch (model JGS516).
    Another thing that has changed is that I have added another network by cascading a D-Link DIR-655 wireless router. I have the WAN port of this router connected to a LAN port on the WRVS4400N router. The WRVS4400N router is using IP 192.168.21.x (subnet mask 255.255.255.0) and the other router is set to 192.169.10.x (subnet mask 255.255.255.0). I may be wrong but I can't see this being an issue. Any ideas?

  • 2651XM IPS Signature Update?

    Hello,
    I have a 2651XM 256MB/32MB running 12.4(25) and I would like to update the IPS signature file.  I see that the last update for 256MB.sdf was from Aug 2008.  The latest IPS I found is IPS-sig-S518-req-E4.pkg from
    http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Intrusion+Prevention+System+%28IPS%29+Signature+Updates&mdfid=277801011&treeName=Security&mdfLevel=Model&url=null&modelName=Cisco+2651XM+Multiservice+Router&isPlatform=N&treeMdfId=268438162&modifmdfid=278279418&imname=Cisco+IDS+Access+Router+Network+Module&hybrid=Y&imst=Y
    I've tried the command
    ip ips sdf location flash:\\IPS-sig-S518-req-E4.pkg
    ip ips sdf location flash:IPS-sig-S518-req-E4.pkg
    but when I apply IPS to an interface and run 'show ip ips all' no signatures load and I get a message 'invalid token'.
    I also tried seeing if the latest SDM will help but nothing.
    My question is, what is it that I am doing wrong or missing?  Is my router too old to be able to get the latest signature files?
    Any advice or guidance to the right direction is much appreciated.
    Thanks

    You have a version of IOS that includes the older version of the IOS IPS feature (referred to as v4).  This release only supports signature updates using the SDF formatted files.  These files are no longer updated.
    The signature update file you found (ending in .pkg) is the signature update package supported by Cisco's IPS appliances and is not compatible with the IOS IPS feature set.
    The current IOS IPS feature (referred to as v5) also makes use of .pkg files.  You will need to upgrade the IOS of your 2651 to a release in the T train such as 12.4(24)T2 to obtain the latest IOS IPS feature release.
    You can find out more about the IOS IPS feature set here:
    http://www.cisco.com/go/iosips
    For starting with IOS IPS v5:
    http://www.cisco.com/en/US/products/ps6634/products_tech_note09186a008097db66.shtml
    Scott
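
An added example, not part of any post above and not Cisco code: a pre-deployment check that sorts the package filenames quoted in these threads by target and compares the `req-E<n>` suffix with the sensor's engine level. The platform labels, the exact-match engine rule and the sensor version `6.2(1)E3` are assumptions made for this illustration.

```python
import re

# Patterns follow the package names quoted on this page. The platform
# labels ("csm", "appliance", "ios_ips") are this example's own names.
PATTERNS = [
    ("csm",       re.compile(r"^IPS-CS-MGR-sig-S(\d+)-req-E(\d+)\.zip$")),
    ("appliance", re.compile(r"^IPS-sig-S(\d+)-req-E(\d+)\.pkg$")),
    ("ios_ips",   re.compile(r"^IOS-S(\d+)-CLI\.pkg$")),
]

def parse_package(filename):
    """Return platform, signature level and required engine, or None."""
    for platform, rx in PATTERNS:
        m = rx.match(filename)
        if m:
            # IOS IPS package names carry no req-E<n> field.
            engine = int(m.group(2)) if rx.groups > 1 else None
            return {"platform": platform,
                    "sig_level": int(m.group(1)),
                    "engine": engine}
    return None

def sensor_engine(version):
    """Extract the engine level from a version string such as '7.0(3)E4'."""
    m = re.search(r"E(\d+)$", (version or "").strip())
    return int(m.group(1)) if m else None

def check_update(filename, target, sensor_version=None, current_sig=None):
    """Return (ok, reason) for applying `filename` to a `target` platform."""
    pkg = parse_package(filename)
    if pkg is None:
        return False, "unrecognised package name"
    if pkg["platform"] != target:
        return False, f"package is for {pkg['platform']}, target is {target}"
    if pkg["engine"] is not None:
        have = sensor_engine(sensor_version)
        if have is None:
            return False, "sensor engine level unknown"
        # Assumption: the sensor must run exactly the engine named in req-E<n>.
        if have != pkg["engine"]:
            return False, f"package requires E{pkg['engine']}, sensor runs E{have}"
    if current_sig is not None and pkg["sig_level"] <= current_sig:
        return False, f"S{pkg['sig_level']} is not newer than installed S{current_sig}"
    return True, f"S{pkg['sig_level']} can be applied"

if __name__ == "__main__":
    # Constructed inputs using filenames and versions quoted in the threads.
    print(check_update("IPS-sig-S518-req-E4.pkg", "ios_ips"))
    print(check_update("IPS-sig-S518-req-E4.pkg", "appliance", "7.0(3)E4"))
    print(check_update("IPS-sig-S518-req-E4.pkg", "appliance", "6.2(1)E3"))
    print(check_update("IOS-S416-CLI.pkg", "ios_ips", current_sig=416))
```
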

  • IDS/IPS Signatures Update

    Hi,
    I have one question regarding signatures update, are the Cisco new signatures include the new updates plus the old ones or just the difference between the latest update and the previous one?
    If I have an IPS which has never been updated for a year let's say, is it just enough to install the latest signature update and the latest Service pack? Does the service pack include signatures as well when applied?
    Please advise!
    Thanks,
    Haitham

    A signature update will contain all Cisco signatures that have been released so far. A service pack will be bundled with a signature update, but not necessarily the latest one. So you should first apply the latest service pack and then apply the latest signature update.

  • IPS Signature Update Support on MARS?

    Hello,
    Is it possible to update MARS to understand and process the latest/greatest release version of IPS signatures we have deployed to our production sensors? All I have been able to find so far are the periodic update packages released as software downloads for MARS, the most recent example being the csmars-4.2.6.2458.pkg update. I have to believe I'm missing something here.
    Thanks in advance for the assistance.
    Regards,
    Chad

    That's what I was afraid of. I have to hope that they address this soon; we've been using VMS for years and have grown used to having signatures understood as soon as they are updated. Interestingly we also run a 3rd party SIM that tends to run about a week behind Cisco's signature release to the time they (3rd party SIM vendor) release their pattern update to support the latest Cisco signatures...
    Thanks for the answer!
    Regards,
    Chad

  • IPS Signature Update. The IPS is left hanging.

    I have performed an IPS signature ID update. Once the definitions have been updated, the IPS is left hanging and I need to perform a reload.  The config has been verified as not a possible cause for this adverse effect.  Have people had issues of this sort? What would cause the IPS to effectively stall when the upgrade takes place? Any solutions?

    Please use the below troubleshoot guide
    http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113674-ips-automatic-signature-update-00.html#troubleshoot

  • IPS Signature Updates

    My customer did not install any signature updates in 2011. He is now ready to begin a scheduled update procedure. My question is: Are the updates cumulative, i.e., by upgrading today am I getting all the past signatures from the latest (s615 as of today)?

    Yes the signature updates are cumulative, but they do depend upon a minimum version of software. If you are already running any E4 release you can jump to the end of the signature update line and install S615.
    - Bob
