IPS Signature Updates and CCO logins

I cannot seem to get my IPS 4255 on version 7.0(3)E4 to gather signature updates and I think it is because my CCO account is not set up correctly. I took a browse through the discussions (admittedly did not read them entirely) but can anyone point me to a discussion on how to set up my CCO account or give me instructions on what I need to do?
Thank You
Unprotected,
Jason Bielenda

Small correction.
The URL to create the account is https://tools.cisco.com/RPF/register/register.do
And you need an IPS services contract to get access to them.
There are trial licenses available too
https://tools.cisco.com/SWIFT/LicensingUI/demoPage

Similar Messages

  • IPS Signature Update - CSM v3.3 SP1

    Hi,
    I am getting the following error message when deploying IPS signature updates to some of my sensors via the CSM deployment tool:
    "Failed to generate edit config delta  for host component. Detail: Error while processing the host component with DNS,access-list or http-proxy"
    The signature update actually deploys, but I am wondering what is causing this message.  I get this with some 4240, 4255 and IDSM-II blades, but not with others and I can't see any config variances.
    Does anyone have any ideas what is causing this message?  The access ACLs are the same for each sensor.
    Many thanks

    Hi Liam,
    As you mentioned you are using a shared policy, and the access ACLs for all sensors are the same, I assume that you may be using an "Allowed Hosts" shared policy.
    In that case, how did you create that policy?
    Did you create the policy from the policy view page, or did you right-click on the "Allowed Hosts" setting of a device in device view and select "share policy"?
    If you did the first, you may be running into a known issue. You can read more about this on the bug toolkit:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg02063
    This is the workaround that should work for you in case you are indeed running into this issue:
    1. Rediscover or newly add any one IPS device running 7.x version
    2. Create entries for "Allowed Hosts" according to requirements.
    3. Right click on "Allowed Hosts", select "Share Policy..." and specify a name for shared policy.
    4. Assign this "Allowed Hosts" shared policy to one or more devices.
    5. Deployment should now be successful for "Allowed Hosts".

  • IPS signature update

    I would like to get some ideas about IOS IPS signature updates.
    For example, the router is currently a fresh install using IOS-S416-CLI.pkg, with IOS category ios_ips in advanced mode, with retired false.
    I just wonder: if next time I download and load the latest patch of IOS-SXXX-CLI.pkg onto the machine, what will the effect be on the currently compiled signatures?
    Will it just be loaded in incremental form (meaning, will the signatures in the latest patch be added as new enabled signatures)? Then what about the signatures previously modified and saved; is there any effect on them (like rewriting my previously saved signatures)?
    With the new patch installed, would it also affect the router's DRAM and flash size? (My router has 384 MB DRAM and 128 MB flash.)
    Thanks

    Hi,
    When you compile a new signature package on a router that carries an existing signature database, the signature configuration in the new signature package will supersede the router's existing database's signature configuration. Thus, if you have made changes to the signature database on your router, and you compile in an updated signature package that contradicts your changes, your changes will be overwritten and will need to be re-created.
    You can avoid having to re-create your changes if you copy the "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" file to some other location on the router's local storage, and re-apply the original "routername-sigdef-delta.xml" or "iosips-sigdef-delta.xmz" to the updated signature database after you have compiled the updated signature package to the router's database.
    And don't forget, the basic signature category is appropriate for routers with less than 128 MB of flash memory, and the advanced signature category is appropriate for routers with more than 128 MB of flash memory.
    Hope this helps,
    Thank You,

  • IDS/IPS Signatures Update

    Hi,
    I have one question regarding signature updates: do the new Cisco signatures include the new updates plus the old ones, or just the difference between the latest update and the previous one?
    If I have an IPS which has never been updated for a year let's say, is it just enough to install the latest signature update and the latest Service pack? Does the service pack include signatures as well when applied?
    Please advise!
    Thanks,
    Haitham

    A signature update will contain all Cisco signatures that have been released so far. A service pack will be bundled with a signature update, but not necessarily the latest one. So you should first apply the latest service pack and then apply the latest signature update.

  • IPS Signature update alerts

    Hello All,
    Please can anyone provide the link to get the IPS signature update alerts?

    Actually, I've found the notifications through the standard notification service to be ... less than reliable - at least for IPS signature releases.
    I would suggest subscribing to the "IPS Threat Defense Bulletin", published by SIO:
    http://tools.cisco.com/gdrp/coiga/showsurvey.do?surveyCode=380&keyCode=123668_4
    It's worth noting that you might need to re-subscribe on a regular basis (slightly annoying).  I've found that they just stop showing up after 9 months or so ...

  • WRVS4400N - firmware issues and IPS signature update messages

    On my WRVS4400N with Firmware Version: V1.1.03 I keep getting the message:
    "Your Signature Version is beyond xxx days. Please Update it!"
    Cisco/Linksys: about time to update the IPS signature, because I always have the latest available, but you don't update it anymore.
    Besides: there are a lot of known issues with this router, but you don't provide us with a new firmware. OK, I did find a beta WRVS4400N_v1108.img on rapidshare, but is this really a Linksys beta? Why don't you publish updates anymore?
    I am very disappointed by your service on this matter :-(
    JJ (ICT dept 2500+ employees + Cisco user)

    Hi Tom,
    Last night I reset the setting to factory default, reinstalled firmware v2.0.2.1 and then restored my settings I backed up. Everything worked great after that but this morning it was down again. Same thing, no network and can't log into the router and forced to cycle the power.
    As a "way out there" guess, are there any compatibility issues with certain switches? One thing I did change the past few days was that I took out an older cheap 8-port D-Link Gigabit switch which was maxed-out and replaced it with a Netgear ProSafe 16-port Gigabit switch (model JGS516).
    Another thing that has changed is that I have added another network by cascading a D-Link DIR-655 wireless router. I have the WAN port of this router connected to a LAN port on the WRVS4400N router. The WRVS4400N router is using IP 192.168.21.x (subnet mask 255.255.255.0) and the other router is set to 192.169.10.x (subnet mask 255.255.255.0). I may be wrong but I can't see this being an issue. Any ideas?

  • CSM 3.3.0 - IPS signature update

    Hi all,
    We have CSM v3.3.0 in our company, and till December 2010 we have a problem with IPS signature upgrades. When I try to download new signature updates, CSM claims that the connection to the update server is successful, but the last version which CSM offers is
    IPS-CS-MGR-sig-S534-req-E4.zip (actual version is IPS-CS-MGR-sig-S549-req-E4.zip) - see attachment.
    License for CSM is Professional. Any idea? Please help.

    Hi Peter,
    You might not be running the latest service pack for version 3.3.0.
    Cisco Security Manager (CSM) customers subscribing to automatic IPS signatures/sensors are required to download and install a Cisco Security Manager Service Pack after December 23, 2010 as the IPS signatures are migrating to a new download location on CCO.
    Hence if you are running 3.3.0 then you need to upgrade to 3.3.0 SP2 (Service Pack 2).
    There was a field notice out on this issue:
    http://www.cisco.com/en/US/partner/ts/fn/633/fn63373.html
    CSM downloads can be found here:
    http://tools.cisco.com/squish/72697
    Hope this helps,
    Sid Chandrachud
    Cisco TAC - Security team

  • Is there a way to automate IOS IPS signature updates without CSM?

    I have a growing number of 891 routers running IOS IDS/IPS. My Cisco vendor has stated repeatedly that CSM is the only way to manage signature updates to multiple routers, but I'm finding CSM to be incredibly tedious and slow. It also wants to manage a lot more than just the IPS policies and signatures which causes other problems.
    I have about 160 routers deployed now and that will grow to at least 600. I have CSM 3.3.1. I'm told 4.x would make it easier because it can be configured to ignore more of the non-IPS bits of the router configs, but the upgrade is a big chunk of money that wouldn't be in the budget until at least 2012.
    Is anybody doing this with an expect script or EEM applets or something else? It seems to me that I could manually upload an update to one router and push the resulting XML files to all the other routers a lot easier and faster than I could "discover" a bunch of routers in CSM (and rediscover them every time we make a CLI change), add the routers to a group, apply updates to a sig policy, lather, rinse, repeat..., not to mention troubleshooting the weird errors and completely wrong "warnings" that CSM spews.
    Thanks in advance!

    From IOS version 15.1(1)T, you can configure the IOS IPS to auto update from cisco.com which would help I believe.
    Here is the configuration guide for your reference:
    http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_ips5_sig_fs_ue_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1138659

  • IOS IPS Signature Updates

    Hi,
    Is it possible to update signatures for IOS IPS or do we need to update the IOS to get more signatures?
    Thanks and rgds
    Rajesh

    Hi,
    If you have Cisco SDM, then it would be easy to update your IOS IPS signatures. You may need to upgrade the IOS of the router only when the IPS signature requires you to do it.

  • 2651XM IPS Signature Update?

    Hello,
    I have a 2651XM 256MB/32MB running 12.4(25) and I would like to update the IPS signature file.  I see that the last update for 256MB.sdf was from Aug 2008.  The latest IPS I found is IPS-sig-S518-req-E4.pkg from
    http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Intrusion+Prevention+System+%28IPS%29+Signature+Updates&mdfid=277801011&treeName=Security&mdfLevel=Model&url=null&modelName=Cisco+2651XM+Multiservice+Router&isPlatform=N&treeMdfId=268438162&modifmdfid=278279418&imname=Cisco+IDS+Access+Router+Network+Module&hybrid=Y&imst=Y
    I've tried the command
    ip ips sdf location flash:\\IPS-sig-S518-req-E4.pkg
    ip ips sdf location flash:IPS-sig-S518-req-E4.pkg
    but when I apply IPS to an interface and run 'show ip ips all' no signatures load and I get a message 'invalid token'.
    I also tried seeing if the latest SDM will help but nothing.
    My question is, what is it that I am doing wrong or missing?  Is my router too old to be able to get the latest signature files?
    Any advice or guidance to the right direction is much appreciated.
    Thanks

    You have a version of IOS that includes the older version of the IOS IPS feature (referred to as v4).  This release only supports signature updates using the SDF formatted files.  These files are no longer updated.
    The signature update file you found (ending in .pkg) is the signature update package supported by Cisco's IPS appliances and is not compatible with the IOS IPS feature set.
    The current IOS IPS feature (referred to as v5) also makes use of .pkg files.  You will need to upgrade the IOS of your 2651 to a release in the T train such as 12.4(24)T2 to obtain the latest IOS IPS feature release.
    You can find out more about the IOS IPS feature set here:
    http://www.cisco.com/go/iosips
    For starting with IOS IPS v5:
    http://www.cisco.com/en/US/products/ps6634/products_tech_note09186a008097db66.shtml
    Scott

  • Signature updates and CSM error message

    Hi,
    I have started getting the following error message in CSM when pushing signature updates to our 4200 series and IDSM-II blades:
    Could not get device version after pushing down sensor update package to device
    The actual signature updates work fine, but just wondering if I can get rid of this error message.  Any ideas?
    Many thanks

    Hi Dustin,
    Here is the deployment log for one of the devices:
    Device version before update is: 7.0(2)E4S581.0
    Going to send the following package(s) to sensor: IPS-CS-MGR-sig-S583-req-E4.zip,
    Processing package file: IPS-CS-MGR-sig-S583-req-E4.zip
    Package is ready for update
    Checking analysis engine status from device XXXXXX
    Analysis engine is up running and device is ready to take updates
    Pushing package: IPS-sig-S583-req-E4.pkg to device
    Device did not respond to pushUpgrade command from CSM. It may have been upgraded. Will query to find out
    Device not ready, retry getVersion in 30000 milliseconds. (1/16)
    Device not ready, retry getVersion in 30000 milliseconds. (2/16)
    Device not ready, retry getVersion in 30000 milliseconds. (3/16)
    Device not ready, retry getVersion in 30000 milliseconds. (4/16)
    Device not ready, retry getVersion in 30000 milliseconds. (5/16)
    Error when trying to update: Could not get device version after pushing down sensor update package to device: XXXXXX. Please access the device using Command Line Interface, and check if it is working properly
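
A way to triage the deployment log quoted above, as an added example that is not part of the original thread and is not Cisco or CSM code: it separates "package pushed but version never confirmed" from an engine or signature-level mismatch. The regular expressions are inferred only from the strings visible in the log, and the names `analyze`, `verdict` and `Deployment` are hypothetical.

```python
import re
from dataclasses import dataclass

# Lines taken from the deployment log quoted in the thread (device name
# already masked as XXXXXX by the poster); trimmed to the lines that matter.
SAMPLE_LOG = """\
Device version before update is: 7.0(2)E4S581.0
Going to send the following package(s) to sensor: IPS-CS-MGR-sig-S583-req-E4.zip,
Pushing package: IPS-sig-S583-req-E4.pkg to device
Device did not respond to pushUpgrade command from CSM. It may have been upgraded. Will query to find out
Device not ready, retry getVersion in 30000 milliseconds. (1/16)
Device not ready, retry getVersion in 30000 milliseconds. (2/16)
Device not ready, retry getVersion in 30000 milliseconds. (3/16)
Device not ready, retry getVersion in 30000 milliseconds. (4/16)
Device not ready, retry getVersion in 30000 milliseconds. (5/16)
Error when trying to update: Could not get device version after pushing down sensor update package to device: XXXXXX. Please access the device using Command Line Interface, and check if it is working properly
"""

# Assumed formats, inferred from the log text only (not from a Cisco spec).
VERSION_RE = re.compile(r"(\d+\.\d+\(\d+\))E(\d+)S(\d+)\.\d+")
PACKAGE_RE = re.compile(r"Pushing package: IPS-sig-S(\d+)-req-E(\d+)\.pkg")
RETRY_RE = re.compile(r"retry getVersion in (\d+) milliseconds\. \((\d+)/(\d+)\)")

@dataclass
class Deployment:
    software: str = ""          # e.g. "7.0(2)"
    engine_before: int = 0      # E-level the sensor reported before the push
    sig_before: int = 0         # S-level the sensor reported before the push
    sig_target: int = 0         # S-level of the pushed package
    engine_required: int = 0    # "req-E<n>" from the package name
    retries_seen: int = 0
    retry_budget: int = 0
    waited_ms: int = 0
    version_unconfirmed: bool = False

def analyze(log_text):
    """Extract version, package and retry facts from one deployment log."""
    d = Deployment()
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Device version before update is:"):
            m = VERSION_RE.search(line)
            if m:
                d.software = m.group(1)
                d.engine_before, d.sig_before = int(m.group(2)), int(m.group(3))
        elif (m := PACKAGE_RE.search(line)):
            d.sig_target, d.engine_required = int(m.group(1)), int(m.group(2))
        elif (m := RETRY_RE.search(line)):
            d.waited_ms += int(m.group(1))
            d.retries_seen = max(d.retries_seen, int(m.group(2)))
            d.retry_budget = int(m.group(3))
        elif line.startswith("Error when trying to update: Could not get device version"):
            d.version_unconfirmed = True
    return d

def verdict(d):
    """Classify the run; mismatches are reported before the confirmation error."""
    if d.engine_required != d.engine_before:
        return "engine-mismatch"
    if d.sig_target <= d.sig_before:
        return "not-newer"
    if d.version_unconfirmed:
        return "pushed-unconfirmed"   # check the sensor's version on the CLI
    return "no-error-logged"

if __name__ == "__main__":
    run = analyze(SAMPLE_LOG)
    print(run, verdict(run))
```

A "pushed-unconfirmed" result means the log alone cannot say whether the sensor is at the target signature level; the error text itself points to checking the device on the CLI.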

  • IPS Signature Update Support on MARS?

    Hello,
    Is it possible to update MARS to understand and process the latest/greatest release version of IPS signatures we have deployed to our production sensors? All I have been able to find so far are the periodic update packages released as software downloads for MARS, the most recent example being the csmars-4.2.6.2458.pkg update. I have to believe I'm missing something here.
    Thanks in advance for the assistance.
    Regards,
    Chad

    That's what I was afraid of. I have to hope that they address this soon; we've been using VMS for years and have grown used to having signatures understood as soon as they are updated. Interestingly we also run a 3rd party SIM that tends to run about a week behind Cisco's signature release to the time they (3rd party SIM vendor) release their pattern update to support the latest Cisco signatures...
    Thanks for the answer!
    Regards,
    Chad

  • IPS Signature Update. The IPS is left hanging.

    I have performed an IPS signature ID update. Once the definitions have been updated, the IPS is left hanging and I need to perform a reload. The config has been verified as not a possible cause for this adverse effect. Have people had issues of this sort? What would cause the IPS to effectively stall when the upgrade takes place? Any solutions?

    Please use the troubleshooting guide below:
    http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113674-ips-automatic-signature-update-00.html#troubleshoot

  • IPS Signature Update S480?

    I noticed that the software for the E4 engine update has been posted for all IPS devices, but no matching signatures (yet).  Also, I see that the IPS updates for MARS now have an update for S480 available, but no matching signatures for IPS.
    Is this just a mix-up with release dates?  Or am I just missing where the S480 signatures are?  Also, will S480 be the first set of sigs released for the E4 engine?
    Anyone with any insight?

    Whoops ... guess I should have read that E4 engine "readme" file that came with the download ...
    "The E4 Engine Upgrade includes a Signature Update labeled S480. S480 will not be available for separate download.  Refer to the archived Active Update Bulletin for S480 for more details on this signature update release.  Active Update Bulletins are available at:
    http://tools.cisco.com/security/center/bulletin.x?i=57 "

  • Updating and Auto Login

    I've looked all through the forum and can't find an answer so here goes. I have my iMac set to automatic login to my wife's account. Here are my steps for running Software Update. I log out of my wife's account, log in to admin, restart to CD, run Disk Utility to repair permissions, restart. Log out of my wife's account, back into admin, run Software Update, restart. Go through the original steps from repairing a second time and restart. Now to my question. Is it OK to disable auto login totally (forever) or do the updates need to have a full login to complete? Will the updates complete if the bootup stops at the login pane? Sometimes if there is more than one update available, depending on what they are, I may run them separately (carry-over habit from Windows); this adds an extra step to updates. Thanks in advance.

    Admin account is separate and used only for installing software or running software updates and none of the other accounts have admin rights. I'm pretty sure that a permission repair cannot be correctly done if you try to repair while the device is mounted, hence boot from the install CD and run permissions from there. That's how I optimized the drive (defrag) when I was running OS 7.2 all the way to 8.6 (we won't even bring up OS 9, LOL): start the machine from my Symantec CD and repair and optimize from it, then restart. So do I need to let the OS boot all the way into one of the partitions to "complete the install" and "finish the update process" or will it be perfectly OK if it stops at the login pane?
