Is it really possible to revert IPS signatures from CSM

Hi folks,
I've been trying to revert IPS signatures that I deployed through CSM Signature policies to the older release, but it doesn't seem to be working. Contrary to that, Cisco's CSM guide says:
"If you later decide that you did not want to apply a signature update, you can revert to the previous update level by selecting the Signatures policy on the device, clicking the View Update Level button, and clicking Revert."
I can't imagine it is possible as the signatures are normally compiled into XML files. How would the sensor do it?
Eugene

During installation a copy of files that will be replaced or updated during the installation will be copied into a backup directory.
The CLI has a "downgrade" command that can uninstall the last update, and the backup copies will be used to replace the files being removed.
A few things to be aware of:
1) Old configuration will be copied back. So changes made since the update may be lost.
2) This works only for Engine Updates and Signature Updates. Major Updates, Minor Updates, and Service Packs replace the complete operating system so there is too much data to try and make backup copies for.
3) This works only for the last update installed. Once you've downgraded the latest one, you can't downgrade the previous one.
4) This can be done through the CLI, and is now also available in CSM.
Here are some things to check in your situation where it appears to not be working.
Log in to the sensor and execute "show ver".
Does the history in the "show ver" output show a Signature Update package as the last update installed?
If not then either another downgrade was previously done, or a Major Update, Minor Update, or Service Pack was the last package installed and can't be downgraded.
If it can't be done through CSM you might try the CLI's "downgrade" command and see if it works through the CLI or if the CLI gives you an error and explanation.
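
The "show ver" check described in the reply above, as an added example that is not part of the original thread and not Cisco code. The package naming patterns, the layout of the history section and the assumption that the last listed entry is the most recent install are all assumptions, and the sample text is constructed.

```python
import re

# Assumption (not from the thread): signature packages are named like
# IPS-sig-S<n>-req-E<n> and engine packages like IPS-engine-E<n>-req-<ver>.
# Every other package is treated as a Major/Minor Update or Service Pack.
SIG_RE = re.compile(r"^IPS-sig-S\d+-req-E\d+", re.IGNORECASE)
ENGINE_RE = re.compile(r"^IPS-engine-E\d+-req-", re.IGNORECASE)

# Constructed sample of the history portion of "show ver"; layout is assumed.
SAMPLE_SHOW_VER = """\
Upgrade History:

* IPS-K9-7.0-2-E4            02:00:00 UTC Thu Apr 29 2010
  IPS-sig-S480-req-E4.pkg    16:02:01 UTC Mon May 03 2010
"""


def upgrade_history(show_ver_text):
    """Return package names under 'Upgrade History:' (assumed oldest first)."""
    packages, in_history = [], False
    for line in show_ver_text.splitlines():
        fields = line.strip().lstrip("*").split()
        if line.strip().lower().startswith("upgrade history"):
            in_history = True
        elif in_history and fields and fields[0].upper().startswith("IPS-"):
            packages.append(fields[0])
    return packages


def classify(package):
    """Map a package name to 'signature', 'engine' or 'other'."""
    if SIG_RE.match(package):
        return "signature"
    if ENGINE_RE.match(package):
        return "engine"
    return "other"


def downgrade_check(show_ver_text):
    """Return (possible, reason) for the CLI 'downgrade' of the last update."""
    history = upgrade_history(show_ver_text)
    if not history:
        return False, "no upgrade history found in the output"
    last = history[-1]
    kind = classify(last)
    if kind == "other":
        return False, f"{last} is not a signature or engine update"
    return True, f"{last} is a {kind} update and was installed last"


if __name__ == "__main__":
    print(downgrade_check(SAMPLE_SHOW_VER))
```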

Similar Messages

  • IPS Signature Update - CSM v3.3 SP1

    Hi,
    I am getting the following error message when deploying IPS signature updates to some of my sensors via the CSM deployment tool:
    "Failed to generate edit config delta  for host component. Detail: Error while processing the host component with DNS,access-list or http-proxy"
    The signature update actually deploys, but I am wondering what is causing this message.  I get this with some 4240, 4255 and IDSM-II blades, but not with others and I can't see any config variances.
    Does anyone have any ideas what is causing this message?  The access ACLs are the same for each sensor.
    Many thanks

    Hi Liam,
    As you mentioned you are using a shared policy, and the access ACLs for all sensors are the same, I assume that you may be using an "Allowed Hosts" shared policy.
    In that case, how did you create that policy ?
    Did you create the policy from the policy view page, or did you right click on the "Allowed Hosts" setting of a device in device view and select "share policy" ?
    If you did the first, you may be running into a known issue. You can read more about this on the bug toolkit:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg02063
    This is the workaround that should work for you in case you are indeed running into this issue:
    1. Rediscover or newly add any one IPS device running 7.x version
    2. Create entries for "Allowed Hosts" according to requirements.
    3. Right click on "Allowed Hosts", select "Share Policy..." and specify a name for shared policy.
    4. Assign this "Allowed Hosts" shared policy to one or more devices.
    5. Deployment should now be successful for "Allowed Hosts".

  • IPS Signature Updates with no Internet Access

    Hi all,
    I've got a bit of an interesting dilemma that I'm hoping that someone could help with. I have two distinct networks: A "regular" network, along with a "secure" network. I've not been involved in the setup/configuration, but I've been handed some work to do now that has me puzzled.
    The two networks are separated with a pair of ASA devices with IPS modules installed. User access to the secure side works by using Cisco VPN client, terminating on the ASAs, and once connected applications are delivered via Citrix. Management of the ASAs involves connecting via management VPN to the "external" ASA interface, connecting to a management server via Citrix and from there, management via MARS, ASDM & IME.
    My issue is that I have been asked to configure auto-updates for the IPS modules. However, there is no internet access from the secure network. Servers on the secure side can request files, etc, from the regular side but no direct access can be initiated from the regular side back to the secure network. There are no ASA devices that are contactable/manageable from the regular side.
    I've read that it's possible to somehow download updates from cisco.com via FTP or similar, but I fail to see how I can automate the process. What I originally thought to do was to install another copy of IME on the regular network, set up a dummy device and there on configure auto-updates, but unfortunately the IPS needs to be contactable for that to work.
    Can anybody think of a solution that could make this work for me?

    Hi Jennifer,
    Thanks for that, but the instructions in that document appear to be related to updating a sensor from an FTP server where the updates have already been copied to it.
    I have searched and searched, but I'm unable to locate the relevant location to download the signatures direct via FTP/SCP. I have attempted to locate them on ftp.cisco.com, but with no luck.
    Regards,
    James

  • IOS IPS Signature Updates

    Hi,
    Is it possible to update signatures for IOS IPS or do we need to update the IOS to get more signatures?
    Thanks and rgds
    Rajesh

    Hi,
    If you have Cisco SDM, then it would be easy to update your IOS IPS signatures. You may need to upgrade the IOS of the router only when the IPS signature requires you to do it.

  • Is it possible to revert back from iPhoto to Pictures?

    To be quite honest I have never really liked iPhoto and especially when you sync it with the iPhone and iPad etc. Is it possible to revert back to just using Pictures?
    If this is possible I would like to be able to export my iPhoto album into Pictures and then delete iPhoto.
    Cheers and Happy New Year!!

    What is your iPhoto version?
    In iPhoto '11 you would need to export your iPhoto events, one by one, to folders in your Pictures folder.
    Use the command "File > Export, Kind Original" to export the original files you imported to iPhoto, and use the command "File > Export , Kind Current" to export your edited versions.
    To find out which photos have been edited or not, define two smart albums (File > New > Smart album) with the rules:
         Photo is not edited
    and the other one:
         Photo is edited
    This way you can make sure to export all edited versions as well and not only the originals.
    Regards
    Léonie

  • Filtering IPs on a IDS/IPS signature

    Forgive me, I am pretty green when it comes to manipulating IDS/IPS signatures.
    Is there a way to filter an IP or subnet from an IDS/IPS signature?
    Scenario:
    We have 2 ASAs with IPS modules and 2 4260 IDS's, we use IPS Manager Express 6.1 to manage them. I keep getting a mail server that is triggering signature 5748-x because it's sending a helo verb instead of a noop. This is fine for this particular mail server. So I would like to remove its IP or filter its IP from the signature so when this happens the signature doesn't fire. However I don't want to disable the signature in case it happens somewhere else.
    Any help is greatly appreciated.
    e-

    It's not really too bad. I would encourage you to read still though;-)
    Each signature can be configured with any number of actions. By default, a lot of them have the "produce alert" action.
    Event action filters are basically a way to suppress all or some actions based on various criteria, like sigid and source (attacker) IP address. I've attached an example.

  • WRVS4400N v2: IPS SIGNATURES || 365 days without an update??

    Good day!
    I wanted to know how often Cisco determines it should be releasing new updated IPS signatures to ensure customers are being adequately protected from the latest threats? That is for those of us who choose to use the feature.
    https://supportforums.cisco.com/message/3419502#3419502
    As you can see in the last posting about this very issue, it took Cisco over 365 days to release one single IPS file.
    Is the IPS file comparable to a virus definition file? Or does the IPS file simply not require being updated by Cisco... for years at a time.
    I'm finding that development on updated IPS files is being neglected by the Cisco development team.
    It will soon be coming up to August 9, 2012. That will make the last published IPS update 365 days old.
    Thanks for any insight you may provide.
    Sincerely,
    Christopher Laurie

    We should all get regular IPS updates, but I understand some of the reasons why it could be tough to provide IPS signature updates for your device. Basically you have an IPS *on/off* switch. Therefore they have to be certain that ALL of the signatures aren't too sensitive. Otherwise you would be forced to turn the functionality 'off'.
    The SA500 Series routers have a little more flexibility to configure IPS.  IPS signatures can be turned on/off at the signature-level.
    The enterprise-level IPS modules have 10 times the flexibility, are much more robust, and are highly configurable.  Custom IPS signatures can even be created by the end user.
    All in all, we are dealing with 3 different types of IPS signatures and IPS engine implementations.  That said, your device really needs IPS signature updates at least 3 or 4 times a year to be effective.  We used to have a WRVS4400N v2 so I understand where you're coming from.

  • WRVS4400N - firmware issues and IPS signature update messages

    On my WRVS4400N with Firmware Version: V1.1.03 I keep getting the message:
    "Your Signature Version is beyond xxx days. Please Update it!"
    Cisco/Linksys: about time to update the IPS signature, because I always have the latest available, but you don't update it anymore.
    Besides: there are a lot of known issues with this router, but you don't provide us with a new firmware. OK, I did find a beta WRVS4400N_v1108.img on rapidshare, but is this really a Linksys beta? Why don't you publish updates anymore?
    I am very disappointed by your service on this matter :-(
    JJ (ICT dept 2500+ employees + Cisco user)

    Hi Tom,
    Last night I reset the setting to factory default, reinstalled firmware v2.0.2.1 and then restored my settings I backed up. Everything worked great after that but this morning it was down again. Same thing, no network and can't log into the router and forced to cycle the power.
    As a "way out there" guess, are there any compatibility issues with certain switches? One thing I did change the past few days was that I took out an older cheap 8-port D-Link Gigabit switch which was maxed-out and replaced it with a Netgear ProSafe 16-port Gigabit switch (model JGS516).
    Another thing that has changed is that I have added another network by cascading a D-Link DIR-655 wireless router. I have the WAN port of this router connected to a LAN port on the WRVS4400N router. The WRVS4400N router is using IP 192.168.21.x (subnet mask 255.255.255.0) and the other router is set to 192.169.10.x (subnet mask 255.255.255.0). I may be wrong but I can't see this being an issue. Any ideas?

  • CSM 3.1.0 doesn't update IPS signature after E2 engine

    Hi!:
    I have updated my IDS/IPS with E2 engine but now with CSM when I try to update my IDS, with a new signature, I received the next message:
    "There is no package to update sensor, sensor is up to date"
    I have the S344 signature in CSM and my sensor has S342.
    Is it possible to update signatures with CSM 3.1.0 after the E2 engine?
    Thank you
    Alex

    Refer to the following url for more info on upgrading to latest IPS signatures:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d280.html
    also refer the link below for more info on signature upgrade:
    http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html

  • Mars box MARS box v4.3.5 (2838) IPS Signature Version 330 upgrade

    Hi, I have the software MARS box v4.3.5 (2838) IPS Signature Version 330
    Is there any upgrade available for it?
    Where can I find info for upgrading the software and IPS Signature on the Cisco web site?
    I also want to integrate CiscoWorks, LMS 2.6 to send SNMP Trap Notification to the MARS box v4.3.5 (2838) IPS Signature Version 330. Is it possible and what would be the port # on the MARS box?

    You are already running the latest software for the Generation 1 MARS appliances. You can find newer updates here:
    http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars
    For IPS, it is better to turn on automatic updates. Just go to:
    Admin >> System Setup >> IPS Signature Dynamic Update Settings
    The URL is already set there, just put your CCO username/password and click 'Update Now' then hit 'Submit'. I think the current Signature release is 352. You can manually download them from here if you like:
    http://www.cisco.com/cgi-bin/tablebuild.pl/mars-ips-sigup
    Please rate if helpful.
    Regards
    Farrukh

  • IPS Signature Update Support on MARS?

    Hello,
    Is it possible to update MARS to understand and process the latest/greatest release version of IPS signatures we have deployed to our production sensors? All I have been able to find so far are the periodic update packages released as software downloads for MARS, the most recent example being the csmars-4.2.6.2458.pkg update. I have to believe I'm missing something here.
    Thanks in advance for the assistance.
    Regards,
    Chad

    That's what I was afraid of. I have to hope that they address this soon; we've been using VMS for years and have grown used to having signatures understood as soon as they are updated. Interestingly we also run a 3rd party SIM that tends to run about a week behind Cisco's signature release to the time they (3rd party SIM vendor) release their pattern update to support the latest Cisco signatures...
    Thanks for the answer!
    Regards,
    Chad

  • IPS Signature Statuses

    Hi All.
    I'm struggling to find a definitive answer or reason for some of the configuration IPS signature statuses.
    What does the enabled setting in a rule actually mean in relation to retired and obsolete rules?
    I have lots of rules which are enabled but which are also set as retired and/or obsolete. I'm assuming from my research that these are not active rules.
    Why are these enabled? (especially when it doesn't mean anything?)
    I appreciate that retired rules can be overridden and set to active, but surely when using the defaults from Cisco the retired rules should not be enabled?
    I'm really confused by the nonsensical approach of both this and MARS.
    Any help would be gratefully received.
    Thanks
    Mark

    Anybody?

  • IPS Signature Update. The IPS is left hanging.

    I have performed an IPS signature ID update. Once the definitions have been updated, the IPS is left hanging and I need to perform a reload. The config has been verified as not a possible cause for this adverse effect. Have people had issues of this sort? What would cause the IPS to effectively stall when the upgrade takes place? Any solutions?

    Please use the below troubleshoot guide
    http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113674-ips-automatic-signature-update-00.html#troubleshoot

  • Is it possible to add a signature box on the bottom of forms?

    Is it possible to add a signature box on the bottom of forms?
    We have a customer who is thinking of using forms, but needs a signature box to be included in the form. Is this something that can be added?

    Hi,
    Unfortunately, Adobe FormsCentral does not have an option to add signatures.
    In order to distribute forms requesting signatures, you may use the following Adobe products:-
    Adobe Acrobat:- PDF creator, edit PDF | Adobe Acrobat XI
    Adobe EchoSign:- Electronic Signature Software, Digital Signatures | Adobe EchoSign
    Regards,
    Nakul

  • Is it possible to use digital signature in Sales order of SAP B1 ?

    Hi Experts,
    Version: 8.81 PL07
    Crystal report Layout: 2011
    Is it possible to use digital signature in Sales order of SAP B1 ?
    Thanks in advance,
    Regards,
    Dwarak

    Hello
    Signature by scanned image is possible; you can create a function to do it. Please note: images must be inside the reports, and you hide them with a CR function.
    Certificate-based signature of CR is not possible; you must develop an add-on that provides this functionality.
    János
